customer-config.yml Reference

Overview

Edit customer-config.yml in your installer bundle before running make generate-customer-assets. This file declares your deployment namespace, AWS environments, hosted zones, admin users, optional Canton settings, and AWS resource tags.

customer-config.yml

Required fields:

  • namespace - deployment namespace (must match Makefile NAMESPACE)
  • environments - non-empty list; each entry includes name, account_id, region, testnet, hosted_zone, hosted_zone_id, components, and admins

Optional:

  • canton per environment - ledger, validator, token, and OAuth URLs when Canton is enabled
  • tags - key-value map of tags applied to CDK-provisioned AWS resources

Resource tags (tags)

Add a top-level tags map to label wallet infrastructure in your AWS account. Keys and values are strings forwarded to CDK resource tagging.

tags:
  env: production
  cost-center: custody
  team: platform-ops

Use names your organization already requires for cost allocation, ownership, or compliance reporting.

Optional: import existing AWS infrastructure

Standard installs omit the blocks below. The CDK long-lived stack then creates a VPC, ACM certificates, Route 53 records, and related resources.

Add these under the matching entry in the environments[] list when your platform team supplies existing infrastructure or manages DNS outside the wallet stack. The configurator applies them when you run make generate-customer-assets. You can also add or change the same blocks after generation if import decisions come later.

| Block | Use when |
|---|---|
| vpc_config | Deploy into an existing VPC and subnets instead of creating a new VPC |
| certificate_config | Attach existing ACM certificate ARNs for the ALB and CloudFront distribution |
| route53_records_config | Skip Route 53 record creation when DNS is managed elsewhere |
| db_config | Use an existing database secret and security group |
| alb_config, cloud_front_config, efs_config, log_bucket_config, frontend_bucket_config, cloud_map_config | Import other long-lived resources instead of creating them |

Route 53 (route53_records_config) - set create_records: false when another team owns DNS for the wallet hostnames:

route53_records_config:
  create_records: false

ACM certificates (certificate_config) - set one or both ARNs; omit the block to let CDK issue default certificates. alb_certificate_arn covers the API load balancer (api.{dns_prefix}.{zone}). cloud_front_certificate_arn covers the UI distribution ({dns_prefix}.{zone} and www.{dns_prefix}.{zone}). You may reuse one certificate for both ARNs.

certificate_config:
  alb_certificate_arn: arn:aws:acm:us-east-1:123456789012:certificate/<cert-id>
  cloud_front_certificate_arn: arn:aws:acm:us-east-1:123456789012:certificate/<cert-id>

VPC (vpc_config) - supply IDs and CIDR metadata for the VPC your network team provisioned. Private subnets carry wallet workloads; public subnets carry ingress. Isolated subnet fields are optional when your VPC layout includes them.

vpc_config:
  vpc_id: vpc-xxxxxxxx
  availability_zones:
    - us-east-1a
    - us-east-1b
  region: us-east-1
  vpc_cidr_block: 10.0.0.0/20
  private_subnet_ids:
    - subnet-xxxx
    - subnet-yyyy
  private_subnet_route_table_ids:
    - rtb-xxxx
    - rtb-yyyy
  private_subnet_ipv4_cidr_blocks:
    - 10.0.6.0/23
    - 10.0.8.0/23
  public_subnet_ids:
    - subnet-xxxx
    - subnet-yyyy
  public_subnet_route_table_ids:
    - rtb-xxxx
    - rtb-yyyy
  public_subnet_ipv4_cidr_blocks:
    - 10.0.0.0/23
    - 10.0.2.0/23
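
A pre-flight check for the certificate_config and vpc_config blocks above, as an added example that is not part of the installer bundle or the configurator. It takes one environments[] entry already parsed from YAML into a dict and returns findings: an unquoted account_id, a certificate ARN in the wrong region or account, and subnet CIDRs outside vpc_cidr_block or overlapping each other. The function name, the index alignment of the subnet lists, and the sample values are assumptions.

```python
import ipaddress

def check_imports(env):
    """Findings for the import blocks of one environments[] entry (parsed YAML, as a dict)."""
    out = []
    acct = env.get("account_id")
    # Unquoted, YAML reads account_id as an int and drops leading zeros.
    if not (isinstance(acct, str) and len(acct) == 12 and acct.isdigit()):
        out.append("account_id: must be a quoted 12-digit string")
    # CloudFront only accepts ACM certificates from us-east-1; an ALB needs one from its own region.
    need = {"alb_certificate_arn": env.get("region"), "cloud_front_certificate_arn": "us-east-1"}
    for key, region in need.items():
        arn = env.get("certificate_config", {}).get(key)
        if arn is None:
            continue
        p = arn.split(":", 5)  # arn:partition:acm:region:account:certificate/<id>
        if len(p) != 6 or p[2] != "acm" or not p[5].startswith("certificate/"):
            out.append(f"{key}: not an ACM certificate ARN")
        elif p[3] != region:
            out.append(f"{key}: certificate is in {p[3]}, must be in {region}")
        elif p[4] != acct:
            out.append(f"{key}: certificate account differs from account_id")
    vpc = env.get("vpc_config")
    if vpc:
        vpc_net, seen = ipaddress.ip_network(vpc["vpc_cidr_block"]), []
        for tier in ("private", "public"):
            ids = vpc.get(f"{tier}_subnet_ids", [])
            cidrs = vpc.get(f"{tier}_subnet_ipv4_cidr_blocks", [])
            rtbs = vpc.get(f"{tier}_subnet_route_table_ids", [])
            # Assumption: the three lists are index-aligned, as in the page's sample.
            if not len(ids) == len(cidrs) == len(rtbs):
                out.append(f"{tier}: subnet id, route table and CIDR lists differ in length")
            for sid, cidr in zip(ids, cidrs):
                net = ipaddress.ip_network(cidr)
                if not net.subnet_of(vpc_net):
                    out.append(f"{sid}: {cidr} is outside {vpc_net}")
                out += [f"{sid}: {cidr} overlaps {o}" for o in seen if net.overlaps(o)]
                seen.append(net)
    return out

# Constructed sample: eu-west-1 environment reusing one eu-west-1 certificate for both ARNs.
ARN = "arn:aws:acm:eu-west-1:123456789012:certificate/<cert-id>"
SAMPLE = {"account_id": "123456789012", "region": "eu-west-1",
          "certificate_config": {"alb_certificate_arn": ARN, "cloud_front_certificate_arn": ARN},
          "vpc_config": {"vpc_cidr_block": "10.0.0.0/20",
                         "private_subnet_ids": ["subnet-xxxx", "subnet-yyyy"],
                         "private_subnet_route_table_ids": ["rtb-xxxx", "rtb-yyyy"],
                         "private_subnet_ipv4_cidr_blocks": ["10.0.6.0/23", "10.0.16.0/23"]}}
print("\n".join(check_imports(SAMPLE)))
```

Reusing one certificate for both ARNs passes this check only when the environment region is us-east-1, as in the page's own sample values.
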

Example skeleton:

namespace: your-namespace
tags:
  env: production
  cost-center: custody
  team: platform-ops
environments:
  - name: testnet
    account_id: "123456789012"
    region: us-east-1
    testnet: true
    hosted_zone: wallet.example.com
    hosted_zone_id: Z0XXXXXXXXXXXX
    components:
      - wallet
      - policyNode0
      - policyNode1
      - policyNode2
    admins:
      - name: Admin User
        email: <admin-email>
  - name: mainnet
    account_id: "123456789012"
    region: us-east-1
    testnet: false
    hosted_zone: wallet.example.com
    hosted_zone_id: Z0XXXXXXXXXXXX
    components:
      - wallet
      - policyNode0
      - policyNode1
      - policyNode2
    admins:
      - name: Admin User
        email: <admin-email>

See the customer-config.yml file in your delivery bundle for the full template and comments.