- Overview
- Architecture
- Prerequisites
- Getting Started
- CLI Tool
- Deploying Kubrick
- Working with Existing Secrets
- Troubleshooting
- Cleanup and Management
- Advanced Configurations
- IaC File Structure
## Overview

The Kubrick Terraform directory provides everything you need to set up Kubrick in a production environment. Using Terraform, you can deploy the required AWS infrastructure, including Lambda, API Gateway, CloudFront, S3, SQS, and RDS. This guide walks you through provisioning Kubrick's architecture with Terraform.
## Architecture

Kubrick deploys a complete serverless architecture on AWS with the following components:
- AWS Lambda - Serverless compute for video processing and API logic
- API Gateway - REST API endpoints and request routing for frontend communication
- CloudFront - Content delivery network for fast global asset delivery
- S3 Buckets - Object storage for video uploads and static content
- SQS Queues - Message queuing for asynchronous video processing workflows
- RDS PostgreSQL - Managed database for persistent application data
- Secrets Manager - Encrypted storage for database credentials and API keys
- IAM Roles & Policies - Security permissions and access control for all services
## Prerequisites

Before deploying Kubrick, ensure you have the following:
- Terraform (>= 1.0) - Installation Guide
- AWS CLI (>= 2.15.0) - Installation Guide
- Python (>= 3.13) - Installation Guide
- uv - Installation Guide
- Node.js (>= 24.2.0) & npm (>= 11.4.2) - Installation Guide
- AWS Account with appropriate permissions
- AWS CLI configured with credentials (`aws configure`)
- TwelveLabs API Key - Get your API key
Your AWS user/role needs the following permissions to deploy Kubrick:
- AmazonS3FullAccess
- AWSLambda_FullAccess
- AmazonAPIGatewayAdministrator
- CloudFrontFullAccess
- AmazonSQSFullAccess
- AmazonRDSFullAccess
- SecretsManagerReadWrite
- IAMFullAccess
Note: For production deployments, consider using more restrictive custom policies following the principle of least privilege.
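If you manage permissions with the AWS CLI, the managed policies above can be attached in a loop. A minimal sketch that only *prints* the commands for review rather than executing them (the IAM user name is a placeholder assumption):

```shell
#!/bin/sh
# Print (not execute) the attach-user-policy commands for the managed
# policies Kubrick needs. USER_NAME is a placeholder assumption.
USER_NAME="kubrick-deployer"

count=0
for policy in AmazonS3FullAccess AWSLambda_FullAccess \
    AmazonAPIGatewayAdministrator CloudFrontFullAccess \
    AmazonSQSFullAccess AmazonRDSFullAccess \
    SecretsManagerReadWrite IAMFullAccess; do
  echo "aws iam attach-user-policy --user-name $USER_NAME --policy-arn arn:aws:iam::aws:policy/$policy"
  count=$((count + 1))
done
echo "$count policies listed"
```

Once you have reviewed the printed commands, run them yourself (or pipe the output to `sh`).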
## Getting Started

- Clone the Repository:

  ```bash
  git clone https://github.com/kubrick-ai/kubrick.git
  ```
## CLI Tool

Kubrick includes a command-line interface tool that simplifies deployment and management. The CLI provides interactive prompts and handles Terraform operations automatically.
- Navigate to the CLI directory:

  ```bash
  cd kubrick/cli
  ```

- Build the CLI:

  ```bash
  npm run build
  ```
- `kubrick deploy` - Deploy new or existing Kubrick infrastructure with interactive prompts
- `kubrick destroy` - Destroy existing Kubrick infrastructure with interactive prompts
- `kubrick --help` - Show help message
The CLI provides an interactive experience for infrastructure management:

```bash
kubrick deploy   # Deploy with guided prompts
kubrick destroy  # Destroy with guided prompts
```

The CLI will prompt you for required configuration values and handle the Terraform deployment process automatically.
## Deploying Kubrick

You can deploy Kubrick using either the CLI tool (recommended) or manual Terraform commands.
The easiest way to deploy Kubrick is using the CLI tool:
- Build and use the CLI (see the CLI Tool section above)
- Run deployment:

  ```bash
  kubrick deploy
  ```

- Follow the interactive prompts to configure your deployment
For advanced users who prefer direct Terraform control:
- Clone and Prepare Repository:

  ```bash
  git clone https://github.com/kubrick-ai/kubrick.git
  cd kubrick
  ```

- Build Lambda Packages: Build the serverless functions and layers manually with `./lambda/build-package.sh` or use your own CI/CD solution.
- Initialize Terraform: Navigate to the Terraform directory and initialize:

  ```bash
  cd terraform
  terraform init
  ```
- Configure Variables: Create a `terraform.tfvars` file with your configuration:

  ```hcl
  # Required variables
  aws_region = "us-east-1" # Your AWS region

  # Database credentials
  db_username = "postgres"      # Your PostgreSQL username
  db_password = "your-password" # Your PostgreSQL password

  # API keys
  twelvelabs_api_key = "your-twelvelabs-api-key" # Your TwelveLabs API key

  # Optional: Override default values
  aws_profile          = "default"
  secrets_manager_name = "kubrick_secret"
  ```

  If you don't create a `terraform.tfvars` file, Terraform will prompt you for these values during deployment.
- Review Deployment Plan: Generate and review the execution plan:

  ```bash
  terraform plan
  ```
- Deploy Infrastructure: Apply the Terraform configuration:

  ```bash
  terraform apply # Deploy the infrastructure
  ```
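By default this setup keeps Terraform state on the local machine. For team or CI/CD use, you may optionally want a remote state backend; a minimal sketch, assuming you create your own S3 bucket for state (the bucket name is a placeholder, and this block is not part of the stock Kubrick configuration):

```hcl
terraform {
  backend "s3" {
    bucket = "my-kubrick-terraform-state" # placeholder: a bucket you create
    key    = "kubrick/terraform.tfstate"
    region = "us-east-1"
  }
}
```

Adding or changing a backend requires re-running `terraform init`.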
## Working with Existing Secrets

If you already have a secret named `kubrick_secret` in AWS Secrets Manager, you'll need to import it into Terraform's state:
- Verify Secret Contents: Ensure your existing secret contains the required keys:

  ```bash
  aws secretsmanager get-secret-value \
    --secret-id kubrick_secret \
    --query SecretString --output text
  ```

  Required keys: `DB_USERNAME`, `DB_PASSWORD`, `TWELVELABS_API_KEY`

  If your secret is missing any keys or has different key names, update it before importing.
- Update Secret if Needed: If keys are missing or have different names:

  ```bash
  aws secretsmanager update-secret \
    --secret-id kubrick_secret \
    --secret-string '{
      "DB_USERNAME": "postgres",
      "DB_PASSWORD": "your-password",
      "TWELVELABS_API_KEY": "your-api-key"
    }'
  ```
- Import Existing Secret: Import the secret into Terraform state:

  ```bash
  terraform import module.secrets_manager.aws_secretsmanager_secret.kubrick_secret kubrick_secret
  ```
- Verify Import:

  ```bash
  terraform plan
  ```
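The key check in the first step can be scripted. A minimal sketch with the secret payload inlined for illustration (in practice you would capture it with the `aws secretsmanager get-secret-value` command shown above):

```shell
#!/bin/sh
# Check that a Secrets Manager JSON payload contains the keys Kubrick expects.
# SECRET_JSON is inlined here; in practice:
#   SECRET_JSON=$(aws secretsmanager get-secret-value \
#     --secret-id kubrick_secret --query SecretString --output text)
SECRET_JSON='{"DB_USERNAME": "postgres", "DB_PASSWORD": "example", "TWELVELABS_API_KEY": "example"}'

missing=0
for key in DB_USERNAME DB_PASSWORD TWELVELABS_API_KEY; do
  if printf '%s' "$SECRET_JSON" | grep -q "\"$key\""; then
    echo "OK: $key present"
  else
    echo "MISSING: $key"
    missing=$((missing + 1))
  fi
done
echo "$missing key(s) missing"
```

If any key is reported missing, update the secret before running `terraform import`.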
### Common Import Issues
- ResourceExistsException: Follow the secret import steps above
- VPC/Subnet conflicts: Ensure your AWS account doesn't have conflicting default VPC settings
- IAM role conflicts: Check for existing roles with similar names
The deployment is organized into the following Terraform modules:

- `api_gateway` - REST API endpoints for video operations
- `cloudfront` - CDN for global content delivery
- `dynamodb` - Embedding cache for performance optimization
- `iam` - Roles and policies for service permissions
- `lambda` - Serverless functions and layers
- `rds` - PostgreSQL database for metadata
- `s3` - Storage buckets for videos and static assets
- `s3_notifications` - Event triggers for video processing
- `secrets_manager` - Secure credential storage
- `sqs` - Message queues for async processing
- `vpc_network` - Network infrastructure and security
- API Handlers:
  - `api_fetch_tasks_handler` - Task status and management
  - `api_fetch_videos_handler` - Video listing and metadata
  - `api_search_handler` - Semantic search with embeddings
  - `api_video_upload_link_handler` - Presigned upload URLs
- Processing Functions:
  - `db_bootstrap` - Database initialization
  - `s3_delete_handler` - Cleanup on video deletion
  - `sqs_embedding_task_consumer` - Process embedding jobs
  - `sqs_embedding_task_producer` - Create embedding jobs
- Shared Layers:
  - `config_layer` - Common configuration utilities
  - `embed_service_layer` - TwelveLabs API integration
  - `response_utils_layer` - HTTP response formatting
  - `s3_utils_layer` - S3 operation utilities
  - `vector_database_layer` - Vector similarity operations
After deployment completes:
- Check Terraform Output: Review important outputs:

  ```bash
  terraform output
  ```

  Key outputs include:

  - CloudFront distribution URL
  - API Gateway endpoint
  - S3 bucket names
  - RDS endpoint
- Verify AWS Resources: Check resource creation:

  ```bash
  # Lambda functions
  aws lambda list-functions --query 'Functions[?contains(FunctionName, `kubrick`)]'

  # API Gateway
  aws apigateway get-rest-apis --query 'items[?contains(name, `kubrick`)]'

  # S3 buckets
  aws s3 ls | grep kubrick
  ```
- Test the Playground: Access the CloudFront URL from the Terraform output to test the web interface.
- API Health Check: Test API endpoints:

  ```bash
  curl https://your-api-gateway-url/v1_0/videos
  ```
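The health check above can be turned into a pass/fail test by inspecting the HTTP status code. A minimal sketch with the status inlined for illustration (in practice, capture it with `curl -s -o /dev/null -w '%{http_code}' <your API URL>`):

```shell
#!/bin/sh
# Interpret the HTTP status code from the API health check.
# status is simulated here; in practice:
#   status=$(curl -s -o /dev/null -w '%{http_code}' \
#     https://your-api-gateway-url/v1_0/videos)
status=200

if [ "$status" -ge 200 ] && [ "$status" -lt 300 ]; then
  result="healthy"
else
  result="unhealthy"
fi
echo "API is $result (HTTP $status)"
```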
Update `aws_region` in your `terraform.tfvars`:

```hcl
aws_region = "eu-west-1" # Europe (Ireland)
```

Modify database settings in `terraform.tfvars`:

```hcl
db_username = "kubrick_admin"
db_password = "your-complex-password-here"
```

Change the API version/stage:

```hcl
stage_name = "production" # Creates /production/ endpoints
```

## Troubleshooting

- Build script errors: Ensure Python 3.13 and `uv` are installed
- Terraform init fails: Check AWS credentials and region
- Lambda package too large: Verify dependencies in `pyproject.toml` files
- RDS timeout: Increase default timeout or check VPC configuration
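For the "Lambda package too large" case, AWS rejects direct zip uploads over 50 MB, so it can help to check package sizes after building. A minimal sketch with the size simulated (in practice, something like `size=$(wc -c < lambda/build/your_package.zip)` — the path is an assumption, adjust to where `build-package.sh` writes artifacts):

```shell
#!/bin/sh
# Flag Lambda packages that exceed AWS's 50 MB direct-upload zip limit.
limit=$((50 * 1024 * 1024))
size=$((60 * 1024 * 1024))   # simulated 60 MB package

if [ "$size" -gt "$limit" ]; then
  verdict="too large"
else
  verdict="within limit"
fi
echo "Package is $verdict ($size bytes, limit $limit bytes)"
```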
## Cleanup and Management

```bash
# Backup state
terraform state pull > kubrick.tfstate.backup

# List resources in state
terraform state list

# Remove problematic resource
terraform state rm aws_s3_bucket.example
```

To tear everything down:

```bash
terraform destroy
```

Warning: This will permanently delete all data including uploaded videos and database contents.
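Because a full destroy is irreversible, you might wrap it in a small confirmation guard. This is a hypothetical wrapper, not part of the Kubrick CLI; the answer is simulated here (interactively you would use `read -r -p "Type 'destroy' to confirm: " answer`):

```shell
#!/bin/sh
# Simple confirmation guard before a full destroy (hypothetical wrapper).
answer="destroy"   # simulated user input

if [ "$answer" = "destroy" ]; then
  decision="proceed"
  echo "Confirmed: would run 'terraform destroy'"
else
  decision="abort"
  echo "Aborted: nothing destroyed"
fi
```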
Remove specific resources:

```bash
# Remove CloudFront
terraform destroy -target=module.cloudfront

# Remove RDS
terraform destroy -target=module.rds
```

Example GitHub Actions workflow:
```yaml
name: Deploy Kubrick

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
      - name: Terraform Deploy
        run: |
          cd terraform
          terraform init
          terraform apply -auto-approve
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          TF_VAR_twelvelabs_api_key: ${{ secrets.TWELVELABS_API_KEY }}
```

Create separate `.tfvars` files for each environment:
```bash
# Development
terraform apply -var-file="dev.tfvars"

# Production
terraform apply -var-file="prod.tfvars"
```

## IaC File Structure

```
kubrick/
├── ...
└── terraform/
    ├── modules/
    │   ├── api_gateway/
    │   ├── cloudfront/
    │   ├── dynamodb/
    │   ├── iam/
    │   ├── lambda/
    │   ├── rds/
    │   ├── s3/
    │   ├── s3_notifications/
    │   ├── secrets_manager/
    │   ├── sqs/
    │   └── vpc_network/
    ├── main.tf
    ├── variables.tf
    └── terraform.tfvars.example
```