Introduction
In on-premise ("on-prem") deployments, connecting to company platforms and tools such as warehouses, source code management (e.g., GitHub), business intelligence platforms and any others is done entirely within the local environment. This deployment option is suitable for highly regulated industries requiring strict data residency compliance.
How It Works
Compute resources are deployed within the corporate infrastructure so that Foundational can handle extraction, parsing and analysis, all done locally.
Data Handling
Sensitive data (such as source code content or table statistics) is processed locally and does not leave the corporate network. Only sanitized, lineage-related information is sent out.
Prerequisites
Ensure you have:
Access to an AWS account where you can create IAM roles and assign permissions
AWS CLI configured with credentials for your AWS account
Terraform >= 1.0 installed
The following information from Foundational (contact Foundational's Support Team to get these details):
foundational_account_id: Foundational's AWS account ID
external_id: A unique identifier for secure role assumption
Security
Access permissions
Foundational receives the following permissions for the AWS account where it's deployed:
Kubernetes (EKS) - Create, manage, and deploy EKS clusters
Networking (VPC/EC2) - Create and manage VPCs and other networking
IAM Roles & Policies - Create and manage service roles and policies
Storage & Encryption - Create and manage S3 buckets (foundational-onprem-* prefix)
Container Registry (ECR) - Pull Docker images (read-only access) from Foundational's ECR
Logging & Monitoring - Create and manage CloudWatch log groups
Security Safeguards
All permissions are restricted using:
Resource Prefixes: All resources must be named with the foundational-onprem-* prefix
Tag-Based Conditions: Resources must be tagged with ManagedBy=Foundational and ResourceGroup=foundational-onprem
IAM Path Restrictions: All IAM roles/policies created by Foundational must be under the /foundational-onprem/* path
External ID: Required for cross-account role assumption
Foundational cannot access or modify any existing resources in the account that don't match these restrictions. The permissions are limited to creating and managing new infrastructure specifically for the Foundational deployment.
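As an added illustration (not Foundational's own Terraform or policy text), the Python script below audits a deployer role's trust policy and permissions policy against the safeguards listed above: the external ID condition on sts:AssumeRole, the foundational-onprem-* name prefix, the /foundational-onprem/ IAM path and the ManagedBy tag condition. The account ID, external ID and both policy documents are constructed placeholders, and the check functions are hypothetical helpers written for this page.

```python
# Constructed placeholders, not Foundational's real account ID or external ID.
FOUNDATIONAL_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-external-id-from-support"
# Trust policy per the External ID safeguard: only the named account, only with the external ID.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{FOUNDATIONAL_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

# Constructed permissions policy: each statement is scoped by the name prefix,
# the IAM path, or the ManagedBy tag, as the safeguards above require.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::foundational-onprem-*"},
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": "arn:aws:iam::*:role/foundational-onprem/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/ManagedBy": "Foundational"}}}]}

def _as_list(value):  # IAM Action/Resource may be a string or a list
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy, account_id, external_id):
    """Every Allow of sts:AssumeRole must name the expected account and external ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        p = stmt.get("Principal", {})
        principal = str(p.get("AWS", "")) if isinstance(p, dict) else str(p)
        if f"::{account_id}:" not in principal:  # also catches a bare "*" principal
            findings.append("principal is not limited to the expected account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def permission_findings(policy):
    """Allow statements not scoped by the prefix, the IAM path or a ManagedBy tag."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        by_arn = resources and all(
            "foundational-onprem-" in r or "/foundational-onprem/" in r for r in resources)
        by_tag = any("Tag/ManagedBy" in k for v in stmt.get("Condition", {}).values() for k in v)
        if not (by_arn or by_tag):
            findings.append(f"statement {i}: not restricted by prefix, path or ManagedBy tag")
    return findings
```

To audit a real deployment, feed the functions the policy JSON returned by `aws iam get-role` and `aws iam get-policy-version` for the created role; an empty findings list means the role matches the restrictions described above.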
Best Practices
Use a Dedicated AWS Sub-Account
We strongly recommend creating a dedicated AWS sub-account (within your AWS Organization) for deploying the Foundational on-premise agent, rather than deploying directly into your main AWS account.
This approach has many benefits, including:
Isolation & Security - Separate the Foundational deployment from your production resources
Access Control - Grant Foundational access only to the specific data sources and systems needed within your AWS organization
Cost Tracking - Easily track and allocate costs associated with Foundational separately from your other AWS expenses
Compliance & Auditing - Simplified compliance reporting and security audits with clear resource boundaries
Network Segmentation - Control exactly which networks and resources the Foundational agent can access through dedicated network configurations
Set Up the Foundational On-Premise Agent
Make sure you have the following information from Foundational (contact our Support Team to get these details):
foundational_account_id: Foundational's AWS account ID
external_id: A unique identifier for secure role assumption
Download Terraform files for Foundational On-Premise agent setup: foundational-on-premise-agent-terraform.zip
Follow the instructions in the README.md file to apply this Terraform setup correctly.
You can also look at the example main.tf file to see how the Foundational Terraform can be deployed.
Provide the Foundational Support team with the created deployer_role_arn (see the README file for how to get that value). Once this is done, the Foundational Support team will connect Foundational to your on-premise deployment.