Deployment¶
Hawk runs on AWS. The deployment is managed by a single Pulumi project in the infra/ directory.
Infrastructure Overview¶
```text
infra/
├── __main__.py   # Entrypoint — instantiates all stacks
├── lib/          # Shared: config, naming, tagging, IAM helpers
├── core/         # VPC, EKS, ALB, ECS, RDS, Route53, S3
├── k8s/          # Karpenter, Cilium, Datadog agent, GPU operator, RBAC
├── hawk/         # Hawk API (ECS), Lambdas, EventBridge, CloudFront
└── datadog/      # Monitors, dashboards, log archives (optional)
```
Deployment Phases¶
Stacks deploy in order:
- CoreStack — VPC, EKS, ALB, ECS cluster, RDS, Route53, S3
- K8sStack — Cluster-level Kubernetes resources (skipped for dev envs sharing EKS)
- HawkStack — Hawk API, Lambda functions, EventBridge, CloudFront
Stack Configuration¶
Copy Pulumi.example.yaml to Pulumi.<stack-name>.yaml and fill in your values:
```yaml
config:
  aws:region: us-west-2
  hawk:env: staging
  hawk:domain: staging.example.com
  hawk:publicDomain: example.com
  hawk:primarySubnetCidr: "10.0.0.0/16"

  # OIDC provider (Okta, Auth0, Cognito, etc.)
  hawk:oidcClientId: ""
  hawk:oidcAudience: ""
  hawk:oidcIssuer: "https://login.example.com/oauth2/default"
  hawk:oidcDomain: "login.example.com"
```
See the Configuration Reference for all available options.
LLM API Keys¶
Hawk's LLM proxy (Middleman) needs API keys to forward requests to model providers:
```bash
scripts/dev/set-api-keys.sh <env> OPENAI_API_KEY=sk-...
```
Set multiple keys at once:
```bash
scripts/dev/set-api-keys.sh <env> OPENAI_API_KEY=sk-... ANTHROPIC_API_KEY=sk-ant-...
```
Supported keys: OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, DEEPINFRA_TOKEN, DEEPSEEK_API_KEY, FIREWORKS_API_KEY, MISTRAL_API_KEY, OPENROUTER_API_KEY, TOGETHER_API_KEY, XAI_API_KEY.
Multiple Environments¶
You can run multiple Hawk environments (staging, production, dev) from the same repo. Each gets its own Pulumi stack and isolated AWS resources.
```bash
pulumi stack init staging
# configure Pulumi.staging.yaml
pulumi up -s staging

pulumi stack init production
# configure Pulumi.production.yaml
pulumi up -s production
```
Dev Environments¶
Lightweight dev environments share an existing stack's VPC, ALB, and EKS cluster while getting their own database and services:
```bash
cd infra
./new-dev-env.sh alice   # creates a dev-alice stack
```
Services appear at:
- API: https://api-alice.hawk.<staging-domain>
- Viewer: https://viewer-alice.hawk.<staging-domain>
Database migrations run automatically on deploy. Secrets are shared from staging.
Domain Naming¶
Dev envs embed their slug in the hostname's first label (api-<slug>, viewer-<slug>) rather than adding a subdomain, so a single wildcard *.hawk.<staging-domain> at the OIDC provider covers staging and every dev env:
| Example | What |
|---|---|
| api.hawk.<domain> | Hawk API (staging) |
| api-alice.hawk.<domain> | Hawk API (alice's dev env) |
| viewer.hawk.<domain> | Eval log viewer (staging) |
| viewer-alice.hawk.<domain> | Eval log viewer (alice's dev env) |
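The wildcard only works if a slug stays inside one DNS label: a slug such as alice.dev would produce api-alice.dev.hawk.<domain>, which *.hawk.<domain> does not match. The following shell helpers, added here as an example and not part of the Hawk repo or of new-dev-env.sh, derive the two hostnames from a slug and reject slugs that would escape the wildcard or exceed DNS label limits. The function names, the 56-character cap (63-octet label minus the longest prefix shown above, viewer-) and the hostname pattern are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not a script from the Hawk repo: validate a dev-env slug and
# derive the hostnames it produces before running new-dev-env.sh.
set -euo pipefail

# A DNS label is at most 63 octets; the longest prefix on the page is "viewer-"
# (7 chars), so the slug itself may be at most 56 characters (assumption).
readonly MAX_SLUG_LEN=56

# valid_slug SLUG -> exit 0 if SLUG is a lowercase label fragment that keeps every
# generated hostname inside the single-label wildcard *.hawk.<domain>.
valid_slug() {
  local slug=$1
  [ "${#slug}" -ge 1 ] && [ "${#slug}" -le "$MAX_SLUG_LEN" ] || return 1
  # lowercase alphanumerics and hyphens only, no leading/trailing hyphen, and no
  # dots: "alice.dev" would add a second label the wildcard does not cover.
  printf '%s' "$slug" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# dev_env_hosts SLUG DOMAIN -> prints the API and viewer hostnames, one per line.
dev_env_hosts() {
  local slug=$1 domain=$2
  valid_slug "$slug" || { echo "invalid dev-env slug: $slug" >&2; return 1; }
  printf 'api-%s.hawk.%s\n' "$slug" "$domain"
  printf 'viewer-%s.hawk.%s\n' "$slug" "$domain"
}

# covered_by_wildcard HOST DOMAIN -> exit 0 if HOST matches *.hawk.DOMAIN with
# exactly one label in front of "hawk.<domain>", as the OIDC provider expects.
covered_by_wildcard() {
  local host=$1 domain=$2
  case "$host" in
    *.*.hawk."$domain") return 1 ;;   # two or more leading labels: not covered
    *.hawk."$domain")   return 0 ;;
    *)                  return 1 ;;
  esac
}

# Example run with a constructed slug and domain:
# dev_env_hosts alice staging.example.com
```

Run `valid_slug "$1" || exit 1` at the top of a wrapper around new-dev-env.sh to fail fast; the check is cheap and keeps a bad slug from creating Route53 records that the wildcard redirect URI and certificate will never match.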
Tearing Down¶
```bash
pulumi destroy -s dev-alice
pulumi stack rm dev-alice   # only after destroy completes
```
Warning
Always wait for pulumi destroy to complete before running stack rm. Running stack rm first will orphan AWS resources in your account.
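A script that enforces that order is safer than remembering it. The helper below is an added example, not a script from the Hawk repo: it runs `pulumi destroy`, then reads `pulumi stack export` and refuses `pulumi stack rm` while the checkpoint still records any resource, so a partially failed destroy cannot be followed by a `stack rm` that orphans what is left. The function names are this example's own; the resource count is derived from the `"urn"` keys in the export JSON (assumed format of `pulumi stack export`), using only grep so it does not need jq.

```bash
#!/usr/bin/env bash
# Added example, not a script from the Hawk repo: tear down a dev-env stack in
# the only safe order (destroy, verify the checkpoint is empty, then rm).
set -euo pipefail

# count_stack_resources STACK -> prints how many resources the stack checkpoint
# still records. Each resource entry in `pulumi stack export` carries a "urn"
# key (assumption); "parent"/"provider" values contain URNs too but sit under
# other keys, so the pattern below does not count them.
count_stack_resources() {
  local stack=$1 export_json n
  export_json=$(pulumi stack export -s "$stack") || return 1
  n=$(printf '%s' "$export_json" | grep -Eo '"urn": *"' | wc -l || true)
  echo "$((n))"
}

# teardown_dev_env STACK -> destroys the stack and removes it only once the
# export shows zero resources, so nothing is orphaned in the AWS account.
teardown_dev_env() {
  local stack=$1 remaining
  pulumi destroy -s "$stack" --yes || { echo "destroy failed for $stack" >&2; return 1; }
  remaining=$(count_stack_resources "$stack") || { echo "could not export $stack" >&2; return 1; }
  if [ "$remaining" -ne 0 ]; then
    echo "refusing 'stack rm': $remaining resource(s) still recorded in $stack" >&2
    return 1
  fi
  pulumi stack rm -s "$stack" --yes
}

# Usage: teardown_dev_env dev-alice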
Optional Integrations¶
| Service | Config Key | Purpose |
|---|---|---|
| Datadog | hawk:enableDatadog | APM, metrics, log forwarding, monitors |
| Cloudflare | hawk:cloudflareZoneId | DNS delegation from parent Cloudflare zone |
| Tailscale | tailscaleAuthKeysSecretArn | VPN jumphost / subnet router |
When disabled, services fall back to simpler alternatives (CloudWatch logs instead of Datadog, no DNS delegation).