Agent Observability Platform: Self-Managed Helm Install

Advanced: provision infrastructure with Terraform and manage the Helm release yourself

This is an advanced path. Most deployments should let Terraform deploy the chart in a single pass; see Installation. Use this path only if you need to manage chart upgrades and values on your own cadence.

When to use this

Set helm.deploy_charts = false to have Terraform provision the AWS infrastructure and cluster controllers only, without deploying the ao-data-platform chart. You then install and manage the Helm release yourself.

module "ao_data_platform" {
  source  = "monte-carlo-data/ao-data-platform/aws"
  version = "1.0.0"

  region = "us-east-1"

  helm = {
    deploy_charts = false
  }
}

Terraform still creates the IRSA roles, ACM certificates, KMS key, and Secrets Manager secrets; you wire their values into your Helm release (see Configure values). The Terraform-managed path is the reference implementation: when self-managing, you reproduce the same values it would otherwise pass to the chart.

1. Apply the infrastructure

Run terraform apply with helm.deploy_charts = false, then collect the outputs you will need for the chart:

terraform output

Keep these handy; the mapping table below shows where each goes:
otel_collector_irsa_role_arn, llm_worker_irsa_role_arn, otel_collector_certificate_arn, clickhouse_certificate_arn, and the Secrets Manager secret behind clickhouse_otel_credentials_secret_arn.

2. Confirm cluster prerequisites

The chart expects these to be present in the cluster (Terraform installs them unless you disabled the corresponding helm.install_* flag):

3. Configure values

At minimum, point the ClickHouse externalSecret at the AWS Secrets Manager secret holding the otel user password (the one Terraform created), wire in the IRSA roles and ACM certificates, and set the ClickHouse hostname. The chart's keys map to the Terraform outputs as follows:

| Terraform output | Chart value |
| --- | --- |
| clickhouse_otel_credentials_secret_arn (the Secrets Manager secret it points to) | clickhouse.externalSecret.remoteRef.key |
| otel_collector_irsa_role_arn | opentelemetry-collector.serviceAccount.annotations."eks.amazonaws.com/role-arn" |
| llm_worker_irsa_role_arn | llmWorker.serviceAccount.annotations."eks.amazonaws.com/role-arn" |
| clickhouse_certificate_arn | clickhouse.service.annotations (NLB TLS termination) |
| otel_collector_certificate_arn | opentelemetry-collector.service.annotations (NLB TLS termination) |

A minimal values.yaml covering the required wiring:

clickhouse:
  hostname: clickhouse.acme.com        # adds the external-dns hostname annotation
  storageClass: clickhouse-gp3         # or your own StorageClass
  storageSize: 500Gi
  externalSecret:
    secretStoreRef:
      name: aws-secretsmanager         # your ClusterSecretStore
      kind: ClusterSecretStore
    remoteRef:
      key: <otel-password-secret>      # AWS Secrets Manager secret name (otel user)
  # If you run a dedicated ClickHouse node group, match its label/taint:
  nodeSelector:
    dedicated: clickhouse
  tolerations:
    - key: dedicated
      operator: Equal
      value: clickhouse
      effect: NoSchedule

tls:
  enabled: true                        # requires cert-manager
  certManager:
    createCA: true                     # or set existingIssuerRef to reuse an Issuer

llmWorker:
  image:
    repository: montecarlodata/ao-llm-worker
    tag: "1.0.0"
  aws:
    region: us-east-1                  # Bedrock region
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <llm_worker_irsa_role_arn>

To enable the optional read-only user, set clickhouse.readonlyUser.enabled: true and configure clickhouse.readonlyUser.externalSecret the same way as the otel one.

4. Install the chart

Install the published chart from Docker Hub into the montecarlo namespace. Its subchart dependencies (the Altinity ClickHouse operator and the OpenTelemetry Collector chart) are bundled in the published OCI artifact, so no separate helm dependency build is needed:

helm install ao-data-platform oci://registry-1.docker.io/montecarlodata/ao-data-platform \
  --version 1.5.0 \
  -n montecarlo --create-namespace \
  -f values.yaml

5. Verify

Confirm the components are healthy using the checklist in Connect to Monte Carlo, then continue with the credential handoff there.
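
An added example, not part of the chart or the Terraform module: a preflight for steps 1 and 3 that checks each Terraform output is the expected kind of ARN and builds a values overlay following the mapping table. The sample outputs are constructed, and the NLB certificate annotation key and the stripping of the Secrets Manager ARN suffix to get the secret name are assumptions to confirm against the chart.

```python
import json
import re

# Constructed stand-in for `terraform output -json`; every ARN is a placeholder.
SAMPLE = json.dumps({
    "otel_collector_irsa_role_arn": {"value": "arn:aws:iam::111122223333:role/ao-otel"},
    "llm_worker_irsa_role_arn": {"value": "arn:aws:iam::111122223333:role/ao-llm"},
    "otel_collector_certificate_arn": {"value": "arn:aws:acm:us-east-1:111122223333:certificate/otel-cert"},
    "clickhouse_certificate_arn": {"value": "arn:aws:acm:us-east-1:111122223333:certificate/ch-cert"},
    "clickhouse_otel_credentials_secret_arn": {
        "value": "arn:aws:secretsmanager:us-east-1:111122223333:secret:ao/clickhouse-otel-AbC123"},
})
# Assumption: standard AWS NLB TLS annotation; the page only names *.service.annotations.
CERT_KEY = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
ROLE_KEY = "eks.amazonaws.com/role-arn"
ROLE_ARN = r"arn:aws[a-z-]*:iam::\d{12}:role/.+"
CERT_ARN = r"arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/.+"
SECRET_ARN = r"arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+-[A-Za-z0-9]{6}"

# Terraform output -> (expected ARN shape, path into the chart values).
WIRING = {
    "otel_collector_irsa_role_arn": (ROLE_ARN, ["opentelemetry-collector", "serviceAccount", "annotations", ROLE_KEY]),
    "llm_worker_irsa_role_arn": (ROLE_ARN, ["llmWorker", "serviceAccount", "annotations", ROLE_KEY]),
    "otel_collector_certificate_arn": (CERT_ARN, ["opentelemetry-collector", "service", "annotations", CERT_KEY]),
    "clickhouse_certificate_arn": (CERT_ARN, ["clickhouse", "service", "annotations", CERT_KEY]),
    "clickhouse_otel_credentials_secret_arn": (SECRET_ARN, ["clickhouse", "externalSecret", "remoteRef", "key"]),
}

def build_overlay(tf_output_json):
    """Validate the Terraform outputs and return a nested chart-values overlay."""
    outputs = json.loads(tf_output_json)
    overlay, problems = {}, []
    for name, (shape, path) in WIRING.items():
        value = (outputs.get(name) or {}).get("value")
        if not isinstance(value, str) or not re.fullmatch(shape, value):
            problems.append(f"{name}: missing or not the expected ARN type ({value!r})")
            continue
        if path[-1] == "key":
            # values.yaml takes the secret name: drop the ARN prefix and "-" + 6-char suffix.
            value = value.split(":secret:", 1)[1][:-7]
        node = overlay
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    if problems:
        raise ValueError("; ".join(problems))
    return overlay

if __name__ == "__main__":
    print(json.dumps(build_overlay(SAMPLE), indent=2))  # JSON is valid YAML for helm -f
```

Helm parses JSON as YAML, so the printed overlay can be saved to a file and passed with a second -f after values.yaml. A role ARN pasted where a certificate ARN belongs, or an output that was never collected, raises before anything reaches the cluster.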