AI Security installer prompts

Use this reference to prepare your answers before you run the AI Security interactive wizard. The installer asks a set of base questions first, then cloud-specific questions depending on which provider you choose.

For installation prerequisites and setup steps, see Deploy AI Security to the cloud.


Base questions

The installer asks these questions regardless of which cloud provider you choose.

  1. Which operation would you like to perform? create | update | destroy
  2. Enter the path to the config file. If you don't have one, the installer generates it automatically.
  3. Would you like to use the interactive wizard? yes | no
  4. Would you like to create a new Kubernetes cluster in the cloud provider of your choice? yes | no
    • If no: Select the kubectl context to deploy the applications to.
  5. Would you like to deploy AI Guardrails to a cluster? yes | no
  6. Would you like to deploy AI Red Team to a cluster? yes | no
    • If yes: Would you like to deploy the Red Team Worker? yes | no
  7. Enter the application base URL you would like to use.
  8. Where would you like to store the state of the deployment? local | s3 | azure | gcp

State storage follow-up questions

Depending on your answer to question 8, the installer asks the following.

S3

  • Enter the S3 bucket name.
  • Enter the S3 key name.
  • Enter the AWS region for the S3 bucket.
  • Enter the AWS profile for the S3 bucket.

Azure

  • Enter the Azure region.
  • Enter the existing storage account name.
  • Enter the existing resource group name.
  • Enter the container name.
  • Enter the blob key name.

GCP

  • Confirm or select your GCP account.
  • Enter your GCP Project ID.
  • Enter the existing GCS bucket name where Pulumi state will be stored.
  • Enter the bucket key name.

Credentials

After the state storage questions, the installer asks for your Harbor credentials:

  • Enter your Harbor username.
  • Enter your Harbor password.

Cloud provider selection

  • Which cloud provider would you like to deploy the cluster to? aws | azure | gcp

AWS prompts

These prompts follow the base questions when you select AWS.

  1. Which AWS region would you like to deploy the cluster to?
  2. Enter the AWS profile you would like to use (leave blank for default).
  3. Enter the name you would like to use for the cluster.
  4. Do you need a new VPC and subnets created? yes | no
    • If no:
      • Enter the VPC ID you would like the cluster deployed to.
      • Enter the subnet IDs the cluster will use (comma-separated).

Node groups

The installer asks the following for each node group: default, moderator, scanner, and (if Red Team Worker is enabled) prefect.

  • Would you like to customize the {node_group_name} node group? yes | no
    • If yes:
      • Enter the instance type.
      • Enter the minimum number of instances.
      • Enter the maximum number of instances.
      • Enter the desired number of instances.

Database

  • Would you like to deploy an external RDS cluster for the CAI platform? yes | no

Ingress and load balancer

  • Would you like to deploy an ingress controller and load balancer via the installer? yes | no
    • If yes:
      • Would you like to supply an ACM certificate ARN? yes | no
        • If yes: Enter the certificate ARN.
        • If no:
          • Enter the path to the certificate body.
          • Enter the path to the certificate key.
          • Enter the path to the certificate chain (optional).

Quota and confirmation

  • If quotas are insufficient or unknown: confirm you want to proceed despite the quota warning. yes | no
  • Confirm you want to proceed with the deployment. This process can take up to 45 minutes. yes | no
  • The stack has been deployed. Run the end-to-end validation? yes | no
  • The CAI Installer has completed. Would you like to run the installer again? yes | no

Azure prompts

These prompts follow the base questions when you select Azure.

  1. Select the Azure subscription to use.
  2. Enter the Azure region.
  3. Do you want to use an existing resource group? yes | no
    • If yes: Select the resource group to use.
    • If no: Enter the new resource group name.
  4. Enter the name of the AKS cluster.
  5. Do you need a new VNet and subnets created? yes | no
    • If no (use existing):
      • Select the Virtual Network to use.
      • If ingress type is AGIC:
        • Select the subnet for AKS nodes.
        • Select the subnet for Application Gateway.
      • Otherwise: Select the subnet for AKS nodes.

Ingress controller

  • Do you need an ingress controller created? yes | no
    • If yes: Which ingress controller would you like to use? agic | nginx

Red Team Worker

  • Do you want to deploy the Red Team Worker? yes | no

Node groups

The installer asks the following for each node group: default, moderator, scanner, and (if Red Team Worker is enabled) prefect.

  • Do you want to customize the {node_group_name} node group? yes | no
    • If yes:
      • Enter the minimum size.
      • Enter the maximum size.
      • Enter the desired size.
      • Enter the instance type.
      • Enable auto scaling? yes | no

Database

  • Do you want to deploy an Azure Database for PostgreSQL? yes | no
    • If yes:
      • Enter the database name.
      • Enter the database admin username.
      • Enter the database admin password.

SSL certificate

If ingress is enabled, the installer collects your SSL certificate.

  • Do you have a certificate in Azure Key Vault? yes | no
    • If yes:
      • Select the Key Vault containing your certificate.
      • Select the certificate to use.
      • If listing fails: Enter the certificate name in Key Vault.
    • If no:
      • Do you want to provide a PFX certificate for Application Gateway? yes | no (Recommended for Azure)
        • If yes:
          • Enter the path to the PFX certificate file.
          • Does your PFX certificate have a password? yes | no
            • If yes: Enter the password for your PFX certificate.
        • If no (PEM files):
          • Enter the path to the certificate body.
          • Enter the path to the certificate key.
          • Do you want to provide a certificate chain file? yes | no
            • If yes: Enter the path to the certificate chain file.
      • If using AGIC: Do you want to convert your certificates to PFX format now? yes | no

Quota and confirmation

  • If the quota check returns an error: Would you like to proceed despite the quota check error? yes | no
  • Confirm you want to proceed with the deployment. This process can take up to 45 minutes. yes | no
  • The stack has been deployed. Run the end-to-end validation? yes | no
  • The CAI Installer has completed. Would you like to run the installer again? yes | no

GCP prompts

These prompts follow the base questions when you select GCP.

  1. Enter your GCP Project ID.
  2. Enter the GCP region.
  3. Confirm or select your GCP account.
    • If not already authenticated:
      • How would you like to authenticate with GCP? gcloudCLI | ServiceAccount
        • If ServiceAccount: Enter the path to your GCP service account key JSON file.

VPC and subnets

  • Do you want to use an existing VPC and subnets? yes | no
    • If yes:
      • Enter the existing VPC name.
      • Enter the existing public subnet name.
      • Enter the existing private subnet name.
    • If no:
      • Enter the CIDR block for the new VPC (leave blank for default 10.0.0.0/16).

Node pools

The installer asks the following for each node pool: default, moderator, cai-scanner, and (if Red Team is enabled) prefect.

  • Would you like to customize the {node_pool_name} node pool? yes | no
    • If yes:
      • Enter the instance type.
      • Enter the minimum number of instances.
      • Enter the maximum number of instances.
      • Enter the desired number of instances.

Database

  • Would you like to deploy an external Cloud SQL database for the CAI platform? yes | no
    • If yes:
      • Would you like to customize the Cloud SQL instance type? yes | no
        • If yes: Enter the Cloud SQL instance type (tier).

Ingress and load balancer

  • Would you like to deploy an ingress controller and load balancer? yes | no
    • If yes:
      • Would you like to use an existing classic Google Certificate Manager certificate (GCE)? yes | no
        • If yes: Enter the existing Google Certificate Manager certificate name.
        • If no:
          • Enter the path to the certificate body.
          • Enter the path to the certificate key.
          • Enter the path to the certificate chain (optional).

Quota and confirmation

  • GCP quota warning: Some quotas may be insufficient. Do you want to continue anyway? yes | no
  • Confirm you want to proceed with the deployment. This process can take up to 45 minutes. yes | no
  • The stack has been deployed. Run the end-to-end validation? yes | no
  • The CAI Installer has completed. Would you like to run the installer again? yes | no
