diff --git a/cdn/terraform/main.tf b/cdn/terraform/main.tf
index 3a8f0d0..6900a68 100644
--- a/cdn/terraform/main.tf
+++ b/cdn/terraform/main.tf
@@ -1,26 +1,41 @@
-# See: https://www.terraform.io/docs/providers/aws
+# Provider documentation: https://www.terraform.io/docs/providers/aws
+#
+# Some AWS credentials documentation:
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
+#
+# You must set up an AWS Credentials file to use the AWS provider.
+# For example, you might put the following in ~/.aws/credentials:
+#
+# [guix]
+# aws_access_key_id=ACCESS_KEY_ID
+# aws_secret_access_key=SECRET_ACCESS_KEY
+#
+# Then you can invoke "terraform" like this to use the credentials:
+#
+# AWS_PROFILE=guix AWS_DEFAULT_REGION=us-west-2 terraform apply
+#
+# The first environment variable tells the AWS provider to look for a
+# "profile" named "guix". You can use any profile name you want, but
+# it needs to match the profile name in the AWS credentials file.
+#
+# The second environment variable tells the AWS provider what region
+# to use. For global services like IAM or CloudFront, you can use any
+# region, but you might get better performance when using a region
+# that is geographically close to you. If we ever use any services
+# that are not global (e.g., EC2), then the region will specify where
+# those resources (e.g., EC2 instances) will exist.

-provider "aws" {
- # You must set up an AWS Credentials file a profile of the same name
- # (i.e., "guix"). For example, put this in your ~/.aws/credentials:
- #
- # [guix]
- # aws_access_key_id=ACCESS_KEY_ID
- # aws_secret_access_key=SECRET_ACCESS_KEY
- #
- # See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
- # That documentation AWS CLI documentation, but the same ideas apply
- # generally to other AWS SDKs and tools.
- profile = "guix"
-}
+provider "aws" {}

-# A friendly name for our account - this is displayed in various
+# A friendly name for our account. This is displayed in various
 # places, such as the AWS Management Console.
+
 resource "aws_iam_account_alias" "alias" {
 account_alias = "guix"
 }

 # Encourage good password hygiene.
+
 resource "aws_iam_account_password_policy" "strict" {
 minimum_password_length = 20
 require_lowercase_characters = true
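Review bot: With the provider block reduced to `provider "aws" {}`, nothing in the configuration ties a run to the intended AWS account any more. If AWS_PROFILE is unset or names a different profile, the provider uses whatever the default credential chain resolves to, and the account alias and password policy below would be applied to that account instead. Pinning the account in the provider block, e.g. `allowed_account_ids = ["<ACCOUNT_ID>"]` (placeholder, the real ID is not on this page), makes terraform refuse to plan or apply elsewhere while still leaving the profile name to the operator. The new header comment could also note that the example keeps long-lived access keys in plaintext in ~/.aws/credentials, so that file should be readable only by its owner. The `aws_iam_account_password_policy` block continues past the end of this hunk.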