Sync IVS real-time recording configuration

[SethSharp]

What problems are you solving?

Adds a dedicated sync:recording command that provisions all recording-related services for IVS real-time streaming, and supports multi-region IVS deployments via a regions array in the manifest.

Is there anything the reviewer needs to know to deploy this?

1. yolo.yml

aws:
  ivs:
    logging: true
    recording:
      real_time: true
    # IVS is often in a different region to the rest of your infrastructure.
    # Use region (single) or regions (multi) — both are optional and fall back to aws.region.
    region: us-east-1
    # regions:
    #   - us-east-1
    #   - ap-southeast-2

Region resolution order: aws.ivs.regions → [aws.ivs.region] → [aws.region]

2. Sync order

yolo sync:recording production
yolo sync:logging production

After running, env vars are printed per region for the app's .env:

AWS_IVS_REALTIME_RECORDINGS_BUCKET=yolo-production-liveplatforms-ivs-realtime-recordings

# Per region (one per configured IVS region):
AWS_IVS_STORAGE_CONFIGURATION_ARN_US_EAST_1=arn:aws:ivs:us-east-1:...
AWS_IVS_STORAGE_CONFIGURATION_ARN_AP_SOUTHEAST_2=arn:aws:ivs:ap-southeast-2:...
AWS_IVS_ENCODER_CONFIGURATION_ARN_US_EAST_1=arn:aws:ivs:us-east-1:...
AWS_IVS_ENCODER_CONFIGURATION_ARN_AP_SOUTHEAST_2=arn:aws:ivs:ap-southeast-2:...

3. IAM permissions required for the user running yolo

Policy	Type	Why
AmazonS3FullAccess	AWS managed	Create recording bucket and set bucket policy
IVSFullAccess	AWS managed	Create StorageConfiguration and EncoderConfiguration
CloudWatchLogsFullAccess	AWS managed	Create log group and resource policy
AmazonEventBridgeFullAccess	AWS managed	Create EventBridge rule and target

---

What sync:recording provisions

Step	What it creates
SyncIvsRealtimeRecordingBucketStep	Single shared S3 bucket — bucket policy allows ivs-composite.{region}.amazonaws.com for all configured IVS regions; grants MediaConvert role read access
SyncIvsStorageConfigurationStep	IVS Real-Time StorageConfiguration per configured region, each pointing at the shared bucket
SyncIvsEncoderConfigurationStep	IVS Real-Time EncoderConfiguration (720p30 @ 2.5 Mbps) per configured region

What sync:logging provisions

Step	What it creates
SyncIvsCloudWatchLogGroupStep	CloudWatch log group per configured IVS region with configurable retention
SyncIvsEventBridgeRuleStep	EventBridge rule for aws.ivs state change events per configured region
SyncIvsEventBridgeTargetStep	EventBridge target wiring each rule to its region's log group

Multi-region behaviour

All six IVS steps loop over aws.ivs.regions (defaults to [aws.region] when not set). Each step uses a region-specific AWS SDK client created from the base awsArguments with the region overridden. Results across regions are merged via StepResult::highest() — CREATED wins over SYNCED wins over SKIPPED.

The recordings bucket is shared across regions (S3 names are globally unique). Its bucket policy is built to include a principal entry for each configured IVS region so every ivs-composite.{region}.amazonaws.com service can write to it.

Recording format

IVS composite recording outputs TS-based HLS (not fMP4/CMAF like individual participant recording). This is directly compatible with the existing MediaConvert pipeline — no FFmpeg or pre-processing step required.

Notes

• S3 bucket name is auto-generated via Helpers::keyedResourceName() to avoid global name collisions
• All steps skip gracefully if the relevant aws.ivs config is absent — no breaking change for existing deployments
• The recordings bucket uses BucketOwnerPreferred ownership — required because IVS writes objects with bucket-owner-full-control ACL
• sync:iam has no IVS-specific steps — no IAM roles are provisioned for recording