AWS EKS with Terraform (Recommended for Production)
For AWS production deployments, use the Terraform EKS module to provision infrastructure, then deploy the application with Helm. This provides better separation of concerns and security.
New to EKS deployment? See the comprehensive EKS + Terraform deployment guide for detailed instructions on provisioning EKS infrastructure.
It also needs AWS Marketplace permissions so the first invocation of a Bedrock model can auto-subscribe the account to the model’s Marketplace offer (without these, model calls fail with a 403 access-denied error):
The recommended AWS production deployment separates infrastructure provisioning from application deployment. The Terraform EKS module supports three deployment modes:
Full Stack: Create new VPC + new EKS cluster + application infrastructure
Existing VPC: Use existing VPC + create new EKS cluster + application infrastructure
Existing EKS: Use existing VPC + existing EKS cluster + application infrastructure only
For AWS production, first provision infrastructure with EKS Terraform
module, then deploy the application with this Helm
chart. This separation provides better security, scalability, and operational
control.
Get production-ready deployment with just 5 parameters:
# Deploy with development valueshelm upgrade --install anysource . \ --namespace anysource-dev --create-namespace \ -f values-local.yaml \ --atomic --wait# OR deploy with AWS production values (requires external RDS/ElastiCache)helm upgrade --install anysource . \ --namespace anysource-prod --create-namespace \ -f values.example.yaml \ --atomic --wait
That’s it! You get production-ready defaults for everything else.
Deployment Telemetry: The chart automatically sends deployment completion events to Sentry via Helm hooks for observability. Use --atomic --wait flags to ensure both success and failure events are captured. Telemetry gracefully degrades if SENTRY_DSN is not configured.
Ensure your Kubernetes cluster has an ingress controller and certificate management for automatic SSL certificates.
See the SSL Certificate Management guide for detailed cert-manager vs ACM configuration.
Full control over all deployment settings:
# Get full configuration templatehelm show values . > values-custom.yaml# Customize all settings as needednano values-custom.yaml# Deploy with custom configurationhelm upgrade --install anysource . \ --namespace anysource --create-namespace \ --values values-custom.yaml \ --atomic --wait
Set readerHost to your RDS reader endpoint to offload read-heavy queries (audit logs, analytics) to a read replica. When omitted, all traffic goes to the primary host.
By default the chart creates a Kubernetes Secret from the values in backend.secrets. To reference a pre-existing Secret instead (useful when secrets are managed by an external operator or Vault):
backend: existingSecret: "my-backend-secret"
The Secret must contain all keys the backend expects (SECRET_KEY, MASTER_SALT, AUTH_API_KEY, and optionally SENTRY_DSN). When existingSecret is set, backend.secrets values are ignored.
If outbound HTTPS traffic passes through an enterprise proxy that terminates TLS with a private CA, mount the CA certificate so the backend trusts the proxy:
The chart appends the PEM to the container’s system CA bundle and configures Python/curl clients to use the merged file. The CA is injected into backend, worker, and cron job pods.
For pre-deployment diff capture (optional), use the wrapper script:
cd infra/aws-helm/anysource-chart# Enable pre-deployment diff telemetryDEPLOY_TELEMETRY_DIFF=true \ ./files/deploy-helm-with-telemetry.sh auto auto -f values-production.yaml
This wrapper sends an additional event with Helm diff output before deployment.
Recommended: Always use --atomic --wait flags with helm upgrade to ensure:
Deployments roll back automatically on failure
The post-rollback hook captures failure telemetry
Kubernetes waits for pods to be ready before marking success
Use our Terraform EKS module to provision production-grade infrastructure:
EKS clusters, RDS, ElastiCache, VPC, IAM roles, and monitoring. Then deploy
applications with this Helm chart.