Installation

Integrating Karini AI into your secure enterprise environment is a streamlined, efficient process. Our deployment methodology prioritizes security, simplicity, and minimal disruption to your existing infrastructure.

Through our enterprise-grade Terraform implementation, Karini AI can be seamlessly deployed within your Virtual Private Cloud (VPC) with minimal configuration requirements. This infrastructure-as-code approach ensures consistent, repeatable deployments while maintaining the highest security standards.

To begin your deployment journey, simply contact the Karini AI implementation team for personalized deployment instructions and access to our Terraform modules customized for your specific environment.

Our technical specialists will guide you through the deployment process and ensure successful integration with your existing systems, enabling your organization to quickly leverage the full capabilities of our AI solutions.

For the deployment, you can either use the Administrator role in your AWS account, so that other resources can be created, or apply the scoped-down policies shown below.

Pre-requisites:

AWS Console User

The AWS console user needs to have the following policy assigned to them:

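Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix.

Note that this policy is narrower than Administrator but still broad: apart from TerraformBackend and IAMPassRole, every statement uses "Resource": "*". The IAMManagement statement already allows iam:PassRole, iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy on every role, so the separate IAMPassRole statement limited to eks-* roles adds no further restriction. Treat the user who holds this policy as highly privileged, and narrow the resources to the deployment's own ARNs where your environment allows.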

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EKSClusterManagement",
        "Effect": "Allow",
        "Action": [
          "eks:CreateCluster",
          "eks:DeleteCluster",
          "eks:DescribeCluster",
          "eks:ListClusters",
          "eks:UpdateClusterConfig",
          "eks:UpdateClusterVersion",
          "eks:CreateAddon",
          "eks:DeleteAddon",
          "eks:DescribeAddon",
          "eks:ListAddons",
          "eks:UpdateAddon",
          "eks:CreateNodegroup",
          "eks:DeleteNodegroup",
          "eks:DescribeNodegroup",
          "eks:ListNodegroups",
          "eks:UpdateNodegroupConfig",
          "eks:UpdateNodegroupVersion"
        ],
        "Resource": "*"
      },
      {
        "Sid": "EC2Management",
        "Effect": "Allow",
        "Action": [
          "ec2:CreateSecurityGroup",
          "ec2:DeleteSecurityGroup",
          "ec2:DescribeSecurityGroups",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:CreateTags",
          "ec2:DeleteTags",
          "ec2:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeSubnets",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeRouteTables",
          "ec2:DescribeNetworkInterfaces",
          "ec2:CreateNetworkInterface",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeNetworkInterfaceAttribute",
          "ec2:CreateKeyPair",
          "ec2:DeleteKeyPair",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeImages",
          "ec2:DescribeImageAttribute",
          "ec2:RunInstances",
          "ec2:TerminateInstances",
          "ec2:StopInstances",
          "ec2:StartInstances",
          "ec2:AssociateIamInstanceProfile"
        ],
        "Resource": "*"
      },
      {
        "Sid": "IAMManagement",
        "Effect": "Allow",
        "Action": [
          "iam:CreateRole",
          "iam:DeleteRole",
          "iam:GetRole",
          "iam:ListRoles",
          "iam:CreatePolicy",
          "iam:DeletePolicy",
          "iam:GetPolicy",
          "iam:ListPolicies",
          "iam:AttachRolePolicy",
          "iam:DetachRolePolicy",
          "iam:PutRolePolicy",
          "iam:DeleteRolePolicy",
          "iam:GetRolePolicy",
          "iam:ListRolePolicies",
          "iam:CreateServiceLinkedRole",
          "iam:GetOpenIDConnectProvider",
          "iam:CreateOpenIDConnectProvider",
          "iam:DeleteOpenIDConnectProvider",
          "iam:ListOpenIDConnectProviders",
          "iam:TagRole",
          "iam:TagPolicy",
          "iam:CreateInstanceProfile",
          "iam:AddRoleToInstanceProfile",
          "iam:PassRole",
          "iam:ListInstanceProfiles",
          "iam:GetRole"
        ],
        "Resource": "*"
      },
      {
        "Sid": "IAMPassRole",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::*:role/eks-*",
        "Condition": {
          "StringEquals": {
            "iam:PassedToService": [
              "eks.amazonaws.com",
              "ec2.amazonaws.com"
            ]
          }
        }
      },
      {
        "Sid": "KMSManagement",
        "Effect": "Allow",
        "Action": [
          "kms:CreateKey",
          "kms:DescribeKey",
          "kms:EnableKey",
          "kms:ListKeys",
          "kms:PutKeyPolicy",
          "kms:ScheduleKeyDeletion",
          "kms:CreateAlias",
          "kms:DeleteAlias",
          "kms:ListAliases",
          "kms:UpdateAlias",
          "kms:TagResource"
        ],
        "Resource": "*"
      },
      {
        "Sid": "S3Management",
        "Effect": "Allow",
        "Action": [
          "s3:CreateBucket",
          "s3:DeleteBucket",
          "s3:GetBucketLocation",
          "s3:GetBucketPolicy",
          "s3:PutBucketPolicy",
          "s3:GetBucketAcl",
          "s3:PutBucketAcl",
          "s3:GetObject",
          "s3:PutObject",
          "s3:ListBucket",
          "s3:DeleteObject",
          "s3:PutBucketPublicAccessBlock",
          "s3:PutEncryptionConfiguration",
          "s3:PutLifecycleConfiguration"
        ],
        "Resource": "*"
      },
      {
        "Sid": "CloudWatchManagement",
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:DeleteLogGroup",
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "logs:PutRetentionPolicy"
        ],
        "Resource": "*"
      },
      {
        "Sid": "EFSManagement",
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:CreateFileSystem",
          "elasticfilesystem:DeleteFileSystem",
          "elasticfilesystem:DescribeFileSystems",
          "elasticfilesystem:CreateMountTarget",
          "elasticfilesystem:DeleteMountTarget",
          "elasticfilesystem:DescribeMountTargets",
          "elasticfilesystem:CreateAccessPoint",
          "elasticfilesystem:DeleteAccessPoint",
          "elasticfilesystem:DescribeAccessPoints",
          "elasticfilesystem:TagResource"
        ],
        "Resource": "*"
      },
      {
        "Sid": "LambdaManagement",
        "Effect": "Allow",
        "Action": [
          "lambda:CreateFunction",
          "lambda:DeleteFunction",
          "lambda:GetFunction",
          "lambda:ListFunctions",
          "lambda:UpdateFunctionCode",
          "lambda:UpdateFunctionConfiguration",
          "lambda:TagResource"
        ],
        "Resource": "*"
      },
      {
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:DescribeRepositories",
          "ecr:ListImages"
        ],
        "Resource": "*"
      },
      {
        "Sid": "OpenSearchManagement",
        "Effect": "Allow",
        "Action": [
          "es:CreateDomain",
          "es:DeleteDomain",
          "es:DescribeDomain",
          "es:DescribeDomains",
          "es:ListDomainNames",
          "es:UpdateDomainConfig",
          "es:AddTags",
          "es:ESHttpGet",
          "es:ESHttpPut",
          "es:ESHttpPost",
          "es:ESHttpHead"
        ],
        "Resource": "*"
      },
      {
        "Sid": "SecretsManagerManagement",
        "Effect": "Allow",
        "Action": [
          "secretsmanager:CreateSecret",
          "secretsmanager:DeleteSecret",
          "secretsmanager:DescribeSecret",
          "secretsmanager:GetSecretValue",
          "secretsmanager:ListSecrets",
          "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecret",
          "secretsmanager:TagResource"
        ],
        "Resource": "*"
      },
      {
        "Sid": "ACMManagement",
        "Effect": "Allow",
        "Action": [
          "acm:RequestCertificate",
          "acm:DescribeCertificate",
          "acm:ListCertificates",
          "acm:AddTagsToCertificate"
        ],
        "Resource": "*"
      },
      {
        "Sid": "TerraformBackend",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:ListBucket",
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:DeleteItem"
        ],
        "Resource": [
          "arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
          "arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
          "arn:aws:dynamodb:*:*:table/<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
        ]
      }
    ]
  }

EC2 Role

The EC2 role needs to have the following policy assigned:

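Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix.

As printed, the policy below is not valid JSON: there is a trailing comma after the last statement, which must be removed before the policy can be saved. The DynamoDB lock-table ARN also has an `f` before the placeholder that the console user policy above does not have; this appears to be a typo, so confirm the table name with the Karini AI implementation team.

This role is broad. IAMManagement grants role and policy management, including iam:PassRole and iam:UpdateAssumeRolePolicy, on "Resource": "*", and STSPermissions grants sts:AssumeRole on "*". Attach it only where the deployment needs it, and narrow the resources to the deployment's own ARNs where you can.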

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EKSWorkerNodePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateRouteTable",
                "ec2:CreateInternetGateway",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeAddressesAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMManagement",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:GetPolicy",
                "iam:ListPolicies",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:CreateServiceLinkedRole",
                "iam:GetOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:ListOpenIDConnectProviders",
                "iam:TagRole",
                "iam:TagPolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:PassRole",
                "iam:ListInstanceProfiles",
                "iam:GetPolicyVersion",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListInstanceProfilesForRole",
                "iam:TagOpenIDConnectProvider",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SecretsManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:DeleteSecret",
                "secretsmanager:PutSecretValue"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EFSCreatePermissions",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DeleteMountTarget"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSCreatePermissions",
            "Effect": "Allow",
            "Action": [
                "kms:CreateKey",
                "kms:TagResource",
                "kms:DescribeKey",
                "kms:CreateAlias",
                "kms:ListAliases",
                "kms:DeleteAlias"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:TagResource",
                "logs:PutRetentionPolicy",
                "logs:ListTagsForResource",
                "logs:DeleteLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VPCPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSubnet",
                "ec2:CreateSecurityGroup",
                "ec2:CreateRouteTable",
                "ec2:CreateInternetGateway",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateVpc",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeAccountAttributes",
                "ec2:ModifyVpcTenancy",
                "ec2:CreateNatGateway",
                "ec2:AllocateAddress",
                "ec2:AssociateRouteTable",
                "ec2:CreateRoute",
                "ec2:AttachInternetGateway",
                "ec2:DetachInternetGateway",
                "ec2:ModifySubnetAttribute",
                "ec2:DeleteVpc",
                "ec2:ReleaseAddress",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSubnet",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:CreateNetworkAclEntry",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DescribeAddresses",
                "ec2:DeleteNatGateway",
                "ec2:DisassociateRouteTable",
                "ec2:DeleteRoute",
                "ec2:DisassociateAddress",
                "ec2:DeleteNetworkInterface",
                "ec2:RunInstances",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DeleteLaunchTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECRPermissions",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Sid": "STSPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchAgentPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSTaggingPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:TagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LambdaPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:ListVersionsByFunction",
                "lambda:DeleteFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EKSPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:CreateCluster",
                "eks:TagResource",
                "eks:DescribeCluster",
                "eks:DeleteCluster",
                "eks:DescribeAddonVersions",
                "eks:CreateAccessEntry",
                "eks:DescribeAccessEntry",
                "eks:DeleteAccessEntry",
                "eks:CreateNodegroup",
                "eks:AssociateAccessPolicy",
                "eks:ListAssociatedAccessPolicies",
                "eks:DisassociateAccessPolicy",
                "eks:DescribeNodegroup",
                "eks:CreateAddon",
                "eks:DeleteAddon",
                "eks:DescribeAddon",
                "eks:DeleteNodegroup",
                "eks:DescribeUpdate",
                "eks:UpdateAddon"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OpenSearchPermissions",
            "Effect": "Allow",
            "Action": [
                "es:CreateDomain",
                "es:DeleteDomain",
                "es:DescribeDomain",
                "es:DescribeDomains",
                "es:ListDomainNames",
                "es:UpdateDomainConfig",
                "es:AddTags",
                "es:ESHttpGet",
                "es:ESHttpPut",
                "es:ESHttpPost",
                "es:ESHttpHead",
                "es:DescribeElasticsearchDomainConfig",
                "es:ListTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TerraformBackendPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": [
                "arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
                "arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
                "arn:aws:dynamodb:*:*:table/f<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
            ]
        },
        
    ]
}
