> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tensor9.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Installation Guide

This guide walks through the installation step by step.

<Tabs>
  <Tab title="AWS">
    ## Before You Begin

    Make sure you have:

    * Your setup link (provided by us)
    * AWS CLI installed and configured with appropriate permissions
    * Terraform installed (v1.0+)
    * Permissions to create VPCs, subnets, IAM roles, security groups, S3 buckets, and EC2 instances

    ## Step 1: Open Your Setup Link

    Open the setup link in your browser. This opens the setup wizard, a guided interface that walks you through each stage of the installation.

    ## Step 2: Select AWS and Your Region

    In the setup wizard, choose **AWS** as your environment. Select the AWS region where you want the infrastructure deployed. Pick the region closest to your users or the one that matches your compliance requirements.

    ## Step 3: Select Terraform as Your Install Method

    Choose **Terraform**. The wizard generates a Terraform configuration tailored to your selections.

    ## Step 4: Download and Apply the Infrastructure Template

    The first Terraform file creates your foundational infrastructure:

    * A VPC with public and private subnets
    * IAM roles for the controller
    * Security groups with minimal required access
    * An S3 bucket for deployment state

    **Download the file**, then run:

    ```bash theme={null}
    terraform init
    AWS_PROFILE=<YOUR_PROFILE> terraform plan    # Review what will be created
    AWS_PROFILE=<YOUR_PROFILE> terraform apply
    ```

    > **Important:** Replace `<YOUR_PROFILE>` with the name of the AWS CLI profile configured for your dedicated deployment account. Using ambient credentials (e.g., from a different account) can cause errors. You can check your available profiles with `aws configure list-profiles`.

    Review the plan output carefully - it shows exactly what resources will be created in your account. The setup wizard auto-advances when it detects the apply has completed.

    > **Tip:** You can review the `.tf` file before applying. Everything is standard Terraform - no custom providers or opaque modules.

    ## Step 5: Download and Apply the Controller Template

    Once the infrastructure is in place, a second Terraform file becomes available. This creates the EC2 instance that runs the controller.

    **Download the file**, then run:

    ```bash theme={null}
    terraform init
    AWS_PROFILE=<YOUR_PROFILE> terraform plan
    AWS_PROFILE=<YOUR_PROFILE> terraform apply
    ```

    The controller instance:

    * Runs in your private subnet (no public IP)
    * Communicates outbound only - no inbound ports are opened
    * Uses the IAM role created in the previous step

    ## Step 6: Wait for the Controller to Come Online

    After the controller template is applied, the instance boots and connects to our systems. The setup wizard shows progress in real time. This typically takes 2-5 minutes.

    ## Step 7: Configure Your Deployment

    Once the controller is online, the setup wizard moves to configuration. You'll walk through each item directly in the wizard:

    1. **DNS** - Choose a domain for the application. See [DNS and Domains](/customer/configuration/dns-and-domains).
    2. **Services** - Select any service options relevant to your deployment. See [Services](/customer/configuration/services).
    3. **Secrets** - Create any required credentials directly in your AWS account. See [Secrets](/customer/configuration/secrets).

    ## Step 8: We Deploy

    After configuration is complete, we deploy the application into the environment you prepared. The controller handles the deployment automatically - you don't need to do anything for this step.

    Once deployment completes, you'll have access to your **Customer Portal**, a web interface where you can monitor health, review and approve operations, view deployed infrastructure, and configure release windows.

    ## What Gets Created in Your Account

    | Resource        | Purpose                                     |
    | --------------- | ------------------------------------------- |
    | VPC             | Isolated network for the deployment         |
    | Public subnet   | Load balancer and NAT gateway               |
    | Private subnet  | Controller instance (no public IP)          |
    | NAT gateway     | Outbound internet access for private subnet |
    | IAM roles       | Permissions for the controller              |
    | Security groups | Network access rules (minimal)              |
    | S3 bucket       | Deployment state storage                    |
    | EC2 instance    | Runs the controller                         |

    All resources are tagged for easy identification in your AWS console.

    ## Understanding Permissions

    The controller's EC2 instance runs with an IAM instance profile. The role lives in your AWS account, and you can inspect it at any time:

    ```bash theme={null}
    aws iam get-role --role-name <controller-role-name>
    aws iam list-attached-role-policies --role-name <controller-role-name>
    ```

    To revoke access, detach the policies from the role or delete the role entirely. See [Revoking Access](/customer/security/revoking-access) for details.
  </Tab>

  <Tab title="Kubernetes">
    ## Before You Begin

    Make sure you have:

    * Your setup link (provided by us)
    * A running Kubernetes cluster (v1.24+)
    * kubectl configured and pointing at your cluster
    * Terraform installed (v1.0+)
    * Cluster admin access (to create namespaces, service accounts, roles, and deployments)

    ## Step 1: Open Your Setup Link

    Open the setup link in your browser. This opens the setup wizard, a guided interface that walks you through each stage of the installation.

    ## Step 2: Select Kubernetes

    In the setup wizard, choose **Kubernetes** as your environment. The cluster you provide is dedicated to this deployment, and the controller gets cluster-wide permissions.

    ## Step 3: Select Terraform as Your Install Method

    Choose **Terraform**. The wizard generates a Terraform configuration tailored to your environment.

    ## Step 4: Download and Apply the Controller Template

    Kubernetes installation is a single Terraform apply. The template creates everything needed:

    * A dedicated namespace for the deployment
    * Service accounts for the controller
    * RBAC roles and role bindings
    * The controller deployment and service

    **Download the file**, then run:

    ```bash theme={null}
    terraform init
    terraform plan    # Review what will be created
    terraform apply
    ```

    > **Tip:** Review the plan output before applying. You'll see exactly what namespaces, roles, and service accounts will be created. Everything uses standard Kubernetes resources - no custom resource definitions or operators required.

    ### What the Template Creates

    | Resource            | Purpose                               |
    | ------------------- | ------------------------------------- |
    | Namespace           | Isolated space for the deployment     |
    | ServiceAccounts     | Identity for the controller           |
    | ClusterRoles        | Permission definitions (cluster-wide) |
    | ClusterRoleBindings | Bind permissions to service accounts  |
    | Deployment          | The controller itself                 |
    | Service             | Network access to the controller      |

    ## Step 5: Wait for the Controller to Come Online

    After applying, the controller pod starts and connects to our systems. The setup wizard shows progress in real time. This typically takes 1-3 minutes.

    You can also watch progress with kubectl:

    ```bash theme={null}
    kubectl get pods -n <namespace> -w
    ```

    The namespace name is shown in the Terraform output.

    ## Step 6: Configure Your Deployment

    Once the controller is online, the setup wizard moves to configuration. You'll walk through each item directly in the wizard:

    1. **DNS** - Choose a domain for the application. See [DNS and Domains](/customer/configuration/dns-and-domains).
    2. **Services** - Select any service options relevant to your deployment. See [Services](/customer/configuration/services).
    3. **Secrets** - Create required credentials directly in your cluster. See [Secrets](/customer/configuration/secrets).

    ## Step 7: We Deploy

    After configuration is complete, we deploy the application into your cluster. The controller handles this automatically.

    Once deployment completes, you'll have access to your **Customer Portal**, a web interface where you can monitor health, review and approve operations, view deployed infrastructure, and configure release windows.

    ## Understanding Permissions

    The controller's service account is bound by `ClusterRole` and `ClusterRoleBinding` resources defined in the Terraform configuration you applied. Those bindings live in your cluster, and you can inspect, modify, or revoke them at any time. See [Permissions](/customer/security/permissions) and [Revoking Access](/customer/security/revoking-access).
  </Tab>
</Tabs>

## Next Steps

* [Verify Your Installation](/customer/installation/verify)
* [DNS and Domains](/customer/configuration/dns-and-domains)
* [Secrets](/customer/configuration/secrets)