AWS Deployment Guide
This Quick Start guide provides instructions for deploying a self-hosted CloudQuery Platform in Amazon Web Services (AWS). CloudQuery is an open-source, high-performance data integration platform that helps you transform your cloud infrastructure into queryable datasets.
This deployment is for customers who want to self-host a complete CloudQuery Cloud Governance solution. During deployment, customers can configure the AWS CloudFormation templates to define the desired cluster configuration and settings.
Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following CloudQuery environment in the AWS Cloud using a combination of CloudFormation (for infrastructure deployment) and Helm (for application deployment in the Kubernetes clusters).
As shown in the diagram, the Quick Start sets up the following:
A highly available architecture that spans two Availability Zones.
A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.
An internet gateway to allow internet access for load balancers.
In the public subnets:
Managed NAT gateways to allow outbound internet access for resources in the private subnets.
Public load balancers for ingress traffic to the platform.
In the private subnets:
An Amazon EKS cluster for running the CloudQuery platform components
Worker nodes in an Auto Scaling group
Private subnets for the database tier
In the database subnets:
Amazon RDS PostgreSQL instance for platform state storage
Isolated network tier with no direct internet access
Additional Components:
AWS Secrets Manager for secure credentials storage
IAM roles and security groups for least-privilege access
The NGINX ingress controller provides L7 load balancing:
Terminates TLS at the edge
Provides URL-based routing
Integrates with cert-manager for automatic TLS
External Secrets Operator (ESO) provides a vendor-agnostic approach to secrets management in Kubernetes. It allows CloudQuery to:
Securely fetch secrets from AWS Secrets Manager
Automatically sync secrets to Kubernetes
Rotate credentials without pod restarts
Support multiple secret backends if needed
Cert-Manager automates certificate management within Kubernetes:
Automatically provisions TLS certificates from Let's Encrypt
Handles certificate renewal
Integrates with ingress resources
Provides vendor-agnostic certificate management
The installation guide provides two installation options using a CloudFormation template:
a complete infrastructure deployment (including VPC, EKS, and PostgreSQL), and
a minimal deployment that works with your existing EKS installation.
AWS CLI v2.x
kubectl v1.30 or later
Helm v3.x
The minimal deployment requires additional prerequisites:
An existing EKS cluster
A Postgres Database and a connection string
A VPC
The AWS user/role executing the installation needs permissions for:
CloudFormation full access
EKS admin access
IAM create/modify permission
VPC full access
RDS full access
Secrets Manager write access
This option will install everything you need as part of one CloudFormation stack, including a VPC, EKS, and PostgreSQL.
Generate a private key:
Deploy the CloudFormation stack
Wait for stack deployment to complete (this can take around 20 minutes).
This option assumes you already have a VPC, Postgres database and EKS cluster configured.
Generate a private key:
Configure the following environment variables
The EKS OIDC provider URL can be found on the EKS cluster overview page:
Deploy the CloudFormation stack
Wait for stack deployment to complete (this can take around 20 minutes).
Once the stack creation is complete, configure access to the cluster
Add and update the required Helm dependencies
Install the dependent operators
Create a Helm values YAML file (e.g. platform-values.yml), filling in the relevant variables. See the table below for an explanation of each.
secrets-region: The AWS region where the cluster secrets are stored, which should be the same region as the cluster.
secrets-key: The full ARN of the secret in AWS Secrets Manager. This can be found in the CloudFormation stack output variable CloudQueryPlatformSecrets.
secret-role-ARN: The full ARN of the AWS IAM role used by the secrets operator to fetch the secrets. This can be found in the CloudFormation stack output variable ExternalSecretsRole.
email-address: The email address to use with Let's Encrypt for certificate registration.
domain: The domain for which a certificate will be created. This needs to be a domain you own and are able to create DNS records for.
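The following manifests are an added example, not from the CloudQuery guide or its Helm chart, showing how the secrets-region, secrets-key and secret-role-ARN values map onto External Secrets Operator objects (an IRSA-annotated ServiceAccount, a SecretStore and an ExternalSecret). Resource names, the namespace and the <...> placeholders are assumptions.

```yaml
# Added example: External Secrets Operator wired to AWS Secrets Manager via IRSA.
# Values in <...> are placeholders; the Helm variable each one corresponds to is noted.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudquery-external-secrets      # assumed name
  namespace: cloudquery                   # assumed namespace
  annotations:
    # secret-role-ARN: the role ESO assumes (CloudFormation output ExternalSecretsRole)
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ExternalSecretsRole>
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: cloudquery
spec:
  provider:
    aws:
      service: SecretsManager
      region: <secrets-region>            # secrets-region: same region as the cluster
      auth:
        jwt:
          serviceAccountRef:
            name: cloudquery-external-secrets   # no static AWS keys in the cluster
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudquery-platform-secrets
  namespace: cloudquery
spec:
  refreshInterval: 1h                     # periodic re-sync picks up rotated values
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: cloudquery-platform-secrets     # Kubernetes Secret that ESO creates/updates
    creationPolicy: Owner
  dataFrom:
    # secrets-key: full ARN of the secret (CloudFormation output CloudQueryPlatformSecrets)
    - extract:
        key: arn:aws:secretsmanager:<secrets-region>:<ACCOUNT_ID>:secret:<secret-name>
```

After applying, `kubectl get externalsecret -n cloudquery` should show the resource as SecretSynced; a failing status usually points at the IAM trust policy for the role or at a region/ARN mismatch.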
Install the CloudQuery platform
Install the CloudQuery operator
Retrieve the hostname of the NLB
Add a DNS CNAME record at your DNS provider that points the domain you selected in the previous section to this hostname; this directs traffic to your ingress and allows the certificate verification to complete.
Verify all components are running
Check ingress status
Check certificates status
Note: It may take from a few minutes to a few hours for the certificates to be installed. This mostly depends on DNS propagation and caching.
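To show why the CNAME record must resolve before the certificate appears, here is an added example (not from the CloudQuery guide or its Helm chart) of a Let's Encrypt ClusterIssuer using the HTTP-01 challenge through the NGINX ingress controller, together with an Ingress that requests the certificate. <email-address> and <domain> are the Helm variables of the same name; the namespace, service name and port are assumptions.

```yaml
# Added example: cert-manager ClusterIssuer for Let's Encrypt plus a TLS Ingress.
# The HTTP-01 solver is answered via the NGINX ingress behind the public NLB, so the
# DNS CNAME must already point at the NLB hostname or the challenge fails.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email-address>                 # email-address: Let's Encrypt registration
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx        # challenge served by the NGINX ingress controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cloudquery-platform                # assumed name
  namespace: cloudquery                    # assumed namespace
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # redirect HTTP once TLS is in place
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - <domain>                         # domain: must be one you control
      secretName: cloudquery-platform-tls  # cert-manager writes the cert and key here
  rules:
    - host: <domain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cloudquery-platform  # assumed platform Service
                port:
                  number: 80
```

While iterating on DNS, point the issuer at https://acme-staging-v02.api.letsencrypt.org/directory instead, so repeated failed attempts do not consume production rate limits; `kubectl describe certificate cloudquery-platform-tls -n cloudquery` shows the current challenge state.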
See Platform Activation for how to activate your new CloudQuery installation.
See Adding S3-to-SQS notifications for information on how to set up an SQS queue which will receive `s3:ObjectCreated:*` messages when items are added to an existing bucket.
A CloudQuery activation key. This is usually an API key from . For more information, see .
ClickHouse Database and a ClickHouse DSN string (See for help).
Configure the following environment variables (see above for how to obtain these):
Download the CloudFormation template from:
(Example: wget https://cq-cloud-cloudformation-templates.s3.us-east-1.amazonaws.com/cq-platform/template.yml)
Continue to .
Once installed, log into the platform at https://<your-domain> using a username of and password pass - this will be changed on first login. Follow the setup instructions in the platform UI.