_infra/synthetiq.yaml — committed to your git repository. generate and provision read it; changing your infrastructure means editing it and re-running the lifecycle.
Create it with infra init
From your infrastructure repository:
init confirms the target AWS account, discovers your VPC, public subnets, and issued certificates, and writes the config with concrete ids:
generate and provision find the file from anywhere inside the repo.
Fields
Required — existing infrastructure Synthetiq references, never modifies:

| Field | Description |
|---|---|
| region | The region Synthetiq provisions into |
| domain | The base domain apps are served under |
| network.vpc | The VPC Synthetiq lands in (in a fresh sub-account, init discovers the default VPC) |
| network.public_subnets | Subnets for the load balancer and NAT — at least 3 Availability Zones |
| certs.api_cert_arn | Issued ACM ARN covering *.api.<domain>, in your region |
| certs.cdn_cert_arn | Issued ACM ARN covering *.<domain> + apex, in us-east-1 |

| Field | When present |
|---|---|
| overrides.nat | Workload egress routes through this NAT gateway; the stack doesn’t create one |
| overrides.private_subnets | Workloads run in these subnets; the stack creates no networking. Cannot be combined with overrides.nat — see Networking |
Add resources in the diff generate produces — so the effect of an omission is always visible before it’s applied.
Unknown keys are rejected at load time, so a typo fails in CI instead of being silently ignored.
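The strict-loading rules in this section can be mirrored in a pre-commit or CI check. The sketch below is an added example, not Synthetiq's own loader: it assumes the dotted field names in the tables map to nested YAML keys and that the file has already been parsed into a dict. `validate_config`, `SCHEMA`, and the sample values are hypothetical, and the subnet count is only a necessary condition for spanning 3 Availability Zones.

```python
# Added illustration, not Synthetiq's loader; nesting inferred from dotted names.
SCHEMA = {
    "region": None, "domain": None,
    "network": {"vpc": None, "public_subnets": None},
    "certs": {"api_cert_arn": None, "cdn_cert_arn": None},
    "overrides": {"nat": None, "private_subnets": None},
}
OPTIONAL = {"overrides", "overrides.nat", "overrides.private_subnets"}

def _walk(cfg, schema, prefix, errors):
    """Reject unknown keys and report missing required ones, recursively."""
    if not isinstance(cfg, dict):
        errors.append(f"{prefix.rstrip('.')}: expected a mapping")
        return
    errors.extend(f"unknown key: {prefix}{k}" for k in cfg if k not in schema)
    for key, sub in schema.items():
        if key not in cfg:
            if prefix + key not in OPTIONAL:
                errors.append(f"missing required field: {prefix}{key}")
        elif sub is not None:
            _walk(cfg[key], sub, f"{prefix}{key}.", errors)

def _arn_region(arn):
    """Region of an ACM ARN: arn:aws:acm:<region>:<account>:certificate/<id>."""
    parts = str(arn).split(":")
    return parts[3] if len(parts) >= 6 and parts[2] == "acm" else None

def validate_config(cfg):
    """Return a list of error strings; an empty list means the file passes."""
    errors = []
    _walk(cfg, SCHEMA, "", errors)
    if errors:
        return errors  # structure is wrong, so skip the value checks
    subnets = cfg["network"]["public_subnets"]
    if not isinstance(subnets, list) or len(subnets) < 3:
        errors.append("network.public_subnets: need at least 3 subnets")
    if _arn_region(cfg["certs"]["api_cert_arn"]) != cfg["region"]:
        errors.append("certs.api_cert_arn: not an ACM ARN in the configured region")
    if _arn_region(cfg["certs"]["cdn_cert_arn"]) != "us-east-1":
        errors.append("certs.cdn_cert_arn: not an ACM ARN in us-east-1")
    overrides = cfg.get("overrides", {})
    if "nat" in overrides and "private_subnets" in overrides:
        errors.append("overrides.nat cannot be combined with overrides.private_subnets")
    return errors

ARN = "arn:aws:acm:{}:111122223333:certificate/constructed-id"  # constructed
SAMPLE = {"region": "eu-west-1", "domain": "example.com",
          "network": {"vpc": "vpc-0example", "public_subnets": ["subnet-a", "subnet-b", "subnet-c"]},
          "certs": {"api_cert_arn": ARN.format("eu-west-1"), "cdn_cert_arn": ARN.format("us-east-1")}}
```
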
Authoring without AWS access
Run without credentials, init enters offline mode and asks for the values directly instead of discovering them. synthetiq infra generate validates every value against the real account later, wherever credentials exist (CI, or a teammate with a profile).
The file is plain YAML — editing it by hand is equally valid. That’s also how you change infrastructure later: edit, commit, and re-run generate to see the diff before anything is applied.
