From 2745e7540815bff831b19b19a9cc55c1503da97f Mon Sep 17 00:00:00 2001
From: Joe Lothan <joe@lothan.net>
Date: Tue, 19 May 2026 10:23:29 -0400
Subject: [PATCH] updated infra README about pinning AMI

---
 infra/README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/infra/README.md b/infra/README.md
index e1e76da..3aeef60 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -46,6 +46,25 @@ psql $DATABASE_URL -c 'SELECT 1;'
 psql $DATABASE_URL -f ~/everytab/pipeline/01_cc_index/schema.sql
 ```
 
+## Pinning the EC2 AMI
+
+The `data.aws_ami` lookup fetches the latest Amazon Linux 2023 AMI. If Amazon publishes a new one between applies, Terraform will want to replace your EC2 instance.
+
+To prevent this, pin the AMI after initial creation:
+
+```bash
+# Get the current instance's AMI
+aws ec2 describe-instances --filters "Name=tag:Name,Values=everytab" \
+  --query "Reservations[0].Instances[0].ImageId" --output text
+
+# Add to terraform.tfvars
+echo 'ec2_ami = "ami-XXXXXXXXXXXX"' >> terraform.tfvars
+```
+
+Now `terraform apply` won't replace the instance for non-EC2 changes (like adding CloudFront logging).
+
+Remove the `ec2_ami` line from tfvars when you want a fresh instance with the latest AMI (e.g., after teardown).
+
 ## Teardown (after backup)
 
 Switch to serving-only mode (destroys EC2, RDS, icons bucket):