Operations

Terraform

The Terraform configuration in infra/terraform/ provisions the AWS resources that the gateway and operator need. It is opinionated about the resources hev layer needs to behave correctly and conservative about resources around it. Route53 hosted zones and ACM certificates are opt-in; most installs bring existing DNS and TLS.

What it sets up

Resource	Purpose
S3 bucket	Durable storage for namespace snapshots, search history, and clickstream events.
IAM roles + IRSA policies	Gateway S3 access, dashboard cost-read access, and worker/operator AWS access.
ECR repositories	Image registry for the gateway, operator, and customer-built function images.
EKS + VPC + node pools	Recommended fresh-cluster runtime for design partners.
Route53 + ACM	Optional DNS zones, records, and TLS certificates when `manage_public_dns=true`.

Cluster: recommended

Design-partner installs should use a fresh EKS cluster unless there is a specific reason to bind hev layer to an existing one. The cluster path provisions:

a VPC with the subnets, NAT, and endpoints hev layer expects
an EKS control plane and node groups
Karpenter for node autoscaling
the AWS Load Balancer Controller for ingress
EFS for shared persistent volumes

Cost notes

The Terraform is designed to deploy a cost-efficient AWS footprint with autoscaling for on-demand indexing work. At rest, the fixed costs are mostly EKS, NAT when private workers need third-party egress, and small storage lines. Indexing bursts scale worker nodes up through Karpenter and back down when queues drain.

Heavier search use cases may need more read-side infrastructure: additional gateway replicas, larger document-cache nodes, or dedicated node pools for steady read traffic. Contact hev layer for help sizing read-heavy deployments.

Outputs

Terraform emits the values the Helm chart needs to install: the S3 bucket name, gateway IRSA role ARN, dashboard cost-read role ARN, ECR image URLs, and cluster metadata. Pass these into the Helm values file described in Helm Install.