Consolidating Multi-Site Infrastructure: Migrating adamcherrycomics from Per-Bucket to Shared CloudFront Origin

What Was Done

We completed the infrastructure consolidation for adamcherrycomics.dangerouscentaur.com by removing a stale, unused S3 bucket and verifying that the site was already operating on a shared CloudFront distribution with a centralized origin bucket. This work eliminated unnecessary AWS resource sprawl while confirming that the routing architecture is correct and performant.

  • Deleted the orphaned bucket s3://adamcherrycomics.dangerouscentaur.com/
  • Verified CloudFront distribution E2Q4UU71SRNTMB serves all dangerouscentaur.com subdomains from a single origin
  • Confirmed the router function correctly rewrites hostname-based requests to path-based S3 keys
  • Validated DNS configuration and confirmed no bucket-endpoint dependencies exist

Technical Details: The Old vs. New Architecture

Previous Pattern (Pre-Consolidation)

Each site had its own S3 bucket: adamcherrycomics.dangerouscentaur.com served as both the bucket name and (optionally) the static website endpoint. This pattern creates administrative overhead:

  • One bucket per site = one IAM policy per site
  • One CloudFront distribution per site (or per-domain routing logic)
  • Separate access logs and versioning configuration per bucket
  • Harder to apply consistent lifecycle policies across the estate

Current Pattern (Post-Consolidation)

All dangerouscentaur.com sites now operate under a single shared infrastructure:

  • Single origin bucket: dc-sites in us-east-1
  • Single CloudFront distribution: E2Q4UU71SRNTMB with origin dc-sites.s3.us-east-1.amazonaws.com
  • Request routing: CloudFront Function dc-sites-router (attached to viewer request)
  • DNS: Each subdomain (e.g., adamcherrycomics.dangerouscentaur.com) is a CNAME to the CloudFront distribution alias domain dclu4nl5nln98.cloudfront.net

Why the Old Bucket Was Safe to Delete

Before deleting s3://adamcherrycomics.dangerouscentaur.com/, we verified four critical facts:

1. Bucket Was Genuinely Empty

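aws s3api head-bucket --bucket adamcherrycomics.dangerouscentaur.com
# Exit status 0 (HTTP 200) confirms the bucket exists and is accessible;
# head-bucket itself does not report object counts.

aws s3 ls s3://adamcherrycomics.dangerouscentaur.com/ --recursive --summarize
# Output:
# Total Objects: 0
#    Total Size: 0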

2. CloudFront Distribution Does Not Reference It

The distribution E2Q4UU71SRNTMB has exactly one origin:

# Origins is an object with Quantity and Items; the origin entries live under Items
aws cloudfront get-distribution-config --id E2Q4UU71SRNTMB \
  | jq '.DistributionConfig.Origins.Items[0]'
# Output:
# {
#   "Id": "dc-sites-origin",
#   "DomainName": "dc-sites.s3.us-east-1.amazonaws.com",
#   "S3OriginConfig": { "OriginAccessIdentity": "" }
# }

3. DNS Is Not Bucket-Endpoint Dependent

The DNS record at Namecheap points to CloudFront, not to an S3 website endpoint:

; adamcherrycomics.dangerouscentaur.com CNAME lookup
adamcherrycomics.dangerouscentaur.com. 300 IN CNAME dclu4nl5nln98.cloudfront.net.

Deleting the bucket does not affect resolution: the record targets the CloudFront domain, not an S3 endpoint, so it is not left dangling. The hostname merely shares its name with the old bucket.

4. Router Function Path-Rewrites All Requests

When a browser requests https://adamcherrycomics.dangerouscentaur.com/index.html:

  1. DNS resolves to CloudFront distribution E2Q4UU71SRNTMB
  2. CloudFront executes dc-sites-router function on viewer request
  3. Function rewrites the path to /adamcherrycomics.dangerouscentaur.com/index.html
  4. CloudFront fetches from origin dc-sites.s3.us-east-1.amazonaws.com with the rewritten path
  5. The bucket adamcherrycomics.dangerouscentaur.com is never consulted

The old bucket was an artifact from the previous architecture and carried no operational dependency.
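
The hostname-to-path rewrite in steps 2 and 3, sketched as a viewer-request CloudFront Function. This is an added example, not the source of dc-sites-router (which the page does not show); the host validation, the dot-segment check, the index.html default and the helper names `reject` and `sampleEvent` are assumptions.

```javascript
// Added example, not the real dc-sites-router source (the page does not show it).
// Assumptions: one-label subdomains only, "/" maps to index.html, 400 on reject.
var SITE_SUFFIX = '.dangerouscentaur.com';               // domain named on the page
var HOST_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/; // a single DNS label

function reject() {
    // Returning a response object from a viewer-request function short-circuits
    // the request: CloudFront answers directly and never contacts the origin.
    return { statusCode: 400, statusDescription: 'Bad Request' };
}

function handler(event) {
    var request = event.request;
    var hostHeader = request.headers.host;
    var host = hostHeader ? hostHeader.value.toLowerCase() : '';

    // Only <label>.dangerouscentaur.com may select a prefix in the shared bucket.
    if (!host.endsWith(SITE_SUFFIX)) return reject();
    if (!HOST_LABEL.test(host.slice(0, -SITE_SUFFIX.length))) return reject();

    // Refuse dot-segments, raw or percent-encoded, instead of relying on how
    // the origin interprets them.
    var decoded;
    try {
        decoded = decodeURIComponent(request.uri);
    } catch (e) {
        return reject(); // malformed percent-encoding
    }
    if (decoded.split('/').indexOf('..') !== -1) return reject();

    // hostname -> path: /index.html becomes /<host>/index.html
    var uri = request.uri.endsWith('/') ? request.uri + 'index.html' : request.uri;
    request.uri = '/' + host + uri;
    return request;
}

// Constructed viewer-request event, trimmed to the fields the function reads.
function sampleEvent(host, uri) {
    return { request: { method: 'GET', uri: uri, headers: { host: { value: host } } } };
}
```

Because every site shares one bucket, the Host header alone selects the key prefix, so the function rejects any host that is not a single label under the expected domain.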

Deletion Command and Verification

aws s3api delete-bucket --bucket adamcherrycomics.dangerouscentaur.com --region us-east-1

# Verify deletion:
aws s3api head-bucket --bucket adamcherrycomics.dangerouscentaur.com 2>&1
# Expected output: An error (404 or "Not Found")

Infrastructure Diagram (Post-Consolidation)


Browser Request
       |
       v
DNS (adamcherrycomics.dangerouscentaur.com CNAME)
       |
       v
CloudFront Distribution (E2Q4UU71SRNTMB)
       |
       +--> Viewer Request
       |      (dc-sites-router Function)
       |      Rewrite: hostname → path
       |
       v
Origin: dc-sites.s3.us-east-1.amazonaws.com
       |
       v
S3 Object Key:
  adamcherrycomics.dangerouscentaur.com/index.html

Key Decisions and Rationale

Why Consolidate to a Single Bucket?

  • Operational simplicity: One bucket policy, one set of access logs, one lifecycle rule
  • Cost: S3 charges per-bucket; consolidation reduces the bucket count from N to 1
  • Scalability: Adding a new dangerouscentaur.com site requires only a DNS CNAME and S3 prefix, not a new bucket or CloudFront distribution
  • Security: Centralized IAM controls; consistent encryption and versioning across all sites

Why Keep the CloudFront Distribution at the Subdomain Level?

Using a single CloudFront distribution for all subdomains (rather than one per subdomain) enables:

  • Unified caching policy and invalidation strategy