
Amazon Web Services

The Onehouse infrastructure deployment follows two steps:

  1. Onehouse Customer Stack — Deploys the IAM roles and permissions which allow Onehouse to operate the platform. Can be deployed using Terraform or CloudFormation.
  2. Onehouse Kubernetes Deployment — Uses the IAM roles provisioned in the Customer Stack to deploy the Onehouse dataplane EKS cluster. This starts automatically after step 1.

Step 1: Deploy the Customer Stack

Provide your AWS VPC ID, two private subnets within that VPC, and choose your IaC method.


Terraform

Prerequisites

Create an S3 bucket to hold Terraform artifacts before deploying the customer stack: onehouse-customer-bucket-<RequestIdPrefix>. This bucket stores configs and Terraform state. You can find the RequestIdPrefix in the Onehouse UI installation steps.

Install Terraform Stack

You will need administrator-level privileges. The Terraform script generates IAM roles and attaches policies.

Terraform Details

  1. The Terraform module is hosted on a private registry. Reach out to your Onehouse POC to get a Terraform Cloud token, then authenticate:

  2. Create a directory with the following structure in a Linux or UNIX environment authenticated to your AWS account:

     my-terraform-project/
     ├── main.tf
     ├── variables.tf
     └── backend.tf

backend.tf

note

To use a custom S3 bucket for Terraform state instead of onehouse-customer-bucket-<REQUEST_ID_PREFIX>, update the bucket field. region must always be updated.

terraform {
  required_version = "1.11.0"
  required_providers {
    aws = {
      version = "5.82.0"
    }
  }
  backend "s3" {
    bucket = "onehouse-customer-bucket-${REQUEST_ID_PREFIX}"
    key    = "onboarding/terraform/preboarding/onehouse.tfstate"
    region = "${REGION}"
  }
}

provider "aws" {
  region = "${REGION}"
}

main.tf

Update TERRAFORM_MODULE_VERSION:

module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/aws"
  version = "${TERRAFORM_MODULE_VERSION}"
  # insert required variables here
}

output "core_role_arn" {
  value = module.customer-stack.core_role_arn
}

Current stable release

The latest stable AWS customer stack version is 1.0.41. See the Changelog below for recent changes.

Terraform Variables

| Variable | Description | Default |
|---|---|---|
| productFlow | Product flow. Values: core, litecore | |
| region | [Required] Region of the EKS cluster | |
| requestId | Onehouse requestId. Provide directly or via requestIdSecretManager. | |
| requestIdSecretManager | Provide requestId via Secrets Manager (enabled + secretArn). | enabled = false |
| environment | [Required] Onehouse environment. Values: production | |
| s3BucketArns | [Required] S3 bucket ARNs for Onehouse access. Example: arn:aws:s3:::<bucket_name> | |
| s3KmsKeys | [Optional] KMS key ARNs for encrypted S3 buckets. | [] |
| s3DataLoad | Enable to load existing data (JSON, CSV, Parquet) from S3. Grants SNS/SQS permissions. | { enabled = false } |
| mskDataLoad | Enable to capture data from Amazon MSK. | { enabled = true } |
| databaseDataLoad | Enable to load from databases (Postgres, MySQL). Requires mskDataLoad enabled. | { enabled = true } |
| glueSync | Enable to sync to AWS Glue. | { enabled = true } |
| secretsManagerConfig | Permissions for secrets/secrets-manager. Values: OMS (Onehouse managed), BYOS (bring your own secret; recommended). | |
| ascp | Enable mounting Onehouse secrets from AWS Secrets Manager. | { enabled = false } |
| kinesisDataLoad | Enable to load data from Amazon Kinesis Data Streams. | { enabled = false } |
| aclSync | Enable ACL settings sync across meta-stores via Onehouse. | { enabled = false } |
| clustersConfig | Cluster settings including Lake Formation authorization. | { enableLakeformationAuthorization = false } |
| lockProviderConfig | DynamoDB table permissions for table locking. | { enableDynamoDB = true } |
| ec2Config | EC2 configuration for bastion host, diagnostic host, and PrivateLink. VPC ID and private subnet ID required. | |
| integrations | Enable Datadog or GuardDuty integrations. | { enableDatadog = false, enableGuardduty = false } |
| karpenterSupport | Enable Karpenter support. | { enabled = true } |
| customerRoleArns | [Optional] Customer role ARNs for EKS cluster access. | [] |
| customAmiSupport | Enable custom AMI support. | { createEbsKmsKeyArn = true, ebsKmsKeyArn = "" } |
| permissions_boundary | [Optional] ARN of IAM policy for permissions boundary. Required if your AWS account enforces boundaries. | "" |
| customTags | [Optional] Custom tags for all resources. Example: { "Team" = "platform" } | |
| s3SupportBucketArns | S3 bucket paths the Onehouse support team can read. | [] |
| additional_node_role_policy_arns | [Optional] Additional IAM managed policy ARNs to attach to the EKS node role, e.g. to grant cross-account access to a Secrets Manager secret or KMS key. Combined with additional_node_role_inline_policies, at most 2 custom policies are allowed. | [] |
| additional_node_role_inline_policies | [Optional] Additional inline IAM policies for the EKS node role, as a map of policy name to policy JSON. Use for resource-scoped permissions such as cross-account secretsmanager:GetSecretValue / kms:Decrypt. For cross-account access, the target resource policy must also grant the node role. Combined with additional_node_role_policy_arns, at most 2 custom policies are allowed. | {} |
| eksControlPlaneAuditLogs | [Optional] Grant the Onehouse core role permission to enable EKS control-plane logging (including API server audit logs) and manage the cluster's CloudWatch log group lifecycle. Enablement is also gated by product configuration. | { enabled = false } |
| customerStackS3Distribution | [Optional] Allow Onehouse CI to publish the customer-stack module archive into your onehouse-customer-bucket-<requestIdPrefix> so you can consume the module via an s3:: Terraform source instead of the Onehouse private registry. Enable only if you use S3-based module distribution. | { enabled = false } |

Bastion Host

Creating a bastion host is mandatory for cluster access. Enable bastionHostConfig under ec2Config and provide vpcID and privateSubnetID.
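The variable table above carries several constraints that Terraform will not check for you until apply time (or not at all): the two-policy limit on extra node-role policies, the requirement that inline policies be resource-scoped, the mskDataLoad dependency of databaseDataLoad, and the mandatory bastion host. As an added example (not Onehouse code and not part of the customer-stack module), the Python script below validates a set of inputs against those documented rules before terraform plan. The input dictionary uses the variable names from the table; the placement of vpcID and privateSubnetID directly under ec2Config beside bastionHostConfig is an assumption, and every identifier in GOOD_INPUTS is a constructed placeholder.

```python
# Added example (not Onehouse code): pre-apply validation of customer-stack
# inputs against the constraints the variable table documents. The nesting of
# ec2Config (vpcID / privateSubnetID beside bastionHostConfig) is an assumption.
import json
import re

S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
MAX_CUSTOM_NODE_POLICIES = 2  # limit stated in the variable table


def _enabled(value, default):
    """Read the `enabled` flag of an object-typed variable, honouring its documented default."""
    return default if value is None else bool(value.get("enabled", default))


def _check_inline_policy(name, policy_json, problems):
    """Inline node-role policies must parse and must not Allow on Resource '*'."""
    try:
        doc = json.loads(policy_json)
    except ValueError:
        problems.append(f"inline policy {name}: not valid JSON")
        return
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not resources or "*" in resources:
            problems.append(f"inline policy {name}: Allow statement is not resource-scoped")


def validate_inputs(cfg):
    """Return the list of problems found; an empty list means the inputs pass."""
    problems = []
    for key in ("region", "environment", "s3BucketArns"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if cfg.get("environment") not in (None, "production"):
        problems.append("environment must be 'production'")

    # requestId comes either directly or from Secrets Manager, never from neither.
    secret = cfg.get("requestIdSecretManager") or {}
    if not cfg.get("requestId") and not secret.get("enabled", False):
        problems.append("requestId must be given directly or via requestIdSecretManager")
    if secret.get("enabled") and not secret.get("secretArn"):
        problems.append("requestIdSecretManager.secretArn is required when enabled")

    for arn in cfg.get("s3BucketArns") or []:
        if not S3_ARN.match(arn):
            problems.append(f"s3BucketArns: {arn!r} is not an S3 bucket ARN")
    for arn in cfg.get("s3KmsKeys") or []:
        if not KMS_ARN.match(arn):
            problems.append(f"s3KmsKeys: {arn!r} is not a KMS key ARN")

    if _enabled(cfg.get("databaseDataLoad"), True) and not _enabled(cfg.get("mskDataLoad"), True):
        problems.append("databaseDataLoad requires mskDataLoad to be enabled")

    policy_arns = cfg.get("additional_node_role_policy_arns") or []
    inline = cfg.get("additional_node_role_inline_policies") or {}
    if len(policy_arns) + len(inline) > MAX_CUSTOM_NODE_POLICIES:
        problems.append(f"at most {MAX_CUSTOM_NODE_POLICIES} custom node role policies are allowed")
    for name, policy_json in inline.items():
        _check_inline_policy(name, policy_json, problems)

    ec2 = cfg.get("ec2Config") or {}
    if not (ec2.get("bastionHostConfig") or {}).get("enabled"):
        problems.append("ec2Config.bastionHostConfig must be enabled (bastion host is mandatory)")
    for key in ("vpcID", "privateSubnetID"):
        if not ec2.get(key):
            problems.append(f"ec2Config.{key} is required")
    return problems


def inline_policy(actions, resource):
    """Build a minimal IAM policy document string for additional_node_role_inline_policies."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]})


# Constructed sample inputs; every identifier is a placeholder, not a real resource.
GOOD_INPUTS = {
    "region": "us-east-1",
    "environment": "production",
    "requestId": "REQUEST_ID_PLACEHOLDER",
    "s3BucketArns": ["arn:aws:s3:::example-lakehouse-bucket"],
    "s3KmsKeys": ["arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"],
    "secretsManagerConfig": "BYOS",
    "additional_node_role_inline_policies": {
        "cross-account-secret": inline_policy(
            ["secretsmanager:GetSecretValue"],
            "arn:aws:secretsmanager:us-east-1:210987654321:secret:example-*"),
    },
    "ec2Config": {
        "vpcID": "vpc-0123456789abcdef0",
        "privateSubnetID": "subnet-0123456789abcdef0",
        "bastionHostConfig": {"enabled": True},
    },
}

if __name__ == "__main__":
    print(validate_inputs(GOOD_INPUTS) or "inputs pass")
```

Load your own variables (for example from a .tfvars.json file) into validate_inputs and resolve every reported problem before running terraform plan; the inline-policy check in particular catches a Resource "*" grant that the module would otherwise attach to every EKS node.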

Run Terraform Stack

terraform init --reconfigure
terraform plan
terraform apply

Terraform will generate an IAM Role ARN. Copy and paste this ARN into the Onehouse UI.

Migrating an Existing Terraform Stack to Private Registry Modules

If you already have a Terraform stack with created resources, migrate using the script below. The terraform state mv line is commented out intentionally — run the script first to preview the moves, then uncomment to execute.

#!/usr/bin/env bash
set -euo pipefail

if [ $# -ne 1 ]; then
  echo "Usage: $0 <wrapper_module_name>"
  exit 1
fi

WRAPPER=$1

terraform state list | grep -v '^data\.' | while read -r resource; do
  new_resource="module.${WRAPPER}.${resource}"
  echo "Moving: $resource -> $new_resource"
  #terraform state mv "$resource" "$new_resource"
done

CloudFormation

Install CloudFormation Stack

Click "Take me to AWS CloudFormation" and fill out the Parameters section.

caution

Do not change the name of the CloudFormation stack. Onehouse uses the defined name to monitor the onboarding process.

Click Create Stack. Once the stack is created, return to the Onehouse UI and click Next.

Step 2: Kubernetes Cluster Deployment

The Onehouse dataplane Kubernetes cluster creation starts automatically after the customer stack is deployed. Once finished, the wizard closes and you will see one entry in Connections > Cloud Accounts.

caution

Do not close the page while provisioning is in progress. This step takes approximately 30–40 minutes. If it fails, contact your Onehouse team.

Changelog

Recent AWS customer stack releases. Pin the version in your main.tf to a specific release; bump the version and re-run terraform apply to upgrade.

| Version | Highlights |
|---|---|
| 1.0.41 (current) | Added support for attaching additional customer-supplied IAM policies to the EKS node role. |
| 1.0.37 – 1.0.40 | Enabled EKS control-plane audit logs and assorted bug fixes. |
| 1.0.36 | Fixed IAM policy size limit by using inline role policies for S3 access. |
| 1.0.35 | Added optional trust for githubRunnerRole on the support role (opt-in, disabled by default). |
| 1.0.34 | Added IAM role and permissions for the AWS Load Balancer Controller so Onehouse can manage internal load balancers. Added read-only EC2 permissions required by the latest Karpenter version. |
| 1.0.32 | Added glue:GetUserDefinedFunction permission so Glue sync can read user-defined functions. |
| 1.0.31 | Added Kinesis Data Streams ingestion permissions. Added customTags support for bastion hosts. Scoped IAM permissions to the deployment region for tighter least-privilege. |
| 1.0.28 | Fixed bastion AMI selection to work reliably across all AWS regions. |
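The pinned module version is the supply-chain control in this setup: an exact x.y.z pin means terraform init fetches the release you reviewed in the changelog, whereas a constraint such as ~> 1.0 lets a new registry publication move you forward without a review. As an added example (not Onehouse tooling), the Python helper below reads the pin from a main.tf shaped like the one on this page, rejects non-exact pins and the unreplaced ${TERRAFORM_MODULE_VERSION} placeholder, and bumps the pin forward only. SAMPLE_MAIN_TF is a constructed copy of the module block with 1.0.36 pinned.

```python
# Added example (not Onehouse tooling): check and bump the customer-stack
# module pin in main.tf. It parses only the module block layout shown on this page.
import re

MODULE_SOURCE = "app.terraform.io/Onehouse/customer-stack/aws"
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
VERSION_LINE = re.compile(r'(^\s*version\s*=\s*")([^"]*)(")', re.M)

# Constructed main.tf in the layout documented above, pinned to an older release.
SAMPLE_MAIN_TF = '''module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/aws"
  version = "1.0.36"
}

output "core_role_arn" {
  value = module.customer-stack.core_role_arn
}
'''


def _module_block(main_tf):
    """Return (start, end) of the body of the module block whose source is MODULE_SOURCE."""
    for m in re.finditer(r'module\s+"[^"]+"\s*\{', main_tf):
        end = main_tf.find("\n}", m.end())
        if end == -1:
            break
        body = re.sub(r"\s+", " ", main_tf[m.end():end])
        if f'source = "{MODULE_SOURCE}"' in body:
            return m.end(), end
    return None


def pinned_version(main_tf):
    """The version string on the customer-stack module block, or None if absent."""
    span = _module_block(main_tf)
    if span is None:
        return None
    m = VERSION_LINE.search(main_tf[span[0]:span[1]])
    return m.group(2) if m else None


def check_pin(main_tf):
    """Return a problem description, or None when the module is pinned to an exact release."""
    v = pinned_version(main_tf)
    if v is None:
        return "customer-stack module has no version argument"
    if not EXACT_VERSION.match(v):
        return f"version {v!r} is not an exact x.y.z pin"
    return None


def _as_tuple(v):
    return tuple(int(p) for p in v.split("."))


def bump_version(main_tf, new_version):
    """Rewrite the pin to new_version; refuses non-exact versions and downgrades."""
    if not EXACT_VERSION.match(new_version):
        raise ValueError(f"{new_version!r} is not an exact version")
    current = pinned_version(main_tf)
    if current is None or not EXACT_VERSION.match(current):
        raise ValueError("main.tf must carry an exact pin before bumping")
    if _as_tuple(new_version) < _as_tuple(current):
        raise ValueError(f"refusing to downgrade {current} -> {new_version}")
    start, end = _module_block(main_tf)
    body = VERSION_LINE.sub(lambda m: m.group(1) + new_version + m.group(3),
                            main_tf[start:end], count=1)
    return main_tf[:start] + body + main_tf[end:]


if __name__ == "__main__":
    print(check_pin(SAMPLE_MAIN_TF) or f"pinned to {pinned_version(SAMPLE_MAIN_TF)}")
    print(bump_version(SAMPLE_MAIN_TF, "1.0.41"))
```

Run check_pin in CI before terraform init so a loosened or placeholder pin fails the build, and use bump_version (followed by terraform plan and a diff review) when moving to a newer changelog entry.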