
Greenfield AWS Deploy

This guide walks through a full ThinkWork deployment into a fresh AWS account with no existing infrastructure. At the end, you’ll have ~260 AWS resources running across three tiers, accessible via the admin app and GraphQL API.

ThinkWork is organized into three infrastructure tiers that deploy in order:

Foundation tier — Networking, identity, and encryption

  • VPC with public and private subnets across 2 AZs
  • NAT Gateway (a single one, to keep cost down; private-subnet egress therefore depends on one AZ)
  • Cognito User Pool + Identity Pool
  • KMS keys (app data, audit logs, credential vault)
  • Route53 hosted zone + ACM certificates
  • SES identity (verified domain for outbound email)

Data tier — Storage and AI services

  • Aurora Postgres (serverless v2 by default, 0.5–16 ACUs) with pgvector for the Bedrock KB vector index
  • S3 buckets: skill catalog, knowledge documents, audit logs, assets
  • Bedrock Knowledge Base service role (vector store lives in Aurora — no OpenSearch)
  • Secrets Manager secret for DB credentials

App tier — Compute and APIs

  • AppSync GraphQL API (real-time subscriptions)
  • API Gateway v2 HTTP API
  • AgentCore Lambda (container image, 3GB memory, 15min timeout)
  • Connector Lambda functions (Slack, GitHub, Google)
  • Step Functions state machines (automations, routine runner)
  • CloudFront distributions (admin app, end-user app)
  • Bedrock AgentCore Memory (always on — auto-provisioned for managed long-term memory)
  • ECS Fargate (only if enable_hindsight = true)

Prerequisites

  • AWS account with Administrator access (or a scoped IAM role — see IAM requirements below)
  • AWS CLI configured: aws sts get-caller-identity should return your account
  • Terraform 1.6+ installed: terraform --version
  • Node.js 20+ for the CLI: node --version
  • Bedrock model access enabled in your target region

Enable Bedrock model access

In the AWS console:

  1. Navigate to Amazon Bedrock → Model access
  2. Click Manage model access
  3. Enable at minimum: Claude 3.5 Sonnet v2 and Titan Text Embeddings v2
  4. Wait for access to be approved (usually instant for Claude models)

Deployment steps

  1. Install the CLI

    npm install -g thinkwork-cli
    thinkwork --version
  2. Configure AWS credentials

    # Option A: AWS profile
    export AWS_PROFILE=my-profile
    # Option B: Environment variables
    export AWS_ACCESS_KEY_ID=...
    export AWS_SECRET_ACCESS_KEY=...
    export AWS_REGION=us-east-1
  3. Login and create an environment

    thinkwork login
    # Enter environment name: dev
    # Enter region: us-east-1
    # Enter AWS profile: default (or your profile name)
  4. Initialize a deployment directory

    mkdir thinkwork-deploy && cd thinkwork-deploy
    thinkwork init -s dev
  5. Edit terraform.tfvars

    # terraform.tfvars — required fields
    stage = "dev"
    region = "us-east-1"
    account_id = "123456789012"
    # Database
    db_password = "a-strong-password-32-chars-minimum"
    # Domain (optional — if you have a Route53 hosted zone)
    # domain_name = "thinkwork.example.com"
    # hosted_zone_id = "Z1234567890ABC"
    # Memory
    # AgentCore managed memory (auto-retention) is always on.
    # Uncomment to also enable the Hindsight ECS add-on:
    # enable_hindsight = true
    # Database engine
    database_engine = "aurora-serverless" # recommended for dev
    # Bedrock model for default agent template
    default_model_id = "anthropic.claude-3-5-sonnet-20241022-v2:0"

    Terraform reads this file as plain text, so keep it out of version control (add it to .gitignore). Any variable can also be supplied from the environment instead of the file: Terraform reads TF_VAR_<name>, so exporting TF_VAR_db_password and leaving db_password out of terraform.tfvars keeps the database password off disk. After the deploy the credentials are also available from the Secrets Manager secret the data tier creates.
  6. Run the deploy

    thinkwork deploy -s dev

    The CLI prints progress as each tier completes. A first deploy looks like this:

    Initializing Terraform providers...
    Downloading thinkwork-ai/thinkwork/aws v1.0.0...
    Planning...
    + 264 resources to add
    Applying foundation tier...
    ✓ VPC and subnets (1m 12s)
    ✓ Cognito user pool (0m 34s)
    ✓ KMS keys (0m 18s)
    ✓ ACM certificates (2m 05s) — waiting for DNS validation
    Applying data tier...
    ✓ Aurora cluster (4m 22s)
    ✓ S3 buckets (0m 08s)
    ✓ Bedrock Knowledge Base service role (0m 12s)
    Applying app tier...
    ✓ AppSync API (0m 22s)
    ✓ API Gateway (0m 15s)
    ✓ AgentCore Lambda (1m 33s) — building container image
    ✓ Step Functions (0m 11s)
    ✓ CloudFront distributions (2m 44s)
    Deploy complete in 17m 24s.
  7. Run doctor

    thinkwork doctor -s dev

    All checks should pass. If any fail, see the Troubleshooting section below.

  8. Get your endpoints

    thinkwork outputs -s dev
    AppSync API: https://abc.appsync-api.us-east-1.amazonaws.com/graphql
    API Gateway: https://xyz.execute-api.us-east-1.amazonaws.com
    Admin App: https://d1234.cloudfront.net
    Cognito Pool ID: us-east-1_ABC123
    Cognito Client: 1abc2def3ghi
  9. Create your first Cognito user

    aws cognito-idp admin-create-user \
      --user-pool-id us-east-1_ABC123 \
      --username admin@example.com \
      --temporary-password "Temp1234!" \
      --message-action SUPPRESS
    aws cognito-idp admin-set-user-password \
      --user-pool-id us-east-1_ABC123 \
      --username admin@example.com \
      --password "YourPermanentPassword!" \
      --permanent

    Use the pool ID printed by thinkwork outputs. --message-action SUPPRESS skips the invitation email, so the second command is what makes the account usable: it replaces the temporary password with a permanent one and clears the forced password change. Both passwords are passed on the command line and end up in your shell history; remove them from the history afterwards or read them into a variable first.
  10. Sign in to the admin app

    Navigate to the Admin App URL, sign in with your Cognito user, and create your first agent.
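The script below is an added example and is not part of the ThinkWork CLI or its Terraform module. It wraps the prerequisite checks, the Bedrock model-access check and steps 5 to 8 above into one preflight-and-deploy run, and it applies the tfvars caveat: it refuses to deploy if db_password is hard-coded in terraform.tfvars and instead supplies the password through TF_VAR_db_password. Assumptions: thinkwork deploy runs Terraform as a child process (so TF_VAR_* is inherited), the stage is dev, the Bedrock request body follows the Anthropic Messages format Bedrock accepts for Claude 3.5 Sonnet, and the password file location is this script's own convention.

```sh
#!/bin/sh
# Added example, not ThinkWork tooling: preflight checks + deploy with the DB
# password kept out of terraform.tfvars. Assumes `thinkwork deploy` inherits
# TF_VAR_* from this environment; DB_PASSWORD_FILE is this script's convention.
set -eu

STAGE="${STAGE:-dev}"
MODEL_ID="${MODEL_ID:-anthropic.claude-3-5-sonnet-20241022-v2:0}"
DB_PASSWORD_FILE="${DB_PASSWORD_FILE:-${HOME:-/tmp}/.thinkwork-$STAGE-dbpass}"

# version_ge ACTUAL MINIMUM: exit 0 if ACTUAL >= MINIMUM. Accepts a leading
# "v" ("v1.9.5", "v20.11.0") and compares each dot-separated field numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# tfvars_has_secret FILE: exit 0 if FILE contains an active (uncommented)
# db_password assignment, i.e. a secret sitting in plain text on disk.
tfvars_has_secret() {
  grep -Eq '^[[:space:]]*db_password[[:space:]]*=' "$1"
}

# gen_password LEN: LEN random alphanumerics from /dev/urandom. LC_ALL=C keeps
# tr byte-oriented so it does not reject invalid multibyte sequences.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-40}"
}

# db_password: reuse the password in DB_PASSWORD_FILE if present, otherwise
# generate one and store it with mode 600. Reusing it keeps the Aurora master
# password stable across re-runs of `thinkwork deploy`; the deployed copy lives
# in the Secrets Manager secret the data tier creates.
db_password() {
  if [ ! -s "$DB_PASSWORD_FILE" ]; then
    (umask 077; gen_password 40 >"$DB_PASSWORD_FILE")
  fi
  cat "$DB_PASSWORD_FILE"
}

preflight() {
  aws sts get-caller-identity --query Account --output text >/dev/null
  tfv=$(terraform --version | head -n1 | awk '{print $2}')   # e.g. "v1.9.5"
  version_ge "$tfv" 1.6 || { echo "Terraform $tfv is older than 1.6" >&2; return 1; }
  nodev=$(node --version)                                    # e.g. "v20.11.0"
  version_ge "$nodev" 20 || { echo "Node $nodev is older than 20" >&2; return 1; }
  if tfvars_has_secret terraform.tfvars; then
    echo "refusing to deploy: db_password is hard-coded in terraform.tfvars" >&2
    return 1
  fi
}

# Confirm model access with a one-token request. An AccessDeniedException here
# means the model is not enabled under Amazon Bedrock > Model access in this region.
check_bedrock_access() {
  aws bedrock-runtime invoke-model --model-id "$MODEL_ID" \
    --cli-binary-format raw-in-base64-out \
    --body '{"anthropic_version":"bedrock-2023-05-31","max_tokens":1,"messages":[{"role":"user","content":"ping"}]}' \
    /dev/null >/dev/null
}

deploy() {
  preflight
  check_bedrock_access
  TF_VAR_db_password="$(db_password)"
  export TF_VAR_db_password
  grep -qx 'terraform.tfvars' .gitignore 2>/dev/null || echo 'terraform.tfvars' >>.gitignore
  thinkwork deploy -s "$STAGE"
  thinkwork doctor -s "$STAGE"
  thinkwork outputs -s "$STAGE"
}

if [ "${1:-}" = "--run" ]; then deploy; fi
```

Run it from the deployment directory as sh deploy.sh --run after thinkwork init. The password file is the only copy of the master password outside AWS; once the data tier's Secrets Manager secret exists you can delete the file and read the credentials from there instead.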

Resource breakdown

Category         Count  Key resources
Networking       22     VPC, subnets, route tables, NAT gateway, IGW, security groups
IAM              38     Roles and policies for each Lambda, ECS task, AppSync data source
Cognito          6      User pool, identity pool, app client, domain, groups
KMS              4      App data, audit logs, credential vault, Bedrock
Aurora           12     Cluster, instance, subnet group, parameter groups, security groups
S3               8      Skill catalog, KB docs, audit logs, assets, CF logs, Lambda artifacts
Lambda           18     AgentCore, connector handlers, auth triggers, migration runner
AppSync          14     API, schema, resolvers, data sources, functions
API Gateway      8      HTTP API, routes, integrations, stage
CloudFront       6      Admin dist, end-user dist, OAC policies, cache behaviors
Step Functions   4      State machines for automations, routine runner
EventBridge      3      Scheduled automation rules, event bus
SES              5      Identity, config set, event destination, suppression list
Secrets Manager  4      DB credentials, Cognito secrets, connector secrets
Route53 / ACM    8      Hosted zone records, certificates, validation records
Misc             18     CloudWatch log groups, SSM parameters, ECR repo
Total            ~258

Subsequent deploys

After the first deploy, re-running thinkwork deploy -s dev is fast (2–4 minutes) for application changes, because Terraform only applies what changed since the last run.

Operations that take longer:

  • Aurora scaling parameter changes: 5–10 min (no downtime)
  • CloudFront distribution changes: 3–8 min (no downtime)
  • Container image updates: 2–3 min (no downtime, Lambda blue/green)

Troubleshooting

ACM certificate stuck in PENDING_VALIDATION
The DNS validation records weren't created. If you provided a hosted_zone_id, check that the Route53 zone matches your domain. If you use an external DNS provider, add the CNAME records shown in the ACM console manually; the certificate is issued once they resolve.

Aurora cluster creation timeout
Aurora Serverless v2 cluster creation occasionally takes longer than Terraform's default timeout. Re-run thinkwork deploy -s dev; Terraform resumes from its saved state and picks up where it left off.

AgentCore Lambda fails the doctor check
The container image may still be building. Wait 2 minutes and re-run thinkwork doctor -s dev. If it still fails, check the Lambda function's CloudWatch logs for the error.

Bedrock AccessDeniedException
Model access is not enabled in the region you deployed to. Go to Amazon Bedrock → Model access in the AWS console and enable the required models (at minimum Claude 3.5 Sonnet v2 and Titan Text Embeddings v2, as listed under the prerequisites).
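For the PENDING_VALIDATION case with an external DNS provider, the following added example (not ThinkWork tooling) pulls the validation CNAMEs with the AWS CLI instead of copying them out of the console, and checks whether each one already resolves. It assumes AWS CLI v2, the region used in this guide (us-east-1, overridable with AWS_REGION), and dig if you want the resolution check; the text-transform helper is kept free of AWS calls so it can be exercised on its own.

```sh
#!/bin/sh
# Added example, not ThinkWork tooling: list ACM certificates stuck in
# PENDING_VALIDATION, print the CNAME records to create at your DNS provider,
# and report whether each record already resolves. Assumes AWS CLI v2.
set -eu
REGION="${AWS_REGION:-us-east-1}"

# acm_rows_to_dns_lines: convert the tab-separated Name/Type/Value rows that
#   aws acm describe-certificate --output text --query '...ResourceRecord.[Name,Type,Value]'
# emits into "name type value" lines with trailing dots stripped, the form most
# DNS providers' record forms expect. Pure text transform, no AWS calls.
acm_rows_to_dns_lines() {
  awk -F'\t' 'NF == 3 { sub(/\.$/, "", $1); sub(/\.$/, "", $3); print $1, $2, $3 }'
}

# cname_matches NAME EXPECTED: exit 0 if NAME currently resolves to EXPECTED,
# 1 if it resolves elsewhere or not at all, 2 if dig is not installed.
cname_matches() {
  command -v dig >/dev/null 2>&1 || return 2
  got=$(dig +short CNAME "$1" | sed 's/\.$//')
  [ "$got" = "$2" ]
}

pending_cert_arns() {
  aws acm list-certificates --region "$REGION" \
    --certificate-statuses PENDING_VALIDATION \
    --query 'CertificateSummaryList[].CertificateArn' --output text
}

validation_rows() {  # ARN -> tab-separated Name/Type/Value rows
  aws acm describe-certificate --region "$REGION" --certificate-arn "$1" \
    --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Type,Value]' \
    --output text
}

report() {
  # $(...) is intentionally unquoted: the CLI returns the ARNs tab-separated.
  for arn in $(pending_cert_arns); do
    echo "== $arn"
    validation_rows "$arn" | acm_rows_to_dns_lines | while read -r name type value; do
      cname_matches "$name" "$value" && rc=0 || rc=$?
      case $rc in
        0) status="present" ;;
        2) status="unchecked (dig not installed)" ;;
        *) status="MISSING: add this record at your DNS provider" ;;
      esac
      printf '%s %s %s  [%s]\n' "$name" "$type" "$value" "$status"
    done
  done
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Once every record shows as present, ACM typically issues the certificate within minutes and a re-run of thinkwork deploy -s dev completes the foundation tier.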