Documentation Index
Fetch the complete documentation index at: https://docs.bunship.com/llms.txt
Use this file to discover all available pages before exploring further.
AWS gives you full control over infrastructure, scaling, and networking. This guide covers deploying BunShip with ECS Fargate (the recommended approach), with notes on EC2 and Lambda alternatives.
Architecture Options
| Option | Best For | Operational Overhead |
|---|
| ECS Fargate | Most teams. Serverless containers, no servers to manage. | Low |
| ECS on EC2 | Cost optimization at scale. You manage the EC2 instances. | Medium |
| EC2 directly | Full control. Run Docker or PM2 on bare instances. | High |
| Lambda | Event-driven workloads. Not ideal for BunShip’s persistent API. | Low (but limited) |
This guide focuses on ECS Fargate. It provides the best balance of simplicity and production
readiness for BunShip deployments.
Prerequisites
- An AWS account
- The AWS CLI v2 installed and configured
- A Turso account for the database
- Docker installed locally (for building images)
# Verify AWS CLI
aws --version
aws sts get-caller-identity
ECS Fargate Deployment
Create an ECR repository
Amazon Elastic Container Registry stores your Docker images.aws ecr create-repository \
--repository-name bunship-api \
--region us-east-1
# Save the repository URI
# Example: 123456789012.dkr.ecr.us-east-1.amazonaws.com/bunship-api
Build and push the image
# Authenticate Docker with ECR
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin \
123456789012.dkr.ecr.us-east-1.amazonaws.com
# Build the image
docker build -f docker/Dockerfile.api -t bunship-api:latest .
# Tag for ECR
docker tag bunship-api:latest \
123456789012.dkr.ecr.us-east-1.amazonaws.com/bunship-api:latest
# Push
docker push \
123456789012.dkr.ecr.us-east-1.amazonaws.com/bunship-api:latest
Create an ECS cluster
aws ecs create-cluster \
--cluster-name bunship-cluster \
--capacity-providers FARGATE \
--default-capacity-provider-strategy capacityProvider=FARGATE,weight=1
Store secrets in AWS Secrets Manager
Store sensitive values separately from your task definition.aws secretsmanager create-secret \
--name bunship/production \
--secret-string '{
"JWT_SECRET": "your-jwt-secret",
"JWT_REFRESH_SECRET": "your-refresh-secret",
"DATABASE_AUTH_TOKEN": "your-turso-token",
"STRIPE_SECRET_KEY": "sk_live_xxx",
"STRIPE_WEBHOOK_SECRET": "whsec_xxx",
"RESEND_API_KEY": "re_xxx",
"REDIS_URL": "rediss://default:xxx@your-redis:6379"
}'
Create a task definition
Save this as ecs-task-definition.json:{
"family": "bunship-api",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "512",
"memory": "1024",
"executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
"taskRoleArn": "arn:aws:iam::123456789012:role/bunshipTaskRole",
"containerDefinitions": [
{
"name": "api",
"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/bunship-api:latest",
"essential": true,
"portMappings": [
{
"containerPort": 3000,
"protocol": "tcp"
}
],
"environment": [
{ "name": "NODE_ENV", "value": "production" },
{ "name": "PORT", "value": "3000" },
{ "name": "API_URL", "value": "https://api.yourdomain.com" },
{ "name": "FRONTEND_URL", "value": "https://yourdomain.com" },
{ "name": "DATABASE_URL", "value": "libsql://your-db.turso.io" }
],
"secrets": [
{
"name": "JWT_SECRET",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:JWT_SECRET::"
},
{
"name": "JWT_REFRESH_SECRET",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:JWT_REFRESH_SECRET::"
},
{
"name": "DATABASE_AUTH_TOKEN",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:DATABASE_AUTH_TOKEN::"
},
{
"name": "STRIPE_SECRET_KEY",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:STRIPE_SECRET_KEY::"
},
{
"name": "REDIS_URL",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:REDIS_URL::"
},
{
"name": "RESEND_API_KEY",
"valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:bunship/production:RESEND_API_KEY::"
}
],
"healthCheck": {
"command": ["CMD-SHELL", "bun fetch http://localhost:3000/health || exit 1"],
"interval": 30,
"timeout": 5,
"retries": 3,
"startPeriod": 10
},
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/bunship-api",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "api"
}
}
}
]
}
aws ecs register-task-definition \
--cli-input-json file://ecs-task-definition.json
Create an Application Load Balancer
The ALB distributes traffic across your ECS tasks and terminates TLS.# Create a target group
aws elbv2 create-target-group \
--name bunship-api-tg \
--protocol HTTP \
--port 3000 \
--vpc-id vpc-xxx \
--target-type ip \
--health-check-path /health \
--health-check-interval-seconds 30
# Create the ALB
aws elbv2 create-load-balancer \
--name bunship-alb \
--subnets subnet-xxx subnet-yyy \
--security-groups sg-xxx
# Create an HTTPS listener
aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:... \
--protocol HTTPS \
--port 443 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/xxx \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...
# Redirect HTTP to HTTPS
aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:... \
--protocol HTTP \
--port 80 \
--default-actions Type=redirect,RedirectConfig='{Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'
Create the ECS service
aws ecs create-service \
--cluster bunship-cluster \
--service-name bunship-api \
--task-definition bunship-api:1 \
--desired-count 2 \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-xxx,subnet-yyy],securityGroups=[sg-xxx],assignPublicIp=ENABLED}" \
--load-balancers "targetGroupArn=arn:aws:elasticloadbalancing:...,containerName=api,containerPort=3000" \
--deployment-configuration "minimumHealthyPercent=100,maximumPercent=200" \
--health-check-grace-period-seconds 60
Deploy the worker
Create a second task definition for the worker with a different command. The worker does not need a load balancer or port mappings.# Use the same image, different command
# In the container definition:
# "command": ["bun", "run", "apps/api/src/worker.ts"]
# Remove portMappings and healthCheck
aws ecs create-service \
--cluster bunship-cluster \
--service-name bunship-worker \
--task-definition bunship-worker:1 \
--desired-count 1 \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx],assignPublicIp=ENABLED}"
ElastiCache for Redis
If you prefer AWS-managed Redis over Upstash or other providers:
# Create a Redis cluster
aws elasticache create-replication-group \
--replication-group-id bunship-redis \
--replication-group-description "BunShip Redis" \
--engine redis \
--engine-version 7.0 \
--cache-node-type cache.t4g.micro \
--num-cache-clusters 1 \
--automatic-failover-enabled \
--at-rest-encryption-enabled \
--transit-encryption-enabled \
--cache-subnet-group-name your-subnet-group \
--security-group-ids sg-xxx
REDIS_URL secret to point to the ElastiCache endpoint:
rediss://your-cluster.xxx.cache.amazonaws.com:6379
ElastiCache is VPC-only. Your ECS tasks must run in the same VPC and security group must allow
port 6379 between the ECS tasks and the ElastiCache cluster.
S3 Bucket Configuration
Create a bucket for file uploads:
# Create the bucket
aws s3api create-bucket \
--bucket bunship-uploads \
--region us-east-1
# Block public access (serve files through signed URLs or CloudFront)
aws s3api put-public-access-block \
--bucket bunship-uploads \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
# Set CORS for direct uploads
aws s3api put-bucket-cors \
--bucket bunship-uploads \
--cors-configuration '{
"CORSRules": [
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedOrigins": ["https://yourdomain.com"],
"MaxAgeSeconds": 3600
}
]
}'
S3_ENDPOINT=https://s3.us-east-1.amazonaws.com
S3_BUCKET=bunship-uploads
S3_ACCESS_KEY_ID=AKIA...
S3_SECRET_ACCESS_KEY=xxx
S3_REGION=us-east-1
For ECS tasks, use an IAM task role with S3 permissions instead of access keys. This avoids
storing long-lived credentials.
CloudFront CDN
Place CloudFront in front of your ALB for edge caching and DDoS protection:
aws cloudfront create-distribution \
--origin-domain-name bunship-alb-xxx.us-east-1.elb.amazonaws.com \
--default-root-object "" \
--query 'Distribution.DomainName'
| Setting | Value | Reason |
|---|
| Cache Policy | CachingDisabled | API responses are dynamic |
| Origin Request Policy | AllViewer | Forward all headers, cookies, query strings |
| Viewer Protocol Policy | redirect-to-https | Enforce HTTPS |
| Allowed HTTP Methods | GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE | Full API support |
ALB Health Checks
The ALB health check confirms each ECS task is ready to serve traffic:
| Setting | Value |
|---|
| Path | /health |
| Protocol | HTTP |
| Port | 3000 |
| Healthy threshold | 2 consecutive successes |
| Unhealthy threshold | 3 consecutive failures |
| Interval | 30 seconds |
| Timeout | 5 seconds |
CI/CD with GitHub Actions
BunShip includes a release workflow (.github/workflows/release.yml) that builds and pushes Docker images when you create a version tag. Extend it with an ECS deployment step:
# Add to .github/workflows/release.yml after the build-and-push job:
deploy:
name: Deploy to ECS
runs-on: ubuntu-latest
needs: build-and-push
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Download task definition
run: |
aws ecs describe-task-definition \
--task-definition bunship-api \
--query taskDefinition > task-definition.json
- name: Update image in task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: task-definition.json
container-name: api
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-and-push.outputs.version }}
- name: Deploy to ECS
uses: aws-actions/amazon-ecs-deploy-task-definition@v2
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: bunship-api
cluster: bunship-cluster
wait-for-service-stability: true
- name: Deploy worker
run: |
aws ecs update-service \
--cluster bunship-cluster \
--service bunship-worker \
--force-new-deployment
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
Scaling
ECS Auto Scaling
Configure target tracking to scale based on CPU utilization:
# Register a scalable target
aws application-autoscaling register-scalable-target \
--service-namespace ecs \
--resource-id service/bunship-cluster/bunship-api \
--scalable-dimension ecs:service:DesiredCount \
--min-capacity 2 \
--max-capacity 10
# Create a scaling policy
aws application-autoscaling put-scaling-policy \
--service-namespace ecs \
--resource-id service/bunship-cluster/bunship-api \
--scalable-dimension ecs:service:DesiredCount \
--policy-name cpu-tracking \
--policy-type TargetTrackingScaling \
--target-tracking-scaling-policy-configuration '{
"TargetValue": 70.0,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "ECSServiceAverageCPUUtilization"
},
"ScaleInCooldown": 300,
"ScaleOutCooldown": 60
}'
Cost Estimates
Approximate monthly costs for a small production deployment in us-east-1:
| Resource | Configuration | Estimated Cost |
|---|
| ECS Fargate (API, 2 tasks) | 0.5 vCPU, 1 GB each | ~$30 |
| ECS Fargate (Worker, 1 task) | 0.5 vCPU, 1 GB | ~$15 |
| ALB | Standard | ~$18 |
| ElastiCache (Redis) | cache.t4g.micro | ~$12 |
| CloudFront | 10 GB transfer | ~$1 |
| S3 | 5 GB storage | ~$0.12 |
| Secrets Manager | 7 secrets | ~$3 |
| Total | | ~$79 |
