Terraform Deployment

The Terraform module automatically provisions the required AWS infrastructure - either by creating a dedicated VPC for Yuki or deploying the proxy inside your existing VPC, depending on your configuration.

💡 Note: You don’t need to run these steps manually - our onboarding wizard will walk you through each step.

[Diagram: Same Cluster]

[Diagram: Dedicated VPC]

→ For the full request/response flow and protocols, see Secure Data Flow.


Prerequisites

  • Access to an AWS account with IAM permissions to create VPC, EC2, EKS, and IAM roles

  • An existing EKS cluster or plan to create one

  • Your Company, Org, and Account GUIDs from the Yuki onboarding wizard


1. Use the Yuki Terraform Module

Add the module block to your Terraform configuration:

module "yuki-proxy" {
  source = "github.com/YukiTechnologies/yuki-proxy-tf?ref=v0.0.29"

  aws = {
    profile = "default"
    region  = "us-east-1"
  }

  vpc_config = {
    name            = "yuki-proxy"
    azs             = ["us-east-1a", "us-east-1b"]
    cidr            = "10.30.0.0/16"
    private_subnets = ["10.30.64.0/19", "10.30.96.0/19"]
    public_subnets  = ["10.30.0.0/19", "10.30.32.0/19"]
  }

  create_vpc_peering = false

  public_domain = {
    name            = "snowflake-locator.company-domain.com"
    route53_zone_id = "Z0123456789ABCDE"
    certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234"
  }

  eks_cluster_name = "acme-yuki-proxy"
  container_image  = "<...>.amazonaws.com/yuki-proxy:0.0.1"

  # Replace each <...> placeholder with your own value
  # (the GUIDs come from the Yuki onboarding wizard).
  proxy_environment_variables = {
    PROXY_HOST    = "https://snowflake-locator.snowflakecomputing.com"
    COMPUTE_HOST  = "<COMPUTE>"
    SYSTEM_HOST   = "<SYSTEM_HOST>"
    COMPANY_GUID  = "<COMPANY_GUID>"
    ORG_GUID      = "<ORG_GUID>"
    ACCOUNT_GUID  = "<ACCOUNT_GUID>"
  }
}

Understanding the Components

VPC Configuration

The vpc_config block defines where the proxy will run.

You can either:

  • Create a dedicated VPC (recommended for isolated environments), or

  • Deploy into an existing VPC by setting create_vpc = false and providing your existing subnet IDs.

When selecting CIDR ranges:

  • Avoid overlap with other VPCs in your AWS environment.

  • Reserve unique CIDR blocks if you expect to add VPC Peering later.
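
A preflight check for the CIDR guidance above, as an added example that is not part of the Yuki module: it validates a vpc_config-style address plan before `terraform apply`. The names `check_vpc_plan` and `_parse` and the existing-VPC list are assumptions made for illustration; IPv4 only.

```python
import ipaddress


def _parse(label, cidr, problems):
    """Parse a CIDR strictly; record malformed input instead of raising."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {cidr!r} is not a valid network: {exc}")
        return None


def check_vpc_plan(cidr, private_subnets, public_subnets, existing_vpc_cidrs=()):
    """Return a list of problems in a vpc_config-style address plan (IPv4)."""
    problems = []
    vpc = _parse("VPC CIDR", cidr, problems)
    subnets = [n for s in [*private_subnets, *public_subnets]
               if (n := _parse("subnet", s, problems)) is not None]
    if vpc is None:
        return problems

    # Every subnet must sit inside the VPC CIDR.
    for net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is outside VPC CIDR {vpc}")

    # Subnets must not overlap one another.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")

    # The VPC CIDR must not overlap any VPC it may later be peered with.
    for other in existing_vpc_cidrs:
        peer = _parse("existing VPC CIDR", other, problems)
        if peer is not None and vpc.overlaps(peer):
            problems.append(f"VPC CIDR {vpc} overlaps existing VPC {peer}")
    return problems


if __name__ == "__main__":
    # vpc_config values from the module block on this page; the existing-VPC
    # list is constructed sample data.
    found = check_vpc_plan(
        "10.30.0.0/16",
        ["10.30.64.0/19", "10.30.96.0/19"],
        ["10.30.0.0/19", "10.30.32.0/19"],
        existing_vpc_cidrs=["10.0.0.0/16", "10.30.128.0/17"],
    )
    print("\n".join(found) or "address plan OK")
```

An empty result means the plan is internally consistent and clear of every CIDR in the list you supplied; it says nothing about VPCs you did not list.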

💡 Tip: For simple deployments, you can let Yuki create the VPC automatically with defaults.


VPC Peering

create_vpc_peering allows the Yuki VPC to connect with other VPCs in your organization.

Enable this only if:

  • You need Yuki to communicate with workloads or services in another VPC.

  • You manage a multi-account setup (e.g., Snowflake in one AWS account and Yuki in another).

Example:

create_vpc_peering = true

⚙️ Best practice: Keep peering disabled (false) unless explicitly required - it simplifies routing and security management.


Public Domain Configuration

Defines the HTTPS domain for the Yuki Proxy.

| Field | Description | Example |
|---|---|---|
| name | DNS name for the proxy endpoint | snowflake-locator.company-domain.com |
| route53_zone_id | Your Route 53 hosted zone ID | Z0123456789ABCDE |
| certificate_arn | ARN of an ACM certificate for HTTPS | arn:aws:acm:us-east-1:123456789012:certificate/abcd1234 |

💡 If you don’t need a public domain, you can leave this block empty.


EKS & Container Settings

| Parameter | Description | Example |
|---|---|---|
| eks_cluster_name | EKS cluster that hosts Yuki Proxy pods | acme-yuki-proxy |
| container_image | Yuki Proxy container image in ECR | 123456789012.dkr.ecr.us-east-1.amazonaws.com/yuki-proxy:0.0.270 |

💡 The onboarding wizard automatically selects the correct image version for your account.


Proxy Environment Variables

These variables configure the proxy’s connection to Snowflake and Yuki’s optimization engine.

| Variable | Description | Example |
|---|---|---|
| PROXY_HOST | Snowflake-facing endpoint | https://acme-yuki-proxy.snowflakecomputing.com |
| COMPUTE_HOST | Internal Yuki compute API | https://app.yukicomputing.com |
| SYSTEM_HOST | Yuki system API | https://app.yukicomputing.com |
| COMPANY_GUID | Yuki company identifier | c7a112b0-81f9-4f6c-a45e-1f3f17f6a278 |
| ORG_GUID | Yuki Organization ID | 7a45b2b5-eac2-4ad8-1e2f-8203a35b12d0 |
| ACCOUNT_GUID | Yuki account ID | e2t9f91e-d2e4-46b1-bda8-4fd741a13d29 |


2. Initialize and Apply

terraform init
terraform apply

This will:

  • Provision networking, IAM roles, and EKS services

  • Deploy the Yuki Proxy container

  • Configure HTTPS routing to the proxy endpoint

Your host address for the Yuki Proxy will be: snowflake-locator.company-domain.com

This is the connection string you’ll use later when enabling optimization for your warehouses. That’s it - no Kubernetes, no Terraform, no infrastructure to manage.

💡 For Business Critical accounts, see AWS PrivateLink Setup to ensure all Yuki–Snowflake traffic remains private.



Managing Terraform Deployments

Follow these best practices for maintaining your Terraform-based Yuki deployment:

  • Store Terraform state securely (e.g., S3 backend + DynamoDB locking).

  • Manage sensitive variables via environment variables or .tfvars (never commit secrets).

  • Use CI/CD pipelines for controlled deployments and versioning.

  • To upgrade, bump the container_image tag and re-apply:

terraform plan
terraform apply -auto-approve

💡 Tip: Always back up your Terraform state before applying major changes or upgrades.


Next Step

Proceed to configure security settings: → Configure Security
