Idempotent AWS provisioning script for the EKS MVP (setup-aws.sh)

[ealt]

Context

With 13a (#298), 13c (#305), and 13d (#304) merged, the chart deploys on EKS — but everything upstream of setup-experiment-helm.sh is currently a manual checklist in the chart README (EKS cluster, ECR repo + image push, RDS instance, S3 bucket + IRSA). Operator preference: idempotent scripts over human-executed step sequences; guided assistance as fallback.

Scope

reference/scripts/setup-aws/setup-aws.sh — create-if-absent provisioning of the chart's upstream dependencies:

1. EKS: verify kubectl context against a named cluster, or create via eksctl (operator-supplied name/region/node shape; no fictional defaults — fail loud with the required flag, don't invent).
2. ECR: create-if-absent repo; docker build from reference/compose/Dockerfile; tag + push; emit the image.repository/image.tag pair.
3. RDS Postgres: create-if-absent instance (or accept an existing DSN and skip); emit the postgres.mode=external connection string handoff.
4. S3 + IRSA: create-if-absent bucket; create/verify the IRSA role + service-account annotation for blob.backend=s3.
5. Hand off to setup-experiment-helm.sh with the gathered values (or emit the exact invocation).

Every step checks-then-creates and converges on re-run (mirrors setup-experiment.sh / repo_init idempotency idiom). Bash-3.2-clean per AGENTS.md.

Out of scope

• DNS / Ingress provisioning (tracked with the Hosted Web UI milestone's ingress issue)
• GCP/azure equivalents — AWS first; structure the script so a sibling setup-gcp.sh can mirror it

Part of the AWS MVP milestone.