Build Feed

Every CI build in the pipeline — passes, failures, and what each one revealed.

PASS · #41 · 2026-06-22 · production · 76fbd85

Production tofu reconcile — 0 changes; buildcam.ai state clean

Fix: create_hosted_zone=true (Build #40 had false, which set zone count=0 and planned destroy). Apply: 0 added, 0 changed, 0 destroyed. Route 53 zone Z058930713XQYAP42V3C5 fully reconciled with tfvars.

FAIL · #40 · 2026-06-22 · production · 4b292a4

create_hosted_zone=false planned zone destroy — HostedZoneNotEmpty

production.tfvars had create_hosted_zone=false after domain-bootstrap merge. This set count=0 on aws_route53_zone.buildcam, planning a destroy. AWS rejected: zone has A records + cert CNAMEs. Fix in Build #41.

PASS · #39 · 2026-06-22 · production-domain-bootstrap · c715a1c

buildcam.ai LIVE — HTTPS verified on 4 URLs after 9 failed builds

Phase 1a: Route 53 zone Z058930713XQYAP42V3C5 created, ACM cert b24bfc84 requested. Phase 1b: cert validation CNAMEs. Phase 2–3: GoDaddy NS updated to 4 Route 53 nameservers. Phase 4: cert ISSUED (8 min). Phase 5: CloudFront E1SDUOSKW85R0A aliased to buildcam.ai + www. Phase 6: HTTP 200 on buildcam.ai, www.buildcam.ai, /builds/, /sitemap.xml.

FAIL · #38 · 2026-06-22 · production-domain-bootstrap · d16d51e

GoDaddy 1Password field label mismatch — Key vs key

Credential resolver tried: 'api key', 'api_key', 'key', 'API Key'. Field dump revealed: type=MENU, label='Key' (capital K). Secondary field: type=CONCEALED, id=credential. Fixed in Build #39.

PASS · #25 · 2026-06-22 · production · df6d618

PKT-BCM-2026-0019 — public launch readiness deployed; 10 routes HTTP 200

SEO + sitemap.xml + analytics + /sponsor page + /episodes + design system scaffold. 10 routes HTTP 200 including /sitemap.xml. Canonical URL buildcam.ai. OG metadata on all routes.

PASS · #20 · 2026-06-22 · production · c8f0f6e

First production content deploy — all 9 routes HTTP 200

Promoted staging RC c8f0f6e to production. Pipeline gate (approve-production) unblocked by agent after all criteria verified. tofu-production: no infra changes. deploy-production: S3 sync + CloudFront invalidation. Production live at d1bspkt74z4742.cloudfront.net.

PASS · #19 · 2026-06-22 · staging · c8f0f6e

Staging validation — pipeline fixes + iteration #1 content

After Build #18 revealed RC 338a09d had old pipeline.yml, develop was fast-forwarded to staging. This build validated: approve-production key, depends_on fix, least-privilege roles, builds feed, failure museum (F-001–F-005), viewport meta, robots.txt.

FAIL · #18 · 2026-06-22 · production · 338a09d

RC pipeline mismatch — gate bypassed, bootstrap admin 403

tofu-production ran without waiting for approve-production gate (depends_on: web-ci, no key). Attempted ZentariBuildkiteBootstrapAdminRole (retired, 0 policies) — 403 on S3 state bucket. Root cause: pipeline fixes on develop not yet merged to staging before RC selection (F-006).

PASS · #17 · 2026-06-22 · production-bootstrap · dc9bd7b

Production infra provisioned — CloudFront + roles + bootstrap retired

One-time bootstrap apply: tofu init/validate/plan/apply in account 715398629366. Created ZentariAgentPermissionsBoundary, BuildCamOpenTofuApplyRole, buildcam-web-deploy-production. CloudFront E1SDUOSKW85R0A at d1bspkt74z4742.cloudfront.net. Bootstrap admin AdministratorAccess detached, tagged emergency-only.

PASS · #16 · 2026-06-21 · production-bootstrap-retire · 9487962

Bootstrap admin retired — AdministratorAccess detached

One-time cleanup job: ZentariBuildkiteBootstrapAdminRole detached AdministratorAccess from itself via OIDC. Verified 0 attached policies. Tagged emergency-only.

PASS · #14 · 2026-06-21 · staging · 2820084

Least-privilege validated — no bootstrap admin

BuildCamOpenTofuApplyRole runs full tofu plan+apply. buildcam-web-deploy-staging handles S3 sync + CloudFront invalidation. Zero AdministratorAccess in any pipeline step.

PART · #13 · 2026-06-21 · staging · 4ed9fe9

Bootstrap admin applies final permission fixes

Added cloudfront:ListTagsForResource and iam:ListAttachedRolePolicies to least-privilege role policy. Deploy step used least-priv; tofu step used bootstrap admin temporarily.

FAIL · #12 · 2026-06-21 · staging · 4af388e

Missing: cloudfront:ListTagsForResource + iam:ListAttachedRolePolicies

Terraform reads distribution tags during plan (needs ListTagsForResource). Listing a role's attached managed policies is a different IAM API call from listing its inline policies; both are required.

FAIL · #10 · 2026-06-21 · staging · 2a5c0ce

Three permission gaps found

budgets:ListTagsForResource missing. iam:PermissionsBoundary condition key only set on mutating calls — blocked read operations. S3 Get* variants needed.

FAIL · #8 · 2026-06-21 · staging · 31b385a

StringEquals + wildcard — literal asterisk never matches

IAM trust policy used StringEquals for sub condition with * wildcard. Buildkite sub format includes commit SHA — needs StringLike. The asterisk was being matched literally.

FAIL · #7 · 2026-06-21 · staging · 77068ea

Wrong OIDC audience in all trust policies

Trust policies had audience = 'https://buildkite.com'. Pipeline requests --audience sts.amazonaws.com. AssumeRoleWithWebIdentity rejected every token.
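The two trust-policy failures above (Build #8's StringEquals with a wildcard, Build #7's wrong audience) can be reproduced offline with a small evaluator. This is an added example, not code from the pipeline; it isolates each defect in its own condition block. The condition key names (`agent.buildkite.com:aud` / `:sub`), the layout of the sub claim, and every claim value except the pipeline name are assumptions constructed for illustration.

```python
import re

def string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,  # '*' is literal
    "StringLike": string_like,
}

def failed_conditions(condition, claims):
    """Return the (operator, key) pairs a token fails; empty list = trusted."""
    failed = []
    for op, tests in condition.items():
        for key, expected in tests.items():
            actual = claims.get(key.rsplit(":", 1)[-1])  # 'issuer:sub' -> 'sub'
            allowed = expected if isinstance(expected, list) else [expected]
            if actual is None or not any(OPERATORS[op](e, actual) for e in allowed):
                failed.append((op, key))
    return failed

# Constructed token claims (org, ref, commit and step are made up).
CLAIMS = {
    "aud": "sts.amazonaws.com",
    "sub": "organization:example-org:pipeline:buildcam-web-ci:ref:refs/heads/staging"
           ":commit:0123456789abcdef0123456789abcdef01234567:step:tofu",
}
SUB = "organization:example-org:pipeline:buildcam-web-ci:*"
AUD_KEY, SUB_KEY = "agent.buildkite.com:aud", "agent.buildkite.com:sub"

# Build #7 defect in isolation: audience does not match what the pipeline requests.
AUD_BUG = {"StringEquals": {AUD_KEY: "https://buildkite.com"},
           "StringLike": {SUB_KEY: SUB}}
# Build #8 defect in isolation: wildcard under StringEquals is compared literally.
SUB_BUG = {"StringEquals": {AUD_KEY: "sts.amazonaws.com", SUB_KEY: SUB}}
# Corrected form: exact match on aud, StringLike on sub.
FIXED = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
         "StringLike": {SUB_KEY: SUB}}

if __name__ == "__main__":
    for name, cond in [("aud bug", AUD_BUG), ("sub bug", SUB_BUG), ("fixed", FIXED)]:
        print(name, failed_conditions(cond, CLAIMS) or "trusted")
```

Running the same check over trust policies before they are applied catches both defects at plan time instead of as a rejected AssumeRoleWithWebIdentity call.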

PASS · #5 · 2026-06-22 · staging · 77e1a9d

Staging live — CloudFront at d2keolaudxsmby.cloudfront.net

First successful deploy. S3 bucket created. CloudFront distribution with OAC, index rewrite function, immutable asset cache headers. HTTP 200 confirmed.

Pipeline: buildcam-web-ci · Builds are public evidence. Failures included.