Amazon Web Services
The Onehouse infrastructure deployment follows two steps:
- Onehouse Customer Stack — Deploys the IAM roles and permissions which allow Onehouse to operate the platform. Can be deployed using Terraform or CloudFormation.
- Onehouse Kubernetes Deployment — Uses the IAM roles provisioned in the Customer Stack to deploy the Onehouse dataplane EKS cluster. This starts automatically after step 1.
Step 1: Deploy the Customer Stack
Provide your AWS VPC ID, two private subnets within that VPC, and choose your IaC method.

Terraform
Prerequisites
Before deploying the customer stack, create an S3 bucket named onehouse-customer-bucket-<RequestIdPrefix> to hold Terraform artifacts; it stores configs and Terraform state. The RequestIdPrefix is shown in the installation steps in the Onehouse UI. The state file records the IAM role ARNs and other deployment details, so enable versioning and default encryption on this bucket and block public access to it.
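One way to bootstrap that state bucket with those protections, as an added example and not Onehouse's own code: a small Terraform configuration applied once with local state, before backend.tf points at the bucket. The RequestIdPrefix value is a placeholder. It uses SSE-S3 (AES256) rather than a customer-managed KMS key on purpose: a CMK's key policy would also have to admit every principal that writes to the bucket, including Onehouse CI if you later enable customerStackS3Distribution.

```hcl
# Added example (not Onehouse's module or documentation code).
# Apply once with local state; afterwards backend.tf refers to this bucket.
locals {
  request_id_prefix = "abc123" # placeholder: take the value from the Onehouse UI
  state_bucket      = "onehouse-customer-bucket-${local.request_id_prefix}"
}

resource "aws_s3_bucket" "tfstate" {
  bucket = local.state_bucket
}

# Versioning lets you roll back a state file after a bad apply or an accidental delete.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State holds role ARNs and other deployment details: encrypt it at rest.
# AES256 (SSE-S3) needs no key policy, so cross-account writers such as
# Onehouse CI (customerStackS3Distribution) keep working. If you switch to
# aws:kms with a CMK, grant every writer kms:GenerateDataKey on that key.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Nothing in this bucket should ever be reachable anonymously.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Run this from a separate directory with the default local backend; the state for these four resources is small and can be committed or kept with the bootstrap directory.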
Install Terraform Stack
Run the apply with administrator-level privileges: the module creates IAM roles and attaches policies to them.

- The Terraform module is hosted on a private registry. Reach out to your Onehouse POC to get a Terraform Cloud token, then authenticate the Terraform CLI to app.terraform.io with that token.

- Create a directory with the following structure in a Linux or UNIX environment authenticated to your AWS account:
```text
my-terraform-project/
├── main.tf
├── variables.tf
└── backend.tf
```
backend.tf
The `${REQUEST_ID_PREFIX}` and `${REGION}` strings below are placeholders to replace with literal values, not Terraform references. To keep state in a custom S3 bucket instead of onehouse-customer-bucket-<REQUEST_ID_PREFIX>, change the bucket field; region must always be set.
```hcl
terraform {
  required_version = "1.11.0"
  required_providers {
    aws = {
      version = "5.82.0"
    }
  }
  backend "s3" {
    # replace the placeholders with your state bucket name and region
    bucket = "onehouse-customer-bucket-${REQUEST_ID_PREFIX}"
    key    = "onboarding/terraform/preboarding/onehouse.tfstate"
    region = "${REGION}"
  }
}

provider "aws" {
  region = "${REGION}"
}
```
main.tf
Replace `${TERRAFORM_MODULE_VERSION}` with the release you want to pin and fill in the required variables from the table that follows:
```hcl
module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/aws"
  version = "${TERRAFORM_MODULE_VERSION}"
  # insert required variables here
}

output "core_role_arn" {
  value = module.customer-stack.core_role_arn
}
```
The latest stable AWS customer stack version is 1.0.41. See the Changelog below for recent changes.
Terraform Variables
| Variable | Description | Default |
|---|---|---|
| productFlow | Product flow. Values: core, lite | core |
| region | [Required] Region of the EKS cluster | |
| requestId | Onehouse requestId. Provide directly or via requestIdSecretManager. | |
| requestIdSecretManager | Provide requestId via Secrets Manager (enabled + secretArn). | enabled = false |
| environment | [Required] Onehouse environment. Values: production | |
| s3BucketArns | [Required] S3 bucket ARNs for Onehouse access. Example: arn:aws:s3:::<bucket_name> | |
| s3KmsKeys | [Optional] KMS key ARNs for encrypted S3 buckets. | [] |
| s3DataLoad | Enable to load existing data (JSON, CSV, Parquet) from S3. Grants SNS/SQS permissions. | { enabled = false } |
| mskDataLoad | Enable to capture data from Amazon MSK. | { enabled = true } |
| databaseDataLoad | Enable to load from databases (Postgres, MySQL). Requires mskDataLoad enabled. | { enabled = true } |
| glueSync | Enable to sync to AWS Glue. | { enabled = true } |
| secretsManagerConfig | Permissions for secrets/secrets-manager. Values: OMS (Onehouse managed), BYOS (bring your own secret — recommended). | |
| ascp | Enable mounting Onehouse secrets from AWS Secrets Manager. | { enabled = false } |
| kinesisDataLoad | Enable to load data from Amazon Kinesis Data Streams. | { enabled = false } |
| aclSync | Enable ACL settings sync across meta-stores via Onehouse. | { enabled = false } |
| clustersConfig | Cluster settings including Lake Formation authorization. | { enableLakeformationAuthorization = false } |
| lockProviderConfig | DynamoDB table permissions for table locking. | { enableDynamoDB = true } |
| ec2Config | EC2 configuration for bastion host, diagnostic host, and PrivateLink. VPC ID and private subnet ID required. | |
| integrations | Enable Datadog or GuardDuty integrations. | { enableDatadog = false, enableGuardduty = false } |
| karpenterSupport | Enable Karpenter support. | { enabled = true } |
| customerRoleArns | [Optional] Customer role ARNs for EKS cluster access. | [] |
| customAmiSupport | Enable custom AMI support. | { createEbsKmsKeyArn = true, ebsKmsKeyArn = "" } |
| permissions_boundary | [Optional] ARN of IAM policy for permissions boundary. Required if your AWS account enforces boundaries. | "" |
| customTags | [Optional] Custom tags for all resources. Example: { "Team" = "platform" } | |
| s3SupportBucketArns | S3 bucket paths the Onehouse support team can read. | [] |
| additional_node_role_policy_arns | [Optional] Additional IAM managed policy ARNs to attach to the EKS node role, e.g. to grant cross-account access to a Secrets Manager secret or KMS key. Combined with additional_node_role_inline_policies, at most 2 custom policies are allowed. | [] |
| additional_node_role_inline_policies | [Optional] Additional inline IAM policies for the EKS node role, as a map of policy name to policy JSON. Use for resource-scoped permissions such as cross-account secretsmanager:GetSecretValue / kms:Decrypt. For cross-account access, the target resource policy must also grant the node role. Combined with additional_node_role_policy_arns, at most 2 custom policies are allowed. | {} |
| eksControlPlaneAuditLogs | [Optional] Grant the Onehouse core role permission to enable EKS control-plane logging (including API server audit logs) and manage the cluster's CloudWatch log group lifecycle. Enablement is also gated by product configuration. | { enabled = false } |
| customerStackS3Distribution | [Optional] Allow Onehouse CI to publish the customer-stack module archive into your onehouse-customer-bucket-<requestIdPrefix> so you can consume the module via an s3:: Terraform source instead of the Onehouse private registry. Enable only if you use S3-based module distribution. | { enabled = false } |
Creating a bastion host is mandatory for cluster access. Enable bastionHostConfig under ec2Config and provide vpcID and privateSubnetID.
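A filled-in main.tf that ties the variables above together, added here as an example and not taken from Onehouse's documentation or module source. All account IDs, ARNs, VPC and subnet IDs are placeholders. Two things are assumptions rather than confirmed module schema: the nesting of bastionHostConfig inside ec2Config, and the name of the node-role variable used on the peer-account side. It shows the least-privilege choices a practitioner would make: the requestId read from Secrets Manager instead of committed to the repository, unused ingestion paths disabled so their permissions are never granted, and a resource-scoped inline policy for cross-account secret access together with the matching resource policy in the peer account that the table says is also required.

```hcl
# Added example, not Onehouse's module source. All IDs and ARNs are placeholders;
# the bastionHostConfig nesting and the onehouse_node_role_arn variable are assumed.

locals {
  # A database secret and the CMK that encrypts it, living in a peer account.
  peer_secret_arn  = "arn:aws:secretsmanager:us-east-1:222222222222:secret:onehouse/db-creds-AbCdEf"
  peer_kms_key_arn = "arn:aws:kms:us-east-1:222222222222:key/11111111-2222-3333-4444-555555555555"
}

module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/aws"
  version = "1.0.41"

  productFlow = "core"
  region      = "us-east-1"
  environment = "production"

  # Keep the requestId out of version control by reading it from Secrets Manager.
  requestIdSecretManager = {
    enabled   = true
    secretArn = "arn:aws:secretsmanager:us-east-1:111111111111:secret:onehouse/request-id-XyZ123"
  }

  # Only the lake buckets Onehouse must reach, plus the CMKs that encrypt them.
  s3BucketArns = [
    "arn:aws:s3:::example-lakehouse-raw",
    "arn:aws:s3:::example-lakehouse-curated",
  ]
  s3KmsKeys = ["arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]

  # Ingestion paths that are not used stay disabled so their permissions are never
  # granted. databaseDataLoad needs mskDataLoad, so the two are switched off together.
  s3DataLoad       = { enabled = false }
  kinesisDataLoad  = { enabled = false }
  mskDataLoad      = { enabled = false }
  databaseDataLoad = { enabled = false }
  glueSync         = { enabled = true }

  secretsManagerConfig = "BYOS" # bring your own secret (recommended)

  # The bastion host is mandatory for cluster access (key nesting assumed).
  ec2Config = {
    vpcID             = "vpc-0123456789abcdef0"
    privateSubnetID   = "subnet-0123456789abcdef0"
    bastionHostConfig = { enabled = true }
  }

  # Required when the account enforces IAM permissions boundaries.
  permissions_boundary = "arn:aws:iam::111111111111:policy/OrgPermissionsBoundary"

  # Resource-scoped cross-account access for the EKS node role; this counts as
  # one of the at most two custom policies allowed.
  additional_node_role_inline_policies = {
    "peer-db-secret-read" = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Sid      = "ReadPeerSecret"
          Effect   = "Allow"
          Action   = "secretsmanager:GetSecretValue"
          Resource = local.peer_secret_arn
        },
        {
          Sid      = "DecryptPeerSecret"
          Effect   = "Allow"
          Action   = "kms:Decrypt"
          Resource = local.peer_kms_key_arn
          # The key may only be used via Secrets Manager, never called directly.
          Condition = {
            StringEquals = { "kms:ViaService" = "secretsmanager.us-east-1.amazonaws.com" }
          }
        },
      ]
    })
  }
}

output "core_role_arn" {
  value = module.customer-stack.core_role_arn
}

# Peer-account side. An identity policy alone does not cross an account boundary:
# the secret's resource policy (and the CMK key policy, not shown) must also grant
# the node role. The provider alias and role below are placeholders.
provider "aws" {
  alias  = "peer"
  region = "us-east-1"
  assume_role { role_arn = "arn:aws:iam::222222222222:role/OnehouseSecretAdmin" }
}

variable "onehouse_node_role_arn" {
  type        = string
  description = "ARN of the EKS node role created by the customer stack (assumed name)."
}

resource "aws_secretsmanager_secret_policy" "peer_db_creds" {
  provider   = aws.peer
  secret_arn = local.peer_secret_arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOnehouseNodeRole"
      Effect    = "Allow"
      Principal = { AWS = var.onehouse_node_role_arn }
      Action    = "secretsmanager:GetSecretValue"
      Resource  = "*"
    }]
  })
}
```

The inline policy is scoped to one secret ARN and one key ARN rather than `*`, and the `kms:ViaService` condition keeps the node role from using the CMK for anything other than Secrets Manager decrypts. Check the plan output before applying: the policy above should appear attached to the node role only, with no wildcard resources.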
Run Terraform Stack
```bash
# -reconfigure makes init pick up the backend settings in backend.tf
# even if a different backend was initialized earlier in this directory.
terraform init -reconfigure
terraform plan
terraform apply
```
The apply prints the core_role_arn output, the ARN of the IAM role Onehouse will assume. Copy that ARN into the Onehouse UI.

Migrating an Existing Terraform Stack to Private Registry Modules
If you already have a Terraform stack with created resources, move them under the new wrapper module with the script below. The terraform state mv line is commented out intentionally: run the script first to preview the moves, then uncomment it to execute them.
```bash
#!/usr/bin/env bash
set -euo pipefail

if [ $# -ne 1 ]; then
  echo "Usage: $0 <wrapper_module_name>"
  exit 1
fi
WRAPPER=$1

# Data sources are re-read on the next plan, so only managed resources are moved.
terraform state list | grep -v '^data\.' | while read -r resource; do
  new_resource="module.${WRAPPER}.${resource}"
  echo "Moving: $resource -> $new_resource"
  # Uncomment after reviewing the preview above:
  #terraform state mv "$resource" "$new_resource"
done
```
CloudFormation
Install CloudFormation Stack
Click "Take me to AWS CloudFormation" and fill out the Parameters section.

Do not change the name of the CloudFormation stack. Onehouse uses the defined name to monitor the onboarding process.
Click Create Stack. Once the stack is created, return to the Onehouse UI and click Next.
Step 2: Kubernetes Cluster Deployment
The Onehouse dataplane Kubernetes cluster creation starts automatically after the customer stack is deployed. Once finished, the wizard closes and you will see one entry in Connections > Cloud Accounts.

Do not close the page while provisioning is in progress. This step takes approximately 30–40 minutes. If it fails, contact your Onehouse team.
Changelog
Recent AWS customer stack releases. Pin the version in your main.tf to a specific release; bump the version and re-run terraform apply to upgrade.
| Version | Highlights |
|---|---|
| 1.0.41 (current) | Added support for attaching additional customer-supplied IAM policies to the EKS node role. |
| 1.0.37–1.0.40 | Enabling EKS Control Plane audit logs and assorted bug fixes. |
| 1.0.36 | Fixed IAM policy size limit by using inline role policies for S3 access. |
| 1.0.35 | Added optional trust for githubRunnerRole on the support role (opt-in, disabled by default). |
| 1.0.34 | Added IAM role and permissions for the AWS Load Balancer Controller so Onehouse can manage internal load balancers. Added read-only EC2 permissions required by the latest Karpenter version. |
| 1.0.32 | Added glue:GetUserDefinedFunction permission so Glue sync can read user-defined functions. |
| 1.0.31 | Added Kinesis Data Streams ingestion permissions. Added customTags support for bastion hosts. Scoped IAM permissions to the deployment region for tighter least privilege. |
| 1.0.28 | Fixed bastion AMI selection to work reliably across all AWS regions. |