Checklist
AWS Account & Access
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Account | AWS Account ID | Valid AWS Account ID must be shared | Required for IAM role creation, billing ownership, tagging, and Terraform backend access | Account ID is correct, billing enabled, and accessible | ||
| Region | AWS Region Selection | Region must support EKS, EC2, VPC, ACM, ElastiCache, Amazon MQ | Some services are region-restricted; unsupported regions break deployment | Region confirmed in AWS console and supports all required services | ||
| CLI | AWS CLI Configured | IAM User with AWS CLI authenticated | Terraform/Terragrunt deployments require programmatic access | aws sts get-caller-identity returns expected account | ||
| IAM | Deployment Permissions | Administrator IAM permissions | Deployment spans EC2, EKS, IAM, S3, ACM, Route 53, MQ, ElastiCache, CloudWatch | IAM policy allows create/update/delete on required services | ||
Service Quotas
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| EC2 | On-Demand vCPU Quota | Minimum 100–150 vCPU quota for On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances | Autoscaling, r6a instances, and Karpenter require high vCPU headroom | Quota increase approved in Service Quotas console | ||
| EC2 | Instance Families Availability | C, M, R family instances available in region | Workloads require compute, memory, and database-optimised nodes | Instance families visible and selectable in EC2 console | ||
| EKS | EKS Cluster Quota | At least 1 EKS cluster allowed (one per environment to be deployed) | Cluster creation is blocked if the quota is insufficient | Quota >= 1 cluster | ||
| VPC | NAT Gateway Quota | 1 NAT Gateway per AZ (recommended 3) | Private subnets require outbound internet access | Quota >= AZ count | ||
| Networking | Elastic IP Quota | Elastic IPs available for NAT Gateways | Each NAT Gateway consumes one Elastic IP | Elastic IP quota sufficient for the number of AZs | ||
| ElastiCache | ElastiCache Quota | At least 2 nodes for Redis cluster (cache.t3.micro, Redis 7.0) | Required when ENABLE_AWS_SERVICES=true | Quota >= 2 nodes | ||
| Amazon MQ | Amazon MQ Quota | At least 1 broker for RabbitMQ (mq.m5.large, RabbitMQ 3.13) | Required when ENABLE_AWS_SERVICES=true | Quota >= 1 broker | ||
Domains & SSL
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Domains | Frontend Domain | Public domain for web frontend (e.g. app.example.com) | Used for ALB routing and SSL termination | Domain resolves and ownership confirmed | ||
| Domains | Backend API Domain | Public domain for FastAPI backend (e.g. api.example.com) | Required for API access and TLS | Domain documented and approved | ||
| Domains | Automator Service Domain | Public domain for Automator Service (e.g. automations.example.com) | Required for API access and TLS | Domain documented and approved | ||
| Domains | Supabase Service Domain | When not using Supabase Cloud — public domain for Supabase (e.g. supabase.example.com) | Required for API access and TLS when self-hosting Supabase | Domain documented and approved | ||
| Certificates | ACM Certificates | Wildcard or individual ACM certificates created in the deployment region | TLS termination at ALB requires valid ACM certificates | Certificates in ISSUED state and in the same AWS region as the deployment | ||
Networking
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| VPC | VPC Strategy | Confirm existing VPC or approve new VPC creation | Defines isolation, routing, and security boundaries | VPC ID or CIDR block approved | ||
| CIDR | CIDR Planning | CIDR must not overlap with on-premises or other VPCs | Overlapping CIDRs break routing and VPN connectivity | CIDR validated against existing networks | ||
| Subnets | Public Subnets | Public subnets per AZ for ALB and NAT Gateways | Required for ingress and egress traffic | Subnets tagged and routable | ||
| Subnets | Private Subnets | Private subnets per AZ for EKS worker nodes | Ensures workloads are not directly internet-exposed | Subnets mapped and reachable via NAT Gateway | ||
| Egress | Outbound Access | Outbound ports 80, 443, 53 allowed from worker nodes | Needed for container image pulls, AWS API calls, and DNS resolution | Firewall/security group rules validated | ||
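The VPC, CIDR and subnet rows above describe checks that can be scripted before a CIDR block is approved: no overlap with on-premises ranges or other VPCs, and enough address space for a public and a private subnet in every AZ. The Python below is an added example, not part of the deployment's Terraform/Terragrunt code. The CIDRs and AZ names are constructed sample values, the /20 private and /24 public subnet sizes are this example's own assumption, and the "three AZs" warning is taken from the NAT Gateway quota row (one per AZ, recommended 3).

```python
"""CIDR planning checks for the Networking section of the checklist.

Added example; not part of the deployment's Terraform/Terragrunt code.
Every CIDR and AZ name used here is a constructed sample value.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


def overlapping_cidrs(proposed: str, existing: Iterable[str]) -> list[str]:
    """Return the existing CIDRs (on-prem ranges, peered VPCs) that overlap the proposed VPC CIDR."""
    vpc = ipaddress.ip_network(proposed, strict=True)
    return [c for c in existing if vpc.overlaps(ipaddress.ip_network(c, strict=True))]


def plan_subnets(vpc_cidr: str, azs: list[str], private_prefix: int = 20,
                 public_prefix: int = 24) -> dict[str, dict[str, str]]:
    """Carve one private and one public subnet per AZ out of the VPC CIDR.

    Private subnets (EKS worker nodes and their pod IPs) get the larger blocks;
    the public subnets (ALB, NAT Gateway) share one private-sized block that is
    split into smaller pieces. The prefix sizes are this example's assumption,
    not a checklist requirement. Raises ValueError when the VPC is too small.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.prefixlen >= private_prefix:
        raise ValueError(f"{vpc_cidr} cannot hold /{private_prefix} private subnets")
    if public_prefix <= private_prefix or len(azs) > 2 ** (public_prefix - private_prefix):
        raise ValueError(f"one /{private_prefix} block cannot hold {len(azs)} /{public_prefix} public subnets")
    blocks = vpc.subnets(new_prefix=private_prefix)
    plan: dict[str, dict[str, str]] = {}
    try:
        for az in azs:
            plan[az] = {"private": str(next(blocks))}
        public_block = next(blocks)  # one more block, shared by all public subnets
    except StopIteration:
        raise ValueError(f"{vpc_cidr} is too small for {len(azs)} AZs") from None
    for az, public in zip(azs, public_block.subnets(new_prefix=public_prefix)):
        plan[az]["public"] = str(public)
    return plan


def check_network_plan(vpc_cidr: str, existing: Iterable[str], azs: list[str]) -> list[str]:
    """Run the checks behind the VPC/CIDR/Subnet rows; an empty list means they pass."""
    try:
        ipaddress.ip_network(vpc_cidr, strict=True)  # rejects host bits and malformed input
    except ValueError as exc:
        return [f"invalid VPC CIDR: {exc}"]
    findings = [f"VPC CIDR {vpc_cidr} overlaps existing network {c}"
                for c in overlapping_cidrs(vpc_cidr, existing)]
    if len(azs) < 3:
        findings.append(f"{len(azs)} AZ(s) planned; the checklist recommends one NAT Gateway in each of 3 AZs")
    try:
        plan_subnets(vpc_cidr, azs)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample: a proposed /16 checked against two existing networks.
    azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    print(check_network_plan("10.0.0.0/16", ["10.1.0.0/16", "172.16.0.0/12"], azs) or "no findings")
    for az, nets in plan_subnets("10.0.0.0/16", azs).items():
        print(az, nets)
```

Record the approved CIDR and the per-AZ subnets in the Captured Values Summary once `check_network_plan` returns no findings; the overlap list is the evidence for the "CIDR validated against existing networks" acceptance criterion.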
Service Configuration
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Supabase | Supabase Enablement | Confirm self-hosted Supabase (ENABLE_SUPABASE=true) or Supabase Cloud | Affects DB provisioning, secrets, ingress, and networking configuration | Decision documented; corresponding ENABLE_* flags set in deployment | ||
| AWS Services | Redis Usage | Confirm AWS ElastiCache Redis (ENABLE_AWS_SERVICES=true) or external Redis | Affects high availability, cost, and networking design | Decision documented | ||
| AWS Services | RabbitMQ Usage | Confirm Amazon MQ (ENABLE_AWS_SERVICES=true) or external RabbitMQ | Impacts messaging reliability and HA | Decision documented | ||
| Load Balancer | ALB Controller | AWS Load Balancer Controller enabled (ENABLE_ALB_CONTROLLER=true, default) | Required for ALB ingress provisioning from Kubernetes annotations | Controller pods running in infrastructure namespace | ||
Autoscaling
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Karpenter | Karpenter Installed | Karpenter controller deployed via EKS module | Handles dynamic node provisioning; replaces managed node group autoscaling | Karpenter pods healthy in dedicated node group | ||
| Karpenter | Spot Strategy | Spot vs On-Demand usage defined per node class | Optimises cost while maintaining stability; Spot interruption handling must be enabled | Interruption handling via SQS enabled if Spot instances are used | ||
| KEDA | Pod Autoscaling | KEDA installed via Helm chart (keda namespace) | Handles dynamic pod scaling based on CPU/Memory thresholds | KEDA operator pods healthy; ScaledObjects applied to all services | ||
Storage
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| EBS | EBS CSI Driver | EBS CSI driver installed (kube-system namespace) | Required for dynamic persistent volume provisioning via StorageClass | Driver pods healthy; PVCs provisioning successfully | ||
Security
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Encryption | Encryption at Rest | EBS volumes, S3 state bucket, and Redis encryption enabled | Protects sensitive data at rest across all storage layers | Encryption confirmed via AWS console for each service | ||
| Encryption | Encryption in Transit | TLS enforced for all external and internal service communication | Prevents data interception in transit | HTTPS endpoints verified; Redis transit_encryption_enabled = true | ||
| Audit | Audit Logging | CloudTrail, VPC Flow Logs, and Kubernetes audit logs enabled | Required for incident investigations, compliance, and audits | Logs visible and queryable in CloudWatch / S3 | ||
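The encryption rows are confirmed from AWS API output rather than from the console alone: `Encrypted` on each EBS volume, `AtRestEncryptionEnabled` and `TransitEncryptionEnabled` on the ElastiCache replication group, and the default server-side encryption rule on the Terraform state bucket. The Python below is an added example, not part of the project's tooling. It evaluates already-captured JSON from `aws elasticache describe-replication-groups`, `aws ec2 describe-volumes` and `aws s3api get-bucket-encryption` so it runs offline; the sample documents at the bottom are constructed and do not come from a real account.

```python
"""Encryption evidence check for the Security section of the checklist.

Added example, not project tooling. Each function takes the parsed JSON of
one AWS CLI command (named in its docstring) so the check runs offline.
The sample documents at the bottom are constructed, not real account output.
"""
from __future__ import annotations

import json


def elasticache_findings(describe_rg: dict) -> list[str]:
    """Check `aws elasticache describe-replication-groups` output for at-rest and transit encryption."""
    findings: list[str] = []
    for rg in describe_rg.get("ReplicationGroups", []):
        rid = rg.get("ReplicationGroupId", "<unknown>")
        if rg.get("AtRestEncryptionEnabled") is not True:
            findings.append(f"elasticache {rid}: at-rest encryption not enabled")
        if rg.get("TransitEncryptionEnabled") is not True:
            findings.append(f"elasticache {rid}: transit encryption not enabled")
    return findings


def ebs_findings(describe_volumes: dict) -> list[str]:
    """Check `aws ec2 describe-volumes` output; every volume must report Encrypted=true."""
    return [
        f"ebs {v.get('VolumeId', '<unknown>')}: not encrypted"
        for v in describe_volumes.get("Volumes", [])
        if v.get("Encrypted") is not True
    ]


def s3_findings(bucket: str, bucket_encryption: dict | None) -> list[str]:
    """Check `aws s3api get-bucket-encryption` output for the Terraform state bucket.

    Pass None when the call returned no configuration at all.
    """
    if not bucket_encryption:
        return [f"s3 {bucket}: no default encryption configuration"]
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(algorithms):
        return [f"s3 {bucket}: no default SSE algorithm set"]
    return []


def all_findings(describe_rg: dict, describe_volumes: dict, bucket: str,
                 bucket_encryption: dict | None) -> list[str]:
    """Combine the three checks; an empty list satisfies the Encryption at Rest / in Transit rows."""
    return (elasticache_findings(describe_rg)
            + ebs_findings(describe_volumes)
            + s3_findings(bucket, bucket_encryption))


# Constructed sample CLI output (not from a real account). One replication group
# and one volume are deliberately non-compliant so the findings are visible.
SAMPLE_RG = json.loads("""{"ReplicationGroups": [
  {"ReplicationGroupId": "app-cache", "AtRestEncryptionEnabled": true, "TransitEncryptionEnabled": true},
  {"ReplicationGroupId": "legacy-cache", "AtRestEncryptionEnabled": true, "TransitEncryptionEnabled": false}
]}""")
SAMPLE_VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-0example1", "Encrypted": true, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/example"},
  {"VolumeId": "vol-0example2", "Encrypted": false}
]}""")
SAMPLE_BUCKET_ENC = json.loads("""{"ServerSideEncryptionConfiguration": {"Rules": [
  {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}, "BucketKeyEnabled": true}
]}}""")

if __name__ == "__main__":
    for line in all_findings(SAMPLE_RG, SAMPLE_VOLUMES, "tf-state-example", SAMPLE_BUCKET_ENC):
        print(line)
```

In practice the three JSON documents are captured with the AWS CLI into files and loaded with `json.load`; keeping the captured files alongside the checklist gives the "Encryption confirmed via AWS console for each service" row a reproducible artefact instead of a screenshot.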
Deployment
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Schedule | Deployment Window | Deployment date and time window approved by customer | Ensures customer team availability for validation and rollback if needed | Written confirmation received | ||
Sign-off
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Approval | Customer Approval | Customer formally approves cost estimate, scope, and deployment plan | Formal go-live authorisation required before infrastructure is provisioned | Email or signed document approval received | ||
Service Enable / Disable Flags Reference
Confirm the intended value for each flag with the customer before deployment.

| Environment Variable | Default | Effect |
|---|---|---|
| ENABLE_SUPABASE | false | Deploy self-hosted Supabase stack (Kong, Auth, Storage, Studio) |
| ENABLE_CNPG | false | Deploy CloudNativePG operator (prerequisite for self-hosted Supabase DB) |
| ENABLE_HA_SUPABASE_DB | false | Deploy HA PostgreSQL cluster via CloudNativePG (prerequisite for Supabase) |
| ENABLE_AWS_SERVICES | false | Provision ElastiCache Redis and Amazon MQ RabbitMQ |
| ENABLE_ALB_CONTROLLER | true | Deploy AWS Load Balancer Controller |
| ENABLE_SIGNOZ | false | Deploy SigNoz observability platform + k8s-infra agent |
Captured Values Summary
Record final values collected from the customer before deployment.

| Parameter | Value |
|---|---|
| AWS Account ID | |
| AWS Region | |
| VPC CIDR | |
| Availability Zones | |
| Frontend Domain | |
| API Domain | |
| Automator Domain | |
| Supabase Domain (if self-hosted) | |
| SigNoz Domain (if enabled) | |
| ACM Certificate ARN(s) | |
| Supabase Mode | Cloud / Self-hosted |
| Redis | ElastiCache / External |
| RabbitMQ | Amazon MQ / External |
| Deployment Date / Window | |
| Customer Approval Reference | |
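The flags reference and the captured values summary above encode dependencies that are easy to miss when filled in by hand: self-hosted Supabase needs the HA PostgreSQL cluster, which in turn needs the CloudNativePG operator; a self-hosted Supabase or enabled SigNoz needs its own domain; ENABLE_AWS_SERVICES=true needs the ElastiCache (2 nodes) and Amazon MQ (1 broker) quotas from the Service Quotas table. The Python below is an added example that cross-checks a flag set against the captured values. It is not the deployment tooling's own validation (the page does not say whether the tooling enforces these rules); the defaults and dependency chain are taken from the tables, while the captured-values key names and the sample values are this example's own construction.

```python
"""Consistency check of the ENABLE_* flags against the captured values.

Added example; the checklist does not say whether the deployment tooling
enforces these rules, so treat this as a pre-deployment review aid. Defaults
and the dependency chain (Supabase -> HA DB -> CNPG) come from the flags
table; the captured-values key names below are this example's own choice.
"""
from __future__ import annotations

import re

# Defaults exactly as listed in the "Service Enable / Disable Flags Reference" table.
FLAG_DEFAULTS = {
    "ENABLE_SUPABASE": False,
    "ENABLE_CNPG": False,
    "ENABLE_HA_SUPABASE_DB": False,
    "ENABLE_AWS_SERVICES": False,
    "ENABLE_ALB_CONTROLLER": True,
    "ENABLE_SIGNOZ": False,
}


def parse_flags(env: dict[str, str]) -> dict[str, bool]:
    """Apply the documented defaults, then override from environment strings ("true"/"false")."""
    flags = dict(FLAG_DEFAULTS)
    for name in FLAG_DEFAULTS:
        raw = env.get(name)
        if raw is None:
            continue
        value = raw.strip().lower()
        if value not in ("true", "false"):
            raise ValueError(f"{name}={raw!r}: expected true or false")
        flags[name] = value == "true"
    return flags


def validate(flags: dict[str, bool], captured: dict) -> list[str]:
    """Return findings; an empty list means flags and captured values are consistent."""
    f: list[str] = []
    if not re.fullmatch(r"\d{12}", str(captured.get("aws_account_id", ""))):
        f.append("AWS Account ID must be a 12-digit number")
    for key in ("frontend_domain", "api_domain", "automator_domain"):
        if not captured.get(key):
            f.append(f"{key} is required for ALB routing and TLS")
    if flags["ENABLE_SUPABASE"] and not flags["ENABLE_HA_SUPABASE_DB"]:
        f.append("ENABLE_SUPABASE=true requires ENABLE_HA_SUPABASE_DB=true")
    if flags["ENABLE_HA_SUPABASE_DB"] and not flags["ENABLE_CNPG"]:
        f.append("ENABLE_HA_SUPABASE_DB=true requires ENABLE_CNPG=true")
    if flags["ENABLE_SUPABASE"] and not captured.get("supabase_domain"):
        f.append("self-hosted Supabase needs a Supabase domain")
    if captured.get("supabase_mode") == "Self-hosted" and not flags["ENABLE_SUPABASE"]:
        f.append("Supabase Mode is Self-hosted but ENABLE_SUPABASE is false")
    if flags["ENABLE_SIGNOZ"] and not captured.get("signoz_domain"):
        f.append("ENABLE_SIGNOZ=true needs a SigNoz domain")
    if flags["ENABLE_AWS_SERVICES"]:
        quotas = captured.get("quotas", {})
        if quotas.get("elasticache_nodes", 0) < 2:
            f.append("ENABLE_AWS_SERVICES=true needs an ElastiCache quota of at least 2 nodes")
        if quotas.get("mq_brokers", 0) < 1:
            f.append("ENABLE_AWS_SERVICES=true needs an Amazon MQ quota of at least 1 broker")
    if not flags["ENABLE_ALB_CONTROLLER"]:
        f.append("ENABLE_ALB_CONTROLLER=false: ALB ingress will not be provisioned from annotations")
    return f


# Constructed sample input: Supabase and AWS services enabled, CNPG/HA DB left at defaults.
SAMPLE_ENV = {"ENABLE_SUPABASE": "true", "ENABLE_AWS_SERVICES": "true"}
SAMPLE_CAPTURED = {
    "aws_account_id": "111122223333",
    "frontend_domain": "app.example.com",
    "api_domain": "api.example.com",
    "automator_domain": "automations.example.com",
    "supabase_mode": "Self-hosted",
    "quotas": {"elasticache_nodes": 2, "mq_brokers": 1},
}

if __name__ == "__main__":
    for line in validate(parse_flags(SAMPLE_ENV), SAMPLE_CAPTURED) or ["no findings"]:
        print(line)
```

Run against the constructed sample, the check reports the missing ENABLE_HA_SUPABASE_DB flag and the missing Supabase domain; setting ENABLE_HA_SUPABASE_DB and ENABLE_CNPG to true and recording the domain clears both, which is the state the Captured Values Summary should be in before sign-off.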