Deploy Infrastructure

Prerequisites

First-Time Setup (New Environment)

For a brand new environment, complete these steps before deploying ComputeStack:

  1. ACM Certificate - Create cross-account certificate (see acm-certificates.md)
  2. DNS Delegation - Add NS records in management account (see dns-delegation.md)

Steps

cd /home/volrath/code/orcha/infra
source .venv/bin/activate

# 1. Bootstrap (first time only)
AWS_PROFILE=orcha-prod cdk bootstrap aws://700558745280/eu-central-1 --context env_name=prod

# 2. Deploy
AWS_PROFILE=orcha-prod cdk deploy --all --context env_name=prod

# 3. NS delegation (first time only, note HostedZoneId from deploy output)
./scripts/delegate-subdomain.sh prod <HOSTED_ZONE_ID>

# 4. GCP setup (first time only) - Document AI, Workload Identity, Gmail Pub/Sub
./scripts/setup-gcp.sh --gcp-project getorcha-prod --aws-account 700558745280 --env prod --app-domain app.getorcha.com
# Then create Gmail OAuth credentials manually (see runbooks/new-environment/gcp-setup.md)

# 5. Outlook setup (first time only) - Microsoft Entra app registrations
./scripts/setup-outlook.ps1 -EnvName prod -TenantId "<your-tenant-id>" -AppDomain app.getorcha.com -CognitoDomain v1-orcha-prod-auth
# See runbooks/new-environment/outlook-setup.md for details

# 6. Update secrets (add output from steps 4+5 to secrets first)
./scripts/update-secrets.sh --from-file secrets

# 7. Configure Cognito Identity Providers (first time only)
./scripts/setup-cognito-idps.sh
# See runbooks/new-environment/cognito-setup.md for details

Verify

AWS_PROFILE=orcha-prod aws cloudformation list-stacks \
  --query "StackSummaries[?contains(StackName,'V1OrchaProd')].{Name:StackName,Status:StackStatus}" \
  --output table
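
A scriptable form of the Verify step, added here as an example (not part of the original runbook): it fails when any matching stack is not in CREATE_COMPLETE or UPDATE_COMPLETE, and ignores DELETE_COMPLETE rows, which list-stacks keeps returning for 90 days after a stack is deleted. It assumes the query projection is changed to [StackName,StackStatus] with --output text; the function names and the sample stack names are constructed for illustration.

```shell
#!/bin/sh
# Reads "StackName<TAB>StackStatus" rows on stdin.
# Exit codes: 0 = all live stacks healthy, 1 = at least one unhealthy,
#             2 = no live stack matched (wrong profile, region or filter).
check_stack_statuses() {
    awk -F '\t' '
        NF < 2 { next }                      # skip blank or malformed rows
        $2 == "DELETE_COMPLETE" { next }     # leftovers from deleted stacks
        { live++ }
        $2 != "CREATE_COMPLETE" && $2 != "UPDATE_COMPLETE" {
            # Covers *_IN_PROGRESS, *_FAILED and every rollback state.
            printf "NOT HEALTHY: %s (%s)\n", $1, $2
            bad++
        }
        END {
            if (live == 0) { print "NO MATCHING STACKS"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample rows (not real deploy output).
sample_healthy() {
    printf 'V1OrchaProd-Network\tCREATE_COMPLETE\n'
    printf 'V1OrchaProd-Compute\tUPDATE_COMPLETE\n'
    printf 'V1OrchaProd-Old\tDELETE_COMPLETE\n'
}
sample_rolled_back() {
    printf 'V1OrchaProd-Network\tCREATE_COMPLETE\n'
    printf 'V1OrchaProd-Api\tUPDATE_ROLLBACK_COMPLETE\n'
}
sample_only_deleted() {
    printf 'V1OrchaProd-Old\tDELETE_COMPLETE\n'
}

# Live use, with the same filter as the Verify command above:
#   AWS_PROFILE=orcha-prod aws cloudformation list-stacks \
#     --query "StackSummaries[?contains(StackName,'V1OrchaProd')].[StackName,StackStatus]" \
#     --output text | check_stack_statuses

# Offline demo on the constructed rows.
sample_rolled_back | check_stack_statuses || echo "verification failed (exit $?)"
```

An UPDATE_ROLLBACK_COMPLETE stack is reported as unhealthy because it means the last deploy did not apply, even though the stack itself is stable.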