This checklist must be completed and reviewed with the customer before deploying the EKB EKS infrastructure on their AWS account. All items must be confirmed, captured, and signed off prior to deployment.
Checklist
AWS Account & Access
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Account | AWS Account ID | Valid AWS Account ID must be shared | Required for IAM role creation, billing ownership, tagging, and Terraform backend access | Account ID is correct, billing enabled, and accessible | | |
| Region | AWS Region Selection | Region must support EKS, EC2, VPC, ACM, ElastiCache, Amazon MQ | Some services are region-restricted; unsupported regions break deployment | Region confirmed in AWS console and supports all required services | | |
| CLI | AWS CLI Configured | IAM User with AWS CLI authenticated | Terraform/Terragrunt deployments require programmatic access | aws sts get-caller-identity returns expected account | | |
| IAM | Deployment Permissions | Administrator IAM permissions | Deployment spans EC2, EKS, IAM, S3, ACM, Route 53, MQ, ElastiCache, CloudWatch | IAM policy allows create/update/delete on required services | | |
Service Quotas
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| EC2 | On-Demand vCPU Quota | Minimum 100–150 vCPU quota for On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances | Autoscaling, r6a instances, and Karpenter require high vCPU headroom | Quota increase approved in Service Quotas console | | |
| EC2 | Instance Families Availability | C, M, R family instances available in region | Workloads require compute, memory, and database-optimised nodes | Instance families visible and selectable in EC2 console | | |
| EKS | EKS Cluster Quota | At least 1 EKS cluster allowed based on required environment deployment | Cluster creation blocked if quota insufficient | Quota >= 1 cluster | | |
| VPC | NAT Gateway Quota | 1 NAT Gateway per AZ (recommended 3) | Private subnets require outbound internet access | Quota >= AZ count | | |
| Networking | Elastic IP Quota | Elastic IPs available for NAT Gateways | Each NAT Gateway consumes one Elastic IP | Elastic IP quota sufficient for the number of AZs | | |
| ElastiCache | ElastiCache Quota | At least 2 nodes for Redis cluster (cache.t3.micro, Redis 7.0) | Required when ENABLE_AWS_SERVICES=true | Quota >= 2 nodes | | |
| Amazon MQ | Amazon MQ Quota | At least 1 broker for RabbitMQ (mq.m5.large, RabbitMQ 3.13) | Required when ENABLE_AWS_SERVICES=true | Quota >= 1 broker | | |
Domains & SSL
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Domains | Frontend Domain | Public domain for web frontend (e.g. app.example.com) | Used for ALB routing and SSL termination | Domain resolves and ownership confirmed | | |
| Domains | Backend API Domain | Public domain for FastAPI backend (e.g. api.example.com) | Required for API access and TLS | Domain documented and approved | | |
| Domains | Automator Service Domain | Public domain for Automator Service (e.g. automations.example.com) | Required for API access and TLS | Domain documented and approved | | |
| Domains | Supabase Service Domain | When not using Supabase Cloud — public domain for Supabase (e.g. supabase.example.com) | Required for API access and TLS when self-hosting Supabase | Domain documented and approved | | |
| Certificates | ACM Certificates | Wildcard or individual ACM certificates created in the deployment region | TLS termination at ALB requires valid ACM certificates | Certificates in ISSUED state and in the same AWS region as the deployment | | |
Networking
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| VPC | VPC Strategy | Confirm existing VPC or approve new VPC creation | Defines isolation, routing, and security boundaries | VPC ID or CIDR block approved | | |
| CIDR | CIDR Planning | CIDR must not overlap with on-premises or other VPCs | Overlapping CIDRs break routing and VPN connectivity | CIDR validated against existing networks | | |
| Subnets | Public Subnets | Public subnets per AZ for ALB and NAT Gateways | Required for ingress and egress traffic | Subnets tagged and routable | | |
| Subnets | Private Subnets | Private subnets per AZ for EKS worker nodes | Ensures workloads are not directly internet-exposed | Subnets mapped and reachable via NAT Gateway | | |
| Egress | Outbound Access | Outbound ports 80, 443, 53 allowed from worker nodes | Needed for container image pulls, AWS API calls, and DNS resolution | Firewall/security group rules validated | | |
Service Configuration
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Supabase | Supabase Enablement | Confirm self-hosted Supabase (ENABLE_SUPABASE=true) or Supabase Cloud | Affects DB provisioning, secrets, ingress, and networking configuration | Decision documented; corresponding ENABLE_* flags set in deployment | | |
| AWS Services | Redis Usage | Confirm AWS ElastiCache Redis (ENABLE_AWS_SERVICES=true) or external Redis | Affects high availability, cost, and networking design | Decision documented | | |
| AWS Services | RabbitMQ Usage | Confirm Amazon MQ (ENABLE_AWS_SERVICES=true) or external RabbitMQ | Impacts messaging reliability and HA | Decision documented | | |
| Load Balancer | ALB Controller | AWS Load Balancer Controller enabled (ENABLE_ALB_CONTROLLER=true, default) | Required for ALB ingress provisioning from Kubernetes annotations | Controller pods running in infrastructure namespace | | |
Autoscaling
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Karpenter | Karpenter Installed | Karpenter controller deployed via EKS module | Handles dynamic node provisioning; replaces managed node group autoscaling | Karpenter pods healthy in dedicated node group | | |
| Karpenter | Spot Strategy | Spot vs On-Demand usage defined per node class | Optimises cost while maintaining stability; Spot interruption handling must be enabled | Interruption handling via SQS enabled if Spot instances are used | | |
| KEDA | Pod Autoscaling | KEDA installed via Helm chart (keda namespace) | Handles dynamic pod scaling based on CPU/Memory thresholds | KEDA operator pods healthy; ScaledObjects applied to all services | | |
Storage
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| EBS | EBS CSI Driver | EBS CSI driver installed (kube-system namespace) | Required for dynamic persistent volume provisioning via StorageClass | Driver pods healthy; PVCs provisioning successfully | | |
Security
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Encryption | Encryption at Rest | EBS volumes, S3 state bucket, and Redis encryption enabled | Protects sensitive data at rest across all storage layers | Encryption confirmed via AWS console for each service | | |
| Encryption | Encryption in Transit | TLS enforced for all external and internal service communication | Prevents data interception in transit | HTTPS endpoints verified; Redis transit_encryption_enabled = true | | |
| Audit | Audit Logging | CloudTrail, VPC Flow Logs, and Kubernetes audit logs enabled | Required for incident investigations, compliance, and audits | Logs visible and queryable in CloudWatch / S3 | | |
Deployment
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Schedule | Deployment Window | Deployment date and time window approved by customer | Ensures customer team availability for validation and rollback if needed | Written confirmation received | | |
Sign-off
| Area | Checklist Item | Detailed Requirement | What / Why | Acceptance Criteria | Status | Captured Values / Notes |
|---|---|---|---|---|---|---|
| Approval | Customer Approval | Customer formally approves cost estimate, scope, and deployment plan | Formal go-live authorisation required before infrastructure is provisioned | Email or signed document approval received | | |
Service Enable / Disable Flags Reference
Confirm the intended value for each flag with the customer before deployment.
| Environment Variable | Default | Effect |
|---|---|---|
| ENABLE_SUPABASE | false | Deploy self-hosted Supabase stack (Kong, Auth, Storage, Studio) |
| ENABLE_CNPG | false | Deploy CloudNativePG operator (prerequisite for self-hosted Supabase DB) |
| ENABLE_HA_SUPABASE_DB | false | Deploy HA PostgreSQL cluster via CloudNativePG (prerequisite for Supabase) |
| ENABLE_AWS_SERVICES | false | Provision ElastiCache Redis and Amazon MQ RabbitMQ |
| ENABLE_ALB_CONTROLLER | true | Deploy AWS Load Balancer Controller |
| ENABLE_SIGNOZ | false | Deploy SigNoz observability platform + k8s-infra agent |
Captured Values Summary
Record final values collected from the customer before deployment.
| Parameter | Value |
|---|---|
| AWS Account ID | |
| AWS Region | |
| VPC CIDR | |
| Availability Zones | |
| Frontend Domain | |
| API Domain | |
| Automator Domain | |
| Supabase Domain (if self-hosted) | |
| SigNoz Domain (if enabled) | |
| ACM Certificate ARN(s) | |
| Supabase Mode | Cloud / Self-hosted |
| Redis | ElastiCache / External |
| RabbitMQ | Amazon MQ / External |
| Deployment Date / Window | |
| Customer Approval Reference | |
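
Several acceptance criteria above (CIDR Planning, ACM Certificates, the NAT Gateway, Elastic IP, ElastiCache and Amazon MQ quotas, and the flag reference) can be cross-checked mechanically against the captured values before sign-off. The following is an added example, not part of the original checklist or the vendor's tooling; the dictionary keys, the function name `validate_captured`, the boolean flag representation, and the reading of the two "prerequisite" flags as required whenever ENABLE_SUPABASE=true are assumptions.

```python
import ipaddress
import re

def validate_captured(v):
    """Return findings for one set of captured checklist values (empty = pass)."""
    out = []
    if not re.fullmatch(r"\d{12}", v["account_id"]):
        out.append("account_id: expected 12 digits")
    # CIDR Planning: VPC range must not overlap on-premises or other VPCs.
    vpc = ipaddress.ip_network(v["vpc_cidr"])
    for other in v["existing_cidrs"]:
        if vpc.overlaps(ipaddress.ip_network(other)):
            out.append(f"vpc_cidr: {vpc} overlaps {other}")
    # ACM Certificates: must be in the same region as the deployment.
    for arn in v["acm_arns"]:
        parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
        if len(parts) != 6 or parts[2] != "acm":
            out.append(f"acm_arns: not an ACM ARN: {arn}")
        elif parts[3] != v["region"]:
            out.append(f"acm_arns: certificate in {parts[3]}, deployment in {v['region']}")
    # Flags: prerequisites as read from the Effect column (an assumption).
    flags = v["flags"]
    if flags.get("ENABLE_SUPABASE"):
        for dep in ("ENABLE_CNPG", "ENABLE_HA_SUPABASE_DB"):
            if not flags.get(dep):
                out.append(f"flags: ENABLE_SUPABASE=true requires {dep}=true")
    # Quotas: the checklist asks for NAT Gateway and Elastic IP quota >= AZ count.
    quotas, az_count = v["quotas"], len(v["azs"])
    for name in ("nat_gateways", "elastic_ips"):
        if quotas[name] < az_count:
            out.append(f"quotas: {name}={quotas[name]} < {az_count} AZs")
    if flags.get("ENABLE_AWS_SERVICES"):
        if quotas["elasticache_nodes"] < 2:
            out.append("quotas: ElastiCache needs >= 2 nodes")
        if quotas["mq_brokers"] < 1:
            out.append("quotas: Amazon MQ needs >= 1 broker")
    return out

# Constructed sample values, not taken from any real account.
SAMPLE = {
    "account_id": "123456789012", "region": "eu-west-1",
    "vpc_cidr": "10.40.0.0/16", "existing_cidrs": ["10.40.128.0/20", "172.16.0.0/12"],
    "azs": ["eu-west-1a", "eu-west-1b", "eu-west-1c"],
    "acm_arns": ["arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"],
    "flags": {"ENABLE_SUPABASE": True, "ENABLE_CNPG": True, "ENABLE_AWS_SERVICES": True},
    "quotas": {"nat_gateways": 5, "elastic_ips": 2, "elasticache_nodes": 2, "mq_brokers": 1},
}

if __name__ == "__main__":
    for finding in validate_captured(SAMPLE):
        print("FAIL", finding)
```

The constructed sample fails on four items: an overlapping CIDR, a certificate issued in a different region from the deployment, a missing Supabase prerequisite flag, and too few Elastic IPs for three AZs.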