Skip to main content
This page walks you through provisioning the Synthetiq deployment infrastructure in your own AWS account using the Synthetiq CLI.

Prerequisites

  • A Synthetiq account with an organization
  • The Synthetiq CLI installed (npm install -g @synthetiq/cli) — the CLI is currently hosted on a private npm registry and requires credentials provided by Synthetiq
  • An AWS account — see provisioning permissions below
  • AWS credentials available in your environment (via environment variables, AWS SSO, or ~/.aws/credentials)
  • Two wildcard SSL certificates in ACM (or let the CLI provision them for you):
    • *.apps.yourcompany.com — for the CDN (static assets)
    • *.api.apps.yourcompany.com — for the load balancer (API traffic)
The domain can be any domain you control — for example, apps.yourcompany.com or internal.acme.com. Each app you deploy gets its own subdomain under this domain (e.g., my-app.apps.yourcompany.com).

Provisioning permissions

All resources created by the provisioner are namespaced under synthetiq-* and managed entirely through CloudFormation. The provisioner does not modify or access any existing resources in your account. We recommend using an IAM user or role with AdministratorAccess (or equivalent broad permissions) when running synthetiq provision aws, as the provisioner creates resources across many AWS services.
  • CloudFormation
  • IAM (roles, OIDC providers, policies)
  • ECS and ECR
  • EC2 (subnets, NAT gateway, security groups, VPC endpoints)
  • Elastic Load Balancing
  • S3
  • Lambda
  • Step Functions
  • CodeBuild
  • CloudFront
  • DynamoDB
  • ACM (certificate provisioning)
  • Route 53 (DNS validation for certificates)
  • API Gateway
  • Secrets Manager
  • CloudWatch Logs
  • Application Auto Scaling
If your organization requires a narrower policy, the list above describes the full set of AWS services the provisioner interacts with. Contact Synthetiq for a minimal IAM policy document.

Step 1: Authenticate with Synthetiq

synthetiq login
This opens your browser to sign in with your Synthetiq account. Once authenticated, the CLI stores your session locally so subsequent commands can communicate with the Synthetiq platform.

Step 2: Provision your infrastructure

synthetiq provision aws \
  --region us-east-1 \
  --domain apps.yourcompany.com
The CLI provisions all required infrastructure in your AWS account and registers the results with the Synthetiq platform. Once complete, you can deploy apps from the Synthetiq console just like you would on Synthetiq-hosted infrastructure.

What this creates

The provisioner deploys two CloudFormation stacks in your account: Infrastructure stack (synthetiq-infra) — the core deployment pipeline and app-serving resources:
  • Compute cluster for running app and worker containers
  • Load balancer for routing HTTPS traffic to apps by subdomain
  • Container registry for app images
  • Deployment pipeline (build, package, migrate, and deploy orchestration)
  • Storage for deployment artifacts, static assets, and app data
  • Networking (private subnets, NAT gateway for outbound access)
  • IAM roles scoped per app for each deployment phase
Edge stack (synthetiq-edge) — global content delivery:
  • CloudFront CDN distribution with HTTP/2 and HTTP/3
  • Edge routing functions that map subdomains to per-app static assets
  • Routing table for subdomain-to-origin mapping

Options

ParameterRequiredDefaultDescription
--regionYesAWS region for your infrastructure
--domainYesBase domain for your apps — any domain you control (e.g., apps.yourcompany.com, internal.acme.com)
--api-cert-arnNoAuto-provisionedACM certificate ARN for *.api.{domain} (load balancer)
--cdn-cert-arnNoAuto-provisionedACM certificate ARN for *.{domain} (CDN, must be in us-east-1)
--vpc-idNoDefault VPCVPC to deploy into
If you don’t provide certificate ARNs, the CLI requests certificates via ACM and walks you through DNS validation.

Step 3: Configure DNS

After provisioning, point your domain to the infrastructure the CLI created. The CLI outputs the DNS records you need to add:
  • *.api.apps.yourcompany.com → load balancer (API traffic)
  • *.apps.yourcompany.com → CloudFront distribution (static assets)

What happens next

Once provisioning is complete, your infrastructure is registered with the Synthetiq platform. You can deploy apps with a single click from the Synthetiq console — the platform triggers deployments in your account through the deploy role that was created during provisioning.

Updating your infrastructure

Synthetiq regularly publishes infrastructure updates that include performance improvements, security patches, and new platform features. We recommend keeping your infrastructure up to date with the latest CLI version. All Synthetiq packages — including the CLI, app framework, and infrastructure templates — share the same version number. To update your infrastructure, upgrade the CLI and re-provision: 
npm install -g @synthetiq/cli@latest
synthetiq provision aws --region us-east-1 --domain apps.yourcompany.com
The CLI detects the existing stacks and updates them with the latest templates, applying only what has changed.