docs: add README for site contributors and infra maintainers

Mohitsharma44 · claude · Mohitsharma44 · commit 4c8fe62bafba · 2026-02-11T23:13:47.000-08:00
Root README targets research scientists managing content — covers
editing workflow, deployment pipeline, file structure, and publications.
Infra README documents architecture, Terraform files, CI/CD, IAM roles,
domains, and bootstrap procedure.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -1,2 +1,57 @@
-# website
-The CUSP Urban Observatory pubilc website
+# CUSP Urban Observatory
+
+[![Deploy Site](https://github.com/CUSPUO/cuspuo.github.io/actions/workflows/deploy.yml/badge.svg)](https://github.com/CUSPUO/cuspuo.github.io/actions/workflows/deploy.yml)
+[![Terraform](https://github.com/CUSPUO/cuspuo.github.io/actions/workflows/terraform.yml/badge.svg)](https://github.com/CUSPUO/cuspuo.github.io/actions/workflows/terraform.yml)
+
+The public website for the CUSP Urban Observatory.
+
+**Live at:** [cuspuo.org](https://cuspuo.org) | [cuspuo.com](https://cuspuo.com)
+
+## Editing the Site
+
+The site is static HTML. To make changes:
+
+1. Edit the relevant files (see [File Structure](#file-structure) below)
+2. Commit and push to the `master` branch (or open a PR and merge it)
+3. The site automatically deploys within ~1 minute
+
+No build step, no manual deployment — just edit, push, and it's live.
+
+## How Deployment Works
+
+When changes are pushed to `master`:
+
+1. **Sync** — All site files are uploaded to an S3 bucket
+2. **Cache clear** — CloudFront CDN cache is invalidated
+3. **Live** — Changes are available on all domains (cuspuo.org, cuspuo.com, and their www variants)
+
+HTML files are cached for 5 minutes; other assets (images, CSS, JS) are cached for 24 hours.
+
+## File Structure
+
+```
+index.html                  Main site page
+UOpublications.html         Publications listing
+404.html                    Custom error page
+comingsoon.html             Placeholder page
+images/                     Team photos and site images
+assets/                     CSS, JavaScript, and fonts
+projects/                   Project sub-pages (cdrhythms, visim_energy, etc.)
+bibtex2html/                Tool to convert BibTeX to HTML (see its own README)
+uo.bib                      BibTeX source for publications
+```
+
+## Updating Publications
+
+Publications are generated from `uo.bib` using the `bibtex2html/` tool:
+
+```bash
+cd bibtex2html
+python bibtex2html_p3.py ../uo.bib template.html ../UOpublications.html
+```
+
+See [`bibtex2html/README.md`](bibtex2html/README.md) for details.
+
+## Infrastructure
+
+The site is hosted on AWS (S3 + CloudFront) and managed with Terraform. See [`infra/README.md`](infra/README.md) for architecture, setup, and operational details.
diff --git a/infra/README.md b/infra/README.md
@@ -0,0 +1,111 @@
+# Infrastructure
+
+Terraform-managed AWS infrastructure for the CUSP Urban Observatory static site.
+
+## Architecture
+
+```
+                    ┌─────────────┐
+                    │   Route53   │
+                    │  DNS Zones  │
+                    └──────┬──────┘
+                           │ A/AAAA/CNAME
+                           ▼
+┌──────────┐       ┌──────────────┐       ┌────────────┐
+│   ACM    │──TLS──│  CloudFront  │──OAC──│  S3 Bucket │
+│  Cert    │       │ Distribution │       │ (private)  │
+└──────────┘       └──────────────┘       └────────────┘
+                     │           │
+              URL rewrite    Security headers
+             (index.html)    (HSTS, CSP, etc.)
+```
+
+- **S3** — Private bucket (`cuspuo-site`), accessible only via CloudFront OAC
+- **CloudFront** — CDN with TLS 1.2+, HTTP→HTTPS redirect, security headers, custom 404 page
+- **CloudFront Function** — Rewrites directory paths (`/path/` → `/path/index.html`)
+- **ACM** — TLS certificate with DNS validation for all active domains
+- **Route53** — DNS zones for `cuspuo.org` and `cuspuo.com` with A, AAAA, CNAME, and CAA records
+- **IAM** — GitHub Actions OIDC federation (no static credentials), separate deploy and terraform roles with permissions boundaries
+
+## Active Domains
+
+| Domain | DNS Provider | Status |
+|--------|-------------|--------|
+| cuspuo.org | Route53 | Active |
+| www.cuspuo.org | Route53 | Active |
+| cuspuo.com | Route53 | Active |
+| www.cuspuo.com | Route53 | Active |
+| muonetwork.com | GoDaddy | Deferred |
+| muonetwork.org | GoDaddy | Deferred |
+
+To enable the GoDaddy domains, set `external_domains = ["muonetwork.com", "muonetwork.org"]` in `variables.tf` and follow the output instructions for manual DNS configuration.
+
+## CI/CD Workflows
+
+| Workflow | Trigger | Action |
+|----------|---------|--------|
+| **Deploy Site** | Push to `master` (non-infra files) | S3 sync + CloudFront invalidation |
+| **Terraform Plan** | PR with `infra/**` changes | Plan + Infracost cost estimate posted to PR |
+| **Terraform Apply** | Push to `master` with `infra/**` changes | Auto-apply (no manual approval) |
+
+## Prerequisites
+
+- **AWS CLI** with profile `muon` configured for account `217832331713`
+- **Terraform** >= 1.5.0
+
+## Local Usage
+
+All local terraform commands require the `muon` AWS profile:
+
+```bash
+cd infra
+
+# Set profile for the session
+export AWS_PROFILE=muon
+
+# Standard workflow
+terraform init
+terraform plan
+terraform apply
+```
+
+## State Management
+
+- **State bucket:** `cuspuo-terraform-state` (S3, versioned, encrypted)
+- **Lock table:** `cuspuo-terraform-lock` (DynamoDB)
+- **State key:** `cuspuo-site/terraform.tfstate`
+
+## Terraform Files
+
+| File | Purpose |
+|------|---------|
+| `providers.tf` | AWS provider config and S3 backend |
+| `variables.tf` | Input variables (domains, bucket names, GitHub config) |
+| `locals.tf` | Computed values (domain lists, aliases) |
+| `state.tf` | State bucket and DynamoDB lock table |
+| `s3.tf` | Site bucket with OAC policy |
+| `acm.tf` | TLS certificate and DNS validation |
+| `cloudfront.tf` | CDN distribution, URL rewrite function, security headers |
+| `iam.tf` | OIDC provider, deploy/terraform roles, permissions boundaries |
+| `route53.tf` | DNS records (A, AAAA, CNAME, CAA) |
+| `outputs.tf` | Distribution ID, role ARNs, GoDaddy instructions |
+
+## IAM Roles
+
+| Role | Purpose | Trust |
+|------|---------|-------|
+| `cuspuo-github-deploy` | S3 sync + CloudFront invalidation | `master` branch only |
+| `cuspuo-github-terraform` | Infrastructure management | `master` branch, PRs, and `production-infra` environment |
+
+Both roles use OIDC federation (no static AWS keys) and have permissions boundaries to prevent privilege escalation.
+
+## Bootstrap from Scratch
+
+If you ever need to recreate the infrastructure from zero:
+
+1. Comment out the `backend "s3"` block in `providers.tf`
+2. Run `terraform init` (uses local state)
+3. Run `terraform apply -target=aws_s3_bucket.state -target=aws_s3_bucket_versioning.state -target=aws_s3_bucket_server_side_encryption_configuration.state -target=aws_s3_bucket_public_access_block.state -target=aws_dynamodb_table.state_lock`
+4. Uncomment the backend block
+5. Run `terraform init -migrate-state` to move state to S3
+6. Run `terraform apply` for the full infrastructure
