Consolidating adamcherrycomics.dangerouscentaur.com onto Shared Infrastructure: Bucket Decommission and DNS Cleanup

Overview

During routine infrastructure auditing for the adamcherrycomics project, we identified and safely decommissioned a stale S3 bucket that was no longer serving traffic. This work is part of our ongoing effort to consolidate per-site S3 buckets onto the shared dc-sites bucket pattern, reducing operational overhead and simplifying our CloudFront distribution model. This post details the audit, deletion decision-making, and verification steps we took.

What Was Done

  • Audited and confirmed s3://adamcherrycomics.dangerouscentaur.com/ is genuinely empty and unused
  • Verified the bucket is not on the serving path for any traffic
  • Deleted the empty S3 bucket
  • Confirmed no downstream impact on the live site
  • Verified kanban tracking for related work item t-29664f2c (already closed)

Technical Details: Why the Bucket Was Safe to Delete

Bucket Contents Audit

The bucket s3://adamcherrycomics.dangerouscentaur.com/ contained zero objects:

aws s3api list-objects-v2 \
  --bucket adamcherrycomics.dangerouscentaur.com \
  --region us-east-1

# Response: "Contents": [], "KeyCount": 0

This indicated the bucket had been emptied at some point in the past, likely during the migration to centralized hosting.

Serving Path Verification

The live site is served entirely through CloudFront distribution E2Q4UU71SRNTMB, which has a single origin:

  • Origin name: dc-sites
  • Origin domain: dc-sites.s3.us-east-1.amazonaws.com
  • Region: us-east-1

Traffic routing is handled by the CloudFront Function dc-sites-router, which intercepts requests and rewrites them to the shared bucket path:

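// Simplified representation of dc-sites-router logic
function handler(event) {
  var request = event.request;
  // CloudFront Functions expose each header as an object with a .value field
  if (request.headers.host.value === "adamcherrycomics.dangerouscentaur.com") {
    request.uri = "/adamcherrycomics.dangerouscentaur.com" + request.uri;
  }
  return request;
}
// Request now serves from:
// s3://dc-sites/adamcherrycomics.dangerouscentaur.com/...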

The hostname-specific bucket adamcherrycomics.dangerouscentaur.com is never queried.

DNS Architecture

DNS for adamcherrycomics.dangerouscentaur.com points to the CloudFront distribution, not to an S3 website endpoint:

  • Record type: CNAME
  • Record name: adamcherrycomics (at dangerouscentaur.com)
  • Target: dclu4nl5nln98.cloudfront.net
  • Managed at: Namecheap

There is no S3 website endpoint CNAME, and no Route53 alias record pointing to the S3 bucket. This confirms zero traffic dependency.

Infrastructure Architecture Context

Historical Pattern

The bucket existed from an earlier per-site hosting pattern where each site had its own S3 bucket and CloudFront distribution. This pattern was:

  • Difficult to maintain (separate origins, duplicate CF configs, isolated Lambda layers)
  • Expensive (multiple PUT/GET request charges, multiple distributions)
  • Error-prone (inconsistent cache policies, missing security headers across distributions)

Current Pattern

All dangerouscentaur.com subdomains now share:

  • Single S3 bucket: dc-sites (us-east-1)
  • Single CloudFront distribution: E2Q4UU71SRNTMB
  • CloudFront Function: dc-sites-router (viewer request event, rewrites URIs by hostname)
  • Shared Lambda@Edge layer: dc-sites-security-headers (adds CSP, HSTS, X-Frame-Options to origin responses)

Site content is stored in path-based subdirectories within dc-sites:

s3://dc-sites/
├── adamcherrycomics.dangerouscentaur.com/
│   ├── index.html
│   ├── about.html
│   ├── styles/
│   └── assets/
├── anothersite.dangerouscentaur.com/
│   └── ...
└── ...

Deletion Process and Verification

Pre-deletion Checks

Before deletion, we verified:

# 1. Bucket is empty
aws s3api list-objects-v2 --bucket adamcherrycomics.dangerouscentaur.com

# 2. No lifecycle policies that might delete objects
#    (a NoSuchLifecycleConfiguration error means none is configured)
aws s3api get-bucket-lifecycle-configuration \
  --bucket adamcherrycomics.dangerouscentaur.com

# 3. No bucket policies or cross-account references
#    (a NoSuchBucketPolicy error means no policy is attached)
aws s3api get-bucket-policy --bucket adamcherrycomics.dangerouscentaur.com

# 4. Confirm CF origin does not reference this bucket
aws cloudfront get-distribution-config --id E2Q4UU71SRNTMB | grep Origin
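
Check 4 and the DNS review above can be turned into a pass/fail test, which matters because S3 bucket names are global and a record or origin left pointing at a deleted name is a dangling reference. The following is an added example, not the project's own tooling: the function names, the record dictionary layout and the "legacy" sample values are assumptions constructed for illustration, while the current origin and CNAME target are the ones reported in this post.

```python
import json

BUCKET = "adamcherrycomics.dangerouscentaur.com"

# Constructed sample shaped like `aws cloudfront get-distribution-config` output,
# carrying the single origin this post reports for E2Q4UU71SRNTMB.
CURRENT_CONFIG = json.dumps({"DistributionConfig": {"Origins": {"Quantity": 1, "Items": [
    {"Id": "dc-sites", "DomainName": "dc-sites.s3.us-east-1.amazonaws.com"}]}}})
CURRENT_DNS = [{"name": BUCKET, "type": "CNAME", "target": "dclu4nl5nln98.cloudfront.net"}]

# Constructed counter-example: references a per-site setup could have left behind.
LEGACY_CONFIG = json.dumps({"DistributionConfig": {"Origins": {"Quantity": 1, "Items": [
    {"Id": "legacy-site", "DomainName": BUCKET + ".s3.amazonaws.com"}]}}})
LEGACY_DNS = [{"name": BUCKET, "type": "CNAME",
               "target": BUCKET + ".s3-website-us-east-1.amazonaws.com."}]


def points_at_bucket(hostname, bucket):
    """True if hostname is an S3 endpoint (REST, website, dualstack) of bucket."""
    host = hostname.lower().rstrip(".")  # DNS targets may carry a trailing dot
    prefix = bucket.lower() + ".s3"
    if not (host.startswith(prefix) and host.endswith(".amazonaws.com")):
        return False
    # The character after "<bucket>.s3" must begin the endpoint suffix,
    # e.g. ".us-east-1...", "-website-us-east-1..." or ".amazonaws.com".
    return host[len(prefix)] in ".-"


def deletion_blockers(bucket, dist_config_json, dns_records):
    """List every CloudFront origin or DNS record that still resolves to bucket."""
    blockers = []
    origins = json.loads(dist_config_json)["DistributionConfig"]["Origins"]
    for origin in origins.get("Items") or []:
        if points_at_bucket(origin["DomainName"], bucket):
            blockers.append("origin %s -> %s" % (origin["Id"], origin["DomainName"]))
    for rec in dns_records:
        if rec["type"] in ("CNAME", "ALIAS") and points_at_bucket(rec["target"], bucket):
            blockers.append("dns %s %s -> %s" % (rec["type"], rec["name"], rec["target"]))
    return blockers


if __name__ == "__main__":
    for label, cfg, dns in (("current", CURRENT_CONFIG, CURRENT_DNS),
                            ("legacy", LEGACY_CONFIG, LEGACY_DNS)):
        print(label, deletion_blockers(BUCKET, cfg, dns) or "no references found")
```

To run it against live state, pass the raw output of the check 4 command (without the grep) and the records exported from the DNS provider.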

Deletion

aws s3 rb s3://adamcherrycomics.dangerouscentaur.com/
# Removed bucket: adamcherrycomics.dangerouscentaur.com

Post-deletion Verification

Site continues to serve 200 responses from the shared bucket:

curl -I https://adamcherrycomics.dangerouscentaur.com/
# HTTP/2 200
# X-Cache: Hit from cloudfront
# Server: CloudFront

CloudFront distribution remains unchanged (still points to dc-sites origin).

Recent Project Status

For context, adamcherrycomics is currently live with:

  • Checkout flow: Stripe hosted-page redirect (fixed in prior session; Lambda now includes typing_extensions, uses ui_mode="hosted_page")
  • DNS: Explicit adamcherrycomics CNAME at Namecheap (fixed RFC 1034 shadowing issue with wildcard)