Name: AWS Infrastructure Setup
Save to: ~/.claude/skills/aws-infrastructure-setup.md
---
name: aws-infrastructure-setup
description: Set up AWS infrastructure from scratch — VPC, EC2, RDS, S3, IAM. Use when user says "set up AWS", "create VPC", "deploy to AWS", or "configure EC2".
---
Walk the user through setting up production-ready AWS infrastructure.
## Instructions
### Step 1: AWS Account & CLI Setup
Ask the user:
- Do they have an AWS account? If not, guide to aws.amazon.com
- Is AWS CLI installed? If not:
```bash
brew install awscli # macOS
# or
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install # Linux
```
- Configure credentials:
```bash
aws configure
# Enter: Access Key ID, Secret Access Key, Region (us-east-1), Output (json)
```
### Step 2: VPC & Networking
Create a VPC with public and private subnets:
1. **VPC**: 10.0.0.0/16 CIDR block
2. **Public subnets**: 10.0.1.0/24, 10.0.2.0/24 (two AZs for redundancy)
3. **Private subnets**: 10.0.3.0/24, 10.0.4.0/24
4. **Internet Gateway**: Attach to VPC
5. **NAT Gateway**: In public subnet for private subnet internet access
6. **Route tables**: Public → IGW, Private → NAT
Generate the Terraform or CloudFormation template based on user preference. If they prefer CLI:
```bash
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=prod-vpc}]'
```
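The subnet layout in Step 2 can be derived rather than typed by hand. The following is an added example (not part of the original skill) that carves the /16 into one public and one private /24 per availability zone with Python's `ipaddress` module, checks that nothing overlaps or falls outside the VPC, and renders the `aws ec2` calls as strings for review. The availability-zone names are assumptions; the `$VPC_ID`-style variables stand for IDs returned by earlier calls. Nothing here contacts AWS.

```python
"""Plan the two-tier VPC from Step 2 and emit the AWS CLI calls for review.

Added example, not the skill's own code. Subnets are carved with ipaddress so
the plan can be validated offline before any resource is created.
"""
import ipaddress
from typing import Dict, List

# Assumed availability zones; change to match the region given to `aws configure`.
AZS = ["us-east-1a", "us-east-1b"]


def plan_vpc(vpc_cidr: str = "10.0.0.0/16", azs: List[str] = AZS) -> Dict:
    """Return the subnet plan: one public /24 per AZ, then one private /24 per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    # Skip the first /24 so numbering starts at 10.0.1.0/24 as in the skill text.
    blocks = list(vpc.subnets(new_prefix=24))[1:]
    subnets = []
    for i, az in enumerate(azs):
        subnets.append({"name": f"public-{az}", "cidr": str(blocks[i]), "az": az, "public": True})
    for i, az in enumerate(azs):
        subnets.append({"name": f"private-{az}", "cidr": str(blocks[len(azs) + i]),
                        "az": az, "public": False})
    return {"vpc_cidr": vpc_cidr, "subnets": subnets}


def validate_plan(plan: Dict) -> List[str]:
    """Return problems found: subnets outside the VPC range or overlapping each other."""
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan["subnets"]]
    problems = []
    for s, n in zip(plan["subnets"], nets):
        if not n.subnet_of(vpc):
            problems.append(f"{s['name']} {n} is outside {vpc}")
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                problems.append(f"{plan['subnets'][i]['name']} overlaps {plan['subnets'][j]['name']}")
    return problems


def cli_commands(plan: Dict, name: str = "prod") -> List[str]:
    """Render the aws ec2 calls for the plan, in dependency order.

    IDs produced by earlier calls appear as shell variables ($VPC_ID, $IGW_ID, ...)
    that the operator fills in from each command's JSON output.
    """
    cmds = [
        f"aws ec2 create-vpc --cidr-block {plan['vpc_cidr']} "
        f"--tag-specifications 'ResourceType=vpc,Tags=[{{Key=Name,Value={name}-vpc}}]'",
        "aws ec2 create-internet-gateway",
        "aws ec2 attach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID",
    ]
    for s in plan["subnets"]:
        cmds.append(
            f"aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block {s['cidr']} "
            f"--availability-zone {s['az']} "
            f"--tag-specifications 'ResourceType=subnet,Tags=[{{Key=Name,Value={s['name']}}}]'"
        )
    # One NAT gateway in the first public subnet; the private route table defaults to it.
    cmds += [
        "aws ec2 allocate-address --domain vpc",
        "aws ec2 create-nat-gateway --subnet-id $PUBLIC_SUBNET_ID_1 --allocation-id $EIP_ALLOC_ID",
        "aws ec2 create-route-table --vpc-id $VPC_ID  # public route table -> $PUBLIC_RT_ID",
        "aws ec2 create-route --route-table-id $PUBLIC_RT_ID --destination-cidr-block 0.0.0.0/0 "
        "--gateway-id $IGW_ID",
        "aws ec2 create-route-table --vpc-id $VPC_ID  # private route table -> $PRIVATE_RT_ID",
        "aws ec2 create-route --route-table-id $PRIVATE_RT_ID --destination-cidr-block 0.0.0.0/0 "
        "--nat-gateway-id $NAT_ID",
    ]
    for s in plan["subnets"]:
        rt = "$PUBLIC_RT_ID" if s["public"] else "$PRIVATE_RT_ID"
        cmds.append(f"aws ec2 associate-route-table --route-table-id {rt} --subnet-id ${s['name'].upper().replace('-', '_')}_ID")
    return cmds


if __name__ == "__main__":
    plan = plan_vpc()
    assert not validate_plan(plan), validate_plan(plan)
    print("\n".join(cli_commands(plan)))
```

Run it to print the command list; `validate_plan` is the check worth keeping in any hand-edited plan, since an overlapping or out-of-range CIDR is rejected by the API only after the VPC already exists.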
### Step 3: Security Groups
Create security groups for each tier:
- **ALB/Public**: Inbound 80, 443 from 0.0.0.0/0
- **App/EC2**: Inbound from ALB SG only (port 3000 or 8080)
- **Database/RDS**: Inbound 5432 (Postgres) or 3306 (MySQL) from App SG only
- **SSH Bastion**: Inbound 22 from user's IP only
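The tiered rules above are easiest to get right when the groups are written down as data and checked before they are applied. The following is an added example (not part of the original skill) that expresses the four groups with group-to-group references, audits them against the Step 8 checklist (no sensitive port open to 0.0.0.0/0, no dangling group reference, public ingress only on the ALB), and renders the matching `aws ec2 authorize-security-group-ingress` calls. Group names, the admin CIDR and the app-to-bastion SSH rule are assumptions.

```python
"""Security groups for ALB, app, database and bastion tiers, with a checklist audit.

Added example, not the skill's own code. Rules reference other groups by name;
the renderer turns those names into $ALB_SG-style shell variables.
"""
import ipaddress
from typing import Dict, List

ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.10/32"   # assumed operator address (TEST-NET-3 range)
SENSITIVE_PORTS = {22, 3306, 5432}
PUBLIC_GROUPS = {"alb-sg"}       # the only group allowed to accept 0.0.0.0/0


def rule(port: int, source: str, proto: str = "tcp") -> Dict:
    """One inbound rule; `source` is a CIDR or the name of another group."""
    return {"proto": proto, "from": port, "to": port, "source": source}


def security_groups(app_port: int = 3000, db_port: int = 5432,
                    admin_cidr: str = ADMIN_CIDR) -> Dict[str, List[Dict]]:
    """The Step 3 tiers: each tier admits traffic only from the tier in front of it."""
    return {
        "alb-sg": [rule(80, ANYWHERE), rule(443, ANYWHERE)],
        "app-sg": [rule(app_port, "alb-sg"), rule(22, "bastion-sg")],  # SSH via bastion assumed
        "db-sg": [rule(db_port, "app-sg")],
        "bastion-sg": [rule(22, admin_cidr)],
    }


def _is_cidr(source: str) -> bool:
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False


def audit(groups: Dict[str, List[Dict]]) -> List[str]:
    """Return checklist findings; an empty list means the plan passes."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            src = r["source"]
            ports = range(r["from"], r["to"] + 1)
            if src == ANYWHERE:
                if any(p in SENSITIVE_PORTS for p in ports):
                    findings.append(f"{name}: port {r['from']} open to {ANYWHERE}")
                elif name not in PUBLIC_GROUPS:
                    findings.append(f"{name}: public ingress on port {r['from']} outside the ALB tier")
            elif not _is_cidr(src) and src not in groups:
                findings.append(f"{name}: references undefined group {src}")
    return findings


def cli_commands(groups: Dict[str, List[Dict]]) -> List[str]:
    """Render authorize-security-group-ingress calls; group IDs are shell variables."""
    def var(name: str) -> str:
        return "$" + name.upper().replace("-", "_")
    cmds = []
    for name, rules in groups.items():
        for r in rules:
            base = (f"aws ec2 authorize-security-group-ingress --group-id {var(name)} "
                    f"--protocol {r['proto']} --port {r['from']}")
            if _is_cidr(r["source"]):
                cmds.append(f"{base} --cidr {r['source']}")
            else:
                cmds.append(f"{base} --source-group {var(r['source'])}")
    return cmds


if __name__ == "__main__":
    sgs = security_groups()
    for f in audit(sgs):
        print("FINDING:", f)
    print("\n".join(cli_commands(sgs)))
```

Running `audit` on a group set that someone later loosens (say, bastion SSH changed to 0.0.0.0/0 for convenience) produces the finding before the change reaches the account, which is the cheapest point to catch it.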
### Step 4: EC2 Instance
Ask the user about their workload:
- Instance type recommendation:

| Workload | Type | vCPU | RAM | Cost/mo |
|----------|------|------|-----|---------|
| Dev/test | t3.micro | 2 | 1GB | ~$8 |
| Small app | t3.small | 2 | 2GB | ~$15 |
| Production | t3.medium | 2 | 4GB | ~$30 |
| High traffic | m5.large | 2 | 8GB | ~$70 |
- Generate user data script for their stack (Node.js, Python, Docker, etc.)
- Set up SSH key pair
- Assign to private subnet with ALB in front
### Step 5: RDS Database
- Engine: PostgreSQL 16 or MySQL 8
- Instance: db.t3.micro (dev) or db.t3.medium (prod)
- Multi-AZ: Yes for production
- Storage: 20GB gp3, auto-scaling enabled
- Subnet group: Private subnets only
- Parameter group: Set timezone, max_connections
### Step 6: S3 Buckets
Create buckets for:
- **Assets/uploads**: Public read, versioning enabled
- **Backups**: Private, lifecycle rules (move to Glacier after 90 days)
- **Logs**: Private, server access logging
Add a CORS configuration to the asset bucket if browsers fetch from it directly.
### Step 7: IAM Roles & Policies
- EC2 instance role: S3 read/write on the app's buckets, CloudWatch Logs, SSM Session Manager for shell access
- Deploy role: ECR push, ECS update, S3 sync
- Monitoring role: CloudWatch read-only
Follow least-privilege: only grant what's needed.
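Step 6 and Step 7 both come down to policy documents, and "only grant what's needed" is checkable. The following is an added example (not part of the original skill) that builds the asset bucket policy (public object read, nothing else), the backup lifecycle rule (Glacier after 90 days) and a scoped EC2 instance-role policy, then runs a small least-privilege audit over any policy: wildcard actions, `Resource: "*"` outside the SSM actions that require it, and any public principal granted a write action. Bucket names, the account ID and the log-group prefix are placeholders.

```python
"""Policy documents for the S3 and IAM steps, plus a least-privilege audit.

Added example, not the skill's own code. Feed the JSON to
`aws s3api put-bucket-policy --policy file://...` or
`aws iam put-role-policy --policy-document file://...`.
"""
import json
from typing import Dict, List

ACCOUNT_ID = "123456789012"           # placeholder account
REGION = "us-east-1"
ASSETS_BUCKET = "example-prod-assets"  # assumed bucket names
BACKUP_BUCKET = "example-prod-backups"
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:*", "*"}
# Session Manager's ssmmessages actions do not support resource-level scoping.
STAR_RESOURCE_OK = ("ssm", "ssmmessages")


def assets_bucket_policy(bucket: str = ASSETS_BUCKET) -> Dict:
    """Public read of objects only; no statement grants a write to a public principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadObjects", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"], "Resource": [f"arn:aws:s3:::{bucket}/*"]}]}


def backup_lifecycle() -> Dict:
    """Lifecycle configuration for the backup bucket: Glacier after 90 days."""
    return {"Rules": [{"ID": "archive-after-90d", "Status": "Enabled", "Filter": {"Prefix": ""},
                       "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]}


def ec2_instance_policy(assets: str = ASSETS_BUCKET, backups: str = BACKUP_BUCKET,
                        account: str = ACCOUNT_ID, region: str = REGION) -> Dict:
    """Instance role: read/write on two named buckets, CloudWatch Logs, Session Manager."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketList", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{assets}", f"arn:aws:s3:::{backups}"]},
        {"Sid": "ObjectRW", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{assets}/*", f"arn:aws:s3:::{backups}/*"]},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams"],
         "Resource": [f"arn:aws:logs:{region}:{account}:log-group:/app/*"]},
        {"Sid": "SSMSession", "Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel",
                    "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
                    "ssmmessages:OpenDataChannel"],
         "Resource": "*"},
    ]}


def _as_list(v) -> List:
    return v if isinstance(v, list) else [v]


def audit_policy(doc: Dict) -> List[str]:
    """Return least-privilege findings for one policy document (empty means clean)."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        public = st.get("Principal") in ("*", {"AWS": "*"})
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a}")
        if public and any(a in WRITE_ACTIONS for a in actions):
            findings.append(f"{sid}: public principal granted write")
        if "*" in resources and not all(a.split(":")[0] in STAR_RESOURCE_OK for a in actions):
            findings.append(f"{sid}: Resource '*' with actions {actions}")
    return findings


def to_json(doc: Dict) -> str:
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name, doc in [("assets bucket", assets_bucket_policy()), ("ec2 role", ec2_instance_policy())]:
        print(name, "findings:", audit_policy(doc) or "none")
    print(to_json(ec2_instance_policy()))
```

The audit is deliberately narrow: it catches the three mistakes that most often turn "read/write on S3" into "write anywhere", and it passes the SSM statement only because those actions genuinely cannot be scoped. A production check would also confirm the bucket's public-access-block settings, which a bucket policy alone does not control.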
### Step 8: Verification Checklist
- [ ] VPC created with public/private subnets in 2+ AZs
- [ ] Security groups follow least-privilege (no 0.0.0.0/0 on SSH)
- [ ] EC2 accessible via ALB, not directly
- [ ] RDS in private subnet, not publicly accessible
- [ ] S3 buckets have proper ACLs and no public write
- [ ] IAM roles use least-privilege policies
- [ ] CloudWatch alarms set for CPU, memory, disk
- [ ] Backups configured (RDS snapshots, S3 versioning)
## Output
Provide the user with:
1. Architecture diagram (text-based)
2. All resource IDs and endpoints
3. Connection strings (with placeholder credentials)
4. Cost estimate (monthly)
5. Next steps (domain setup, SSL, CI/CD)