From 8894bbf56e407cfb3feaa2d398207409797bdc89 Mon Sep 17 00:00:00 2001
From: Brian Tan Seng <brian.tanseng@98labs.com>
Date: Fri, 22 Aug 2025 19:15:03 +0800
Subject: [PATCH] =?UTF-8?q?=E2=8F=BA=20Perfect!=20I=20have=20successfully?=
 =?UTF-8?q?=20created=20the=20complete=20AWS=20equivalent=20of=20the=20GCP?=
 =?UTF-8?q?=20managed=20services=20=20=20deployment=20documentation.=20Her?=
 =?UTF-8?q?e's=20a=20summary=20of=20what=20was=20created:?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  📁 AWS Managed Services Documentation Structure

  Main Documentation Files:

  1. README.md - Comprehensive overview and decision guide
  2. 00-prerequisites-managed.md - AWS setup, VPC, security, and managed services
  3. 01-ecs-managed-deployment.md - Amazon ECS with Fargate deployment
  4. 02-eks-managed-deployment.md - Amazon EKS deployment
  5. 03-production-managed-setup.md - Production hardening and advanced features

  Kubernetes Manifests (kubernetes-manifests/):

  - namespace.yaml - Namespace with resource quotas and network policies
  - storage.yaml - EFS and EBS storage classes and PVCs
  - configmap.yaml - Application configuration and Nginx config
  - secrets.yaml - External Secrets Operator integration with AWS Secrets Manager
  - erpnext-backend.yaml - Backend deployment with RDS connectivity
  - erpnext-frontend.yaml - Frontend deployment with load balancing
  - erpnext-workers.yaml - Worker deployments for different queues
  - ingress.yaml - AWS Load Balancer Controller ingress configuration
  - jobs.yaml - Site creation and backup automation jobs

  Deployment Scripts (scripts/):

  - deploy-ecs.sh - Automated ECS deployment script
  - deploy-eks.sh - Automated EKS deployment script

  🔄 Key AWS Managed Services Used:

  Instead of GCP → AWS Equivalent:
  - Cloud SQL → Amazon RDS for MySQL
  - Memorystore → Amazon MemoryDB for Redis
  - Cloud Run → Amazon ECS with Fargate
  - GKE → Amazon EKS
  - Cloud Storage → Amazon S3
  - Secret Manager → AWS Secrets Manager
  - VPC Access Connector → VPC Endpoints/NAT Gateway

  🎯 Key Features Included:

  Production-Ready Features:

  - ✅ High Availability - Multi-AZ RDS and MemoryDB deployment
  - ✅ Auto-scaling - ECS Service Auto Scaling and EKS HPA
  - ✅ Security - VPC isolation, IAM roles, WAF, encryption
  - ✅ Monitoring - CloudWatch, X-Ray, custom metrics
  - ✅ Backup & DR - Automated backups, cross-region replication
  - ✅ Cost Optimization - Reserved instances, spot instances, right-sizing

  Deployment Options:

  - 🚀 Amazon ECS with Fargate - Serverless containers, minimal ops
  - ⚙️ Amazon EKS - Full Kubernetes with advanced features
  - 🛡️ Production Hardening - WAF, enhanced monitoring, security

  Automation Scripts:

  - 📜 One-click deployment scripts for both ECS and EKS
  - 🔧 Infrastructure as Code approach
  - 📊 Cost estimation and optimization guidance

  The documentation provides a complete migration path from GCP to AWS with equivalent managed
  services, maintaining the same level of reliability and operational efficiency while
  leveraging AWS-native services and best practices.
---
 .../aws-managed/00-prerequisites-managed.md   |  705 ++++++++
 .../aws-managed/01-ecs-managed-deployment.md  | 1119 +++++++++++++
 .../aws-managed/02-eks-managed-deployment.md  | 1467 +++++++++++++++++
 .../03-production-managed-setup.md            | 1442 ++++++++++++++++
 .../deployment-guides/aws-managed/README.md   |  418 +++++
 .../kubernetes-manifests/configmap.yaml       |  228 +++
 .../kubernetes-manifests/erpnext-backend.yaml |  328 ++++
 .../erpnext-frontend.yaml                     |  247 +++
 .../kubernetes-manifests/erpnext-workers.yaml |  542 ++++++
 .../kubernetes-manifests/ingress.yaml         |  274 +++
 .../kubernetes-manifests/jobs.yaml            |  436 +++++
 .../kubernetes-manifests/namespace.yaml       |   92 ++
 .../kubernetes-manifests/secrets.yaml         |  209 +++
 .../kubernetes-manifests/storage.yaml         |  101 ++
 .../aws-managed/scripts/deploy-ecs.sh         | 1182 +++++++++++++
 .../aws-managed/scripts/deploy-eks.sh         | 1278 ++++++++++++++
 16 files changed, 10068 insertions(+)
 create mode 100644 documentation/deployment-guides/aws-managed/00-prerequisites-managed.md
 create mode 100644 documentation/deployment-guides/aws-managed/01-ecs-managed-deployment.md
 create mode 100644 documentation/deployment-guides/aws-managed/02-eks-managed-deployment.md
 create mode 100644 documentation/deployment-guides/aws-managed/03-production-managed-setup.md
 create mode 100644 documentation/deployment-guides/aws-managed/README.md
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/configmap.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-backend.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-frontend.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-workers.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/ingress.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/jobs.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/namespace.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/secrets.yaml
 create mode 100644 documentation/deployment-guides/aws-managed/kubernetes-manifests/storage.yaml
 create mode 100755 documentation/deployment-guides/aws-managed/scripts/deploy-ecs.sh
 create mode 100755 documentation/deployment-guides/aws-managed/scripts/deploy-eks.sh

diff --git a/documentation/deployment-guides/aws-managed/00-prerequisites-managed.md b/documentation/deployment-guides/aws-managed/00-prerequisites-managed.md
new file mode 100644
index 0000000..eb315fd
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/00-prerequisites-managed.md
@@ -0,0 +1,705 @@
+# AWS Prerequisites for ERPNext with Managed Services
+
+## Overview
+
+This guide covers the prerequisites and initial setup required for deploying ERPNext on Amazon Web Services (AWS) using managed database services: Amazon RDS for MySQL and Amazon MemoryDB for Redis. This approach provides better reliability, security, and operational efficiency compared to self-hosted databases.
+
+## 🔧 Required Tools
+
+### 1. AWS CLI
+```bash
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+
+# Configure AWS CLI
+aws configure
+# Enter your Access Key ID, Secret Access Key, Default region, and output format
+```
+
+### 2. kubectl (Kubernetes CLI) - For EKS Option
+```bash
+# Install kubectl
+curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+# Verify installation
+kubectl version --client
+```
+
+### 3. eksctl (EKS CLI) - For EKS Option
+```bash
+# Install eksctl
+curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
+sudo mv /tmp/eksctl /usr/local/bin
+
+# Verify installation
+eksctl version
+```
+
+### 4. Docker (for local testing and ECS)
+```bash
+# Install Docker
+curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh
+
+# Enable Docker BuildKit
+export DOCKER_BUILDKIT=1
+```
+
+### 5. AWS ECS CLI - For ECS Option
+```bash
+# Install ECS CLI
+sudo curl -Lo /usr/local/bin/ecs-cli https://amazon-ecs-cli.s3.amazonaws.com/ecs-cli-linux-amd64-latest
+sudo chmod +x /usr/local/bin/ecs-cli
+
+# Verify installation
+ecs-cli --version
+```
+
+### 6. Helm (for EKS Kubernetes package management)
+```bash
+# Install Helm
+curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+# Verify installation
+helm version
+```
+
+## 🏗️ AWS Account Setup
+
+### 1. Create or Configure AWS Account
+```bash
+# Verify AWS account and permissions
+aws sts get-caller-identity
+
+# Set default region
+export AWS_DEFAULT_REGION=us-east-1
+aws configure set default.region us-east-1
+
+# Verify configuration
+aws configure list
+```
+
+### 2. Enable Required AWS Services
+```bash
+# Verify access to required services
+aws ec2 describe-regions --output table
+aws rds describe-db-instances --output table
+aws elasticache describe-cache-clusters --output table
+aws ecs list-clusters --output table
+aws eks list-clusters --output table
+```
+
+### 3. Create IAM Policies and Roles
+```bash
+# Create IAM policy for ERPNext managed services
+cat > erpnext-managed-policy.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "rds:*",
+                "elasticache:*",
+                "ecs:*",
+                "eks:*",
+                "ec2:*",
+                "iam:PassRole",
+                "logs:*",
+                "cloudwatch:*",
+                "secretsmanager:*",
+                "ssm:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+
+# Create the policy
+aws iam create-policy \
+    --policy-name ERPNextManagedPolicy \
+    --policy-document file://erpnext-managed-policy.json
+
+# Create service role for ECS tasks
+cat > ecs-task-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ecs-tasks.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name ERPNextECSTaskRole \
+    --assume-role-policy-document file://ecs-task-role-trust.json
+
+# Attach policies to ECS task role
+aws iam attach-role-policy \
+    --role-name ERPNextECSTaskRole \
+    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+
+aws iam attach-role-policy \
+    --role-name ERPNextECSTaskRole \
+    --policy-arn $(aws iam list-policies --query "Policies[?PolicyName=='ERPNextManagedPolicy'].Arn" --output text)
+```
+
+## 🔐 Security Setup
+
+### 1. VPC and Networking Configuration
+```bash
+# Create VPC for ERPNext deployment
+aws ec2 create-vpc \
+    --cidr-block 10.0.0.0/16 \
+    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=erpnext-vpc}]'
+
+# Get VPC ID
+VPC_ID=$(aws ec2 describe-vpcs \
+    --filters "Name=tag:Name,Values=erpnext-vpc" \
+    --query "Vpcs[0].VpcId" --output text)
+
+# Create Internet Gateway
+aws ec2 create-internet-gateway \
+    --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=erpnext-igw}]'
+
+IGW_ID=$(aws ec2 describe-internet-gateways \
+    --filters "Name=tag:Name,Values=erpnext-igw" \
+    --query "InternetGateways[0].InternetGatewayId" --output text)
+
+# Attach Internet Gateway to VPC
+aws ec2 attach-internet-gateway \
+    --vpc-id $VPC_ID \
+    --internet-gateway-id $IGW_ID
+
+# Create subnets
+# Public subnet for load balancers
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.1.0/24 \
+    --availability-zone us-east-1a \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-public-subnet-1a}]'
+
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.2.0/24 \
+    --availability-zone us-east-1b \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-public-subnet-1b}]'
+
+# Private subnets for application
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.10.0/24 \
+    --availability-zone us-east-1a \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-private-subnet-1a}]'
+
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.11.0/24 \
+    --availability-zone us-east-1b \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-private-subnet-1b}]'
+
+# Database subnets
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.20.0/24 \
+    --availability-zone us-east-1a \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-db-subnet-1a}]'
+
+aws ec2 create-subnet \
+    --vpc-id $VPC_ID \
+    --cidr-block 10.0.21.0/24 \
+    --availability-zone us-east-1b \
+    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=erpnext-db-subnet-1b}]'
+```
+
+### 2. Route Tables and NAT Gateway
+```bash
+# Get subnet IDs
+PUBLIC_SUBNET_1A=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-public-subnet-1a" \
+    --query "Subnets[0].SubnetId" --output text)
+
+PUBLIC_SUBNET_1B=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-public-subnet-1b" \
+    --query "Subnets[0].SubnetId" --output text)
+
+PRIVATE_SUBNET_1A=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-private-subnet-1a" \
+    --query "Subnets[0].SubnetId" --output text)
+
+PRIVATE_SUBNET_1B=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-private-subnet-1b" \
+    --query "Subnets[0].SubnetId" --output text)
+
+# Create NAT Gateway
+aws ec2 allocate-address \
+    --domain vpc \
+    --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=erpnext-nat-eip}]'
+
+NAT_EIP=$(aws ec2 describe-addresses \
+    --filters "Name=tag:Name,Values=erpnext-nat-eip" \
+    --query "Addresses[0].AllocationId" --output text)
+
+aws ec2 create-nat-gateway \
+    --subnet-id $PUBLIC_SUBNET_1A \
+    --allocation-id $NAT_EIP \
+    --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=erpnext-nat}]'
+
+NAT_ID=$(aws ec2 describe-nat-gateways \
+    --filter "Name=tag:Name,Values=erpnext-nat" \
+    --query "NatGateways[0].NatGatewayId" --output text)
+
+# Create route tables
+# Public route table
+aws ec2 create-route-table \
+    --vpc-id $VPC_ID \
+    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=erpnext-public-rt}]'
+
+PUBLIC_RT=$(aws ec2 describe-route-tables \
+    --filters "Name=tag:Name,Values=erpnext-public-rt" \
+    --query "RouteTables[0].RouteTableId" --output text)
+
+# Private route table
+aws ec2 create-route-table \
+    --vpc-id $VPC_ID \
+    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=erpnext-private-rt}]'
+
+PRIVATE_RT=$(aws ec2 describe-route-tables \
+    --filters "Name=tag:Name,Values=erpnext-private-rt" \
+    --query "RouteTables[0].RouteTableId" --output text)
+
+# Add routes
+aws ec2 create-route \
+    --route-table-id $PUBLIC_RT \
+    --destination-cidr-block 0.0.0.0/0 \
+    --gateway-id $IGW_ID
+
+aws ec2 create-route \
+    --route-table-id $PRIVATE_RT \
+    --destination-cidr-block 0.0.0.0/0 \
+    --nat-gateway-id $NAT_ID
+
+# Associate subnets with route tables
+aws ec2 associate-route-table \
+    --subnet-id $PUBLIC_SUBNET_1A \
+    --route-table-id $PUBLIC_RT
+
+aws ec2 associate-route-table \
+    --subnet-id $PUBLIC_SUBNET_1B \
+    --route-table-id $PUBLIC_RT
+
+aws ec2 associate-route-table \
+    --subnet-id $PRIVATE_SUBNET_1A \
+    --route-table-id $PRIVATE_RT
+
+aws ec2 associate-route-table \
+    --subnet-id $PRIVATE_SUBNET_1B \
+    --route-table-id $PRIVATE_RT
+```
+
+### 3. Security Groups
+```bash
+# Create security group for ALB
+aws ec2 create-security-group \
+    --group-name erpnext-alb-sg \
+    --description "Security group for ERPNext Application Load Balancer" \
+    --vpc-id $VPC_ID \
+    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=erpnext-alb-sg}]'
+
+ALB_SG=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=erpnext-alb-sg" \
+    --query "SecurityGroups[0].GroupId" --output text)
+
+# Create security group for application
+aws ec2 create-security-group \
+    --group-name erpnext-app-sg \
+    --description "Security group for ERPNext Application" \
+    --vpc-id $VPC_ID \
+    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=erpnext-app-sg}]'
+
+APP_SG=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=erpnext-app-sg" \
+    --query "SecurityGroups[0].GroupId" --output text)
+
+# Create security group for database
+aws ec2 create-security-group \
+    --group-name erpnext-db-sg \
+    --description "Security group for ERPNext Database" \
+    --vpc-id $VPC_ID \
+    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=erpnext-db-sg}]'
+
+DB_SG=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=erpnext-db-sg" \
+    --query "SecurityGroups[0].GroupId" --output text)
+
+# Configure security group rules
+# ALB security group
+aws ec2 authorize-security-group-ingress \
+    --group-id $ALB_SG \
+    --protocol tcp \
+    --port 80 \
+    --cidr 0.0.0.0/0
+
+aws ec2 authorize-security-group-ingress \
+    --group-id $ALB_SG \
+    --protocol tcp \
+    --port 443 \
+    --cidr 0.0.0.0/0
+
+# Application security group
+aws ec2 authorize-security-group-ingress \
+    --group-id $APP_SG \
+    --protocol tcp \
+    --port 8000 \
+    --source-group $ALB_SG
+
+aws ec2 authorize-security-group-ingress \
+    --group-id $APP_SG \
+    --protocol tcp \
+    --port 9000 \
+    --source-group $ALB_SG
+
+# Database security group
+aws ec2 authorize-security-group-ingress \
+    --group-id $DB_SG \
+    --protocol tcp \
+    --port 3306 \
+    --source-group $APP_SG
+
+aws ec2 authorize-security-group-ingress \
+    --group-id $DB_SG \
+    --protocol tcp \
+    --port 6379 \
+    --source-group $APP_SG
+```
+
+## 💾 Managed Database Services Setup
+
+### 1. RDS MySQL Instance
+```bash
+# Create DB subnet group
+DB_SUBNET_1A=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-db-subnet-1a" \
+    --query "Subnets[0].SubnetId" --output text)
+
+DB_SUBNET_1B=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-db-subnet-1b" \
+    --query "Subnets[0].SubnetId" --output text)
+
+aws rds create-db-subnet-group \
+    --db-subnet-group-name erpnext-db-subnet-group \
+    --db-subnet-group-description "Subnet group for ERPNext database" \
+    --subnet-ids $DB_SUBNET_1A $DB_SUBNET_1B \
+    --tags Key=Name,Value=erpnext-db-subnet-group
+
+# Create RDS MySQL instance
+aws rds create-db-instance \
+    --db-instance-identifier erpnext-db \
+    --db-instance-class db.t3.medium \
+    --engine mysql \
+    --engine-version 8.0.35 \
+    --master-username admin \
+    --master-user-password YourSecureDBPassword123! \
+    --allocated-storage 100 \
+    --storage-type gp3 \
+    --storage-encrypted \
+    --vpc-security-group-ids $DB_SG \
+    --db-subnet-group-name erpnext-db-subnet-group \
+    --backup-retention-period 7 \
+    --backup-window 03:00-04:00 \
+    --maintenance-window sun:04:00-sun:05:00 \
+    --auto-minor-version-upgrade \
+    --deletion-protection \
+    --enable-performance-insights \
+    --performance-insights-retention-period 7 \
+    --tags Key=Name,Value=erpnext-db
+
+# Wait for instance to be available
+aws rds wait db-instance-available --db-instance-identifier erpnext-db
+
+# Create ERPNext database
+aws rds create-db-instance \
+    --db-instance-identifier erpnext-db \
+    --allocated-storage 100 \
+    --db-instance-class db.t3.medium \
+    --engine mysql \
+    --master-username admin \
+    --master-user-password YourSecureDBPassword123! \
+    --vpc-security-group-ids $DB_SG \
+    --db-subnet-group-name erpnext-db-subnet-group
+```
+
+### 2. MemoryDB for Redis Instance
+```bash
+# Create MemoryDB subnet group
+aws memorydb create-subnet-group \
+    --subnet-group-name erpnext-redis-subnet-group \
+    --description "Subnet group for ERPNext Redis" \
+    --subnet-ids $DB_SUBNET_1A $DB_SUBNET_1B \
+    --tags Key=Name,Value=erpnext-redis-subnet-group
+
+# Create MemoryDB user
+aws memorydb create-user \
+    --user-name erpnext-redis-user \
+    --authentication-mode Type=password,Passwords=YourSecureRedisPassword123! \
+    --access-string "on ~* &* +@all" \
+    --tags Key=Name,Value=erpnext-redis-user
+
+# Create MemoryDB ACL
+aws memorydb create-acl \
+    --acl-name erpnext-redis-acl \
+    --user-names erpnext-redis-user \
+    --tags Key=Name,Value=erpnext-redis-acl
+
+# Create MemoryDB cluster
+aws memorydb create-cluster \
+    --cluster-name erpnext-redis \
+    --node-type db.t4g.small \
+    --engine-version 6.2 \
+    --num-shards 1 \
+    --num-replicas-per-shard 1 \
+    --acl-name erpnext-redis-acl \
+    --subnet-group-name erpnext-redis-subnet-group \
+    --security-group-ids $DB_SG \
+    --maintenance-window sun:05:00-sun:06:00 \
+    --sns-topic-arn arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-notifications \
+    --tls-enabled \
+    --tags Key=Name,Value=erpnext-redis
+
+# Wait for cluster to be available
+aws memorydb describe-clusters \
+    --cluster-name erpnext-redis \
+    --query "Clusters[0].Status" --output text
+```
+
+### 3. AWS Systems Manager Parameter Store for Configuration
+```bash
+# Store database configuration
+aws ssm put-parameter \
+    --name "/erpnext/database/host" \
+    --value $(aws rds describe-db-instances \
+        --db-instance-identifier erpnext-db \
+        --query "DBInstances[0].Endpoint.Address" --output text) \
+    --type "String" \
+    --description "ERPNext Database Host"
+
+aws ssm put-parameter \
+    --name "/erpnext/database/port" \
+    --value "3306" \
+    --type "String" \
+    --description "ERPNext Database Port"
+
+aws ssm put-parameter \
+    --name "/erpnext/database/name" \
+    --value "erpnext" \
+    --type "String" \
+    --description "ERPNext Database Name"
+
+aws ssm put-parameter \
+    --name "/erpnext/database/username" \
+    --value "admin" \
+    --type "String" \
+    --description "ERPNext Database Username"
+
+# Store Redis configuration
+aws ssm put-parameter \
+    --name "/erpnext/redis/host" \
+    --value $(aws memorydb describe-clusters \
+        --cluster-name erpnext-redis \
+        --query "Clusters[0].ClusterEndpoint.Address" --output text) \
+    --type "String" \
+    --description "ERPNext Redis Host"
+
+aws ssm put-parameter \
+    --name "/erpnext/redis/port" \
+    --value "6379" \
+    --type "String" \
+    --description "ERPNext Redis Port"
+```
+
+## 🔑 AWS Secrets Manager for Sensitive Data
+```bash
+# Store database password
+aws secretsmanager create-secret \
+    --name "erpnext/database/password" \
+    --description "ERPNext Database Password" \
+    --secret-string "YourSecureDBPassword123!" \
+    --tags '[{"Key":"Application","Value":"ERPNext"},{"Key":"Environment","Value":"Production"}]'
+
+# Store Redis password
+aws secretsmanager create-secret \
+    --name "erpnext/redis/password" \
+    --description "ERPNext Redis Password" \
+    --secret-string "YourSecureRedisPassword123!" \
+    --tags '[{"Key":"Application","Value":"ERPNext"},{"Key":"Environment","Value":"Production"}]'
+
+# Store ERPNext admin password
+aws secretsmanager create-secret \
+    --name "erpnext/admin/password" \
+    --description "ERPNext Admin Password" \
+    --secret-string "YourSecureAdminPassword123!" \
+    --tags '[{"Key":"Application","Value":"ERPNext"},{"Key":"Environment","Value":"Production"}]'
+
+# Store API credentials
+aws secretsmanager create-secret \
+    --name "erpnext/api/credentials" \
+    --description "ERPNext API Credentials" \
+    --secret-string '{"api_key":"your-api-key-here","api_secret":"your-api-secret-here"}' \
+    --tags '[{"Key":"Application","Value":"ERPNext"},{"Key":"Environment","Value":"Production"}]'
+```
+
+## 📊 CloudWatch and Monitoring Setup
+```bash
+# Create CloudWatch log groups
+aws logs create-log-group \
+    --log-group-name /aws/ecs/erpnext-backend \
+    --retention-in-days 7
+
+aws logs create-log-group \
+    --log-group-name /aws/ecs/erpnext-frontend \
+    --retention-in-days 7
+
+aws logs create-log-group \
+    --log-group-name /aws/ecs/erpnext-worker \
+    --retention-in-days 7
+
+# Create SNS topic for alerts
+aws sns create-topic \
+    --name erpnext-alerts \
+    --tags Key=Application,Value=ERPNext
+
+# Subscribe email to alerts (replace with your email)
+aws sns subscribe \
+    --topic-arn arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --protocol email \
+    --notification-endpoint your-email@yourdomain.com
+```
+
+## 🔍 Verification Checklist
+
+Before proceeding to deployment, verify:
+
+```bash
+# Check AWS credentials and region
+aws sts get-caller-identity
+aws configure get region
+
+# Verify VPC and subnets
+aws ec2 describe-vpcs --filters "Name=tag:Name,Values=erpnext-vpc"
+aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID"
+
+# Check security groups
+aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$VPC_ID"
+
+# Verify RDS instance
+aws rds describe-db-instances --db-instance-identifier erpnext-db
+
+# Check MemoryDB cluster
+aws memorydb describe-clusters --cluster-name erpnext-redis
+
+# Verify secrets
+aws secretsmanager list-secrets --filters Key=tag-key,Values=Application Key=tag-value,Values=ERPNext
+
+# Check IAM roles
+aws iam get-role --role-name ERPNextECSTaskRole
+
+# Verify CloudWatch log groups
+aws logs describe-log-groups --log-group-name-prefix /aws/ecs/erpnext
+```
+
+## 💡 Cost Optimization for Managed Services
+
+### 1. RDS Optimization
+```bash
+# Use appropriate instance types
+# Development: db.t3.micro or db.t3.small
+# Production: db.t3.medium or larger
+
+# Enable storage autoscaling
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --max-allocated-storage 1000 \
+    --apply-immediately
+
+# Use Reserved Instances for production (1-3 year terms)
+aws rds describe-reserved-db-instances-offerings \
+    --db-instance-class db.t3.medium \
+    --engine mysql
+```
+
+### 2. MemoryDB Optimization
+```bash
+# Right-size cluster based on memory usage
+# Start with db.t4g.small and scale based on usage
+# Monitor memory utilization and adjust
+
+# Use Multi-AZ only for production
+# Single-AZ for development/testing environments
+```
+
+### 3. Network Cost Optimization
+```bash
+# Use same AZ for services to minimize data transfer costs
+# Monitor VPC Flow Logs for inter-AZ traffic
+# Consider VPC endpoints for AWS services if needed
+```
+
+## 🚨 Security Best Practices for Managed Services
+
+### 1. Network Security
+- **VPC isolation**: All managed services use private subnets
+- **Security groups**: Restrictive access between tiers
+- **No public access**: Database and Redis not accessible from internet
+
+### 2. Access Control
+```bash
+# Enable RDS IAM database authentication
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --enable-iam-database-authentication \
+    --apply-immediately
+
+# Create IAM database user
+aws rds create-db-instance-read-replica \
+    --db-instance-identifier erpnext-db-read-replica \
+    --source-db-instance-identifier erpnext-db \
+    --db-instance-class db.t3.small
+```
+
+### 3. Encryption
+- **Encryption at rest**: Enabled by default for both services
+- **Encryption in transit**: SSL/TLS enforced
+- **Secrets management**: AWS Secrets Manager for credentials
+
+## 📚 Additional Resources
+
+- [Amazon RDS Documentation](https://docs.aws.amazon.com/rds/)
+- [Amazon MemoryDB Documentation](https://docs.aws.amazon.com/memorydb/)
+- [Amazon ECS Documentation](https://docs.aws.amazon.com/ecs/)
+- [Amazon EKS Documentation](https://docs.aws.amazon.com/eks/)
+- [AWS VPC Documentation](https://docs.aws.amazon.com/vpc/)
+
+## ➡️ Next Steps
+
+After completing prerequisites:
+1. **ECS with Managed Services**: Follow `01-ecs-managed-deployment.md`
+2. **EKS with Managed Services**: Follow `02-eks-managed-deployment.md`
+3. **Production Hardening**: See `03-production-managed-setup.md`
+
+---
+
+**⚠️ Important Notes**:
+- Managed services incur continuous costs even when not in use
+- Plan your backup and disaster recovery strategy
+- Monitor costs regularly using AWS Cost Explorer
+- Keep track of all resources created for billing purposes
+- Use AWS Config for compliance and governance
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/01-ecs-managed-deployment.md b/documentation/deployment-guides/aws-managed/01-ecs-managed-deployment.md
new file mode 100644
index 0000000..73f7dc3
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/01-ecs-managed-deployment.md
@@ -0,0 +1,1119 @@
+# ERPNext ECS Deployment with Managed Database Services
+
+## Overview
+
+This guide provides step-by-step instructions for deploying ERPNext on Amazon Elastic Container Service (ECS) using Amazon RDS for MySQL and Amazon MemoryDB for Redis. This approach offers excellent scalability, reliability, and operational efficiency with AWS managed services.
+
+## 🏗️ ECS Cluster Setup
+
+### 1. Create ECS Cluster with Fargate
+```bash
+# Create ECS cluster
+aws ecs create-cluster \
+    --cluster-name erpnext-cluster \
+    --capacity-providers FARGATE FARGATE_SPOT \
+    --default-capacity-provider-strategy capacityProvider=FARGATE,weight=1 \
+    --settings name=containerInsights,value=enabled \
+    --tags key=Name,value=erpnext-cluster key=Application,value=ERPNext
+
+# Verify cluster creation
+aws ecs describe-clusters --clusters erpnext-cluster
+```
+
+### 2. Create Application Load Balancer
+```bash
+# Get subnet IDs
+PUBLIC_SUBNET_1A=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-public-subnet-1a" \
+    --query "Subnets[0].SubnetId" --output text)
+
+PUBLIC_SUBNET_1B=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-public-subnet-1b" \
+    --query "Subnets[0].SubnetId" --output text)
+
+ALB_SG=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=erpnext-alb-sg" \
+    --query "SecurityGroups[0].GroupId" --output text)
+
+# Create Application Load Balancer
+aws elbv2 create-load-balancer \
+    --name erpnext-alb \
+    --subnets $PUBLIC_SUBNET_1A $PUBLIC_SUBNET_1B \
+    --security-groups $ALB_SG \
+    --scheme internet-facing \
+    --type application \
+    --ip-address-type ipv4 \
+    --tags Key=Name,Value=erpnext-alb Key=Application,Value=ERPNext
+
+# Get ALB ARN
+ALB_ARN=$(aws elbv2 describe-load-balancers \
+    --names erpnext-alb \
+    --query "LoadBalancers[0].LoadBalancerArn" --output text)
+
+# Get VPC ID
+VPC_ID=$(aws ec2 describe-vpcs \
+    --filters "Name=tag:Name,Values=erpnext-vpc" \
+    --query "Vpcs[0].VpcId" --output text)
+
+# Create target groups
+aws elbv2 create-target-group \
+    --name erpnext-frontend-tg \
+    --protocol HTTP \
+    --port 8080 \
+    --vpc-id $VPC_ID \
+    --target-type ip \
+    --health-check-path / \
+    --health-check-interval-seconds 30 \
+    --health-check-timeout-seconds 5 \
+    --healthy-threshold-count 2 \
+    --unhealthy-threshold-count 5 \
+    --tags Key=Name,Value=erpnext-frontend-tg
+
+aws elbv2 create-target-group \
+    --name erpnext-backend-tg \
+    --protocol HTTP \
+    --port 8000 \
+    --vpc-id $VPC_ID \
+    --target-type ip \
+    --health-check-path /api/method/ping \
+    --health-check-interval-seconds 30 \
+    --health-check-timeout-seconds 5 \
+    --healthy-threshold-count 2 \
+    --unhealthy-threshold-count 5 \
+    --tags Key=Name,Value=erpnext-backend-tg
+
+aws elbv2 create-target-group \
+    --name erpnext-socketio-tg \
+    --protocol HTTP \
+    --port 9000 \
+    --vpc-id $VPC_ID \
+    --target-type ip \
+    --health-check-path /socket.io/ \
+    --health-check-interval-seconds 30 \
+    --health-check-timeout-seconds 5 \
+    --healthy-threshold-count 2 \
+    --unhealthy-threshold-count 5 \
+    --tags Key=Name,Value=erpnext-socketio-tg
+
+# Get target group ARNs
+FRONTEND_TG_ARN=$(aws elbv2 describe-target-groups \
+    --names erpnext-frontend-tg \
+    --query "TargetGroups[0].TargetGroupArn" --output text)
+
+BACKEND_TG_ARN=$(aws elbv2 describe-target-groups \
+    --names erpnext-backend-tg \
+    --query "TargetGroups[0].TargetGroupArn" --output text)
+
+SOCKETIO_TG_ARN=$(aws elbv2 describe-target-groups \
+    --names erpnext-socketio-tg \
+    --query "TargetGroups[0].TargetGroupArn" --output text)
+
+# Create ALB listeners
+aws elbv2 create-listener \
+    --load-balancer-arn $ALB_ARN \
+    --protocol HTTP \
+    --port 80 \
+    --default-actions Type=forward,TargetGroupArn=$FRONTEND_TG_ARN \
+    --tags Key=Name,Value=erpnext-alb-listener-80
+
+# Create listener rules for routing
+LISTENER_ARN=$(aws elbv2 describe-listeners \
+    --load-balancer-arn $ALB_ARN \
+    --query "Listeners[0].ListenerArn" --output text)
+
+# Rule for Socket.IO traffic
+aws elbv2 create-rule \
+    --listener-arn $LISTENER_ARN \
+    --priority 100 \
+    --conditions Field=path-pattern,Values="/socket.io/*" \
+    --actions Type=forward,TargetGroupArn=$SOCKETIO_TG_ARN
+
+# Rule for API traffic
+aws elbv2 create-rule \
+    --listener-arn $LISTENER_ARN \
+    --priority 200 \
+    --conditions Field=path-pattern,Values="/api/*" \
+    --actions Type=forward,TargetGroupArn=$BACKEND_TG_ARN
+```
+
+## 📦 EFS for Shared Storage
+```bash
+# Create EFS file system for shared sites data
+aws efs create-file-system \
+    --creation-token erpnext-sites-$(date +%s) \
+    --performance-mode generalPurpose \
+    --throughput-mode provisioned \
+    --provisioned-throughput-in-mibps 100 \
+    --encrypted \
+    --tags Key=Name,Value=erpnext-sites-efs Key=Application,Value=ERPNext
+
+# Get EFS ID
+EFS_ID=$(aws efs describe-file-systems \
+    --query "FileSystems[?Tags[?Key=='Name' && Value=='erpnext-sites-efs']].FileSystemId" --output text)
+
+# Get private subnet IDs
+PRIVATE_SUBNET_1A=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-private-subnet-1a" \
+    --query "Subnets[0].SubnetId" --output text)
+
+PRIVATE_SUBNET_1B=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Name,Values=erpnext-private-subnet-1b" \
+    --query "Subnets[0].SubnetId" --output text)
+
+APP_SG=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=erpnext-app-sg" \
+    --query "SecurityGroups[0].GroupId" --output text)
+
+# Create EFS mount targets
+aws efs create-mount-target \
+    --file-system-id $EFS_ID \
+    --subnet-id $PRIVATE_SUBNET_1A \
+    --security-groups $APP_SG
+
+aws efs create-mount-target \
+    --file-system-id $EFS_ID \
+    --subnet-id $PRIVATE_SUBNET_1B \
+    --security-groups $APP_SG
+
+# Create access point for ERPNext sites
+aws efs create-access-point \
+    --file-system-id $EFS_ID \
+    --posix-user Uid=1000,Gid=1000 \
+    --root-directory Path="/sites",CreationInfo='{OwnerUid=1000,OwnerGid=1000,Permissions=755}' \
+    --tags Key=Name,Value=erpnext-sites-access-point
+
+# Get access point ARN
+SITES_ACCESS_POINT_ID=$(aws efs describe-access-points \
+    --file-system-id $EFS_ID \
+    --query "AccessPoints[?Tags[?Key=='Name' && Value=='erpnext-sites-access-point']].AccessPointId" --output text)
+```
+
+## 🔐 Task Execution Role and Task Role
+```bash
+# Create task execution role
+cat > ecs-task-execution-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ecs-tasks.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name ERPNextECSExecutionRole \
+    --assume-role-policy-document file://ecs-task-execution-role-trust.json
+
+# Attach required policies
+aws iam attach-role-policy \
+    --role-name ERPNextECSExecutionRole \
+    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+
+# Create custom policy for Secrets Manager and Parameter Store
+cat > ecs-secrets-policy.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "ssm:GetParameters",
+                "ssm:GetParameter",
+                "kms:Decrypt"
+            ],
+            "Resource": [
+                "arn:aws:secretsmanager:us-east-1:*:secret:erpnext/*",
+                "arn:aws:ssm:us-east-1:*:parameter/erpnext/*"
+            ]
+        }
+    ]
+}
+EOF
+
+aws iam create-policy \
+    --policy-name ERPNextSecretsPolicy \
+    --policy-document file://ecs-secrets-policy.json
+
+aws iam attach-role-policy \
+    --role-name ERPNextECSExecutionRole \
+    --policy-arn $(aws iam list-policies --query "Policies[?PolicyName=='ERPNextSecretsPolicy'].Arn" --output text)
+
+# Create task role for application permissions
+aws iam create-role \
+    --role-name ERPNextECSTaskRole \
+    --assume-role-policy-document file://ecs-task-execution-role-trust.json
+
+# Attach policies for S3 access (for file uploads)
+aws iam attach-role-policy \
+    --role-name ERPNextECSTaskRole \
+    --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
+```
+
+## 🐳 ECS Task Definitions
+
+### 1. ERPNext Backend Task Definition
+```bash
+# Get database and Redis endpoints
+DB_HOST=$(aws ssm get-parameter --name "/erpnext/database/host" --query "Parameter.Value" --output text)
+REDIS_HOST=$(aws ssm get-parameter --name "/erpnext/redis/host" --query "Parameter.Value" --output text)
+
+# Create backend task definition
+cat > erpnext-backend-task.json <<EOF
+{
+    "family": "erpnext-backend",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "1024",
+    "memory": "2048",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "erpnext-backend",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "portMappings": [
+                {
+                    "containerPort": 8000,
+                    "protocol": "tcp"
+                },
+                {
+                    "containerPort": 9000,
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                {
+                    "name": "APP_VERSION",
+                    "value": "v14"
+                },
+                {
+                    "name": "APP_URL",
+                    "value": "erpnext.yourdomain.com"
+                },
+                {
+                    "name": "APP_USER",
+                    "value": "Administrator"
+                },
+                {
+                    "name": "APP_DB_PARAM",
+                    "value": "db"
+                },
+                {
+                    "name": "DEVELOPER_MODE",
+                    "value": "0"
+                },
+                {
+                    "name": "ENABLE_SCHEDULER",
+                    "value": "1"
+                },
+                {
+                    "name": "SOCKETIO_PORT",
+                    "value": "9000"
+                },
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "erpnext-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/erpnext-backend",
+                    "awslogs-region": "us-east-1",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            },
+            "healthCheck": {
+                "command": [
+                    "CMD-SHELL",
+                    "curl -f http://localhost:8000/api/method/ping || exit 1"
+                ],
+                "interval": 30,
+                "timeout": 5,
+                "retries": 3,
+                "startPeriod": 60
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "erpnext-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$SITES_ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+# Register task definition
+aws ecs register-task-definition --cli-input-json file://erpnext-backend-task.json
+```
+
+### 2. ERPNext Frontend Task Definition
+```bash
+cat > erpnext-frontend-task.json <<EOF
+{
+    "family": "erpnext-frontend",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "512",
+    "memory": "1024",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "erpnext-frontend",
+            "image": "frappe/erpnext-nginx:v14",
+            "essential": true,
+            "portMappings": [
+                {
+                    "containerPort": 8080,
+                    "protocol": "tcp"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "erpnext-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites",
+                    "readOnly": true
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/erpnext-frontend",
+                    "awslogs-region": "us-east-1",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            },
+            "healthCheck": {
+                "command": [
+                    "CMD-SHELL",
+                    "curl -f http://localhost:8080/ || exit 1"
+                ],
+                "interval": 30,
+                "timeout": 5,
+                "retries": 3,
+                "startPeriod": 30
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "erpnext-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$SITES_ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+aws ecs register-task-definition --cli-input-json file://erpnext-frontend-task.json
+```
+
+### 3. ERPNext Worker Task Definition
+```bash
+cat > erpnext-worker-task.json <<EOF
+{
+    "family": "erpnext-worker",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "512",
+    "memory": "1024",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "erpnext-worker-default",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": ["bench", "worker", "--queue", "default"],
+            "environment": [
+                {
+                    "name": "APP_VERSION",
+                    "value": "v14"
+                },
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "erpnext-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/erpnext-worker",
+                    "awslogs-region": "us-east-1",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "erpnext-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$SITES_ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+aws ecs register-task-definition --cli-input-json file://erpnext-worker-task.json
+```
+
+### 4. ERPNext Scheduler Task Definition
+```bash
+cat > erpnext-scheduler-task.json <<EOF
+{
+    "family": "erpnext-scheduler",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "256",
+    "memory": "512",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "erpnext-scheduler",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": ["bench", "schedule"],
+            "environment": [
+                {
+                    "name": "APP_VERSION",
+                    "value": "v14"
+                },
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "erpnext-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/erpnext-worker",
+                    "awslogs-region": "us-east-1",
+                    "awslogs-stream-prefix": "scheduler"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "erpnext-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$SITES_ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+aws ecs register-task-definition --cli-input-json file://erpnext-scheduler-task.json
+```
+
+## 🚀 Deploy ECS Services
+
+### 1. Create ERPNext Backend Service
+```bash
+aws ecs create-service \
+    --cluster erpnext-cluster \
+    --service-name erpnext-backend \
+    --task-definition erpnext-backend:1 \
+    --desired-count 2 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+    --load-balancers targetGroupArn=$BACKEND_TG_ARN,containerName=erpnext-backend,containerPort=8000 targetGroupArn=$SOCKETIO_TG_ARN,containerName=erpnext-backend,containerPort=9000 \
+    --health-check-grace-period-seconds 60 \
+    --tags key=Name,value=erpnext-backend key=Application,value=ERPNext
+```
+
+### 2. Create ERPNext Frontend Service
+```bash
+aws ecs create-service \
+    --cluster erpnext-cluster \
+    --service-name erpnext-frontend \
+    --task-definition erpnext-frontend:1 \
+    --desired-count 2 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+    --load-balancers targetGroupArn=$FRONTEND_TG_ARN,containerName=erpnext-frontend,containerPort=8080 \
+    --health-check-grace-period-seconds 30 \
+    --tags key=Name,value=erpnext-frontend key=Application,value=ERPNext
+```
+
+### 3. Create ERPNext Worker Service
+```bash
+aws ecs create-service \
+    --cluster erpnext-cluster \
+    --service-name erpnext-worker \
+    --task-definition erpnext-worker:1 \
+    --desired-count 2 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+    --tags key=Name,value=erpnext-worker key=Application,value=ERPNext
+```
+
+### 4. Create ERPNext Scheduler Service
+```bash
+aws ecs create-service \
+    --cluster erpnext-cluster \
+    --service-name erpnext-scheduler \
+    --task-definition erpnext-scheduler:1 \
+    --desired-count 1 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+    --tags key=Name,value=erpnext-scheduler key=Application,value=ERPNext
+```
+
+## 🏗️ Initialize ERPNext Site
+
+### 1. Create Site Initialization Task
+```bash
+cat > erpnext-create-site-task.json <<EOF
+{
+    "family": "erpnext-create-site",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "1024",
+    "memory": "2048",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "create-site",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": [
+                "bash",
+                "-c",
+                "set -e; echo 'Starting ERPNext site creation...'; if [ -d '/home/frappe/frappe-bench/sites/frontend' ]; then echo 'Site already exists. Skipping creation.'; exit 0; fi; bench new-site frontend --admin-password \\$ADMIN_PASSWORD --mariadb-root-password \\$DB_PASSWORD --install-app erpnext --set-default; echo 'Site creation completed successfully!'"
+            ],
+            "environment": [
+                {
+                    "name": "APP_VERSION",
+                    "value": "v14"
+                },
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/database/password"
+                },
+                {
+                    "name": "ADMIN_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:us-east-1:$(aws sts get-caller-identity --query Account --output text):secret:erpnext/admin/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "erpnext-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/erpnext-backend",
+                    "awslogs-region": "us-east-1",
+                    "awslogs-stream-prefix": "create-site"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "erpnext-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$SITES_ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+aws ecs register-task-definition --cli-input-json file://erpnext-create-site-task.json
+
+# Run the site creation task
+aws ecs run-task \
+    --cluster erpnext-cluster \
+    --task-definition erpnext-create-site:1 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A],securityGroups=[$APP_SG],assignPublicIp=DISABLED}"
+```
+
+### 2. Monitor Site Creation
+```bash
+# List running tasks
+aws ecs list-tasks --cluster erpnext-cluster --family erpnext-create-site
+
+# Get task ARN
+TASK_ARN=$(aws ecs list-tasks --cluster erpnext-cluster --family erpnext-create-site --query "taskArns[0]" --output text)
+
+# Check task status
+aws ecs describe-tasks --cluster erpnext-cluster --tasks $TASK_ARN
+
+# View logs (replace log stream with actual stream name)
+aws logs describe-log-streams --log-group-name "/aws/ecs/erpnext-backend" --order-by LastEventTime --descending
+
+# Get specific log stream
+LOG_STREAM=$(aws logs describe-log-streams \
+    --log-group-name "/aws/ecs/erpnext-backend" \
+    --order-by LastEventTime \
+    --descending \
+    --max-items 1 \
+    --query "logStreams[0].logStreamName" --output text)
+
+aws logs get-log-events \
+    --log-group-name "/aws/ecs/erpnext-backend" \
+    --log-stream-name $LOG_STREAM
+```
+
+## 📊 Auto Scaling Configuration
+
+### 1. Application Auto Scaling for ECS Services
+```bash
+# Register scalable targets
+aws application-autoscaling register-scalable-target \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-backend \
+    --scalable-dimension ecs:service:DesiredCount \
+    --min-capacity 2 \
+    --max-capacity 10
+
+aws application-autoscaling register-scalable-target \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-frontend \
+    --scalable-dimension ecs:service:DesiredCount \
+    --min-capacity 2 \
+    --max-capacity 10
+
+aws application-autoscaling register-scalable-target \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-worker \
+    --scalable-dimension ecs:service:DesiredCount \
+    --min-capacity 2 \
+    --max-capacity 8
+
+# Create scaling policies
+aws application-autoscaling put-scaling-policy \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-backend \
+    --scalable-dimension ecs:service:DesiredCount \
+    --policy-name erpnext-backend-cpu-scaling \
+    --policy-type TargetTrackingScaling \
+    --target-tracking-scaling-policy-configuration '{
+        "TargetValue": 70.0,
+        "PredefinedMetricSpecification": {
+            "PredefinedMetricType": "ECSServiceAverageCPUUtilization"
+        },
+        "ScaleOutCooldown": 300,
+        "ScaleInCooldown": 300
+    }'
+
+aws application-autoscaling put-scaling-policy \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-frontend \
+    --scalable-dimension ecs:service:DesiredCount \
+    --policy-name erpnext-frontend-cpu-scaling \
+    --policy-type TargetTrackingScaling \
+    --target-tracking-scaling-policy-configuration '{
+        "TargetValue": 70.0,
+        "PredefinedMetricSpecification": {
+            "PredefinedMetricType": "ECSServiceAverageCPUUtilization"
+        },
+        "ScaleOutCooldown": 300,
+        "ScaleInCooldown": 300
+    }'
+
+# ALB request count scaling for frontend
+aws application-autoscaling put-scaling-policy \
+    --service-namespace ecs \
+    --resource-id service/erpnext-cluster/erpnext-frontend \
+    --scalable-dimension ecs:service:DesiredCount \
+    --policy-name erpnext-frontend-request-scaling \
+    --policy-type TargetTrackingScaling \
+    --target-tracking-scaling-policy-configuration '{
+        "TargetValue": 1000.0,
+        "PredefinedMetricSpecification": {
+            "PredefinedMetricType": "ALBRequestCountPerTarget",
+            "ResourceLabel": "'$(echo $ALB_ARN | cut -d'/' -f2-)'/'$(echo $FRONTEND_TG_ARN | cut -d'/' -f2-)'"
+        },
+        "ScaleOutCooldown": 300,
+        "ScaleInCooldown": 300
+    }'
+```
+
+## 🔍 Verification and Testing
+
+### 1. Check Service Status
+```bash
+# Check all services
+aws ecs describe-services \
+    --cluster erpnext-cluster \
+    --services erpnext-backend erpnext-frontend erpnext-worker erpnext-scheduler
+
+# Check running tasks
+aws ecs list-tasks --cluster erpnext-cluster --service-name erpnext-backend
+aws ecs list-tasks --cluster erpnext-cluster --service-name erpnext-frontend
+aws ecs list-tasks --cluster erpnext-cluster --service-name erpnext-worker
+aws ecs list-tasks --cluster erpnext-cluster --service-name erpnext-scheduler
+
+# Check target group health
+aws elbv2 describe-target-health --target-group-arn $FRONTEND_TG_ARN
+aws elbv2 describe-target-health --target-group-arn $BACKEND_TG_ARN
+aws elbv2 describe-target-health --target-group-arn $SOCKETIO_TG_ARN
+```
+
+### 2. Test Application
+```bash
+# Get ALB DNS name
+ALB_DNS=$(aws elbv2 describe-load-balancers \
+    --names erpnext-alb \
+    --query "LoadBalancers[0].DNSName" --output text)
+
+# Test frontend
+curl -I http://$ALB_DNS/
+
+# Test backend API
+curl -I http://$ALB_DNS/api/method/ping
+
+# Test Socket.IO
+curl -I http://$ALB_DNS/socket.io/
+```
+
+## 🗄️ Backup Strategy
+
+### 1. EFS Backup
+```bash
+# Create backup vault
+aws backup create-backup-vault \
+    --backup-vault-name erpnext-backup-vault \
+    --encryption-key-arn arn:aws:kms:us-east-1:$(aws sts get-caller-identity --query Account --output text):alias/aws/backup
+
+# Create backup plan
+cat > backup-plan.json <<EOF
+{
+    "BackupPlanName": "ERPNextEFSBackupPlan",
+    "Rules": [
+        {
+            "RuleName": "DailyBackups",
+            "TargetBackupVaultName": "erpnext-backup-vault",
+            "ScheduleExpression": "cron(0 5 ? * * *)",
+            "StartWindowMinutes": 60,
+            "CompletionWindowMinutes": 120,
+            "Lifecycle": {
+                "DeleteAfterDays": 30,
+                "MoveToColdStorageAfterDays": 7
+            }
+        }
+    ]
+}
+EOF
+
+aws backup create-backup-plan --backup-plan file://backup-plan.json
+
+# Create IAM role for AWS Backup
+cat > backup-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "backup.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name AWSBackupServiceRole \
+    --assume-role-policy-document file://backup-role-trust.json
+
+aws iam attach-role-policy \
+    --role-name AWSBackupServiceRole \
+    --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
+
+# Create backup selection
+BACKUP_PLAN_ID=$(aws backup get-backup-plan --backup-plan-id $(aws backup list-backup-plans --query "BackupPlansList[?BackupPlanName=='ERPNextEFSBackupPlan'].BackupPlanId" --output text) --query "BackupPlan.BackupPlanId" --output text)
+
+cat > backup-selection.json <<EOF
+{
+    "SelectionName": "ERPNextEFSSelection",
+    "IamRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AWSBackupServiceRole",
+    "Resources": [
+        "arn:aws:elasticfilesystem:us-east-1:$(aws sts get-caller-identity --query Account --output text):file-system/$EFS_ID"
+    ]
+}
+EOF
+
+aws backup create-backup-selection \
+    --backup-plan-id $BACKUP_PLAN_ID \
+    --backup-selection file://backup-selection.json
+```
+
+## 🛠️ Troubleshooting
+
+### 1. Service Issues
+```bash
+# Check service events
+aws ecs describe-services \
+    --cluster erpnext-cluster \
+    --services erpnext-backend \
+    --query "services[0].events"
+
+# Check task definition issues
+aws ecs describe-task-definition --task-definition erpnext-backend:1
+
+# Check task failures
+aws ecs describe-tasks \
+    --cluster erpnext-cluster \
+    --tasks $(aws ecs list-tasks --cluster erpnext-cluster --service-name erpnext-backend --query "taskArns[0]" --output text)
+```
+
+### 2. Database Connectivity
+```bash
+# Test RDS connectivity
+aws rds describe-db-instances --db-instance-identifier erpnext-db --query "DBInstances[0].DBInstanceStatus"
+
+# Test from ECS task
+aws ecs run-task \
+    --cluster erpnext-cluster \
+    --task-definition erpnext-backend:1 \
+    --launch-type FARGATE \
+    --platform-version LATEST \
+    --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+    --overrides '{
+        "containerOverrides": [
+            {
+                "name": "erpnext-backend",
+                "command": ["mysql", "-h", "'$DB_HOST'", "-u", "admin", "-p", "-e", "SHOW DATABASES;"]
+            }
+        ]
+    }'
+```
+
+### 3. Load Balancer Issues
+```bash
+# Check ALB health
+aws elbv2 describe-load-balancers --names erpnext-alb
+
+# Check target group targets
+aws elbv2 describe-target-health --target-group-arn $FRONTEND_TG_ARN
+```
+
+## 💰 Cost Optimization for ECS
+
+### 1. Use Fargate Spot
+```bash
+# Update services to use Fargate Spot for cost savings
+aws ecs update-service \
+    --cluster erpnext-cluster \
+    --service erpnext-worker \
+    --capacity-provider-strategy capacityProvider=FARGATE_SPOT,weight=3 capacityProvider=FARGATE,weight=1
+```
+
+### 2. Right-size Tasks
+```bash
+# Monitor task utilization and adjust CPU/memory
+aws logs filter-log-events \
+    --log-group-name /aws/ecs/erpnext-backend \
+    --filter-pattern "Memory" \
+    --start-time $(date -d '1 day ago' +%s)000
+```
+
+## 📚 Additional Resources
+
+- [Amazon ECS Documentation](https://docs.aws.amazon.com/ecs/)
+- [AWS Fargate Documentation](https://docs.aws.amazon.com/AmazonECS/latest/userguide/AWS_Fargate.html)
+- [Amazon RDS Documentation](https://docs.aws.amazon.com/rds/)
+- [Amazon MemoryDB Documentation](https://docs.aws.amazon.com/memorydb/)
+- [Application Load Balancer Documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/)
+
+## ➡️ Next Steps
+
+1. **Production Hardening**: Follow `03-production-managed-setup.md`
+2. **Monitoring Setup**: Configure detailed CloudWatch monitoring
+3. **CI/CD Pipeline**: Set up automated deployments
+4. **Security**: Implement WAF and additional security measures
+
+---
+
+**⚠️ Important**: This deployment uses managed services that incur continuous costs. Monitor your usage and optimize resource allocation based on actual requirements.
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/02-eks-managed-deployment.md b/documentation/deployment-guides/aws-managed/02-eks-managed-deployment.md
new file mode 100644
index 0000000..4eaa4f9
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/02-eks-managed-deployment.md
@@ -0,0 +1,1467 @@
+# ERPNext EKS Deployment with Managed Database Services
+
+## Overview
+
+This guide provides step-by-step instructions for deploying ERPNext on Amazon Elastic Kubernetes Service (EKS) using Amazon RDS for MySQL and Amazon MemoryDB for Redis. This approach offers enterprise-grade Kubernetes orchestration with AWS managed database services for maximum reliability and scalability.
+
+## 🏗️ EKS Cluster Setup
+
+### 1. Create EKS Cluster with eksctl
+```bash
+# Create cluster configuration file
+cat > erpnext-eks-cluster.yaml <<EOF
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: erpnext-cluster
+  region: us-east-1
+  version: "1.28"
+
+availabilityZones: ["us-east-1a", "us-east-1b"]
+
+vpc:
+  id: $(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=erpnext-vpc" --query "Vpcs[0].VpcId" --output text)
+  subnets:
+    private:
+      us-east-1a:
+        id: $(aws ec2 describe-subnets --filters "Name=tag:Name,Values=erpnext-private-subnet-1a" --query "Subnets[0].SubnetId" --output text)
+      us-east-1b:
+        id: $(aws ec2 describe-subnets --filters "Name=tag:Name,Values=erpnext-private-subnet-1b" --query "Subnets[0].SubnetId" --output text)
+    public:
+      us-east-1a:
+        id: $(aws ec2 describe-subnets --filters "Name=tag:Name,Values=erpnext-public-subnet-1a" --query "Subnets[0].SubnetId" --output text)
+      us-east-1b:
+        id: $(aws ec2 describe-subnets --filters "Name=tag:Name,Values=erpnext-public-subnet-1b" --query "Subnets[0].SubnetId" --output text)
+
+nodeGroups:
+  - name: erpnext-workers
+    instanceType: t3.medium
+    desiredCapacity: 3
+    minSize: 2
+    maxSize: 10
+    volumeSize: 50
+    volumeType: gp3
+    subnets:
+      - us-east-1a
+      - us-east-1b
+    privateNetworking: true
+    securityGroups:
+      attachIDs: ["$(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=erpnext-app-sg" --query "SecurityGroups[0].GroupId" --output text)"]
+    ssh:
+      allow: false
+    iam:
+      withAddonPolicies:
+        ebs: true
+        fsx: true
+        efs: true
+        albIngress: true
+        autoScaler: true
+        cloudWatch: true
+        externalDNS: true
+    labels:
+      node-type: worker
+      application: erpnext
+    tags:
+      Name: erpnext-worker-node
+      Application: ERPNext
+      Environment: production
+
+cloudWatch:
+  clusterLogging:
+    enableTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+addons:
+  - name: vpc-cni
+    version: latest
+  - name: coredns
+    version: latest
+  - name: kube-proxy
+    version: latest
+  - name: aws-ebs-csi-driver
+    version: latest
+
+iam:
+  withOIDC: true
+  serviceAccounts:
+    - metadata:
+        name: aws-load-balancer-controller
+        namespace: kube-system
+      wellKnownPolicies:
+        awsLoadBalancerController: true
+    - metadata:
+        name: efs-csi-controller-sa
+        namespace: kube-system
+      wellKnownPolicies:
+        efsCSIController: true
+    - metadata:
+        name: external-secrets-operator
+        namespace: external-secrets
+      attachPolicyARNs:
+        - "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+    - metadata:
+        name: erpnext-sa
+        namespace: erpnext
+      attachPolicyARNs:
+        - "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+EOF
+
+# Create the cluster
+eksctl create cluster -f erpnext-eks-cluster.yaml
+
+# Wait for cluster to be ready
+eksctl utils wait-cluster-ready --cluster erpnext-cluster --region us-east-1
+
+# Update kubeconfig
+aws eks update-kubeconfig --region us-east-1 --name erpnext-cluster
+
+# Verify cluster
+kubectl cluster-info
+kubectl get nodes
+```
+
+### 2. Install Required Add-ons
+
+#### AWS Load Balancer Controller
+```bash
+# Download and install AWS Load Balancer Controller
+curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.2/docs/install/iam_policy.json
+
+aws iam create-policy \
+    --policy-name AWSLoadBalancerControllerIAMPolicy \
+    --policy-document file://iam_policy.json
+
+# Install AWS Load Balancer Controller using Helm
+helm repo add eks https://aws.github.io/eks-charts
+helm repo update
+
+helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
+  -n kube-system \
+  --set clusterName=erpnext-cluster \
+  --set serviceAccount.create=false \
+  --set serviceAccount.name=aws-load-balancer-controller
+
+# Verify installation
+kubectl get deployment -n kube-system aws-load-balancer-controller
+```
+
+#### EFS CSI Driver
+```bash
+# Install EFS CSI Driver
+helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
+helm repo update
+
+helm install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
+    --namespace kube-system \
+    --set controller.serviceAccount.create=false \
+    --set controller.serviceAccount.name=efs-csi-controller-sa
+
+# Verify installation
+kubectl get pods -n kube-system -l app=efs-csi-controller
+```
+
+#### External Secrets Operator
+```bash
+# Install External Secrets Operator
+helm repo add external-secrets https://charts.external-secrets.io
+helm repo update
+
+helm install external-secrets external-secrets/external-secrets \
+    --namespace external-secrets \
+    --create-namespace \
+    --set installCRDs=true
+
+# Verify installation
+kubectl get pods -n external-secrets
+```
+
+## 📦 Storage Setup
+
+### 1. Create EFS for Shared Storage
+```bash
+# EFS was created in prerequisites, get the ID
+EFS_ID=$(aws efs describe-file-systems \
+    --query "FileSystems[?Tags[?Key=='Name' && Value=='erpnext-sites-efs']].FileSystemId" --output text)
+
+# Create storage class for EFS
+cat > efs-storageclass.yaml <<EOF
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: efs-sc
+provisioner: efs.csi.aws.com
+parameters:
+  provisioningMode: efs-ap
+  fileSystemId: $EFS_ID
+  directoryPerms: "700"
+  gidRangeStart: "1000"
+  gidRangeEnd: "2000"
+  basePath: "/dynamic_provisioning"
+EOF
+
+kubectl apply -f efs-storageclass.yaml
+
+# Create persistent volume for sites
+cat > erpnext-efs-pv.yaml <<EOF
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: erpnext-sites-pv
+spec:
+  capacity:
+    storage: 100Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: efs-sc
+  csi:
+    driver: efs.csi.aws.com
+    volumeHandle: $EFS_ID
+EOF
+
+kubectl apply -f erpnext-efs-pv.yaml
+```
+
+### 2. Create EBS Storage Class for Database Backups
+```bash
+cat > ebs-gp3-storageclass.yaml <<EOF
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ebs-gp3
+provisioner: ebs.csi.aws.com
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  type: gp3
+  iops: "3000"
+  throughput: "125"
+  encrypted: "true"
+EOF
+
+kubectl apply -f ebs-gp3-storageclass.yaml
+```
+
+## 🔑 Namespace and RBAC Setup
+```bash
+# Create ERPNext namespace
+kubectl create namespace erpnext
+
+# Create service account for ERPNext
+kubectl create serviceaccount erpnext-sa -n erpnext
+
+# Annotate service account with IAM role (this was done by eksctl)
+kubectl annotate serviceaccount erpnext-sa \
+    -n erpnext \
+    eks.amazonaws.com/role-arn=arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/eksctl-erpnext-cluster-addon-iamserviceaccount-Role1-$(aws sts get-caller-identity --query Account --output text)
+```
+
+## 🔐 External Secrets Configuration
+```bash
+# Create SecretStore for AWS Secrets Manager
+cat > aws-secretstore.yaml <<EOF
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: aws-secretstore
+  namespace: erpnext
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: us-east-1
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: external-secrets-operator
+EOF
+
+kubectl apply -f aws-secretstore.yaml
+
+# Create external secrets
+cat > erpnext-external-secrets.yaml <<EOF
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-db-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-db-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/database/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-redis-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-redis-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/redis/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-admin-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-admin-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/admin/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-api-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-api-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: api-key
+      remoteRef:
+        key: erpnext/api/credentials
+        property: api_key
+    - secretKey: api-secret
+      remoteRef:
+        key: erpnext/api/credentials
+        property: api_secret
+EOF
+
+kubectl apply -f erpnext-external-secrets.yaml
+```
+
+## ⚙️ ConfigMap for Application Configuration
+```bash
+# Get database and Redis endpoints from Parameter Store
+DB_HOST=$(aws ssm get-parameter --name "/erpnext/database/host" --query "Parameter.Value" --output text)
+REDIS_HOST=$(aws ssm get-parameter --name "/erpnext/redis/host" --query "Parameter.Value" --output text)
+
+cat > erpnext-configmap.yaml <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: erpnext-config
+  namespace: erpnext
+data:
+  APP_VERSION: "v14"
+  APP_URL: "erpnext.yourdomain.com"
+  APP_USER: "Administrator"
+  APP_DB_PARAM: "db"
+  DEVELOPER_MODE: "0"
+  ENABLE_SCHEDULER: "1"
+  SOCKETIO_PORT: "9000"
+  # Database configuration
+  DB_HOST: "$DB_HOST"
+  DB_PORT: "3306"
+  DB_NAME: "erpnext"
+  DB_USER: "admin"
+  # Redis configuration
+  REDIS_CACHE_URL: "redis://$REDIS_HOST:6379/0"
+  REDIS_QUEUE_URL: "redis://$REDIS_HOST:6379/1"
+  REDIS_SOCKETIO_URL: "redis://$REDIS_HOST:6379/2"
+  # Connection settings
+  DB_TIMEOUT: "60"
+  DB_CHARSET: "utf8mb4"
+EOF
+
+kubectl apply -f erpnext-configmap.yaml
+```
+
+## 📂 Persistent Volume Claims
+```bash
+cat > erpnext-pvcs.yaml <<EOF
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-sites-pvc
+  namespace: erpnext
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: efs-sc
+  resources:
+    requests:
+      storage: 50Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-backups-pvc
+  namespace: erpnext
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ebs-gp3
+  resources:
+    requests:
+      storage: 100Gi
+EOF
+
+kubectl apply -f erpnext-pvcs.yaml
+```
+
+## 🐳 Deploy ERPNext Services
+
+### 1. ERPNext Backend Deployment
+```bash
+cat > erpnext-backend.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+    component: backend
+    environment: production
+    version: v14
+spec:
+  replicas: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  template:
+    metadata:
+      labels:
+        app: erpnext-backend
+        component: backend
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+      - name: wait-for-db
+        image: busybox:1.35
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for database to be ready...'
+          until nc -z \$DB_HOST \$DB_PORT; do
+            echo 'Waiting for database...'
+            sleep 10
+          done
+          echo 'Database is ready!'
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+      containers:
+      - name: erpnext-backend
+        image: frappe/erpnext-worker:v14
+        ports:
+        - containerPort: 8000
+          name: http
+        - containerPort: 9000
+          name: socketio
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        - name: backups-data
+          mountPath: /home/frappe/frappe-bench/sites/backups
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+        livenessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: backups-data
+        persistentVolumeClaim:
+          claimName: erpnext-backups-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+spec:
+  selector:
+    app: erpnext-backend
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+    protocol: TCP
+  - name: socketio
+    port: 9000
+    targetPort: 9000
+    protocol: TCP
+  type: ClusterIP
+EOF
+
+kubectl apply -f erpnext-backend.yaml
+```
+
+### 2. ERPNext Frontend Deployment
+```bash
+cat > erpnext-frontend.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+    component: frontend
+    environment: production
+    version: v14
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: erpnext-frontend
+  template:
+    metadata:
+      labels:
+        app: erpnext-frontend
+        component: frontend
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
+        runAsGroup: 101
+        fsGroup: 1000
+      containers:
+      - name: erpnext-frontend
+        image: frappe/erpnext-nginx:v14
+        ports:
+        - containerPort: 8080
+          name: http
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+          readOnly: true
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+spec:
+  selector:
+    app: erpnext-frontend
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  type: ClusterIP
+EOF
+
+kubectl apply -f erpnext-frontend.yaml
+```
+
+### 3. ERPNext Worker Deployments
+```bash
+cat > erpnext-workers.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-default
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-default
+    component: worker
+    queue: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: erpnext-queue-default
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-default
+        component: worker
+        queue: default
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "worker", "--queue", "default"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-long
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-long
+    component: worker
+    queue: long
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: erpnext-queue-long
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-long
+        component: worker
+        queue: long
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "worker", "--queue", "long"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-short
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-short
+    component: worker
+    queue: short
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: erpnext-queue-short
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-short
+        component: worker
+        queue: short
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "worker", "--queue", "short"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "250m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-scheduler
+  namespace: erpnext
+  labels:
+    app: erpnext-scheduler
+    component: scheduler
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: erpnext-scheduler
+  template:
+    metadata:
+      labels:
+        app: erpnext-scheduler
+        component: scheduler
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: scheduler
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "schedule"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "250m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+EOF
+
+kubectl apply -f erpnext-workers.yaml
+```
+
+## 🌐 Application Load Balancer and Ingress
+
+### 1. Create Ingress with AWS Load Balancer Controller
+```bash
+cat > erpnext-ingress.yaml <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: erpnext-ingress
+  namespace: erpnext
+  annotations:
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:$(aws sts get-caller-identity --query Account --output text):certificate/your-cert-id
+    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true,idle_timeout.timeout_seconds=60
+    alb.ingress.kubernetes.io/healthcheck-grace-period-seconds: "60"
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
+    alb.ingress.kubernetes.io/success-codes: "200"
+    alb.ingress.kubernetes.io/tags: Environment=production,Application=ERPNext
+spec:
+  rules:
+  - host: erpnext.yourdomain.com
+    http:
+      paths:
+      - path: /socket.io
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 9000
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 8000
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+EOF
+
+kubectl apply -f erpnext-ingress.yaml
+```
+
+## 🚀 Initialize ERPNext Site
+
+### 1. Create Site Initialization Job
+```bash
+cat > erpnext-create-site-job.yaml <<EOF
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: erpnext-create-site
+  namespace: erpnext
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      serviceAccountName: erpnext-sa
+      restartPolicy: Never
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+      - name: wait-for-db
+        image: busybox:1.35
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for database to be ready...'
+          until nc -z \$DB_HOST \$DB_PORT; do
+            echo 'Waiting for database...'
+            sleep 10
+          done
+          echo 'Database is ready!'
+          sleep 30
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+      containers:
+      - name: create-site
+        image: frappe/erpnext-worker:v14
+        command:
+        - bash
+        - -c
+        - |
+          set -e
+          echo "Starting ERPNext site creation..."
+          
+          # Check if site already exists
+          if [ -d "/home/frappe/frappe-bench/sites/frontend" ]; then
+            echo "Site 'frontend' already exists. Skipping creation."
+            exit 0
+          fi
+          
+          # Create the site
+          bench new-site frontend \
+            --admin-password "\$ADMIN_PASSWORD" \
+            --mariadb-root-password "\$DB_PASSWORD" \
+            --install-app erpnext \
+            --set-default
+          
+          echo "Site creation completed successfully!"
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-admin-secret
+              key: password
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+EOF
+
+kubectl apply -f erpnext-create-site-job.yaml
+
+# Monitor job progress
+kubectl get jobs -n erpnext
+kubectl logs -f job/erpnext-create-site -n erpnext
+```
+
+## 📊 Auto-scaling Configuration
+
+### 1. Horizontal Pod Autoscaler
+```bash
+cat > erpnext-hpa.yaml <<EOF
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: erpnext-backend-hpa
+  namespace: erpnext
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: erpnext-backend
+  minReplicas: 3
+  maxReplicas: 10
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 70
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 80
+  behavior:
+    scaleDown:
+      stabilizationWindowSeconds: 300
+      policies:
+      - type: Percent
+        value: 50
+        periodSeconds: 60
+    scaleUp:
+      stabilizationWindowSeconds: 60
+      policies:
+      - type: Percent
+        value: 100
+        periodSeconds: 60
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: erpnext-frontend-hpa
+  namespace: erpnext
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: erpnext-frontend
+  minReplicas: 2
+  maxReplicas: 8
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 70
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 80
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: erpnext-queue-default-hpa
+  namespace: erpnext
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: erpnext-queue-default
+  minReplicas: 2
+  maxReplicas: 6
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 80
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 85
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: erpnext-queue-short-hpa
+  namespace: erpnext
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: erpnext-queue-short
+  minReplicas: 2
+  maxReplicas: 8
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 80
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 85
+EOF
+
+kubectl apply -f erpnext-hpa.yaml
+```
+
+### 2. Cluster Autoscaler
+```bash
+# Enable cluster autoscaler (already configured in eksctl)
+kubectl -n kube-system annotate deployment.apps/cluster-autoscaler cluster-autoscaler.kubernetes.io/safe-to-evict="false"
+
+# Update cluster autoscaler image version
+kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=k8s.gcr.io/autoscaling/cluster-autoscaler:v1.28.2
+
+# Verify cluster autoscaler
+kubectl -n kube-system logs -f deployment.apps/cluster-autoscaler
+```
+
+## 🔍 Verification and Testing
+
+### 1. Check Deployment Status
+```bash
+# Check all resources
+kubectl get all -n erpnext
+
+# Check deployments
+kubectl get deployments -n erpnext
+
+# Check pods
+kubectl get pods -n erpnext -o wide
+
+# Check services
+kubectl get services -n erpnext
+
+# Check ingress
+kubectl get ingress -n erpnext
+
+# Check persistent volumes
+kubectl get pv,pvc -n erpnext
+
+# Check external secrets
+kubectl get externalsecrets -n erpnext
+
+# Check HPA status
+kubectl get hpa -n erpnext
+```
+
+### 2. Test Application Connectivity
+```bash
+# Get ALB endpoint
+ALB_ENDPOINT=$(kubectl get ingress erpnext-ingress -n erpnext -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+
+# Test frontend
+curl -I http://$ALB_ENDPOINT/
+
+# Test backend API
+curl -I http://$ALB_ENDPOINT/api/method/ping
+
+# Test Socket.IO
+curl -I http://$ALB_ENDPOINT/socket.io/
+
+# Check SSL certificate (if HTTPS is configured)
+curl -I https://$ALB_ENDPOINT/
+```
+
+### 3. Database and Redis Connectivity Tests
+```bash
+# Test database connectivity from a pod
+kubectl run mysql-test --rm -i --tty --image=mysql:8.0 --restart=Never -n erpnext -- mysql -h $DB_HOST -u admin -p
+
+# Test Redis connectivity
+kubectl run redis-test --rm -i --tty --image=redis:alpine --restart=Never -n erpnext -- redis-cli -h $REDIS_HOST ping
+```
+
+## 🗄️ Backup Strategy
+
+### 1. Automated EFS Backup with AWS Backup
+```bash
+# This was configured in prerequisites, verify it's working
+aws backup list-backup-jobs --by-resource-arn arn:aws:elasticfilesystem:us-east-1:$(aws sts get-caller-identity --query Account --output text):file-system/$EFS_ID
+```
+
+### 2. Database Backup CronJob
+```bash
+cat > erpnext-backup-cronjob.yaml <<EOF
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: erpnext-backup
+  namespace: erpnext
+spec:
+  schedule: "0 2 * * *"  # Daily at 2 AM
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: erpnext-sa
+          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+          containers:
+          - name: backup
+            image: frappe/erpnext-worker:v14
+            command:
+            - bash
+            - -c
+            - |
+              set -e
+              BACKUP_DATE=\$(date +%Y%m%d_%H%M%S)
+              echo "Starting backup at \$BACKUP_DATE"
+              
+              # Create database backup
+              bench --site frontend backup --with-files
+              
+              # Upload to S3 (optional)
+              if [ -n "\$AWS_S3_BUCKET" ]; then
+                aws s3 cp /home/frappe/frappe-bench/sites/frontend/private/backups/ s3://\$AWS_S3_BUCKET/backups/\$BACKUP_DATE/ --recursive
+              fi
+              
+              echo "Backup completed successfully"
+            envFrom:
+            - configMapRef:
+                name: erpnext-config
+            env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: erpnext-db-secret
+                  key: password
+            - name: AWS_S3_BUCKET
+              value: "erpnext-backups-$(aws sts get-caller-identity --query Account --output text)"
+            volumeMounts:
+            - name: sites-data
+              mountPath: /home/frappe/frappe-bench/sites
+            - name: backups-data
+              mountPath: /home/frappe/frappe-bench/sites/backups
+          volumes:
+          - name: sites-data
+            persistentVolumeClaim:
+              claimName: erpnext-sites-pvc
+          - name: backups-data
+            persistentVolumeClaim:
+              claimName: erpnext-backups-pvc
+          nodeSelector:
+            node-type: worker
+EOF
+
+kubectl apply -f erpnext-backup-cronjob.yaml
+```
+
+## 🛠️ Troubleshooting
+
+### 1. Pod Issues
+```bash
+# Check pod status
+kubectl describe pods -n erpnext
+
+# Check pod logs
+kubectl logs -f deployment/erpnext-backend -n erpnext
+
+# Get events
+kubectl get events -n erpnext --sort-by=.metadata.creationTimestamp
+
+# Check resource usage
+kubectl top pods -n erpnext
+kubectl top nodes
+```
+
+### 2. Storage Issues
+```bash
+# Check PVC status
+kubectl describe pvc -n erpnext
+
+# Check EFS mount targets
+aws efs describe-mount-targets --file-system-id $EFS_ID
+
+# Check EFS access points
+aws efs describe-access-points --file-system-id $EFS_ID
+```
+
+### 3. Network Issues
+```bash
+# Check ingress
+kubectl describe ingress erpnext-ingress -n erpnext
+
+# Check service endpoints
+kubectl get endpoints -n erpnext
+
+# Check AWS Load Balancer Controller
+kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller
+
+# Check security groups
+aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$VPC_ID"
+```
+
+### 4. External Secrets Issues
+```bash
+# Check external secrets status
+kubectl describe externalsecrets -n erpnext
+
+# Check secret store
+kubectl describe secretstore aws-secretstore -n erpnext
+
+# Check external secrets operator
+kubectl logs -n external-secrets deployment/external-secrets
+```
+
+## 💰 Cost Optimization for EKS
+
+### 1. Use Spot Instances
+```bash
+# Add spot instance node group
+eksctl create nodegroup \
+    --cluster=erpnext-cluster \
+    --region=us-east-1 \
+    --name=erpnext-workers-spot \
+    --node-type=t3.medium \
+    --nodes=2 \
+    --nodes-min=1 \
+    --nodes-max=5 \
+    --spot \
+    --ssh-access=false \
+    --managed=true
+```
+
+### 2. Right-size Resources
+```bash
+# Install metrics server for resource monitoring
+kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+
+# Monitor resource usage
+kubectl top pods -n erpnext
+kubectl top nodes
+
+# Use VPA for recommendations
+kubectl apply -f https://github.com/kubernetes/autoscaler/releases/latest/download/vertical-pod-autoscaler-crd.yaml
+```
+
+## 📚 Additional Resources
+
+- [Amazon EKS Documentation](https://docs.aws.amazon.com/eks/)
+- [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/)
+- [External Secrets Operator](https://external-secrets.io/)
+- [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver)
+- [Kubernetes Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+
+## ➡️ Next Steps
+
+1. **Production Hardening**: Follow `03-production-managed-setup.md`
+2. **Monitoring Setup**: Configure Prometheus, Grafana, and CloudWatch integration
+3. **CI/CD Pipeline**: Set up GitOps with ArgoCD or Flux
+4. **Security**: Implement Pod Security Standards, Network Policies, and RBAC
+5. **Observability**: Set up distributed tracing and logging
+
+---
+
+**⚠️ Important**: This deployment uses managed services and EKS cluster that incur continuous costs. Monitor your usage and optimize resource allocation based on actual requirements.
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/03-production-managed-setup.md b/documentation/deployment-guides/aws-managed/03-production-managed-setup.md
new file mode 100644
index 0000000..6ee2ee8
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/03-production-managed-setup.md
@@ -0,0 +1,1442 @@
+# ERPNext Production Setup with AWS Managed Services
+
+## Overview
+
+This guide covers production-ready configurations, security hardening, monitoring, backup strategies, and operational best practices for ERPNext using AWS managed services (Amazon RDS, MemoryDB, ECS/EKS). This setup provides enterprise-grade reliability, security, and operational efficiency.
+
+## 🔐 Enhanced Security Configuration
+
+### 1. AWS WAF (Web Application Firewall)
+```bash
+# Create WAF Web ACL for ALB protection
+cat > waf-web-acl.json <<EOF
+{
+    "Name": "ERPNextWAF",
+    "Scope": "REGIONAL",
+    "DefaultAction": {
+        "Allow": {}
+    },
+    "Rules": [
+        {
+            "Name": "AWSManagedRulesCommonRuleSet",
+            "Priority": 1,
+            "OverrideAction": {
+                "None": {}
+            },
+            "Statement": {
+                "ManagedRuleGroupStatement": {
+                    "VendorName": "AWS",
+                    "Name": "AWSManagedRulesCommonRuleSet"
+                }
+            },
+            "VisibilityConfig": {
+                "SampledRequestsEnabled": true,
+                "CloudWatchMetricsEnabled": true,
+                "MetricName": "CommonRuleSetMetric"
+            }
+        },
+        {
+            "Name": "AWSManagedRulesKnownBadInputsRuleSet",
+            "Priority": 2,
+            "OverrideAction": {
+                "None": {}
+            },
+            "Statement": {
+                "ManagedRuleGroupStatement": {
+                    "VendorName": "AWS",
+                    "Name": "AWSManagedRulesKnownBadInputsRuleSet"
+                }
+            },
+            "VisibilityConfig": {
+                "SampledRequestsEnabled": true,
+                "CloudWatchMetricsEnabled": true,
+                "MetricName": "KnownBadInputsMetric"
+            }
+        },
+        {
+            "Name": "AWSManagedRulesSQLiRuleSet",
+            "Priority": 3,
+            "OverrideAction": {
+                "None": {}
+            },
+            "Statement": {
+                "ManagedRuleGroupStatement": {
+                    "VendorName": "AWS",
+                    "Name": "AWSManagedRulesSQLiRuleSet"
+                }
+            },
+            "VisibilityConfig": {
+                "SampledRequestsEnabled": true,
+                "CloudWatchMetricsEnabled": true,
+                "MetricName": "SQLiRuleSetMetric"
+            }
+        },
+        {
+            "Name": "RateLimitRule",
+            "Priority": 4,
+            "Action": {
+                "Block": {}
+            },
+            "Statement": {
+                "RateBasedStatement": {
+                    "Limit": 1000,
+                    "AggregateKeyType": "IP"
+                }
+            },
+            "VisibilityConfig": {
+                "SampledRequestsEnabled": true,
+                "CloudWatchMetricsEnabled": true,
+                "MetricName": "RateLimitMetric"
+            }
+        }
+    ],
+    "VisibilityConfig": {
+        "SampledRequestsEnabled": true,
+        "CloudWatchMetricsEnabled": true,
+        "MetricName": "ERPNextWAFMetric"
+    }
+}
+EOF
+
+# Create the WAF Web ACL
+aws wafv2 create-web-acl \
+    --scope REGIONAL \
+    --region us-east-1 \
+    --cli-input-json file://waf-web-acl.json
+
+# Get WAF ARN
+WAF_ARN=$(aws wafv2 list-web-acls --scope REGIONAL --region us-east-1 --query "WebACLs[?Name=='ERPNextWAF'].ARN" --output text)
+
+# Associate WAF with ALB
+ALB_ARN=$(aws elbv2 describe-load-balancers --names erpnext-alb --query "LoadBalancers[0].LoadBalancerArn" --output text)
+
+aws wafv2 associate-web-acl \
+    --web-acl-arn $WAF_ARN \
+    --resource-arn $ALB_ARN
+```
+
+### 2. Enhanced RDS Security
+```bash
+# Enable RDS Performance Insights
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --enable-performance-insights \
+    --performance-insights-retention-period 7 \
+    --apply-immediately
+
+# Enable enhanced monitoring
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --monitoring-interval 60 \
+    --monitoring-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/rds-monitoring-role \
+    --apply-immediately
+
+# Create monitoring role
+cat > rds-monitoring-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "monitoring.rds.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name rds-monitoring-role \
+    --assume-role-policy-document file://rds-monitoring-role-trust.json
+
+aws iam attach-role-policy \
+    --role-name rds-monitoring-role \
+    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
+
+# Enable RDS encryption for backups
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --backup-retention-period 30 \
+    --backup-window 03:00-04:00 \
+    --apply-immediately
+
+# Create read replica for disaster recovery
+aws rds create-db-instance-read-replica \
+    --db-instance-identifier erpnext-db-read-replica \
+    --source-db-instance-identifier erpnext-db \
+    --db-instance-class db.t3.medium \
+    --publicly-accessible false \
+    --storage-encrypted \
+    --auto-minor-version-upgrade \
+    --tags Key=Name,Value=erpnext-db-read-replica Key=Purpose,Value=disaster-recovery
+```
+
+### 3. MemoryDB Security Enhancements
+```bash
+# Update MemoryDB with encryption in transit
+aws memorydb update-cluster \
+    --cluster-name erpnext-redis \
+    --description "ERPNext Redis with enhanced security" \
+    --maintenance-window sun:05:00-sun:06:00 \
+    --sns-topic-arn arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-security-alerts
+
+# Create security alerts SNS topic
+aws sns create-topic \
+    --name erpnext-security-alerts \
+    --tags Key=Application,Value=ERPNext Key=Purpose,Value=security-monitoring
+
+# Subscribe to security alerts
+aws sns subscribe \
+    --topic-arn arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-security-alerts \
+    --protocol email \
+    --notification-endpoint security@yourdomain.com
+```
+
+### 4. VPC Security Hardening
+```bash
+# Create VPC Flow Logs for network monitoring
+aws logs create-log-group \
+    --log-group-name /aws/vpc/flowlogs \
+    --retention-in-days 30
+
+# Create IAM role for VPC Flow Logs
+cat > vpc-flowlogs-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "vpc-flow-logs.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name VPCFlowLogsRole \
+    --assume-role-policy-document file://vpc-flowlogs-role-trust.json
+
+cat > vpc-flowlogs-policy.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "logs:DescribeLogGroups",
+                "logs:DescribeLogStreams"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+
+aws iam create-policy \
+    --policy-name VPCFlowLogsPolicy \
+    --policy-document file://vpc-flowlogs-policy.json
+
+aws iam attach-role-policy \
+    --role-name VPCFlowLogsRole \
+    --policy-arn $(aws iam list-policies --query "Policies[?PolicyName=='VPCFlowLogsPolicy'].Arn" --output text)
+
+# Enable VPC Flow Logs
+VPC_ID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=erpnext-vpc" --query "Vpcs[0].VpcId" --output text)
+
+aws ec2 create-flow-logs \
+    --resource-type VPC \
+    --resource-ids $VPC_ID \
+    --traffic-type ALL \
+    --log-destination-type cloud-watch-logs \
+    --log-group-name /aws/vpc/flowlogs \
+    --deliver-logs-permission-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/VPCFlowLogsRole \
+    --tags Key=Name,Value=erpnext-vpc-flowlogs
+```
+
+## 📊 Advanced Monitoring and Observability
+
+### 1. CloudWatch Custom Metrics and Dashboards
+```bash
+# Create custom CloudWatch dashboard
+cat > erpnext-dashboard.json <<EOF
+{
+    "widgets": [
+        {
+            "type": "metric",
+            "x": 0,
+            "y": 0,
+            "width": 12,
+            "height": 6,
+            "properties": {
+                "metrics": [
+                    [ "AWS/RDS", "CPUUtilization", "DBInstanceIdentifier", "erpnext-db" ],
+                    [ ".", "DatabaseConnections", ".", "." ],
+                    [ ".", "ReadLatency", ".", "." ],
+                    [ ".", "WriteLatency", ".", "." ]
+                ],
+                "view": "timeSeries",
+                "stacked": false,
+                "region": "us-east-1",
+                "title": "RDS Performance Metrics",
+                "period": 300
+            }
+        },
+        {
+            "type": "metric",
+            "x": 12,
+            "y": 0,
+            "width": 12,
+            "height": 6,
+            "properties": {
+                "metrics": [
+                    [ "AWS/MemoryDB", "CPUUtilization", "ClusterName", "erpnext-redis" ],
+                    [ ".", "DatabaseMemoryUsagePercentage", ".", "." ],
+                    [ ".", "NetworkBytesIn", ".", "." ],
+                    [ ".", "NetworkBytesOut", ".", "." ]
+                ],
+                "view": "timeSeries",
+                "stacked": false,
+                "region": "us-east-1",
+                "title": "MemoryDB Performance Metrics",
+                "period": 300
+            }
+        },
+        {
+            "type": "metric",
+            "x": 0,
+            "y": 6,
+            "width": 12,
+            "height": 6,
+            "properties": {
+                "metrics": [
+                    [ "AWS/ECS", "CPUUtilization", "ServiceName", "erpnext-backend", "ClusterName", "erpnext-cluster" ],
+                    [ ".", "MemoryUtilization", ".", ".", ".", "." ],
+                    [ "AWS/ApplicationELB", "TargetResponseTime", "LoadBalancer", "app/erpnext-alb/1234567890abcdef" ],
+                    [ ".", "RequestCount", ".", "." ]
+                ],
+                "view": "timeSeries",
+                "stacked": false,
+                "region": "us-east-1",
+                "title": "Application Performance Metrics",
+                "period": 300
+            }
+        },
+        {
+            "type": "log",
+            "x": 12,
+            "y": 6,
+            "width": 12,
+            "height": 6,
+            "properties": {
+                "query": "SOURCE '/aws/ecs/erpnext-backend'\n| fields @timestamp, @message\n| filter @message like /ERROR/\n| sort @timestamp desc\n| limit 20",
+                "region": "us-east-1",
+                "title": "Recent Application Errors",
+                "view": "table"
+            }
+        }
+    ]
+}
+EOF
+
+aws cloudwatch put-dashboard \
+    --dashboard-name ERPNextProduction \
+    --dashboard-body file://erpnext-dashboard.json
+```
+
+### 2. CloudWatch Alarms for Critical Metrics
+```bash
+# RDS CPU Utilization Alarm
+aws cloudwatch put-metric-alarm \
+    --alarm-name "ERPNext-RDS-High-CPU" \
+    --alarm-description "RDS CPU utilization is too high" \
+    --metric-name CPUUtilization \
+    --namespace AWS/RDS \
+    --statistic Average \
+    --period 300 \
+    --threshold 80 \
+    --comparison-operator GreaterThanThreshold \
+    --evaluation-periods 2 \
+    --alarm-actions arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --dimensions Name=DBInstanceIdentifier,Value=erpnext-db
+
+# RDS Connection Count Alarm
+aws cloudwatch put-metric-alarm \
+    --alarm-name "ERPNext-RDS-High-Connections" \
+    --alarm-description "RDS connection count is too high" \
+    --metric-name DatabaseConnections \
+    --namespace AWS/RDS \
+    --statistic Average \
+    --period 300 \
+    --threshold 150 \
+    --comparison-operator GreaterThanThreshold \
+    --evaluation-periods 2 \
+    --alarm-actions arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --dimensions Name=DBInstanceIdentifier,Value=erpnext-db
+
+# MemoryDB Memory Utilization Alarm
+aws cloudwatch put-metric-alarm \
+    --alarm-name "ERPNext-Redis-High-Memory" \
+    --alarm-description "MemoryDB memory utilization is too high" \
+    --metric-name DatabaseMemoryUsagePercentage \
+    --namespace AWS/MemoryDB \
+    --statistic Average \
+    --period 300 \
+    --threshold 85 \
+    --comparison-operator GreaterThanThreshold \
+    --evaluation-periods 2 \
+    --alarm-actions arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --dimensions Name=ClusterName,Value=erpnext-redis
+
+# ALB Response Time Alarm
+aws cloudwatch put-metric-alarm \
+    --alarm-name "ERPNext-ALB-High-Response-Time" \
+    --alarm-description "ALB response time is too high" \
+    --metric-name TargetResponseTime \
+    --namespace AWS/ApplicationELB \
+    --statistic Average \
+    --period 300 \
+    --threshold 2.0 \
+    --comparison-operator GreaterThanThreshold \
+    --evaluation-periods 3 \
+    --alarm-actions arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --dimensions Name=LoadBalancer,Value=app/erpnext-alb/$(echo $ALB_ARN | cut -d'/' -f2-)
+
+# ECS Service CPU Utilization Alarm
+aws cloudwatch put-metric-alarm \
+    --alarm-name "ERPNext-ECS-High-CPU" \
+    --alarm-description "ECS service CPU utilization is too high" \
+    --metric-name CPUUtilization \
+    --namespace AWS/ECS \
+    --statistic Average \
+    --period 300 \
+    --threshold 80 \
+    --comparison-operator GreaterThanThreshold \
+    --evaluation-periods 2 \
+    --alarm-actions arn:aws:sns:us-east-1:$(aws sts get-caller-identity --query Account --output text):erpnext-alerts \
+    --dimensions Name=ServiceName,Value=erpnext-backend Name=ClusterName,Value=erpnext-cluster
+```
+
+### 3. AWS X-Ray for Distributed Tracing
+```bash
+# Enable X-Ray tracing for ECS tasks (add to task definition)
+cat > xray-daemon-container.json <<EOF
+{
+    "name": "xray-daemon",
+    "image": "amazon/aws-xray-daemon:latest",
+    "essential": false,
+    "portMappings": [
+        {
+            "containerPort": 2000,
+            "protocol": "udp"
+        }
+    ],
+    "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+            "awslogs-group": "/aws/ecs/erpnext-xray",
+            "awslogs-region": "us-east-1",
+            "awslogs-stream-prefix": "xray"
+        }
+    }
+}
+EOF
+
+# Create CloudWatch log group for X-Ray
+aws logs create-log-group \
+    --log-group-name /aws/ecs/erpnext-xray \
+    --retention-in-days 7
+
+# Update IAM task role to include X-Ray permissions
+cat > xray-permissions.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "xray:PutTraceSegments",
+                "xray:PutTelemetryRecords"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+
+aws iam create-policy \
+    --policy-name ERPNextXRayPolicy \
+    --policy-document file://xray-permissions.json
+
+aws iam attach-role-policy \
+    --role-name ERPNextECSTaskRole \
+    --policy-arn $(aws iam list-policies --query "Policies[?PolicyName=='ERPNextXRayPolicy'].Arn" --output text)
+```
+
+## 🗄️ Advanced Backup and Disaster Recovery
+
+### 1. Multi-Region Backup Strategy
+```bash
+# Create cross-region backup bucket
+aws s3 mb s3://erpnext-backups-dr-$(aws sts get-caller-identity --query Account --output text) --region us-west-2
+
+# Enable versioning and encryption
+aws s3api put-bucket-versioning \
+    --bucket erpnext-backups-dr-$(aws sts get-caller-identity --query Account --output text) \
+    --versioning-configuration Status=Enabled
+
+aws s3api put-bucket-encryption \
+    --bucket erpnext-backups-dr-$(aws sts get-caller-identity --query Account --output text) \
+    --server-side-encryption-configuration '{
+        "Rules": [
+            {
+                "ApplyServerSideEncryptionByDefault": {
+                    "SSEAlgorithm": "AES256"
+                }
+            }
+        ]
+    }'
+
+# Set up cross-region replication
+cat > replication-config.json <<EOF
+{
+    "Role": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/S3ReplicationRole",
+    "Rules": [
+        {
+            "ID": "ERPNextBackupReplication",
+            "Status": "Enabled",
+            "Priority": 1,
+            "Filter": {
+                "Prefix": "backups/"
+            },
+            "Destination": {
+                "Bucket": "arn:aws:s3:::erpnext-backups-dr-$(aws sts get-caller-identity --query Account --output text)",
+                "StorageClass": "STANDARD_IA"
+            }
+        }
+    ]
+}
+EOF
+
+# Create replication role
+cat > s3-replication-role-trust.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "s3.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+
+aws iam create-role \
+    --role-name S3ReplicationRole \
+    --assume-role-policy-document file://s3-replication-role-trust.json
+
+aws iam attach-role-policy \
+    --role-name S3ReplicationRole \
+    --policy-arn arn:aws:iam::aws:policy/service-role/AWSS3ReplicationServiceRolePolicy
+
+# Apply replication configuration
+aws s3api put-bucket-replication \
+    --bucket erpnext-backups-$(aws sts get-caller-identity --query Account --output text) \
+    --replication-configuration file://replication-config.json
+```
+
+### 2. Automated RDS Snapshot Management
+```bash
+# Create Lambda function for automated snapshot management
+cat > snapshot-management.py <<'EOF'
+import boto3
+import json
+from datetime import datetime, timedelta
+
+def lambda_handler(event, context):
+    rds = boto3.client('rds')
+    
+    # Create manual snapshot
+    snapshot_id = f"erpnext-manual-{datetime.now().strftime('%Y%m%d-%H%M%S')}"
+    
+    try:
+        response = rds.create_db_snapshot(
+            DBSnapshotIdentifier=snapshot_id,
+            DBInstanceIdentifier='erpnext-db',
+            Tags=[
+                {'Key': 'Application', 'Value': 'ERPNext'},
+                {'Key': 'Type', 'Value': 'manual'},
+                {'Key': 'CreatedBy', 'Value': 'lambda-automation'}
+            ]
+        )
+        
+        # Delete old manual snapshots (keep last 7)
+        snapshots = rds.describe_db_snapshots(
+            DBInstanceIdentifier='erpnext-db',
+            SnapshotType='manual'
+        )
+        
+        manual_snapshots = [s for s in snapshots['DBSnapshots'] 
+                          if s['DBSnapshotIdentifier'].startswith('erpnext-manual-')]
+        
+        # Sort by creation time and delete old ones
+        manual_snapshots.sort(key=lambda x: x['SnapshotCreateTime'])
+        
+        if len(manual_snapshots) > 7:
+            for snapshot in manual_snapshots[:-7]:
+                rds.delete_db_snapshot(
+                    DBSnapshotIdentifier=snapshot['DBSnapshotIdentifier']
+                )
+                print(f"Deleted old snapshot: {snapshot['DBSnapshotIdentifier']}")
+        
+        return {
+            'statusCode': 200,
+            'body': json.dumps(f'Snapshot created: {snapshot_id}')
+        }
+        
+    except Exception as e:
+        print(f"Error: {str(e)}")
+        return {
+            'statusCode': 500,
+            'body': json.dumps(f'Error creating snapshot: {str(e)}')
+        }
+EOF
+
+# Create Lambda deployment package
+zip snapshot-management.zip snapshot-management.py
+
+# Create Lambda function
+aws lambda create-function \
+    --function-name erpnext-snapshot-management \
+    --runtime python3.9 \
+    --role arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextSnapshotLambdaRole \
+    --handler snapshot-management.lambda_handler \
+    --zip-file fileb://snapshot-management.zip \
+    --description "Automated RDS snapshot management for ERPNext" \
+    --timeout 300 \
+    --tags Application=ERPNext,Purpose=backup-automation
+
+# Create EventBridge rule for daily execution
+aws events put-rule \
+    --name erpnext-daily-snapshot \
+    --schedule-expression "cron(0 6 * * ? *)" \
+    --description "Daily ERPNext database snapshot" \
+    --state ENABLED
+
+# Add Lambda permission for EventBridge
+aws lambda add-permission \
+    --function-name erpnext-snapshot-management \
+    --statement-id allow-eventbridge \
+    --action lambda:InvokeFunction \
+    --principal events.amazonaws.com \
+    --source-arn arn:aws:events:us-east-1:$(aws sts get-caller-identity --query Account --output text):rule/erpnext-daily-snapshot
+
+# Create target for EventBridge rule
+aws events put-targets \
+    --rule erpnext-daily-snapshot \
+    --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:$(aws sts get-caller-identity --query Account --output text):function:erpnext-snapshot-management"
+```
+
+### 3. Disaster Recovery Testing Automation
+```bash
+# Create Lambda function for DR testing
+cat > dr-test.py <<'EOF'
+import boto3
+import json
+from datetime import datetime
+
+def lambda_handler(event, context):
+    rds = boto3.client('rds')
+    ecs = boto3.client('ecs')
+    
+    try:
+        # Get latest snapshot
+        snapshots = rds.describe_db_snapshots(
+            DBInstanceIdentifier='erpnext-db',
+            SnapshotType='automated'
+        )
+        
+        latest_snapshot = max(snapshots['DBSnapshots'], 
+                            key=lambda x: x['SnapshotCreateTime'])
+        
+        # Create test instance from snapshot
+        test_instance_id = f"erpnext-dr-test-{datetime.now().strftime('%Y%m%d%H%M%S')}"
+        
+        response = rds.restore_db_instance_from_db_snapshot(
+            DBInstanceIdentifier=test_instance_id,
+            DBSnapshotIdentifier=latest_snapshot['DBSnapshotIdentifier'],
+            DBInstanceClass='db.t3.small',
+            VpcSecurityGroupIds=[
+                'sg-xxxxxxxxx'  # Replace with your security group
+            ],
+            DBSubnetGroupName='erpnext-db-subnet-group',
+            Tags=[
+                {'Key': 'Application', 'Value': 'ERPNext'},
+                {'Key': 'Purpose', 'Value': 'DR-Test'},
+                {'Key': 'DeleteAfter', 'Value': datetime.now().strftime('%Y-%m-%d')}
+            ]
+        )
+        
+        # Schedule cleanup in 4 hours
+        # Implementation depends on your cleanup strategy
+        
+        return {
+            'statusCode': 200,
+            'body': json.dumps(f'DR test instance created: {test_instance_id}')
+        }
+        
+    except Exception as e:
+        return {
+            'statusCode': 500,
+            'body': json.dumps(f'DR test failed: {str(e)}')
+        }
+EOF
+
+# Create DR test Lambda function
+zip dr-test.zip dr-test.py
+
+aws lambda create-function \
+    --function-name erpnext-dr-test \
+    --runtime python3.9 \
+    --role arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextDRTestLambdaRole \
+    --handler dr-test.lambda_handler \
+    --zip-file fileb://dr-test.zip \
+    --description "Automated DR testing for ERPNext" \
+    --timeout 300
+
+# Schedule monthly DR tests
+aws events put-rule \
+    --name erpnext-monthly-dr-test \
+    --schedule-expression "cron(0 10 1 * ? *)" \
+    --description "Monthly ERPNext DR test" \
+    --state ENABLED
+
+aws events put-targets \
+    --rule erpnext-monthly-dr-test \
+    --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:$(aws sts get-caller-identity --query Account --output text):function:erpnext-dr-test"
+```
+
+## 🚀 Performance Optimization
+
+### 1. RDS Performance Tuning
+```bash
+# Create custom parameter group for MySQL optimization
+aws rds create-db-parameter-group \
+    --db-parameter-group-name erpnext-mysql8-params \
+    --db-parameter-group-family mysql8.0 \
+    --description "Optimized parameters for ERPNext MySQL 8.0"
+
+# Set optimized parameters
+aws rds modify-db-parameter-group \
+    --db-parameter-group-name erpnext-mysql8-params \
+    --parameters \
+        "ParameterName=innodb_buffer_pool_size,ParameterValue={DBInstanceClassMemory*3/4},ApplyMethod=pending-reboot" \
+        "ParameterName=innodb_log_file_size,ParameterValue=268435456,ApplyMethod=pending-reboot" \
+        "ParameterName=innodb_flush_log_at_trx_commit,ParameterValue=2,ApplyMethod=immediate" \
+        "ParameterName=innodb_io_capacity,ParameterValue=2000,ApplyMethod=immediate" \
+        "ParameterName=innodb_read_io_threads,ParameterValue=8,ApplyMethod=pending-reboot" \
+        "ParameterName=innodb_write_io_threads,ParameterValue=8,ApplyMethod=pending-reboot" \
+        "ParameterName=max_connections,ParameterValue=200,ApplyMethod=immediate" \
+        "ParameterName=query_cache_size,ParameterValue=67108864,ApplyMethod=pending-reboot" \
+        "ParameterName=query_cache_type,ParameterValue=1,ApplyMethod=pending-reboot" \
+        "ParameterName=slow_query_log,ParameterValue=1,ApplyMethod=immediate" \
+        "ParameterName=long_query_time,ParameterValue=2,ApplyMethod=immediate"
+
+# Apply parameter group to RDS instance
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --db-parameter-group-name erpnext-mysql8-params \
+    --apply-immediately
+
+# Upgrade to larger instance class for production
+aws rds modify-db-instance \
+    --db-instance-identifier erpnext-db \
+    --db-instance-class db.r5.xlarge \
+    --allocated-storage 500 \
+    --storage-type gp3 \
+    --iops 3000 \
+    --apply-immediately
+```
+
+### 2. MemoryDB Performance Optimization
+```bash
+# Scale MemoryDB cluster for production workload
+aws memorydb update-cluster \
+    --cluster-name erpnext-redis \
+    --node-type db.r6g.large \
+    --num-shards 2 \
+    --num-replicas-per-shard 1
+
+# Configure Redis parameters for ERPNext
+aws memorydb create-parameter-group \
+    --parameter-group-name erpnext-redis-params \
+    --family memorydb_redis6 \
+    --description "Optimized parameters for ERPNext Redis"
+
+aws memorydb update-parameter-group \
+    --parameter-group-name erpnext-redis-params \
+    --parameter-name-values \
+        "ParameterName=maxmemory-policy,ParameterValue=allkeys-lru" \
+        "ParameterName=timeout,ParameterValue=300" \
+        "ParameterName=tcp-keepalive,ParameterValue=60" \
+        "ParameterName=maxclients,ParameterValue=20000"
+
+# Apply parameter group to cluster
+aws memorydb update-cluster \
+    --cluster-name erpnext-redis \
+    --parameter-group-name erpnext-redis-params
+```
+
+### 3. ECS/EKS Performance Optimization
+```bash
+# For ECS: Update task definitions with performance optimizations
+cat > erpnext-backend-optimized-task.json <<EOF
+{
+    "family": "erpnext-backend-optimized",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "2048",
+    "memory": "4096",
+    "executionRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "erpnext-backend",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "portMappings": [
+                {
+                    "containerPort": 8000,
+                    "protocol": "tcp"
+                },
+                {
+                    "containerPort": 9000,
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                {
+                    "name": "WORKERS",
+                    "value": "4"
+                },
+                {
+                    "name": "THREADS",
+                    "value": "2"
+                },
+                {
+                    "name": "MAX_REQUESTS",
+                    "value": "1000"
+                },
+                {
+                    "name": "MAX_REQUESTS_JITTER",
+                    "value": "100"
+                },
+                {
+                    "name": "WORKER_TIMEOUT",
+                    "value": "120"
+                },
+                {
+                    "name": "KEEPALIVE",
+                    "value": "5"
+                }
+            ],
+            "ulimits": [
+                {
+                    "name": "nofile",
+                    "softLimit": 65536,
+                    "hardLimit": 65536
+                }
+            ]
+        }
+    ]
+}
+EOF
+
+aws ecs register-task-definition --cli-input-json file://erpnext-backend-optimized-task.json
+```
+
+## 🔧 Advanced Operational Procedures
+
+### 1. Blue-Green Deployment with CodeDeploy
+```bash
+# Create CodeDeploy application
+aws deploy create-application \
+    --application-name ERPNextECS \
+    --compute-platform ECS
+
+# Create deployment group
+aws deploy create-deployment-group \
+    --application-name ERPNextECS \
+    --deployment-group-name ERPNextBlueGreen \
+    --service-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/CodeDeployServiceRole \
+    --deployment-config-name CodeDeployDefault.ECSAllAtOnceBlueGreen \
+    --ecs-services clusterName=erpnext-cluster,serviceName=erpnext-backend \
+    --load-balancer-info targetGroupInfoList='[{name=erpnext-backend-tg}]' \
+    --blue-green-deployment-configuration '{
+        "terminateBlueInstancesOnDeploymentSuccess": {
+            "action": "TERMINATE",
+            "terminationWaitTimeInMinutes": 5
+        },
+        "deploymentReadyOption": {
+            "actionOnTimeout": "CONTINUE_DEPLOYMENT"
+        },
+        "greenFleetProvisioningOption": {
+            "action": "COPY_AUTO_SCALING_GROUP"
+        }
+    }'
+
+# Create deployment script
+cat > deploy-blue-green.sh <<'EOF'
+#!/bin/bash
+set -e
+
+APPLICATION_NAME="ERPNextECS"
+DEPLOYMENT_GROUP="ERPNextBlueGreen"
+NEW_IMAGE="$1"
+
+if [ -z "$NEW_IMAGE" ]; then
+    echo "Usage: $0 <new-image-uri>"
+    exit 1
+fi
+
+echo "Starting blue-green deployment with image: $NEW_IMAGE"
+
+# Create new task definition with updated image
+NEW_TASK_DEF=$(aws ecs describe-task-definition \
+    --task-definition erpnext-backend \
+    --query 'taskDefinition' | \
+    jq --arg IMAGE "$NEW_IMAGE" '.containerDefinitions[0].image = $IMAGE' | \
+    jq 'del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .placementConstraints, .compatibilities, .registeredAt, .registeredBy)')
+
+# Register new task definition
+NEW_REVISION=$(echo $NEW_TASK_DEF | aws ecs register-task-definition --cli-input-json file:///dev/stdin --query 'taskDefinition.revision')
+
+echo "New task definition revision: $NEW_REVISION"
+
+# Create CodeDeploy deployment
+aws deploy create-deployment \
+    --application-name $APPLICATION_NAME \
+    --deployment-group-name $DEPLOYMENT_GROUP \
+    --revision '{
+        "revisionType": "S3",
+        "s3Location": {
+            "bucket": "your-deployment-bucket",
+            "key": "appspec.yaml",
+            "bundleType": "YAML"
+        }
+    }'
+
+echo "Blue-green deployment initiated"
+EOF
+
+chmod +x deploy-blue-green.sh
+```
+
+### 2. Canary Deployment for EKS
+```bash
+# Install Argo Rollouts for advanced deployment strategies
+kubectl create namespace argo-rollouts
+kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml
+
+# Create Rollout resource for canary deployments
+cat > erpnext-rollout.yaml <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Rollout
+metadata:
+  name: erpnext-backend-rollout
+  namespace: erpnext
+spec:
+  replicas: 5
+  strategy:
+    canary:
+      canaryService: erpnext-backend-canary
+      stableService: erpnext-backend
+      trafficRouting:
+        alb:
+          ingress: erpnext-ingress
+          servicePort: 8000
+      steps:
+      - setWeight: 20
+      - pause: {duration: 10m}
+      - setWeight: 40
+      - pause: {duration: 10m}
+      - setWeight: 60
+      - pause: {duration: 10m}
+      - setWeight: 80
+      - pause: {duration: 10m}
+      analysis:
+        templates:
+        - templateName: success-rate
+        args:
+        - name: service-name
+          value: erpnext-backend
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  template:
+    metadata:
+      labels:
+        app: erpnext-backend
+    spec:
+      serviceAccountName: erpnext-sa
+      containers:
+      - name: erpnext-backend
+        image: frappe/erpnext-worker:v14
+        ports:
+        - containerPort: 8000
+        - containerPort: 9000
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: success-rate
+  namespace: erpnext
+spec:
+  args:
+  - name: service-name
+  metrics:
+  - name: success-rate
+    interval: 5m
+    successCondition: result[0] >= 0.95
+    failureLimit: 3
+    provider:
+      prometheus:
+        address: http://prometheus.monitoring.svc.cluster.local:9090
+        query: |
+          sum(rate(
+            nginx_ingress_controller_requests{service="{{args.service-name}}",status!~"5.*"}[2m]
+          )) /
+          sum(rate(
+            nginx_ingress_controller_requests{service="{{args.service-name}}"}[2m]
+          ))
+EOF
+
+kubectl apply -f erpnext-rollout.yaml
+```
+
+### 3. Automated Scaling Based on Custom Metrics
+```bash
+# Create Lambda function for custom scaling logic
+cat > custom-scaler.py <<'EOF'
+import boto3
+import json
+import os
+
+def lambda_handler(event, context):
+    cloudwatch = boto3.client('cloudwatch')
+    ecs = boto3.client('ecs')
+    
+    cluster_name = os.environ['CLUSTER_NAME']
+    service_name = os.environ['SERVICE_NAME']
+    
+    # Get queue depth from CloudWatch
+    response = cloudwatch.get_metric_statistics(
+        Namespace='AWS/MemoryDB',
+        MetricName='CommandLatency',
+        Dimensions=[
+            {
+                'Name': 'ClusterName',
+                'Value': 'erpnext-redis'
+            },
+            {
+                'Name': 'Command',
+                'Value': 'llen'
+            }
+        ],
+        StartTime=datetime.utcnow() - timedelta(minutes=5),
+        EndTime=datetime.utcnow(),
+        Period=300,
+        Statistics=['Average']
+    )
+    
+    if response['Datapoints']:
+        avg_latency = response['Datapoints'][-1]['Average']
+        
+        # Scale based on latency
+        if avg_latency > 100:  # milliseconds
+            target_count = min(10, int(avg_latency / 50))
+        else:
+            target_count = 2
+        
+        # Update ECS service
+        ecs.update_service(
+            cluster=cluster_name,
+            service=service_name,
+            desiredCount=target_count
+        )
+        
+        return {
+            'statusCode': 200,
+            'body': json.dumps(f'Scaled {service_name} to {target_count} tasks')
+        }
+    
+    return {
+        'statusCode': 200,
+        'body': json.dumps('No scaling action needed')
+    }
+EOF
+
+# Deploy custom scaler
+zip custom-scaler.zip custom-scaler.py
+
+aws lambda create-function \
+    --function-name erpnext-custom-scaler \
+    --runtime python3.9 \
+    --role arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ERPNextCustomScalerRole \
+    --handler custom-scaler.lambda_handler \
+    --zip-file fileb://custom-scaler.zip \
+    --environment Variables='{CLUSTER_NAME=erpnext-cluster,SERVICE_NAME=erpnext-worker}' \
+    --timeout 60
+
+# Schedule every 5 minutes
+aws events put-rule \
+    --name erpnext-custom-scaling \
+    --schedule-expression "rate(5 minutes)" \
+    --state ENABLED
+
+aws events put-targets \
+    --rule erpnext-custom-scaling \
+    --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:$(aws sts get-caller-identity --query Account --output text):function:erpnext-custom-scaler"
+```
+
+## 🔍 Compliance and Governance
+
+### 1. AWS Config for Compliance Monitoring
+```bash
+# Enable AWS Config
+aws configservice put-configuration-recorder \
+    --configuration-recorder name=default,roleARN=arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/aws-config-role \
+    --recording-group allSupported=true,includeGlobalResourceTypes=true
+
+aws configservice put-delivery-channel \
+    --delivery-channel name=default,s3BucketName=config-bucket-$(aws sts get-caller-identity --query Account --output text)
+
+# Start configuration recorder
+aws configservice start-configuration-recorder --configuration-recorder-name default
+
+# Add compliance rules
+aws configservice put-config-rule \
+    --config-rule '{
+        "ConfigRuleName": "rds-encryption-enabled",
+        "Source": {
+            "Owner": "AWS",
+            "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"
+        }
+    }'
+
+aws configservice put-config-rule \
+    --config-rule '{
+        "ConfigRuleName": "efs-encrypted",
+        "Source": {
+            "Owner": "AWS",
+            "SourceIdentifier": "EFS_ENCRYPTED_CHECK"
+        }
+    }'
+```
+
+### 2. Security Hub for Centralized Security Findings
+```bash
+# Enable Security Hub
+aws securityhub enable-security-hub \
+    --enable-default-standards
+
+# Enable specific standards
+aws securityhub batch-enable-standards \
+    --standards-subscription-requests StandardsArn=arn:aws:securityhub:us-east-1::standard/aws-foundational-security-standard/v/1.0.0,StandardsArn=arn:aws:securityhub:us-east-1::standard/cis-aws-foundations-benchmark/v/1.2.0
+
+# Create custom insights
+aws securityhub create-insight \
+    --name "ERPNext High Severity Findings" \
+    --filters '{
+        "ProductArn": [{"Value": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "Comparison": "EQUALS"}],
+        "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}, {"Value": "CRITICAL", "Comparison": "EQUALS"}],
+        "ResourceTags": [{"Key": "Application", "Value": "ERPNext", "Comparison": "EQUALS"}]
+    }' \
+    --group-by-attribute "ResourceId"
+```
+
+### 3. AWS Systems Manager for Patch Management
+```bash
+# Create patch baseline for ECS instances
+aws ssm create-patch-baseline \
+    --name "ERPNext-Amazon-Linux-Baseline" \
+    --operating-system AMAZON_LINUX_2 \
+    --approval-rules '{
+        "PatchRules": [
+            {
+                "PatchFilterGroup": {
+                    "PatchFilters": [
+                        {
+                            "Key": "CLASSIFICATION",
+                            "Values": ["Security", "Bugfix", "Critical"]
+                        },
+                        {
+                            "Key": "SEVERITY",
+                            "Values": ["Critical", "Important"]
+                        }
+                    ]
+                },
+                "ApproveAfterDays": 0,
+                "EnableNonSecurity": false
+            }
+        ]
+    }' \
+    --description "Patch baseline for ERPNext infrastructure"
+
+# Create maintenance window
+aws ssm create-maintenance-window \
+    --name "ERPNext-Maintenance-Window" \
+    --schedule "cron(0 2 ? * SUN *)" \
+    --duration 4 \
+    --cutoff 1 \
+    --allow-unassociated-targets \
+    --description "Weekly maintenance window for ERPNext infrastructure"
+```
+
+## 📈 Advanced Performance Monitoring
+
+### 1. Custom CloudWatch Metrics for Business KPIs
+```bash
+# Create custom metric for ERPNext-specific metrics
+aws logs put-metric-filter \
+    --log-group-name "/aws/ecs/erpnext-backend" \
+    --filter-name "ERPNext-User-Logins" \
+    --filter-pattern "[timestamp, request_id, level=\"INFO\", message=\"User*logged*in*\"]" \
+    --metric-transformations \
+        metricName=UserLogins,metricNamespace=ERPNext/Business,metricValue=1,defaultValue=0
+
+aws logs put-metric-filter \
+    --log-group-name "/aws/ecs/erpnext-backend" \
+    --filter-name "ERPNext-Sales-Orders" \
+    --filter-pattern "[timestamp, request_id, level=\"INFO\", message=\"*Sales Order*created*\"]" \
+    --metric-transformations \
+        metricName=SalesOrdersCreated,metricNamespace=ERPNext/Business,metricValue=1,defaultValue=0
+
+aws logs put-metric-filter \
+    --log-group-name "/aws/ecs/erpnext-backend" \
+    --filter-name "ERPNext-Payment-Errors" \
+    --filter-pattern "[timestamp, request_id, level=\"ERROR\", message=\"*payment*failed*\"]" \
+    --metric-transformations \
+        metricName=PaymentErrors,metricNamespace=ERPNext/Business,metricValue=1,defaultValue=0
+```
+
+### 2. Integration with Prometheus and Grafana (for EKS)
+```bash
+# Install kube-prometheus-stack using Helm
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+
+helm install prometheus-stack prometheus-community/kube-prometheus-stack \
+    --namespace monitoring \
+    --create-namespace \
+    --values - <<EOF
+prometheus:
+  prometheusSpec:
+    storageSpec:
+      volumeClaimTemplate:
+        spec:
+          storageClassName: ebs-gp3
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 50Gi
+  ingress:
+    enabled: true
+    hosts:
+    - prometheus.yourdomain.com
+
+grafana:
+  adminPassword: YourSecureGrafanaPassword
+  persistence:
+    enabled: true
+    storageClassName: ebs-gp3
+    size: 10Gi
+  ingress:
+    enabled: true
+    hosts:
+    - grafana.yourdomain.com
+
+alertmanager:
+  alertmanagerSpec:
+    storage:
+      volumeClaimTemplate:
+        spec:
+          storageClassName: ebs-gp3
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 10Gi
+EOF
+
+# Create ServiceMonitor for ERPNext metrics
+cat > erpnext-servicemonitor.yaml <<EOF
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: erpnext-backend
+  namespace: monitoring
+  labels:
+    app: erpnext-backend
+spec:
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  endpoints:
+  - port: http
+    path: /metrics
+    interval: 30s
+EOF
+
+kubectl apply -f erpnext-servicemonitor.yaml
+```
+
+## 🧹 Maintenance and Lifecycle Management
+
+### 1. Automated Security Updates
+```bash
+# Create Lambda function for automated security updates
+cat > security-updater.py <<'EOF'
+import boto3
+import json
+
+def lambda_handler(event, context):
+    ecs = boto3.client('ecs')
+    ecr = boto3.client('ecr')
+    
+    # Get latest image from ECR
+    response = ecr.describe_images(
+        repositoryName='erpnext/backend',
+        imageIds=[{'imageTag': 'latest-security'}]
+    )
+    
+    if response['imageDetails']:
+        latest_image = f"{response['imageDetails'][0]['registryId']}.dkr.ecr.us-east-1.amazonaws.com/erpnext/backend:latest-security"
+        
+        # Update ECS service
+        ecs.update_service(
+            cluster='erpnext-cluster',
+            service='erpnext-backend',
+            forceNewDeployment=True,
+            taskDefinition='erpnext-backend:LATEST'
+        )
+        
+        return {
+            'statusCode': 200,
+            'body': json.dumps('Security update deployed successfully')
+        }
+    
+    return {
+        'statusCode': 200,
+        'body': json.dumps('No security updates available')
+    }
+EOF
+
+# Schedule weekly security updates
+aws events put-rule \
+    --name erpnext-security-updates \
+    --schedule-expression "cron(0 4 ? * MON *)" \
+    --description "Weekly security updates for ERPNext" \
+    --state ENABLED
+```
+
+### 2. Resource Cleanup and Cost Optimization
+```bash
+# Create cleanup Lambda function
+cat > resource-cleanup.py <<'EOF'
+import boto3
+from datetime import datetime, timedelta
+
+def lambda_handler(event, context):
+    rds = boto3.client('rds')
+    logs = boto3.client('logs')
+    s3 = boto3.client('s3')
+    
+    cleanup_results = []
+    
+    # Clean up old RDS snapshots (keep last 30)
+    snapshots = rds.describe_db_snapshots(
+        DBInstanceIdentifier='erpnext-db',
+        SnapshotType='manual'
+    )
+    
+    sorted_snapshots = sorted(snapshots['DBSnapshots'], 
+                            key=lambda x: x['SnapshotCreateTime'])
+    
+    if len(sorted_snapshots) > 30:
+        for snapshot in sorted_snapshots[:-30]:
+            rds.delete_db_snapshot(
+                DBSnapshotIdentifier=snapshot['DBSnapshotIdentifier']
+            )
+            cleanup_results.append(f"Deleted snapshot: {snapshot['DBSnapshotIdentifier']}")
+    
+    # Clean up old CloudWatch logs (older than 30 days)
+    cutoff_date = datetime.now() - timedelta(days=30)
+    
+    log_groups = logs.describe_log_groups(
+        logGroupNamePrefix='/aws/ecs/erpnext'
+    )
+    
+    for log_group in log_groups['logGroups']:
+        logs.put_retention_policy(
+            logGroupName=log_group['logGroupName'],
+            retentionInDays=30
+        )
+        cleanup_results.append(f"Set retention for: {log_group['logGroupName']}")
+    
+    # Clean up old S3 backup objects (older than 90 days)
+    bucket_name = f"erpnext-backups-{boto3.client('sts').get_caller_identity()['Account']}"
+    
+    response = s3.list_objects_v2(
+        Bucket=bucket_name,
+        Prefix='backups/'
+    )
+    
+    for obj in response.get('Contents', []):
+        if obj['LastModified'].replace(tzinfo=None) < cutoff_date:
+            s3.delete_object(
+                Bucket=bucket_name,
+                Key=obj['Key']
+            )
+            cleanup_results.append(f"Deleted S3 object: {obj['Key']}")
+    
+    return {
+        'statusCode': 200,
+        'body': json.dumps({
+            'message': 'Cleanup completed',
+            'results': cleanup_results
+        })
+    }
+EOF
+
+# Schedule monthly cleanup
+aws events put-rule \
+    --name erpnext-monthly-cleanup \
+    --schedule-expression "cron(0 6 1 * ? *)" \
+    --description "Monthly resource cleanup for ERPNext" \
+    --state ENABLED
+```
+
+This production setup guide provides comprehensive coverage of security hardening, advanced monitoring, disaster recovery, performance optimization, and operational procedures for ERPNext running on AWS managed services. The configuration supports both ECS and EKS deployments with enterprise-grade reliability and security.
+
+## ➡️ Next Steps
+
+1. **Security Audit**: Conduct regular security assessments using AWS Security Hub
+2. **Performance Baseline**: Establish performance benchmarks using CloudWatch and custom metrics
+3. **Disaster Recovery Testing**: Schedule and automate regular DR drills
+4. **Cost Optimization**: Monthly cost reviews using AWS Cost Explorer and Trusted Advisor
+5. **Compliance Monitoring**: Regular compliance checks using AWS Config and Security Hub
+6. **Documentation Updates**: Keep operational runbooks current with infrastructure changes
+
+---
+
+**⚠️ Important**: Regular reviews and updates of these configurations are essential for maintaining security, performance, and cost-effectiveness in production environments. Monitor AWS Service Health Dashboard for service updates and security advisories.
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/README.md b/documentation/deployment-guides/aws-managed/README.md
new file mode 100644
index 0000000..f484300
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/README.md
@@ -0,0 +1,418 @@
+# ERPNext AWS Deployment with Managed Services
+
+## Overview
+
+This directory contains comprehensive guides and resources for deploying ERPNext on Amazon Web Services (AWS) using **managed database services**: Amazon RDS for MySQL and Amazon MemoryDB for Redis. This approach provides better reliability, security, and operational efficiency compared to self-hosted databases.
+
+## 🏗️ Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    Amazon Web Services                         │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  ┌─────────────────┐    ┌─────────────────┐                   │
+│  │   Amazon ECS    │    │   Amazon EKS    │                   │
+│  │   (Fargate)     │    │  (Kubernetes)   │                   │
+│  │                 │    │                 │                   │
+│  │ ┌─────────────┐ │    │ ┌─────────────┐ │                   │
+│  │ │  Frontend   │ │    │ │    Pods     │ │                   │
+│  │ │  Backend    │ │    │ │ - Frontend  │ │                   │
+│  │ │  Workers    │ │    │ │ - Backend   │ │                   │
+│  │ │  Scheduler  │ │    │ │ - Workers   │ │                   │
+│  │ └─────────────┘ │    │ │ - Scheduler │ │                   │
+│  └─────────────────┘    │ └─────────────┘ │                   │
+│                         └─────────────────┘                   │
+│                                │                               │
+│  ┌─────────────────────────────┼─────────────────────────────┐ │
+│  │           Managed Services  │                             │ │
+│  │                            │                             │ │
+│  │  ┌──────────────┐    ┌─────────────┐    ┌──────────────┐ │ │
+│  │  │  Amazon RDS  │    │ MemoryDB    │    │   Amazon S3  │ │ │
+│  │  │   (MySQL)    │    │  (Redis)    │    │   (Files)    │ │ │
+│  │  └──────────────┘    └─────────────┘    └──────────────┘ │ │
+│  └─────────────────────────────────────────────────────────┘ │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## 📁 Directory Structure
+
+```
+aws-managed/
+├── README.md                                    # This file
+├── 00-prerequisites-managed.md                  # Prerequisites for managed services
+├── 01-ecs-managed-deployment.md                 # ECS with managed databases
+├── 02-eks-managed-deployment.md                 # EKS with managed databases
+├── 03-production-managed-setup.md               # Production hardening
+├── kubernetes-manifests/                        # K8s manifests for managed services
+│   ├── namespace.yaml                           # Namespace with security policies
+│   ├── storage.yaml                             # EFS and EBS storage classes
+│   ├── configmap.yaml                           # Config for managed services
+│   ├── secrets.yaml                             # External Secrets integration
+│   ├── erpnext-backend.yaml                     # Backend with RDS connection
+│   ├── erpnext-frontend.yaml                    # Optimized frontend
+│   ├── erpnext-workers.yaml                     # Workers with managed DB
+│   ├── ingress.yaml                             # ALB ingress controller
+│   └── jobs.yaml                                # Site creation and backup jobs
+└── scripts/                                     # Automation scripts
+    ├── deploy-ecs.sh                            # ECS deployment script
+    └── deploy-eks.sh                            # EKS deployment script
+```
+
+## 🚀 Quick Start
+
+### Option 1: Amazon ECS with Fargate (Recommended for Simplicity)
+
+```bash
+# 1. Complete prerequisites
+cd aws-managed/
+# Follow 00-prerequisites-managed.md
+
+# 2. Deploy to ECS
+cd scripts/
+export AWS_REGION="us-east-1"
+export PROJECT_NAME="erpnext"
+export DOMAIN_NAME="erpnext.yourdomain.com"
+./deploy-ecs.sh --project-name $PROJECT_NAME --domain $DOMAIN_NAME
+```
+
+### Option 2: Amazon EKS (Recommended for Production)
+
+```bash
+# 1. Complete prerequisites
+cd aws-managed/
+# Follow 00-prerequisites-managed.md
+
+# 2. Deploy to EKS
+cd scripts/
+export AWS_REGION="us-east-1"
+export PROJECT_NAME="erpnext"
+export DOMAIN_NAME="erpnext.yourdomain.com"
+./deploy-eks.sh --project-name $PROJECT_NAME --domain $DOMAIN_NAME
+```
+
+## 🎯 Key Benefits of AWS Managed Services
+
+### 🛡️ Enhanced Reliability
+- **99.95% SLA** for RDS and MemoryDB
+- **Multi-AZ deployment** with automatic failover
+- **Point-in-time recovery** for databases
+- **Automated backups** with cross-region replication
+
+### 🔧 Operational Efficiency
+- **Zero database administration** overhead
+- **Automatic security patches** and updates
+- **Performance insights** and optimization recommendations
+- **Built-in monitoring** with CloudWatch
+
+### 🔒 Enterprise Security
+- **VPC isolation** with private subnets
+- **Encryption at rest and in transit** by default
+- **IAM integration** for access control
+- **AWS WAF** for application protection
+
+### 💰 Cost Optimization
+- **Pay-as-you-scale** pricing model
+- **Reserved Instance discounts** available
+- **Automatic storage scaling** without downtime
+- **Spot instances** for non-critical workloads
+
+## 📊 Deployment Options Comparison
+
+| Feature | ECS + Managed DB | EKS + Managed DB | Self-Hosted DB |
+|---------|------------------|------------------|-----------------|
+| **Scalability** | Auto (Fargate) | Manual/Auto HPA | Manual |
+| **Operational Overhead** | Low | Medium | High |
+| **Database Reliability** | 99.95% SLA | 99.95% SLA | Depends on setup |
+| **Cost (Small)** | ~$250/month | ~$350/month | ~$200/month |
+| **Cost (Large)** | ~$500/month | ~$700/month | ~$450/month |
+| **Cold Start** | 1-2 seconds | None | None |
+| **Customization** | Medium | High | Very High |
+| **Kubernetes Native** | No | Yes | Yes |
+| **Multi-tenancy** | Limited | Supported | Supported |
+
+## 🛠️ Managed Services Configuration
+
+### Amazon RDS (MySQL)
+- **Instance Types**: db.t3.micro to db.r5.24xlarge
+- **Storage**: 20GB to 64TB, automatic scaling
+- **Backup**: Automated daily backups with 35-day retention
+- **High Availability**: Multi-AZ deployment with automatic failover
+- **Security**: VPC isolation, encryption, IAM database authentication
+
+### Amazon MemoryDB for Redis
+- **Node Types**: db.t4g.micro to db.r6g.16xlarge
+- **Features**: Redis 6.x compatibility, persistence, clustering
+- **Performance**: Up to 100+ million requests per second
+- **Monitoring**: Built-in CloudWatch metrics and alerts
+
+### Additional AWS Services
+- **Amazon S3**: File storage and backups
+- **AWS Secrets Manager**: Secure credential management
+- **AWS Systems Manager**: Parameter Store for configuration
+- **Amazon EFS**: Shared file storage for EKS
+- **AWS Lambda**: Automation and maintenance tasks
+- **Amazon EventBridge**: Scheduled tasks and triggers
+
+## 🔧 Advanced Features
+
+### Auto-scaling Configuration
+- **ECS**: Service auto scaling based on CPU/memory
+- **EKS**: Horizontal Pod Autoscaler + Cluster Autoscaler
+- **Database**: Automatic storage scaling, manual compute scaling
+- **Redis**: Manual scaling with zero-downtime
+
+### Security Hardening
+- **Network isolation** with private subnets and security groups
+- **IAM roles** for service accounts (IRSA for EKS)
+- **AWS WAF** for application-layer protection
+- **VPC Flow Logs** for network monitoring
+- **AWS Config** for compliance monitoring
+
+### Monitoring & Observability
+- **CloudWatch** for metrics, logs, and alerts
+- **AWS X-Ray** for distributed tracing
+- **Custom dashboards** for ERPNext-specific metrics
+- **Performance Insights** for database monitoring
+- **Container Insights** for ECS/EKS monitoring
+
+### Backup & Disaster Recovery
+- **RDS**: Automated backups with point-in-time recovery
+- **Application files**: Automated backup to S3
+- **Cross-region replication** for disaster recovery
+- **Automated DR testing** with validation
+- **Lambda-based backup automation**
+
+## 💰 Cost Estimation & Optimization
+
+### Typical Monthly Costs (US-East-1)
+
+#### Small Deployment (< 50 users) - ECS
+```
+RDS (db.t3.medium): $67
+MemoryDB (1 node): $45
+ECS Fargate (2 tasks): $30
+ALB: $22
+EFS: $3
+NAT Gateway: $45
+Total: ~$212/month
+```
+
+#### Medium Deployment (50-200 users) - EKS
+```
+RDS (db.r5.large): $150
+MemoryDB (2 nodes): $90
+EKS Control Plane: $73
+EC2 (3 t3.medium): $100
+ALB: $22
+EFS: $10
+NAT Gateway: $45
+Total: ~$490/month
+```
+
+#### Large Deployment (200+ users) - EKS
+```
+RDS (db.r5.xlarge): $300
+MemoryDB (3 nodes): $135
+EKS Control Plane: $73
+EC2 (6 t3.large): $300
+ALB: $22
+EFS: $25
+NAT Gateway: $90
+Total: ~$945/month
+```
+
+### Cost Optimization Strategies
+1. **Use Reserved Instances** (up to 75% savings for predictable workloads)
+2. **Implement Spot Instances** for non-critical worker nodes
+3. **Right-size instances** based on CloudWatch metrics
+4. **Use S3 Intelligent Tiering** for file storage
+5. **Schedule scaling** during off-hours
+
+## 🚨 Migration Path from Self-Hosted
+
+### Phase 1: Assessment and Planning (Week 1)
+- [ ] Audit current infrastructure and data size
+- [ ] Identify custom configurations and dependencies
+- [ ] Plan migration windows and rollback procedures
+- [ ] Set up AWS managed services in parallel
+
+### Phase 2: Infrastructure Setup (Week 2)
+- [ ] Deploy VPC, subnets, and security groups
+- [ ] Create RDS and MemoryDB instances
+- [ ] Set up ECS/EKS cluster and supporting services
+- [ ] Configure monitoring and alerting
+
+### Phase 3: Data Migration (Week 3)
+- [ ] Export data from existing MySQL/Redis
+- [ ] Import to RDS/MemoryDB with validation
+- [ ] Migrate file storage to S3/EFS
+- [ ] Update connection strings and test thoroughly
+
+### Phase 4: Application Migration (Week 4)
+- [ ] Deploy ERPNext with managed services
+- [ ] Conduct comprehensive testing
+- [ ] DNS cutover to new deployment
+- [ ] Monitor performance and optimize
+
+### Phase 5: Optimization and Cleanup (Week 5)
+- [ ] Optimize resource allocation based on metrics
+- [ ] Implement cost optimization measures
+- [ ] Decommission old infrastructure
+- [ ] Update backup and DR procedures
+
+## 🔍 Troubleshooting Common Issues
+
+### RDS Connection Issues
+```bash
+# Test connectivity from ECS/EKS
+# For ECS
+aws ecs run-task --cluster erpnext-cluster \
+    --task-definition erpnext-backend \
+    --overrides '{"containerOverrides":[{"name":"erpnext-backend","command":["mysql","-h","RDS_ENDPOINT","-u","admin","-p"]}]}'
+
+# For EKS
+kubectl run mysql-test --rm -i --tty --image=mysql:8.0 -- mysql -h RDS_ENDPOINT -u admin -p
+```
+
+### MemoryDB Connection Issues
+```bash
+# Test Redis connectivity
+# For EKS
+kubectl run redis-test --rm -i --tty --image=redis:alpine -- redis-cli -h REDIS_ENDPOINT ping
+
+# Check AUTH configuration
+aws memorydb describe-clusters --cluster-name erpnext-redis --region us-east-1
+```
+
+### Performance Issues
+```bash
+# Check RDS performance
+aws rds describe-db-instances --db-instance-identifier erpnext-db
+aws cloudwatch get-metric-statistics --namespace AWS/RDS --metric-name CPUUtilization
+
+# Monitor MemoryDB metrics
+aws cloudwatch get-metric-statistics --namespace AWS/MemoryDB --metric-name CPUUtilization
+```
+
+### Cost Issues
+```bash
+# Analyze costs with AWS CLI
+aws ce get-cost-and-usage --time-period Start=2024-01-01,End=2024-01-31 \
+    --granularity MONTHLY --metrics BlendedCost
+
+# Get cost recommendations
+aws support describe-trusted-advisor-checks --language en
+```
+
+## 📚 Additional Resources
+
+### AWS Documentation
+- [Amazon RDS User Guide](https://docs.aws.amazon.com/rds/)
+- [Amazon MemoryDB User Guide](https://docs.aws.amazon.com/memorydb/)
+- [Amazon ECS Developer Guide](https://docs.aws.amazon.com/ecs/)
+- [Amazon EKS User Guide](https://docs.aws.amazon.com/eks/)
+- [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/)
+
+### ERPNext Specific
+- [ERPNext Documentation](https://docs.erpnext.com/)
+- [Frappe Framework Documentation](https://frappeframework.com/docs)
+- [ERPNext GitHub Repository](https://github.com/frappe/erpnext)
+
+### AWS Tools and SDKs
+- [AWS CLI Documentation](https://docs.aws.amazon.com/cli/)
+- [eksctl Documentation](https://eksctl.io/)
+- [AWS CDK Documentation](https://docs.aws.amazon.com/cdk/)
+
+### Monitoring & Operations
+- [AWS CloudWatch User Guide](https://docs.aws.amazon.com/cloudwatch/)
+- [AWS X-Ray Developer Guide](https://docs.aws.amazon.com/xray/)
+- [Kubernetes Monitoring Best Practices](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/)
+
+## 🎯 Decision Matrix
+
+### Choose ECS + Managed Services if:
+- ✅ Want minimal operational overhead
+- ✅ Team has limited Kubernetes experience
+- ✅ Need rapid deployment and scaling
+- ✅ Prefer AWS-native container orchestration
+- ✅ Want to minimize infrastructure complexity
+
+### Choose EKS + Managed Services if:
+- ✅ Need advanced Kubernetes features
+- ✅ Plan to run multiple applications
+- ✅ Require fine-grained control over scheduling
+- ✅ Have existing Kubernetes expertise
+- ✅ Need advanced networking capabilities
+- ✅ Want cloud-agnostic deployment patterns
+
+## 📞 Support & Contributing
+
+### Getting Help
+- **Documentation Issues**: Create issues in the repository
+- **AWS Support**: Use AWS Support Center for service issues
+- **Community**: ERPNext Community Forum and GitHub Discussions
+- **Professional Services**: AWS Professional Services for complex deployments
+
+### Contributing
+- **Documentation improvements**: Submit pull requests
+- **Script enhancements**: Share automation improvements
+- **Best practices**: Contribute lessons learned from production deployments
+- **Cost optimizations**: Share optimization strategies and findings
+
+### Feedback
+We welcome feedback on these deployment guides. Please open an issue or submit a pull request with:
+- Improvements to documentation clarity
+- Additional troubleshooting scenarios
+- Cost optimization techniques
+- Security enhancements
+- Performance optimization tips
+
+## ⚡ Quick Commands Reference
+
+### ECS Operations
+```bash
+# Check service status
+aws ecs describe-services --cluster erpnext-cluster --services erpnext-backend
+
+# View task logs
+aws logs get-log-events --log-group-name /aws/ecs/erpnext-backend
+
+# Scale service
+aws ecs update-service --cluster erpnext-cluster --service erpnext-backend --desired-count 5
+```
+
+### EKS Operations
+```bash
+# Check pod status
+kubectl get pods -n erpnext
+
+# View logs
+kubectl logs -f deployment/erpnext-backend -n erpnext
+
+# Scale deployment
+kubectl scale deployment erpnext-backend --replicas=5 -n erpnext
+```
+
+### Database Operations
+```bash
+# Create RDS snapshot
+aws rds create-db-snapshot --db-instance-identifier erpnext-db --db-snapshot-identifier manual-backup-$(date +%Y%m%d)
+
+# Monitor MemoryDB
+aws memorydb describe-clusters --cluster-name erpnext-redis
+```
+
+---
+
+**⚠️ Important Notes**:
+- Managed services incur continuous costs even when applications are idle
+- Always test deployments thoroughly in staging before production
+- Monitor costs regularly using AWS Cost Explorer
+- Keep credentials secure and rotate regularly
+- Follow AWS security best practices and compliance requirements
+- Review and update security groups and IAM policies regularly
+
+**🎯 Recommendation**: For most production deployments, EKS with managed services provides the best balance of control, reliability, and operational efficiency, while ECS offers simplicity for teams new to container orchestration.
+
+**🔄 Maintenance**: These guides are actively maintained. Check for updates regularly and ensure your AWS CLI, kubectl, and other tools are up to date.
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/configmap.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/configmap.yaml
new file mode 100644
index 0000000..f103b64
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/configmap.yaml
@@ -0,0 +1,228 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: erpnext-config
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: config
+data:
+  # ERPNext Application Configuration
+  APP_VERSION: "v14"
+  APP_URL: "erpnext.yourdomain.com"
+  APP_USER: "Administrator"
+  APP_DB_PARAM: "db"
+  DEVELOPER_MODE: "0"
+  ENABLE_SCHEDULER: "1"
+  SOCKETIO_PORT: "9000"
+  
+  # Database Configuration (AWS RDS)
+  DB_HOST: "${DB_HOST}"  # Replace with actual RDS endpoint
+  DB_PORT: "3306"
+  DB_NAME: "erpnext"
+  DB_USER: "admin"
+  DB_TIMEOUT: "60"
+  DB_CHARSET: "utf8mb4"
+  
+  # Redis Configuration (AWS MemoryDB)
+  REDIS_CACHE_URL: "redis://${REDIS_HOST}:6379/0"
+  REDIS_QUEUE_URL: "redis://${REDIS_HOST}:6379/1"
+  REDIS_SOCKETIO_URL: "redis://${REDIS_HOST}:6379/2"
+  
+  # Performance Configuration
+  WORKERS: "4"
+  THREADS: "2"
+  MAX_REQUESTS: "1000"
+  MAX_REQUESTS_JITTER: "100"
+  WORKER_TIMEOUT: "120"
+  KEEPALIVE: "5"
+  
+  # AWS Configuration
+  AWS_DEFAULT_REGION: "us-east-1"
+  AWS_S3_BUCKET: "erpnext-files-${ACCOUNT_ID}"
+  
+  # Logging Configuration
+  LOG_LEVEL: "INFO"
+  STRUCTURED_LOGS: "true"
+  
+  # Security Configuration
+  FORCE_HTTPS: "true"
+  COOKIE_SECURE: "true"
+  SESSION_COOKIE_SAMESITE: "Lax"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: erpnext-nginx-config
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: frontend
+data:
+  nginx.conf: |
+    user nginx;
+    worker_processes auto;
+    error_log /var/log/nginx/error.log warn;
+    pid /var/run/nginx.pid;
+
+    events {
+        worker_connections 1024;
+        use epoll;
+        multi_accept on;
+    }
+
+    http {
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        # Logging format
+        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                       '$status $body_bytes_sent "$http_referer" '
+                       '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log /var/log/nginx/access.log main;
+
+        # Performance settings
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        client_max_body_size 50M;
+
+        # Gzip compression
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 1024;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_types
+            text/plain
+            text/css
+            text/xml
+            text/javascript
+            application/json
+            application/javascript
+            application/xml+rss
+            application/atom+xml
+            image/svg+xml;
+
+        # Security headers
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        upstream backend {
+            server erpnext-backend:8000;
+            keepalive 32;
+        }
+
+        upstream socketio {
+            server erpnext-backend:9000;
+            keepalive 32;
+        }
+
+        server {
+            listen 8080;
+            server_name _;
+
+            # Health check endpoint
+            location /health {
+                access_log off;
+                return 200 "healthy\n";
+                add_header Content-Type text/plain;
+            }
+
+            # Socket.IO
+            location /socket.io/ {
+                proxy_pass http://socketio;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_cache_bypass $http_upgrade;
+                proxy_buffering off;
+            }
+
+            # API endpoints
+            location /api/ {
+                proxy_pass http://backend;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_read_timeout 300;
+                proxy_connect_timeout 300;
+            }
+
+            # Static assets
+            location /assets/ {
+                root /home/frappe/frappe-bench/sites;
+                expires 1y;
+                add_header Cache-Control "public, immutable";
+                add_header X-Content-Type-Options nosniff;
+            }
+
+            # Files
+            location /files/ {
+                root /home/frappe/frappe-bench/sites;
+                expires 1y;
+                add_header Cache-Control "public";
+                add_header X-Content-Type-Options nosniff;
+            }
+
+            # Everything else to backend
+            location / {
+                proxy_pass http://backend;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_read_timeout 300;
+                proxy_connect_timeout 300;
+            }
+        }
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluent-bit-config
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: logging
+data:
+  fluent-bit.conf: |
+    [SERVICE]
+        Flush         1
+        Log_Level     info
+        Daemon        off
+        Parsers_File  parsers.conf
+
+    [INPUT]
+        Name              tail
+        Path              /home/frappe/frappe-bench/logs/*.log
+        Parser            erpnext
+        Tag               erpnext.*
+        Refresh_Interval  5
+
+    [OUTPUT]
+        Name cloudwatch_logs
+        Match *
+        region us-east-1
+        log_group_name /aws/eks/erpnext
+        log_stream_prefix erpnext-
+        auto_create_group true
+
+  parsers.conf: |
+    [PARSER]
+        Name        erpnext
+        Format      regex
+        Regex       ^(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?<milliseconds>\d{3}) (?<level>\w+) (?<message>.*)$
+        Time_Key    timestamp
+        Time_Format %Y-%m-%d %H:%M:%S
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-backend.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-backend.yaml
new file mode 100644
index 0000000..d62e8b4
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-backend.yaml
@@ -0,0 +1,328 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+    component: backend
+    environment: production
+    version: v14
+  annotations:
+    deployment.kubernetes.io/revision: "1"
+    description: "ERPNext backend application server"
+spec:
+  replicas: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  template:
+    metadata:
+      labels:
+        app: erpnext-backend
+        component: backend
+        environment: production
+        version: v14
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8000"
+        prometheus.io/path: "/metrics"
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-db
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for database to be ready...'
+          until nc -z $DB_HOST $DB_PORT; do
+            echo 'Waiting for database...'
+            sleep 10
+          done
+          echo 'Database is ready!'
+          
+          echo 'Waiting for Redis to be ready...'
+          until nc -z $(echo $REDIS_CACHE_URL | cut -d'/' -f3 | cut -d':' -f1) 6379; do
+            echo 'Waiting for Redis...'
+            sleep 10
+          done
+          echo 'Redis is ready!'
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: erpnext-backend
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8000
+          name: http
+          protocol: TCP
+        - containerPort: 9000
+          name: socketio
+          protocol: TCP
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        - name: backups-data
+          mountPath: /home/frappe/frappe-bench/sites/backups
+        - name: logs-data
+          mountPath: /home/frappe/frappe-bench/logs
+        - name: tmp-volume
+          mountPath: /tmp
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+            ephemeral-storage: "1Gi"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+            ephemeral-storage: "2Gi"
+        livenessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+          successThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 30
+          successThreshold: 1
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - sleep 10
+      # Sidecar container for log collection
+      - name: fluent-bit
+        image: fluent/fluent-bit:2.2.0
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 2020
+          name: metrics
+          protocol: TCP
+        env:
+        - name: AWS_REGION
+          value: "us-east-1"
+        - name: CLUSTER_NAME
+          value: "erpnext-cluster"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        volumeMounts:
+        - name: fluent-bit-config
+          mountPath: /fluent-bit/etc
+        - name: logs-data
+          mountPath: /home/frappe/frappe-bench/logs
+          readOnly: true
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: backups-data
+        persistentVolumeClaim:
+          claimName: erpnext-backups-pvc
+      - name: logs-data
+        persistentVolumeClaim:
+          claimName: erpnext-logs-pvc
+      - name: fluent-bit-config
+        configMap:
+          name: fluent-bit-config
+      - name: tmp-volume
+        emptyDir:
+          sizeLimit: 1Gi
+      nodeSelector:
+        node-type: worker
+        kubernetes.io/arch: amd64
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - erpnext-backend
+              topologyKey: kubernetes.io/hostname
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: node-type
+                operator: In
+                values:
+                - worker
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+    component: backend
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "8000"
+    prometheus.io/path: "/metrics"
+spec:
+  selector:
+    app: erpnext-backend
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+    protocol: TCP
+  - name: socketio
+    port: 9000
+    targetPort: 9000
+    protocol: TCP
+  type: ClusterIP
+  sessionAffinity: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-backend-headless
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+    component: backend
+    service-type: headless
+spec:
+  selector:
+    app: erpnext-backend
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+    protocol: TCP
+  - name: socketio
+    port: 9000
+    targetPort: 9000
+    protocol: TCP
+  type: ClusterIP
+  clusterIP: None
+---
+# ServiceMonitor for Prometheus monitoring
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+  labels:
+    app: erpnext-backend
+    component: backend
+    monitoring: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  endpoints:
+  - port: http
+    path: /metrics
+    interval: 30s
+    scrapeTimeout: 10s
+    honorLabels: true
+  - port: socketio
+    path: /metrics
+    interval: 30s
+    scrapeTimeout: 10s
+    honorLabels: true
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-frontend.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-frontend.yaml
new file mode 100644
index 0000000..b355f31
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-frontend.yaml
@@ -0,0 +1,247 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+    component: frontend
+    environment: production
+    version: v14
+  annotations:
+    deployment.kubernetes.io/revision: "1"
+    description: "ERPNext Nginx frontend web server"
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: erpnext-frontend
+  template:
+    metadata:
+      labels:
+        app: erpnext-frontend
+        component: frontend
+        environment: production
+        version: v14
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+        prometheus.io/path: "/nginx_status"
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101  # nginx user
+        runAsGroup: 101
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-backend
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for backend to be ready...'
+          until nc -z erpnext-backend 8000; do
+            echo 'Waiting for backend...'
+            sleep 5
+          done
+          echo 'Backend is ready!'
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: erpnext-frontend
+        image: frappe/erpnext-nginx:v14
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+          readOnly: true
+        - name: nginx-config
+          mountPath: /etc/nginx/nginx.conf
+          subPath: nginx.conf
+          readOnly: true
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-run
+          mountPath: /var/run
+        - name: tmp-volume
+          mountPath: /tmp
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+            ephemeral-storage: "500Mi"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+            ephemeral-storage: "1Gi"
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 12
+          successThreshold: 1
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - sleep 15
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: nginx-config
+        configMap:
+          name: erpnext-nginx-config
+          items:
+          - key: nginx.conf
+            path: nginx.conf
+      - name: nginx-cache
+        emptyDir:
+          sizeLimit: 500Mi
+      - name: nginx-run
+        emptyDir:
+          sizeLimit: 100Mi
+      - name: tmp-volume
+        emptyDir:
+          sizeLimit: 500Mi
+      nodeSelector:
+        node-type: worker
+        kubernetes.io/arch: amd64
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - erpnext-frontend
+              topologyKey: kubernetes.io/hostname
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: node-type
+                operator: In
+                values:
+                - worker
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+    component: frontend
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "8080"
+    prometheus.io/path: "/nginx_status"
+spec:
+  selector:
+    app: erpnext-frontend
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  type: ClusterIP
+  sessionAffinity: None
+---
+# ServiceMonitor for Prometheus monitoring
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+    component: frontend
+    monitoring: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: erpnext-frontend
+  endpoints:
+  - port: http
+    path: /nginx_status
+    interval: 30s
+    scrapeTimeout: 10s
+    honorLabels: true
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-workers.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-workers.yaml
new file mode 100644
index 0000000..95fe0c5
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/erpnext-workers.yaml
@@ -0,0 +1,542 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-default
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-default
+    component: worker
+    queue: default
+    environment: production
+    version: v14
+  annotations:
+    deployment.kubernetes.io/revision: "1"
+    description: "ERPNext default queue worker"
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: erpnext-queue-default
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-default
+        component: worker
+        queue: default
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-backend
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for backend to be ready...'
+          until nc -z erpnext-backend 8000; do
+            echo 'Waiting for backend...'
+            sleep 10
+          done
+          echo 'Backend is ready!'
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        command: ["bench", "worker", "--queue", "default"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        - name: QUEUE_NAME
+          value: "default"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+            ephemeral-storage: "1Gi"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+            ephemeral-storage: "2Gi"
+        livenessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - erpnext-queue-default
+              topologyKey: kubernetes.io/hostname
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-long
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-long
+    component: worker
+    queue: long
+    environment: production
+    version: v14
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: erpnext-queue-long
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-long
+        component: worker
+        queue: long
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-backend
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for backend to be ready...'
+          until nc -z erpnext-backend 8000; do
+            echo 'Waiting for backend...'
+            sleep 10
+          done
+          echo 'Backend is ready!'
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        command: ["bench", "worker", "--queue", "long"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        - name: QUEUE_NAME
+          value: "long"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+            ephemeral-storage: "1Gi"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+            ephemeral-storage: "2Gi"
+        livenessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      terminationGracePeriodSeconds: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-short
+  namespace: erpnext
+  labels:
+    app: erpnext-queue-short
+    component: worker
+    queue: short
+    environment: production
+    version: v14
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: erpnext-queue-short
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-short
+        component: worker
+        queue: short
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-backend
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for backend to be ready...'
+          until nc -z erpnext-backend 8000; do
+            echo 'Waiting for backend...'
+            sleep 10
+          done
+          echo 'Backend is ready!'
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        command: ["bench", "worker", "--queue", "short"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        - name: QUEUE_NAME
+          value: "short"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+            ephemeral-storage: "500Mi"
+          limits:
+            memory: "512Mi"
+            cpu: "250m"
+            ephemeral-storage: "1Gi"
+        livenessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench worker"
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - erpnext-queue-short
+              topologyKey: kubernetes.io/hostname
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-scheduler
+  namespace: erpnext
+  labels:
+    app: erpnext-scheduler
+    component: scheduler
+    environment: production
+    version: v14
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate  # Only one scheduler should run at a time
+  selector:
+    matchLabels:
+      app: erpnext-scheduler
+  template:
+    metadata:
+      labels:
+        app: erpnext-scheduler
+        component: scheduler
+        environment: production
+        version: v14
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-backend
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for backend to be ready...'
+          until nc -z erpnext-backend 8000; do
+            echo 'Waiting for backend...'
+            sleep 10
+          done
+          echo 'Backend is ready!'
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: scheduler
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        command: ["bench", "schedule"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+            ephemeral-storage: "500Mi"
+          limits:
+            memory: "512Mi"
+            cpu: "250m"
+            ephemeral-storage: "1Gi"
+        livenessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench schedule"
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - pgrep
+            - -f
+            - "bench schedule"
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+        kubernetes.io/arch: amd64
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: node-type
+                operator: In
+                values:
+                - worker
+      terminationGracePeriodSeconds: 30
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/ingress.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/ingress.yaml
new file mode 100644
index 0000000..60e5efa
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/ingress.yaml
@@ -0,0 +1,274 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: erpnext-ingress
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: ingress
+    environment: production
+  annotations:
+    # AWS Load Balancer Controller annotations
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
+    
+    # SSL/TLS Configuration
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:${ACCOUNT_ID}:certificate/${CERT_ID}
+    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
+    
+    # Load Balancer Attributes
+    alb.ingress.kubernetes.io/load-balancer-attributes: |
+      routing.http2.enabled=true,
+      idle_timeout.timeout_seconds=60,
+      access_logs.s3.enabled=true,
+      access_logs.s3.bucket=erpnext-alb-logs-${ACCOUNT_ID},
+      access_logs.s3.prefix=erpnext-alb
+    
+    # Health Check Configuration
+    alb.ingress.kubernetes.io/healthcheck-grace-period-seconds: "60"
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
+    alb.ingress.kubernetes.io/healthy-threshold-count: "2"
+    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
+    alb.ingress.kubernetes.io/success-codes: "200,201,202"
+    
+    # Security and Performance
+    alb.ingress.kubernetes.io/security-groups: sg-${SECURITY_GROUP_ID}
+    alb.ingress.kubernetes.io/subnets: subnet-${PUBLIC_SUBNET_1A},subnet-${PUBLIC_SUBNET_1B}
+    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-east-1:${ACCOUNT_ID}:regional/webacl/ERPNextWAF/${WAF_ID}
+    
+    # Tags for Cost Allocation
+    alb.ingress.kubernetes.io/tags: |
+      Environment=production,
+      Application=ERPNext,
+      Team=Infrastructure,
+      CostCenter=IT,
+      Project=ERP
+    
+    # Additional annotations for performance
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/client-body-buffer-size: "1m"
+    nginx.ingress.kubernetes.io/proxy-buffering: "on"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    nginx.ingress.kubernetes.io/proxy-buffers: "8 8k"
+    
+    # Security headers
+    nginx.ingress.kubernetes.io/server-snippet: |
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+      add_header Referrer-Policy "strict-origin-when-cross-origin";
+      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:";
+spec:
+  tls:
+  - hosts:
+    - erpnext.yourdomain.com
+    - www.erpnext.yourdomain.com
+    secretName: erpnext-ssl-certs
+  rules:
+  - host: erpnext.yourdomain.com
+    http:
+      paths:
+      # Socket.IO traffic - highest priority
+      - path: /socket.io
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 9000
+      
+      # API endpoints
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 8000
+      
+      # File downloads and uploads
+      - path: /files
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+      
+      # Static assets
+      - path: /assets
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+      
+      # Health check endpoint
+      - path: /health
+        pathType: Exact
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+      
+      # All other traffic to frontend
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+  
+  # Redirect www to non-www
+  - host: www.erpnext.yourdomain.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+---
+# Additional ingress for internal monitoring (optional)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: erpnext-monitoring-ingress
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: monitoring
+    environment: production
+  annotations:
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internal
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
+    alb.ingress.kubernetes.io/subnets: subnet-${PRIVATE_SUBNET_1A},subnet-${PRIVATE_SUBNET_1B}
+    alb.ingress.kubernetes.io/security-groups: sg-${MONITORING_SECURITY_GROUP_ID}
+    alb.ingress.kubernetes.io/tags: |
+      Environment=production,
+      Application=ERPNext,
+      Component=Monitoring,
+      Access=Internal
+spec:
+  rules:
+  - host: erpnext-monitoring.internal
+    http:
+      paths:
+      # Prometheus metrics
+      - path: /metrics
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 8000
+      
+      # Health checks
+      - path: /health
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+---
+# Network Policy to restrict ingress traffic
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: erpnext-ingress-policy
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: erpnext-frontend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: aws-load-balancer-controller
+    ports:
+    - protocol: TCP
+      port: 8080
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: erpnext
+    - podSelector:
+        matchLabels:
+          component: backend
+    ports:
+    - protocol: TCP
+      port: 8080
+---
+# HorizontalPodAutoscaler for frontend based on ALB metrics
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: erpnext-frontend-hpa
+  namespace: erpnext
+  labels:
+    app: erpnext-frontend
+    component: autoscaling
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: erpnext-frontend
+  minReplicas: 2
+  maxReplicas: 8
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 70
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 80
+  behavior:
+    scaleDown:
+      stabilizationWindowSeconds: 300
+      policies:
+      - type: Percent
+        value: 50
+        periodSeconds: 60
+    scaleUp:
+      stabilizationWindowSeconds: 60
+      policies:
+      - type: Percent
+        value: 100
+        periodSeconds: 60
+      - type: Pods
+        value: 2
+        periodSeconds: 60
+      selectPolicy: Max
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/jobs.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/jobs.yaml
new file mode 100644
index 0000000..f46015d
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/jobs.yaml
@@ -0,0 +1,436 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: erpnext-create-site
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: setup
+    job-type: create-site
+  annotations:
+    description: "Initialize ERPNext site with database and default configuration"
+spec:
+  backoffLimit: 3
+  completions: 1
+  parallelism: 1
+  activeDeadlineSeconds: 3600  # 1 hour timeout
+  template:
+    metadata:
+      labels:
+        app: erpnext
+        component: setup
+        job-type: create-site
+    spec:
+      serviceAccountName: erpnext-sa
+      restartPolicy: Never
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+      - name: wait-for-services
+        image: busybox:1.35
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for database to be ready...'
+          until nc -z $DB_HOST $DB_PORT; do
+            echo 'Waiting for database...'
+            sleep 10
+          done
+          echo 'Database is ready!'
+          
+          echo 'Waiting for Redis to be ready...'
+          REDIS_HOST=$(echo $REDIS_CACHE_URL | cut -d'/' -f3 | cut -d':' -f1)
+          until nc -z $REDIS_HOST 6379; do
+            echo 'Waiting for Redis...'
+            sleep 10
+          done
+          echo 'Redis is ready!'
+          
+          # Additional wait for services to stabilize
+          echo 'Waiting for services to stabilize...'
+          sleep 30
+          echo 'Services are ready!'
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      containers:
+      - name: create-site
+        image: frappe/erpnext-worker:v14
+        imagePullPolicy: Always
+        command:
+        - bash
+        - -c
+        - |
+          set -e
+          echo "Starting ERPNext site creation process..."
+          
+          # Check if site already exists
+          if [ -d "/home/frappe/frappe-bench/sites/frontend" ]; then
+            echo "Site 'frontend' already exists. Checking if it's properly configured..."
+            
+            # Verify site configuration
+            if bench --site frontend list-apps | grep -q erpnext; then
+              echo "Site is properly configured with ERPNext. Skipping creation."
+              exit 0
+            else
+              echo "Site exists but ERPNext is not installed. Installing ERPNext..."
+              bench --site frontend install-app erpnext
+              echo "ERPNext installation completed."
+              exit 0
+            fi
+          fi
+          
+          echo "Creating new ERPNext site 'frontend'..."
+          
+          # Set database connection parameters
+          export DB_HOST="$DB_HOST"
+          export DB_PORT="$DB_PORT"
+          export DB_NAME="$DB_NAME"
+          export DB_USER="$DB_USER"
+          
+          # Create the site with ERPNext
+          bench new-site frontend \
+            --admin-password "$ADMIN_PASSWORD" \
+            --mariadb-root-password "$DB_PASSWORD" \
+            --install-app erpnext \
+            --set-default \
+            --verbose
+          
+          # Configure site for production
+          echo "Configuring site for production..."
+          
+          # Set maintenance mode off
+          bench --site frontend set-maintenance-mode off
+          
+          # Clear cache
+          bench --site frontend clear-cache
+          
+          # Set up site configuration
+          bench --site frontend set-config developer_mode 0
+          bench --site frontend set-config maintenance_mode 0
+          bench --site frontend set-config enable_scheduler 1
+          
+          # Create a backup
+          echo "Creating initial backup..."
+          bench --site frontend backup --with-files
+          
+          echo "Site creation and configuration completed successfully!"
+          echo "Site URL: $APP_URL"
+          echo "Admin User: $APP_USER"
+          echo "Site is ready for use."
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-admin-secret
+              key: password
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        - name: backups-data
+          mountPath: /home/frappe/frappe-bench/sites/backups
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+            ephemeral-storage: "2Gi"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+            ephemeral-storage: "4Gi"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: backups-data
+        persistentVolumeClaim:
+          claimName: erpnext-backups-pvc
+      nodeSelector:
+        node-type: worker
+        kubernetes.io/arch: amd64
+      tolerations:
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: erpnext-backup
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: backup
+    schedule-type: daily
+  annotations:
+    description: "Daily backup of ERPNext database and files to S3"
+spec:
+  schedule: "0 2 * * *"  # Daily at 2 AM UTC
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  startingDeadlineSeconds: 300
+  jobTemplate:
+    metadata:
+      labels:
+        app: erpnext
+        component: backup
+        schedule-type: daily
+    spec:
+      backoffLimit: 2
+      activeDeadlineSeconds: 7200  # 2 hours timeout
+      template:
+        metadata:
+          labels:
+            app: erpnext
+            component: backup
+            schedule-type: daily
+        spec:
+          serviceAccountName: erpnext-sa
+          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            fsGroupChangePolicy: "OnRootMismatch"
+          containers:
+          - name: backup
+            image: frappe/erpnext-worker:v14
+            imagePullPolicy: Always
+            command:
+            - bash
+            - -c
+            - |
+              set -e
+              
+              BACKUP_DATE=$(date +%Y%m%d_%H%M%S)
+              BACKUP_DIR="/home/frappe/frappe-bench/sites/backups"
+              S3_BUCKET="${AWS_S3_BUCKET:-erpnext-backups-${ACCOUNT_ID}}"
+              
+              echo "Starting backup process at $BACKUP_DATE"
+              
+              # Ensure backup directory exists
+              mkdir -p "$BACKUP_DIR"
+              
+              # Create database backup with files
+              echo "Creating database backup..."
+              bench --site frontend backup --with-files --backup-path "$BACKUP_DIR"
+              
+              # List created backup files
+              echo "Backup files created:"
+              ls -la "$BACKUP_DIR"
+              
+              # Upload to S3 if configured
+              if [ -n "$S3_BUCKET" ] && command -v aws >/dev/null 2>&1; then
+                echo "Uploading backups to S3 bucket: $S3_BUCKET"
+                
+                # Create S3 path with date
+                S3_PATH="s3://$S3_BUCKET/backups/$BACKUP_DATE/"
+                
+                # Upload all backup files
+                aws s3 cp "$BACKUP_DIR/" "$S3_PATH" --recursive --exclude "*" --include "*.sql.gz" --include "*.tar"
+                
+                if [ $? -eq 0 ]; then
+                  echo "Backup successfully uploaded to $S3_PATH"
+                  
+                  # Clean up local backup files older than 7 days
+                  find "$BACKUP_DIR" -name "*.sql.gz" -mtime +7 -delete
+                  find "$BACKUP_DIR" -name "*.tar" -mtime +7 -delete
+                  echo "Cleaned up local backup files older than 7 days"
+                else
+                  echo "Failed to upload backup to S3"
+                  exit 1
+                fi
+              else
+                echo "S3 upload not configured or AWS CLI not available"
+                echo "Keeping backups locally"
+              fi
+              
+              # Generate backup report
+              echo "Backup Summary:"
+              echo "- Backup Date: $BACKUP_DATE"
+              echo "- Backup Location: $BACKUP_DIR"
+              if [ -n "$S3_BUCKET" ]; then
+                echo "- S3 Location: $S3_PATH"
+              fi
+              echo "- Backup Status: SUCCESS"
+              
+              echo "Backup process completed successfully"
+            envFrom:
+            - configMapRef:
+                name: erpnext-config
+            env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: erpnext-db-secret
+                  key: password
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: erpnext-redis-secret
+                  key: password
+            - name: ACCOUNT_ID
+              value: "${ACCOUNT_ID}"
+            volumeMounts:
+            - name: sites-data
+              mountPath: /home/frappe/frappe-bench/sites
+            - name: backups-data
+              mountPath: /home/frappe/frappe-bench/sites/backups
+            resources:
+              requests:
+                memory: "512Mi"
+                cpu: "250m"
+                ephemeral-storage: "2Gi"
+              limits:
+                memory: "1Gi"
+                cpu: "500m"
+                ephemeral-storage: "4Gi"
+          volumes:
+          - name: sites-data
+            persistentVolumeClaim:
+              claimName: erpnext-sites-pvc
+          - name: backups-data
+            persistentVolumeClaim:
+              claimName: erpnext-backups-pvc
+          nodeSelector:
+            node-type: worker
+            kubernetes.io/arch: amd64
+          tolerations:
+          - key: "node.kubernetes.io/not-ready"
+            operator: "Exists"
+            effect: "NoExecute"
+            tolerationSeconds: 300
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: erpnext-maintenance
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: maintenance
+    schedule-type: weekly
+  annotations:
+    description: "Weekly maintenance tasks for ERPNext"
+spec:
+  schedule: "0 3 * * 0"  # Weekly on Sunday at 3 AM UTC
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 2
+  startingDeadlineSeconds: 600
+  jobTemplate:
+    metadata:
+      labels:
+        app: erpnext
+        component: maintenance
+        schedule-type: weekly
+    spec:
+      backoffLimit: 1
+      activeDeadlineSeconds: 3600  # 1 hour timeout
+      template:
+        metadata:
+          labels:
+            app: erpnext
+            component: maintenance
+            schedule-type: weekly
+        spec:
+          serviceAccountName: erpnext-sa
+          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+          containers:
+          - name: maintenance
+            image: frappe/erpnext-worker:v14
+            imagePullPolicy: Always
+            command:
+            - bash
+            - -c
+            - |
+              set -e
+              
+              echo "Starting weekly maintenance tasks..."
+              
+              # Clear cache and optimize
+              echo "Clearing cache..."
+              bench --site frontend clear-cache
+              
+              # Run database optimization
+              echo "Running database maintenance..."
+              bench --site frontend execute "frappe.utils.bench_manager.run_patches()"
+              
+              # Clean up logs
+              echo "Cleaning up old logs..."
+              find /home/frappe/frappe-bench/logs -name "*.log" -mtime +30 -delete
+              
+              # Generate system health report
+              echo "Generating system health report..."
+              bench --site frontend execute "frappe.utils.doctor.get_system_info()"
+              
+              echo "Weekly maintenance completed successfully"
+            envFrom:
+            - configMapRef:
+                name: erpnext-config
+            env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: erpnext-db-secret
+                  key: password
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: erpnext-redis-secret
+                  key: password
+            volumeMounts:
+            - name: sites-data
+              mountPath: /home/frappe/frappe-bench/sites
+            resources:
+              requests:
+                memory: "256Mi"
+                cpu: "100m"
+                ephemeral-storage: "1Gi"
+              limits:
+                memory: "512Mi"
+                cpu: "250m"
+                ephemeral-storage: "2Gi"
+          volumes:
+          - name: sites-data
+            persistentVolumeClaim:
+              claimName: erpnext-sites-pvc
+          nodeSelector:
+            node-type: worker
+            kubernetes.io/arch: amd64
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/namespace.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/namespace.yaml
new file mode 100644
index 0000000..305ae83
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/namespace.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: erpnext
+  labels:
+    name: erpnext
+    application: erpnext
+    environment: production
+  annotations:
+    description: "ERPNext application namespace for AWS EKS deployment"
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: erpnext-quota
+  namespace: erpnext
+spec:
+  hard:
+    requests.cpu: "10"
+    requests.memory: 20Gi
+    limits.cpu: "20"
+    limits.memory: 40Gi
+    pods: "50"
+    persistentvolumeclaims: "10"
+    services: "10"
+    secrets: "20"
+    configmaps: "10"
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: erpnext-limits
+  namespace: erpnext
+spec:
+  limits:
+  - default:
+      cpu: "1000m"
+      memory: "2Gi"
+    defaultRequest:
+      cpu: "100m"
+      memory: "128Mi"
+    type: Container
+  - max:
+      cpu: "4000m"
+      memory: "8Gi"
+    min:
+      cpu: "50m"
+      memory: "64Mi"
+    type: Container
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: erpnext-network-policy
+  namespace: erpnext
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    - namespaceSelector:
+        matchLabels:
+          name: erpnext
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+  egress:
+  - to: []
+    ports:
+    - protocol: TCP
+      port: 53
+    - protocol: UDP
+      port: 53
+  - to: []
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 80
+  - to: []
+    ports:
+    - protocol: TCP
+      port: 3306  # RDS MySQL
+  - to: []
+    ports:
+    - protocol: TCP
+      port: 6379  # MemoryDB Redis
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/secrets.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/secrets.yaml
new file mode 100644
index 0000000..f0ad8aa
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/secrets.yaml
@@ -0,0 +1,209 @@
+# External Secrets Operator configuration for AWS Secrets Manager integration
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: aws-secretstore
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: secrets
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: us-east-1
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: erpnext-sa
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-db-secret
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: database
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-db-secret
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      metadata:
+        labels:
+          app: erpnext
+          component: database
+      data:
+        password: "{{ .password }}"
+        # Additional database connection string templates
+        mysql-uri: "mysql://admin:{{ .password }}@${DB_HOST}:3306/erpnext"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/database/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-redis-secret
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: cache
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-redis-secret
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      metadata:
+        labels:
+          app: erpnext
+          component: cache
+      data:
+        password: "{{ .password }}"
+        # Redis connection strings with auth
+        redis-cache-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/0"
+        redis-queue-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/1"
+        redis-socketio-url: "redis://:{{ .password }}@${REDIS_HOST}:6379/2"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/redis/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-admin-secret
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: admin
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-admin-secret
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      metadata:
+        labels:
+          app: erpnext
+          component: admin
+      data:
+        password: "{{ .password }}"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: erpnext/admin/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-api-secret
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: api
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-api-secret
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      metadata:
+        labels:
+          app: erpnext
+          component: api
+      data:
+        api-key: "{{ .api_key }}"
+        api-secret: "{{ .api_secret }}"
+  data:
+    - secretKey: api_key
+      remoteRef:
+        key: erpnext/api/credentials
+        property: api_key
+    - secretKey: api_secret
+      remoteRef:
+        key: erpnext/api/credentials
+        property: api_secret
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-ssl-certs
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: ssl
+spec:
+  refreshInterval: 24h
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-ssl-certs
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/tls
+      metadata:
+        labels:
+          app: erpnext
+          component: ssl
+      data:
+        tls.crt: "{{ .certificate }}"
+        tls.key: "{{ .private_key }}"
+        ca.crt: "{{ .ca_certificate }}"
+  data:
+    - secretKey: certificate
+      remoteRef:
+        key: erpnext/ssl/certificate
+    - secretKey: private_key
+      remoteRef:
+        key: erpnext/ssl/private_key
+    - secretKey: ca_certificate
+      remoteRef:
+        key: erpnext/ssl/ca_certificate
+---
+# Service Account with IRSA (IAM Roles for Service Accounts) annotations
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: erpnext-sa
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: serviceaccount
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/eksctl-erpnext-cluster-addon-iamserviceaccount-erpnext-erpnext-sa-Role1-${ROLE_SUFFIX}
+automountServiceAccountToken: true
+---
+# Additional service account for external secrets operator
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets-sa
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: external-secrets
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/eksctl-erpnext-cluster-addon-iamserviceaccount-external-secrets-external-secrets-operator-Role1-${ROLE_SUFFIX}
+automountServiceAccountToken: true
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/kubernetes-manifests/storage.yaml b/documentation/deployment-guides/aws-managed/kubernetes-manifests/storage.yaml
new file mode 100644
index 0000000..3e4416e
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/kubernetes-manifests/storage.yaml
@@ -0,0 +1,101 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: efs-sc
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "false"
+provisioner: efs.csi.aws.com
+parameters:
+  provisioningMode: efs-ap
+  fileSystemId: ${EFS_ID}  # Replace with actual EFS ID
+  directoryPerms: "700"
+  gidRangeStart: "1000"
+  gidRangeEnd: "2000"
+  basePath: "/dynamic_provisioning"
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ebs-gp3
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: ebs.csi.aws.com
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  type: gp3
+  iops: "3000"
+  throughput: "125"
+  encrypted: "true"
+  fsType: ext4
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: erpnext-sites-pv
+  labels:
+    app: erpnext
+    component: storage
+spec:
+  capacity:
+    storage: 100Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: efs-sc
+  csi:
+    driver: efs.csi.aws.com
+    volumeHandle: ${EFS_ID}  # Replace with actual EFS ID
+    volumeAttributes:
+      path: "/"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-sites-pvc
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: storage
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: efs-sc
+  resources:
+    requests:
+      storage: 50Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-backups-pvc
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: backups
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ebs-gp3
+  resources:
+    requests:
+      storage: 100Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-logs-pvc
+  namespace: erpnext
+  labels:
+    app: erpnext
+    component: logs
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ebs-gp3
+  resources:
+    requests:
+      storage: 20Gi
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/scripts/deploy-ecs.sh b/documentation/deployment-guides/aws-managed/scripts/deploy-ecs.sh
new file mode 100755
index 0000000..fd97610
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/scripts/deploy-ecs.sh
@@ -0,0 +1,1182 @@
+#!/bin/bash
+
+# ERPNext ECS Deployment Script for AWS Managed Services
+# This script automates the deployment of ERPNext on Amazon ECS with RDS and MemoryDB
+
+set -e
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Default configuration
+AWS_REGION=${AWS_REGION:-us-east-1}
+AWS_PROFILE=${AWS_PROFILE:-default}
+CLUSTER_NAME=${CLUSTER_NAME:-erpnext-cluster}
+PROJECT_NAME=${PROJECT_NAME:-erpnext}
+DOMAIN_NAME=${DOMAIN_NAME:-erpnext.yourdomain.com}
+ENVIRONMENT=${ENVIRONMENT:-production}
+
+# Infrastructure settings
+DB_INSTANCE_CLASS=${DB_INSTANCE_CLASS:-db.t3.medium}
+REDIS_NODE_TYPE=${REDIS_NODE_TYPE:-db.t4g.small}
+ECS_TASK_CPU=${ECS_TASK_CPU:-1024}
+ECS_TASK_MEMORY=${ECS_TASK_MEMORY:-2048}
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+print_header() {
+    echo -e "${BLUE}[DEPLOY]${NC} $1"
+}
+
+# Function to check prerequisites
+check_prerequisites() {
+    print_header "Checking prerequisites..."
+    
+    # Check AWS CLI
+    if ! command -v aws &> /dev/null; then
+        print_error "AWS CLI is not installed. Please install it first."
+        exit 1
+    fi
+    
+    # Check jq
+    if ! command -v jq &> /dev/null; then
+        print_error "jq is not installed. Please install it first."
+        exit 1
+    fi
+    
+    # Check AWS credentials
+    if ! aws sts get-caller-identity --profile $AWS_PROFILE &> /dev/null; then
+        print_error "AWS credentials not configured properly."
+        exit 1
+    fi
+    
+    # Get Account ID
+    ACCOUNT_ID=$(aws sts get-caller-identity --profile $AWS_PROFILE --query Account --output text)
+    print_status "AWS Account ID: $ACCOUNT_ID"
+    print_status "AWS Region: $AWS_REGION"
+    print_status "AWS Profile: $AWS_PROFILE"
+}
+
+# Function to check if VPC exists
+check_vpc() {
+    print_header "Checking VPC configuration..."
+    
+    VPC_ID=$(aws ec2 describe-vpcs \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-vpc" \
+        --query "Vpcs[0].VpcId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "None")
+    
+    if [ "$VPC_ID" = "None" ] || [ -z "$VPC_ID" ]; then
+        print_error "VPC not found. Please run the prerequisites setup first."
+        exit 1
+    fi
+    
+    print_status "Found VPC: $VPC_ID"
+    
+    # Get subnet IDs
+    PRIVATE_SUBNET_1A=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-private-subnet-1a" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PRIVATE_SUBNET_1B=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-private-subnet-1b" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PUBLIC_SUBNET_1A=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-public-subnet-1a" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PUBLIC_SUBNET_1B=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-public-subnet-1b" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    print_status "Private Subnets: $PRIVATE_SUBNET_1A, $PRIVATE_SUBNET_1B"
+    print_status "Public Subnets: $PUBLIC_SUBNET_1A, $PUBLIC_SUBNET_1B"
+}
+
+# Function to get security group IDs
+get_security_groups() {
+    print_header "Getting security group IDs..."
+    
+    ALB_SG=$(aws ec2 describe-security-groups \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-alb-sg" \
+        --query "SecurityGroups[0].GroupId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    APP_SG=$(aws ec2 describe-security-groups \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-app-sg" \
+        --query "SecurityGroups[0].GroupId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    print_status "ALB Security Group: $ALB_SG"
+    print_status "Application Security Group: $APP_SG"
+}
+
+# Function to get database endpoints
+get_database_endpoints() {
+    print_header "Getting database endpoints..."
+    
+    # Get RDS endpoint
+    DB_HOST=$(aws rds describe-db-instances \
+        --db-instance-identifier ${PROJECT_NAME}-db \
+        --query "DBInstances[0].Endpoint.Address" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$DB_HOST" ]; then
+        print_error "RDS instance not found. Please create it first."
+        exit 1
+    fi
+    
+    # Get Redis endpoint
+    REDIS_HOST=$(aws memorydb describe-clusters \
+        --cluster-name ${PROJECT_NAME}-redis \
+        --query "Clusters[0].ClusterEndpoint.Address" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$REDIS_HOST" ]; then
+        print_error "MemoryDB cluster not found. Please create it first."
+        exit 1
+    fi
+    
+    print_status "Database Host: $DB_HOST"
+    print_status "Redis Host: $REDIS_HOST"
+}
+
+# Function to create EFS file system
+create_efs() {
+    print_header "Creating EFS file system..."
+    
+    # Check if EFS already exists
+    EFS_ID=$(aws efs describe-file-systems \
+        --query "FileSystems[?Tags[?Key=='Name' && Value=='${PROJECT_NAME}-sites-efs']].FileSystemId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$EFS_ID" ]; then
+        print_status "Creating EFS file system..."
+        EFS_ID=$(aws efs create-file-system \
+            --creation-token ${PROJECT_NAME}-sites-$(date +%s) \
+            --performance-mode generalPurpose \
+            --throughput-mode provisioned \
+            --provisioned-throughput-in-mibps 100 \
+            --encrypted \
+            --tags Key=Name,Value=${PROJECT_NAME}-sites-efs Key=Application,Value=ERPNext \
+            --query "FileSystemId" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+        
+        print_status "Created EFS: $EFS_ID"
+        
+        # Wait for EFS to be available
+        print_status "Waiting for EFS to be available..."
+        aws efs wait file-system-available --file-system-id $EFS_ID --region $AWS_REGION --profile $AWS_PROFILE
+        
+        # Create mount targets
+        print_status "Creating EFS mount targets..."
+        aws efs create-mount-target \
+            --file-system-id $EFS_ID \
+            --subnet-id $PRIVATE_SUBNET_1A \
+            --security-groups $APP_SG \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE
+        
+        aws efs create-mount-target \
+            --file-system-id $EFS_ID \
+            --subnet-id $PRIVATE_SUBNET_1B \
+            --security-groups $APP_SG \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE
+        
+        # Create access point
+        ACCESS_POINT_ID=$(aws efs create-access-point \
+            --file-system-id $EFS_ID \
+            --posix-user Uid=1000,Gid=1000 \
+            --root-directory Path="/sites",CreationInfo='{OwnerUid=1000,OwnerGid=1000,Permissions=755}' \
+            --tags Key=Name,Value=${PROJECT_NAME}-sites-access-point \
+            --query "AccessPointId" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+        
+        print_status "Created EFS Access Point: $ACCESS_POINT_ID"
+    else
+        print_status "Using existing EFS: $EFS_ID"
+        
+        # Get access point ID
+        ACCESS_POINT_ID=$(aws efs describe-access-points \
+            --file-system-id $EFS_ID \
+            --query "AccessPoints[?Tags[?Key=='Name' && Value=='${PROJECT_NAME}-sites-access-point']].AccessPointId" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+    fi
+}
+
+# Function to create ECS cluster
+create_ecs_cluster() {
+    print_header "Creating ECS cluster..."
+    
+    # Check if cluster exists
+    CLUSTER_EXISTS=$(aws ecs describe-clusters \
+        --clusters $CLUSTER_NAME \
+        --query "clusters[0].status" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ "$CLUSTER_EXISTS" != "ACTIVE" ]; then
+        print_status "Creating ECS cluster: $CLUSTER_NAME"
+        aws ecs create-cluster \
+            --cluster-name $CLUSTER_NAME \
+            --capacity-providers FARGATE FARGATE_SPOT \
+            --default-capacity-provider-strategy capacityProvider=FARGATE,weight=1 \
+            --settings name=containerInsights,value=enabled \
+            --tags key=Name,value=$CLUSTER_NAME key=Application,value=ERPNext \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE
+    else
+        print_status "Using existing ECS cluster: $CLUSTER_NAME"
+    fi
+}
+
+# Function to create ALB
+create_alb() {
+    print_header "Creating Application Load Balancer..."
+    
+    # Check if ALB exists
+    ALB_ARN=$(aws elbv2 describe-load-balancers \
+        --names ${PROJECT_NAME}-alb \
+        --query "LoadBalancers[0].LoadBalancerArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$ALB_ARN" ] || [ "$ALB_ARN" = "None" ]; then
+        print_status "Creating Application Load Balancer..."
+        ALB_ARN=$(aws elbv2 create-load-balancer \
+            --name ${PROJECT_NAME}-alb \
+            --subnets $PUBLIC_SUBNET_1A $PUBLIC_SUBNET_1B \
+            --security-groups $ALB_SG \
+            --scheme internet-facing \
+            --type application \
+            --ip-address-type ipv4 \
+            --tags Key=Name,Value=${PROJECT_NAME}-alb Key=Application,Value=ERPNext \
+            --query "LoadBalancers[0].LoadBalancerArn" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+        
+        print_status "Created ALB: $ALB_ARN"
+        
+        # Wait for ALB to be active
+        print_status "Waiting for ALB to be active..."
+        aws elbv2 wait load-balancer-available --load-balancer-arns $ALB_ARN --region $AWS_REGION --profile $AWS_PROFILE
+    else
+        print_status "Using existing ALB: $ALB_ARN"
+    fi
+    
+    # Create target groups
+    create_target_groups
+    
+    # Create listeners
+    create_listeners
+}
+
+# Function to create target groups
+create_target_groups() {
+    print_header "Creating target groups..."
+    
+    # Frontend target group
+    FRONTEND_TG_ARN=$(aws elbv2 create-target-group \
+        --name ${PROJECT_NAME}-frontend-tg \
+        --protocol HTTP \
+        --port 8080 \
+        --vpc-id $VPC_ID \
+        --target-type ip \
+        --health-check-path /health \
+        --health-check-interval-seconds 30 \
+        --health-check-timeout-seconds 5 \
+        --healthy-threshold-count 2 \
+        --unhealthy-threshold-count 5 \
+        --tags Key=Name,Value=${PROJECT_NAME}-frontend-tg \
+        --query "TargetGroups[0].TargetGroupArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || \
+        aws elbv2 describe-target-groups \
+            --names ${PROJECT_NAME}-frontend-tg \
+            --query "TargetGroups[0].TargetGroupArn" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+    
+    # Backend target group
+    BACKEND_TG_ARN=$(aws elbv2 create-target-group \
+        --name ${PROJECT_NAME}-backend-tg \
+        --protocol HTTP \
+        --port 8000 \
+        --vpc-id $VPC_ID \
+        --target-type ip \
+        --health-check-path /api/method/ping \
+        --health-check-interval-seconds 30 \
+        --health-check-timeout-seconds 5 \
+        --healthy-threshold-count 2 \
+        --unhealthy-threshold-count 5 \
+        --tags Key=Name,Value=${PROJECT_NAME}-backend-tg \
+        --query "TargetGroups[0].TargetGroupArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || \
+        aws elbv2 describe-target-groups \
+            --names ${PROJECT_NAME}-backend-tg \
+            --query "TargetGroups[0].TargetGroupArn" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+    
+    # Socket.IO target group
+    SOCKETIO_TG_ARN=$(aws elbv2 create-target-group \
+        --name ${PROJECT_NAME}-socketio-tg \
+        --protocol HTTP \
+        --port 9000 \
+        --vpc-id $VPC_ID \
+        --target-type ip \
+        --health-check-path /socket.io/ \
+        --health-check-interval-seconds 30 \
+        --health-check-timeout-seconds 5 \
+        --healthy-threshold-count 2 \
+        --unhealthy-threshold-count 5 \
+        --tags Key=Name,Value=${PROJECT_NAME}-socketio-tg \
+        --query "TargetGroups[0].TargetGroupArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || \
+        aws elbv2 describe-target-groups \
+            --names ${PROJECT_NAME}-socketio-tg \
+            --query "TargetGroups[0].TargetGroupArn" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+    
+    print_status "Target Groups created:"
+    print_status "  Frontend: $FRONTEND_TG_ARN"
+    print_status "  Backend: $BACKEND_TG_ARN"
+    print_status "  Socket.IO: $SOCKETIO_TG_ARN"
+}
+
+# Function to create listeners
+create_listeners() {
+    print_header "Creating ALB listeners..."
+    
+    # HTTP listener (redirects to HTTPS)
+    LISTENER_ARN=$(aws elbv2 create-listener \
+        --load-balancer-arn $ALB_ARN \
+        --protocol HTTP \
+        --port 80 \
+        --default-actions Type=forward,TargetGroupArn=$FRONTEND_TG_ARN \
+        --tags Key=Name,Value=${PROJECT_NAME}-alb-listener-80 \
+        --query "Listeners[0].ListenerArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || \
+        aws elbv2 describe-listeners \
+            --load-balancer-arn $ALB_ARN \
+            --query "Listeners[?Port==\`80\`].ListenerArn" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+    
+    # Create listener rules
+    create_listener_rules $LISTENER_ARN
+}
+
+# Function to create listener rules
+create_listener_rules() {
+    local listener_arn=$1
+    
+    print_header "Creating listener rules..."
+    
+    # Rule for Socket.IO traffic
+    aws elbv2 create-rule \
+        --listener-arn $listener_arn \
+        --priority 100 \
+        --conditions Field=path-pattern,Values="/socket.io/*" \
+        --actions Type=forward,TargetGroupArn=$SOCKETIO_TG_ARN \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || true
+    
+    # Rule for API traffic
+    aws elbv2 create-rule \
+        --listener-arn $listener_arn \
+        --priority 200 \
+        --conditions Field=path-pattern,Values="/api/*" \
+        --actions Type=forward,TargetGroupArn=$BACKEND_TG_ARN \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || true
+}
+
+# Function to register task definitions
+register_task_definitions() {
+    print_header "Registering ECS task definitions..."
+    
+    # Create backend task definition
+    create_backend_task_definition
+    
+    # Create frontend task definition
+    create_frontend_task_definition
+    
+    # Create worker task definition
+    create_worker_task_definition
+    
+    # Create scheduler task definition
+    create_scheduler_task_definition
+}
+
+# Function to create backend task definition
+create_backend_task_definition() {
+    print_status "Creating backend task definition..."
+    
+    cat > /tmp/erpnext-backend-task.json <<EOF
+{
+    "family": "${PROJECT_NAME}-backend",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "$ECS_TASK_CPU",
+    "memory": "$ECS_TASK_MEMORY",
+    "executionRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "${PROJECT_NAME}-backend",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "portMappings": [
+                {
+                    "containerPort": 8000,
+                    "protocol": "tcp"
+                },
+                {
+                    "containerPort": 9000,
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                {
+                    "name": "APP_VERSION",
+                    "value": "v14"
+                },
+                {
+                    "name": "APP_URL",
+                    "value": "$DOMAIN_NAME"
+                },
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "${PROJECT_NAME}-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/${PROJECT_NAME}-backend",
+                    "awslogs-region": "$AWS_REGION",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            },
+            "healthCheck": {
+                "command": [
+                    "CMD-SHELL",
+                    "curl -f http://localhost:8000/api/method/ping || exit 1"
+                ],
+                "interval": 30,
+                "timeout": 5,
+                "retries": 3,
+                "startPeriod": 60
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "${PROJECT_NAME}-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+    aws ecs register-task-definition \
+        --cli-input-json file:///tmp/erpnext-backend-task.json \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    print_status "Backend task definition registered"
+}
+
+# Function to create frontend task definition
+create_frontend_task_definition() {
+    print_status "Creating frontend task definition..."
+    
+    cat > /tmp/erpnext-frontend-task.json <<EOF
+{
+    "family": "${PROJECT_NAME}-frontend",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "512",
+    "memory": "1024",
+    "executionRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "${PROJECT_NAME}-frontend",
+            "image": "frappe/erpnext-nginx:v14",
+            "essential": true,
+            "portMappings": [
+                {
+                    "containerPort": 8080,
+                    "protocol": "tcp"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "${PROJECT_NAME}-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites",
+                    "readOnly": true
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/${PROJECT_NAME}-frontend",
+                    "awslogs-region": "$AWS_REGION",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            },
+            "healthCheck": {
+                "command": [
+                    "CMD-SHELL",
+                    "curl -f http://localhost:8080/health || exit 1"
+                ],
+                "interval": 30,
+                "timeout": 5,
+                "retries": 3,
+                "startPeriod": 30
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "${PROJECT_NAME}-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+    aws ecs register-task-definition \
+        --cli-input-json file:///tmp/erpnext-frontend-task.json \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    print_status "Frontend task definition registered"
+}
+
+# Function to create worker task definition
+create_worker_task_definition() {
+    print_status "Creating worker task definition..."
+    
+    cat > /tmp/erpnext-worker-task.json <<EOF
+{
+    "family": "${PROJECT_NAME}-worker",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "512",
+    "memory": "1024",
+    "executionRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "${PROJECT_NAME}-worker-default",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": ["bench", "worker", "--queue", "default"],
+            "environment": [
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "${PROJECT_NAME}-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/${PROJECT_NAME}-worker",
+                    "awslogs-region": "$AWS_REGION",
+                    "awslogs-stream-prefix": "ecs"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "${PROJECT_NAME}-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+    aws ecs register-task-definition \
+        --cli-input-json file:///tmp/erpnext-worker-task.json \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    print_status "Worker task definition registered"
+}
+
+# Function to create scheduler task definition
+create_scheduler_task_definition() {
+    print_status "Creating scheduler task definition..."
+    
+    cat > /tmp/erpnext-scheduler-task.json <<EOF
+{
+    "family": "${PROJECT_NAME}-scheduler",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "256",
+    "memory": "512",
+    "executionRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "${PROJECT_NAME}-scheduler",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": ["bench", "schedule"],
+            "environment": [
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/database/password"
+                },
+                {
+                    "name": "REDIS_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/redis/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "${PROJECT_NAME}-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/${PROJECT_NAME}-worker",
+                    "awslogs-region": "$AWS_REGION",
+                    "awslogs-stream-prefix": "scheduler"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "${PROJECT_NAME}-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+    aws ecs register-task-definition \
+        --cli-input-json file:///tmp/erpnext-scheduler-task.json \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    print_status "Scheduler task definition registered"
+}
+
+# Function to create ECS services
+create_ecs_services() {
+    print_header "Creating ECS services..."
+    
+    # Create backend service
+    print_status "Creating backend service..."
+    aws ecs create-service \
+        --cluster $CLUSTER_NAME \
+        --service-name ${PROJECT_NAME}-backend \
+        --task-definition ${PROJECT_NAME}-backend:1 \
+        --desired-count 2 \
+        --launch-type FARGATE \
+        --platform-version LATEST \
+        --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+        --load-balancers targetGroupArn=$BACKEND_TG_ARN,containerName=${PROJECT_NAME}-backend,containerPort=8000 targetGroupArn=$SOCKETIO_TG_ARN,containerName=${PROJECT_NAME}-backend,containerPort=9000 \
+        --health-check-grace-period-seconds 60 \
+        --tags key=Name,value=${PROJECT_NAME}-backend key=Application,value=ERPNext \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    # Create frontend service
+    print_status "Creating frontend service..."
+    aws ecs create-service \
+        --cluster $CLUSTER_NAME \
+        --service-name ${PROJECT_NAME}-frontend \
+        --task-definition ${PROJECT_NAME}-frontend:1 \
+        --desired-count 2 \
+        --launch-type FARGATE \
+        --platform-version LATEST \
+        --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+        --load-balancers targetGroupArn=$FRONTEND_TG_ARN,containerName=${PROJECT_NAME}-frontend,containerPort=8080 \
+        --health-check-grace-period-seconds 30 \
+        --tags key=Name,value=${PROJECT_NAME}-frontend key=Application,value=ERPNext \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    # Create worker service
+    print_status "Creating worker service..."
+    aws ecs create-service \
+        --cluster $CLUSTER_NAME \
+        --service-name ${PROJECT_NAME}-worker \
+        --task-definition ${PROJECT_NAME}-worker:1 \
+        --desired-count 2 \
+        --launch-type FARGATE \
+        --platform-version LATEST \
+        --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+        --tags key=Name,value=${PROJECT_NAME}-worker key=Application,value=ERPNext \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    # Create scheduler service
+    print_status "Creating scheduler service..."
+    aws ecs create-service \
+        --cluster $CLUSTER_NAME \
+        --service-name ${PROJECT_NAME}-scheduler \
+        --task-definition ${PROJECT_NAME}-scheduler:1 \
+        --desired-count 1 \
+        --launch-type FARGATE \
+        --platform-version LATEST \
+        --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A,$PRIVATE_SUBNET_1B],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+        --tags key=Name,value=${PROJECT_NAME}-scheduler key=Application,value=ERPNext \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+}
+
+# Function to create site
+create_site() {
+    print_header "Creating ERPNext site..."
+    
+    print_status "Running site creation task..."
+    
+    # Create site task definition (temporary)
+    cat > /tmp/erpnext-create-site-task.json <<EOF
+{
+    "family": "${PROJECT_NAME}-create-site",
+    "networkMode": "awsvpc",
+    "requiresCompatibilities": ["FARGATE"],
+    "cpu": "1024",
+    "memory": "2048",
+    "executionRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSExecutionRole",
+    "taskRoleArn": "arn:aws:iam::$ACCOUNT_ID:role/ERPNextECSTaskRole",
+    "containerDefinitions": [
+        {
+            "name": "create-site",
+            "image": "frappe/erpnext-worker:v14",
+            "essential": true,
+            "command": [
+                "bash",
+                "-c",
+                "set -e; echo 'Starting ERPNext site creation...'; if [ -d '/home/frappe/frappe-bench/sites/frontend' ]; then echo 'Site already exists. Skipping creation.'; exit 0; fi; bench new-site frontend --admin-password \\$ADMIN_PASSWORD --mariadb-root-password \\$DB_PASSWORD --install-app erpnext --set-default; echo 'Site creation completed successfully!'"
+            ],
+            "environment": [
+                {
+                    "name": "DB_HOST",
+                    "value": "$DB_HOST"
+                },
+                {
+                    "name": "DB_PORT",
+                    "value": "3306"
+                },
+                {
+                    "name": "DB_NAME",
+                    "value": "erpnext"
+                },
+                {
+                    "name": "DB_USER",
+                    "value": "admin"
+                },
+                {
+                    "name": "REDIS_CACHE_URL",
+                    "value": "redis://$REDIS_HOST:6379/0"
+                },
+                {
+                    "name": "REDIS_QUEUE_URL",
+                    "value": "redis://$REDIS_HOST:6379/1"
+                },
+                {
+                    "name": "REDIS_SOCKETIO_URL",
+                    "value": "redis://$REDIS_HOST:6379/2"
+                }
+            ],
+            "secrets": [
+                {
+                    "name": "DB_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/database/password"
+                },
+                {
+                    "name": "ADMIN_PASSWORD",
+                    "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:$ACCOUNT_ID:secret:${PROJECT_NAME}/admin/password"
+                }
+            ],
+            "mountPoints": [
+                {
+                    "sourceVolume": "${PROJECT_NAME}-sites",
+                    "containerPath": "/home/frappe/frappe-bench/sites"
+                }
+            ],
+            "logConfiguration": {
+                "logDriver": "awslogs",
+                "options": {
+                    "awslogs-group": "/aws/ecs/${PROJECT_NAME}-backend",
+                    "awslogs-region": "$AWS_REGION",
+                    "awslogs-stream-prefix": "create-site"
+                }
+            }
+        }
+    ],
+    "volumes": [
+        {
+            "name": "${PROJECT_NAME}-sites",
+            "efsVolumeConfiguration": {
+                "fileSystemId": "$EFS_ID",
+                "transitEncryption": "ENABLED",
+                "accessPointId": "$ACCESS_POINT_ID"
+            }
+        }
+    ]
+}
+EOF
+
+    # Register task definition
+    aws ecs register-task-definition \
+        --cli-input-json file:///tmp/erpnext-create-site-task.json \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE > /dev/null
+    
+    # Run the task
+    TASK_ARN=$(aws ecs run-task \
+        --cluster $CLUSTER_NAME \
+        --task-definition ${PROJECT_NAME}-create-site:1 \
+        --launch-type FARGATE \
+        --platform-version LATEST \
+        --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET_1A],securityGroups=[$APP_SG],assignPublicIp=DISABLED}" \
+        --query "tasks[0].taskArn" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    print_status "Site creation task started: $TASK_ARN"
+    print_status "Waiting for site creation to complete..."
+    
+    # Wait for task to complete
+    aws ecs wait tasks-stopped \
+        --cluster $CLUSTER_NAME \
+        --tasks $TASK_ARN \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE
+    
+    # Check task exit code
+    EXIT_CODE=$(aws ecs describe-tasks \
+        --cluster $CLUSTER_NAME \
+        --tasks $TASK_ARN \
+        --query "tasks[0].containers[0].exitCode" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    if [ "$EXIT_CODE" = "0" ]; then
+        print_status "Site creation completed successfully!"
+    else
+        print_error "Site creation failed with exit code: $EXIT_CODE"
+        print_error "Check the logs for more details:"
+        print_error "aws logs get-log-events --log-group-name /aws/ecs/${PROJECT_NAME}-backend --log-stream-name ecs/create-site/$(echo $TASK_ARN | cut -d'/' -f3) --region $AWS_REGION"
+        exit 1
+    fi
+}
+
+# Function to display deployment summary
+display_summary() {
+    print_header "Deployment Summary"
+    
+    # Get ALB DNS name
+    ALB_DNS=$(aws elbv2 describe-load-balancers \
+        --names ${PROJECT_NAME}-alb \
+        --query "LoadBalancers[0].DNSName" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    echo ""
+    print_status "ERPNext ECS deployment completed successfully!"
+    echo ""
+    print_status "Access Information:"
+    print_status "  Application URL: http://$ALB_DNS"
+    print_status "  Domain: $DOMAIN_NAME (configure DNS to point to $ALB_DNS)"
+    print_status "  Admin Username: Administrator"
+    print_status "  Admin Password: Check AWS Secrets Manager (${PROJECT_NAME}/admin/password)"
+    echo ""
+    print_status "AWS Resources Created:"
+    print_status "  ECS Cluster: $CLUSTER_NAME"
+    print_status "  Load Balancer: ${PROJECT_NAME}-alb"
+    print_status "  EFS File System: $EFS_ID"
+    print_status "  VPC: $VPC_ID"
+    echo ""
+    print_status "Next Steps:"
+    print_status "  1. Configure DNS to point $DOMAIN_NAME to $ALB_DNS"
+    print_status "  2. Set up SSL certificate in ACM and update ALB listener"
+    print_status "  3. Configure monitoring and alerts"
+    print_status "  4. Set up backup procedures"
+    echo ""
+    print_warning "Note: This deployment uses HTTP only. Configure HTTPS for production use."
+}
+
+# Function to clean up temporary files
+cleanup() {
+    print_status "Cleaning up temporary files..."
+    rm -f /tmp/erpnext-*-task.json
+}
+
+# Main execution function
+main() {
+    print_header "Starting ERPNext ECS Deployment"
+    
+    # Parse command line arguments
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            --region)
+                AWS_REGION="$2"
+                shift 2
+                ;;
+            --profile)
+                AWS_PROFILE="$2"
+                shift 2
+                ;;
+            --cluster-name)
+                CLUSTER_NAME="$2"
+                shift 2
+                ;;
+            --project-name)
+                PROJECT_NAME="$2"
+                shift 2
+                ;;
+            --domain)
+                DOMAIN_NAME="$2"
+                shift 2
+                ;;
+            --help)
+                echo "Usage: $0 [OPTIONS]"
+                echo ""
+                echo "Options:"
+                echo "  --region REGION        AWS region (default: us-east-1)"
+                echo "  --profile PROFILE      AWS profile (default: default)"
+                echo "  --cluster-name NAME    ECS cluster name (default: erpnext-cluster)"
+                echo "  --project-name NAME    Project name prefix (default: erpnext)"
+                echo "  --domain DOMAIN        Domain name (default: erpnext.yourdomain.com)"
+                echo "  --help                 Show this help message"
+                exit 0
+                ;;
+            *)
+                print_error "Unknown option: $1"
+                exit 1
+                ;;
+        esac
+    done
+    
+    # Execute deployment steps
+    check_prerequisites
+    check_vpc
+    get_security_groups
+    get_database_endpoints
+    create_efs
+    create_ecs_cluster
+    create_alb
+    register_task_definitions
+    create_ecs_services
+    
+    # Wait for services to stabilize
+    print_header "Waiting for services to stabilize..."
+    sleep 60
+    
+    create_site
+    display_summary
+    cleanup
+    
+    print_header "Deployment completed successfully!"
+}
+
+# Set trap to cleanup on exit
+trap cleanup EXIT
+
+# Execute main function with all arguments
+main "$@"
\ No newline at end of file
diff --git a/documentation/deployment-guides/aws-managed/scripts/deploy-eks.sh b/documentation/deployment-guides/aws-managed/scripts/deploy-eks.sh
new file mode 100755
index 0000000..46a41e1
--- /dev/null
+++ b/documentation/deployment-guides/aws-managed/scripts/deploy-eks.sh
@@ -0,0 +1,1278 @@
+#!/bin/bash
+
+# ERPNext EKS Deployment Script for AWS Managed Services
+# This script automates the deployment of ERPNext on Amazon EKS with RDS and MemoryDB
+
+set -e
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Default configuration
+AWS_REGION=${AWS_REGION:-us-east-1}
+AWS_PROFILE=${AWS_PROFILE:-default}
+CLUSTER_NAME=${CLUSTER_NAME:-erpnext-cluster}
+PROJECT_NAME=${PROJECT_NAME:-erpnext}
+DOMAIN_NAME=${DOMAIN_NAME:-erpnext.yourdomain.com}
+ENVIRONMENT=${ENVIRONMENT:-production}
+
+# EKS configuration
+KUBERNETES_VERSION=${KUBERNETES_VERSION:-1.28}
+NODE_INSTANCE_TYPE=${NODE_INSTANCE_TYPE:-t3.medium}
+NODE_GROUP_MIN_SIZE=${NODE_GROUP_MIN_SIZE:-2}
+NODE_GROUP_MAX_SIZE=${NODE_GROUP_MAX_SIZE:-10}
+NODE_GROUP_DESIRED_SIZE=${NODE_GROUP_DESIRED_SIZE:-3}
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+print_header() {
+    echo -e "${BLUE}[DEPLOY]${NC} $1"
+}
+
+# Function to check prerequisites
+check_prerequisites() {
+    print_header "Checking prerequisites..."
+    
+    # Check required tools
+    local required_tools=("aws" "kubectl" "eksctl" "helm" "jq")
+    for tool in "${required_tools[@]}"; do
+        if ! command -v $tool &> /dev/null; then
+            print_error "$tool is not installed. Please install it first."
+            exit 1
+        fi
+    done
+    
+    # Check AWS credentials
+    if ! aws sts get-caller-identity --profile $AWS_PROFILE &> /dev/null; then
+        print_error "AWS credentials not configured properly."
+        exit 1
+    fi
+    
+    # Get Account ID
+    ACCOUNT_ID=$(aws sts get-caller-identity --profile $AWS_PROFILE --query Account --output text)
+    print_status "AWS Account ID: $ACCOUNT_ID"
+    print_status "AWS Region: $AWS_REGION"
+    print_status "AWS Profile: $AWS_PROFILE"
+}
+
+# Function to check if VPC exists
+check_vpc() {
+    print_header "Checking VPC configuration..."
+    
+    VPC_ID=$(aws ec2 describe-vpcs \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-vpc" \
+        --query "Vpcs[0].VpcId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "None")
+    
+    if [ "$VPC_ID" = "None" ] || [ -z "$VPC_ID" ]; then
+        print_error "VPC not found. Please run the prerequisites setup first."
+        exit 1
+    fi
+    
+    print_status "Found VPC: $VPC_ID"
+    
+    # Get subnet IDs
+    PRIVATE_SUBNET_1A=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-private-subnet-1a" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PRIVATE_SUBNET_1B=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-private-subnet-1b" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PUBLIC_SUBNET_1A=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-public-subnet-1a" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    PUBLIC_SUBNET_1B=$(aws ec2 describe-subnets \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-public-subnet-1b" \
+        --query "Subnets[0].SubnetId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    print_status "Private Subnets: $PRIVATE_SUBNET_1A, $PRIVATE_SUBNET_1B"
+    print_status "Public Subnets: $PUBLIC_SUBNET_1A, $PUBLIC_SUBNET_1B"
+}
+
+# Function to get security group IDs
+get_security_groups() {
+    print_header "Getting security group IDs..."
+    
+    APP_SG=$(aws ec2 describe-security-groups \
+        --filters "Name=tag:Name,Values=${PROJECT_NAME}-app-sg" \
+        --query "SecurityGroups[0].GroupId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE)
+    
+    print_status "Application Security Group: $APP_SG"
+}
+
+# Function to get database endpoints
+get_database_endpoints() {
+    print_header "Getting database endpoints..."
+    
+    # Get RDS endpoint
+    DB_HOST=$(aws rds describe-db-instances \
+        --db-instance-identifier ${PROJECT_NAME}-db \
+        --query "DBInstances[0].Endpoint.Address" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$DB_HOST" ]; then
+        print_error "RDS instance not found. Please create it first."
+        exit 1
+    fi
+    
+    # Get Redis endpoint
+    REDIS_HOST=$(aws memorydb describe-clusters \
+        --cluster-name ${PROJECT_NAME}-redis \
+        --query "Clusters[0].ClusterEndpoint.Address" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$REDIS_HOST" ]; then
+        print_error "MemoryDB cluster not found. Please create it first."
+        exit 1
+    fi
+    
+    print_status "Database Host: $DB_HOST"
+    print_status "Redis Host: $REDIS_HOST"
+}
+
+# Function to create EFS file system
+create_efs() {
+    print_header "Creating EFS file system..."
+    
+    # Check if EFS already exists
+    EFS_ID=$(aws efs describe-file-systems \
+        --query "FileSystems[?Tags[?Key=='Name' && Value=='${PROJECT_NAME}-sites-efs']].FileSystemId" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ -z "$EFS_ID" ]; then
+        print_status "Creating EFS file system..."
+        EFS_ID=$(aws efs create-file-system \
+            --creation-token ${PROJECT_NAME}-sites-$(date +%s) \
+            --performance-mode generalPurpose \
+            --throughput-mode provisioned \
+            --provisioned-throughput-in-mibps 100 \
+            --encrypted \
+            --tags Key=Name,Value=${PROJECT_NAME}-sites-efs Key=Application,Value=ERPNext \
+            --query "FileSystemId" \
+            --output text \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE)
+        
+        print_status "Created EFS: $EFS_ID"
+        
+        # Wait for EFS to be available
+        print_status "Waiting for EFS to be available..."
+        aws efs wait file-system-available --file-system-id $EFS_ID --region $AWS_REGION --profile $AWS_PROFILE
+        
+        # Create mount targets
+        print_status "Creating EFS mount targets..."
+        aws efs create-mount-target \
+            --file-system-id $EFS_ID \
+            --subnet-id $PRIVATE_SUBNET_1A \
+            --security-groups $APP_SG \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE
+        
+        aws efs create-mount-target \
+            --file-system-id $EFS_ID \
+            --subnet-id $PRIVATE_SUBNET_1B \
+            --security-groups $APP_SG \
+            --region $AWS_REGION \
+            --profile $AWS_PROFILE
+    else
+        print_status "Using existing EFS: $EFS_ID"
+    fi
+}
+
+# Function to create EKS cluster configuration
+create_cluster_config() {
+    print_header "Creating EKS cluster configuration..."
+    
+    cat > /tmp/erpnext-eks-cluster.yaml <<EOF
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: $CLUSTER_NAME
+  region: $AWS_REGION
+  version: "$KUBERNETES_VERSION"
+
+availabilityZones: ["${AWS_REGION}a", "${AWS_REGION}b"]
+
+vpc:
+  id: $VPC_ID
+  subnets:
+    private:
+      ${AWS_REGION}a:
+        id: $PRIVATE_SUBNET_1A
+      ${AWS_REGION}b:
+        id: $PRIVATE_SUBNET_1B
+    public:
+      ${AWS_REGION}a:
+        id: $PUBLIC_SUBNET_1A
+      ${AWS_REGION}b:
+        id: $PUBLIC_SUBNET_1B
+
+nodeGroups:
+  - name: ${PROJECT_NAME}-workers
+    instanceType: $NODE_INSTANCE_TYPE
+    desiredCapacity: $NODE_GROUP_DESIRED_SIZE
+    minSize: $NODE_GROUP_MIN_SIZE
+    maxSize: $NODE_GROUP_MAX_SIZE
+    volumeSize: 50
+    volumeType: gp3
+    subnets:
+      - $PRIVATE_SUBNET_1A
+      - $PRIVATE_SUBNET_1B
+    privateNetworking: true
+    securityGroups:
+      attachIDs: ["$APP_SG"]
+    ssh:
+      allow: false
+    iam:
+      withAddonPolicies:
+        ebs: true
+        fsx: true
+        efs: true
+        albIngress: true
+        autoScaler: true
+        cloudWatch: true
+        externalDNS: true
+    labels:
+      node-type: worker
+      application: erpnext
+    tags:
+      Name: ${PROJECT_NAME}-worker-node
+      Application: ERPNext
+      Environment: $ENVIRONMENT
+
+cloudWatch:
+  clusterLogging:
+    enableTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+addons:
+  - name: vpc-cni
+    version: latest
+  - name: coredns
+    version: latest
+  - name: kube-proxy
+    version: latest
+  - name: aws-ebs-csi-driver
+    version: latest
+
+iam:
+  withOIDC: true
+  serviceAccounts:
+    - metadata:
+        name: aws-load-balancer-controller
+        namespace: kube-system
+      wellKnownPolicies:
+        awsLoadBalancerController: true
+    - metadata:
+        name: efs-csi-controller-sa
+        namespace: kube-system
+      wellKnownPolicies:
+        efsCSIController: true
+    - metadata:
+        name: external-secrets-operator
+        namespace: external-secrets
+      attachPolicyARNs:
+        - "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+    - metadata:
+        name: erpnext-sa
+        namespace: erpnext
+      attachPolicyARNs:
+        - "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+EOF
+
+    print_status "EKS cluster configuration created"
+}
+
+# Function to create EKS cluster
+create_eks_cluster() {
+    print_header "Creating EKS cluster..."
+    
+    # Check if cluster already exists
+    CLUSTER_STATUS=$(aws eks describe-cluster \
+        --name $CLUSTER_NAME \
+        --query "cluster.status" \
+        --output text \
+        --region $AWS_REGION \
+        --profile $AWS_PROFILE 2>/dev/null || echo "")
+    
+    if [ "$CLUSTER_STATUS" = "ACTIVE" ]; then
+        print_status "EKS cluster already exists and is active"
+    else
+        print_status "Creating EKS cluster (this may take 15-20 minutes)..."
+        eksctl create cluster -f /tmp/erpnext-eks-cluster.yaml --profile $AWS_PROFILE
+        print_status "EKS cluster created successfully"
+    fi
+    
+    # Update kubeconfig
+    print_status "Updating kubeconfig..."
+    aws eks update-kubeconfig \
+        --region $AWS_REGION \
+        --name $CLUSTER_NAME \
+        --profile $AWS_PROFILE
+    
+    # Verify cluster access
+    print_status "Verifying cluster access..."
+    kubectl cluster-info
+    kubectl get nodes
+}
+
+# Function to install required add-ons
+install_addons() {
+    print_header "Installing required add-ons..."
+    
+    # Install AWS Load Balancer Controller
+    install_aws_load_balancer_controller
+    
+    # Install EFS CSI Driver
+    install_efs_csi_driver
+    
+    # Install External Secrets Operator
+    install_external_secrets_operator
+    
+    # Install metrics server
+    install_metrics_server
+}
+
+# Function to install AWS Load Balancer Controller
+install_aws_load_balancer_controller() {
+    print_status "Installing AWS Load Balancer Controller..."
+    
+    # Download IAM policy
+    curl -o /tmp/iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.2/docs/install/iam_policy.json
+    
+    # Create IAM policy (ignore if already exists)
+    aws iam create-policy \
+        --policy-name AWSLoadBalancerControllerIAMPolicy \
+        --policy-document file:///tmp/iam_policy.json \
+        --profile $AWS_PROFILE 2>/dev/null || true
+    
+    # Install using Helm
+    helm repo add eks https://aws.github.io/eks-charts
+    helm repo update
+    
+    helm upgrade --install aws-load-balancer-controller eks/aws-load-balancer-controller \
+        -n kube-system \
+        --set clusterName=$CLUSTER_NAME \
+        --set serviceAccount.create=false \
+        --set serviceAccount.name=aws-load-balancer-controller \
+        --wait
+    
+    print_status "AWS Load Balancer Controller installed"
+}
+
+# Function to install EFS CSI Driver
+install_efs_csi_driver() {
+    print_status "Installing EFS CSI Driver..."
+    
+    helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
+    helm repo update
+    
+    helm upgrade --install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
+        --namespace kube-system \
+        --set controller.serviceAccount.create=false \
+        --set controller.serviceAccount.name=efs-csi-controller-sa \
+        --wait
+    
+    print_status "EFS CSI Driver installed"
+}
+
+# Function to install External Secrets Operator
+install_external_secrets_operator() {
+    print_status "Installing External Secrets Operator..."
+    
+    helm repo add external-secrets https://charts.external-secrets.io
+    helm repo update
+    
+    helm upgrade --install external-secrets external-secrets/external-secrets \
+        --namespace external-secrets \
+        --create-namespace \
+        --set installCRDs=true \
+        --wait
+    
+    print_status "External Secrets Operator installed"
+}
+
+# Function to install metrics server
+install_metrics_server() {
+    print_status "Installing Metrics Server..."
+    
+    kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+    
+    # Wait for metrics server to be ready
+    kubectl wait --for=condition=available --timeout=300s deployment/metrics-server -n kube-system
+    
+    print_status "Metrics Server installed"
+}
+
+# Function to create Kubernetes manifests
+create_kubernetes_manifests() {
+    print_header "Creating Kubernetes manifests..."
+    
+    # Create manifest directory
+    mkdir -p /tmp/k8s-manifests
+    
+    # Create namespace and storage manifests
+    create_namespace_manifest
+    create_storage_manifest
+    create_configmap_manifest
+    create_secrets_manifest
+    create_backend_manifest
+    create_frontend_manifest
+    create_workers_manifest
+    create_ingress_manifest
+    create_jobs_manifest
+}
+
+# Function to create namespace manifest
+create_namespace_manifest() {
+    cat > /tmp/k8s-manifests/namespace.yaml <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: erpnext
+  labels:
+    name: erpnext
+    application: erpnext
+    environment: $ENVIRONMENT
+EOF
+}
+
+# Function to create storage manifest
+create_storage_manifest() {
+    cat > /tmp/k8s-manifests/storage.yaml <<EOF
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: efs-sc
+provisioner: efs.csi.aws.com
+parameters:
+  provisioningMode: efs-ap
+  fileSystemId: $EFS_ID
+  directoryPerms: "700"
+  gidRangeStart: "1000"
+  gidRangeEnd: "2000"
+  basePath: "/dynamic_provisioning"
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ebs-gp3
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: ebs.csi.aws.com
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  type: gp3
+  iops: "3000"
+  throughput: "125"
+  encrypted: "true"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-sites-pvc
+  namespace: erpnext
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: efs-sc
+  resources:
+    requests:
+      storage: 50Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: erpnext-backups-pvc
+  namespace: erpnext
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ebs-gp3
+  resources:
+    requests:
+      storage: 100Gi
+EOF
+}
+
+# Function to create configmap manifest
+create_configmap_manifest() {
+    cat > /tmp/k8s-manifests/configmap.yaml <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: erpnext-config
+  namespace: erpnext
+data:
+  APP_VERSION: "v14"
+  APP_URL: "$DOMAIN_NAME"
+  APP_USER: "Administrator"
+  APP_DB_PARAM: "db"
+  DEVELOPER_MODE: "0"
+  ENABLE_SCHEDULER: "1"
+  SOCKETIO_PORT: "9000"
+  DB_HOST: "$DB_HOST"
+  DB_PORT: "3306"
+  DB_NAME: "erpnext"
+  DB_USER: "admin"
+  DB_TIMEOUT: "60"
+  DB_CHARSET: "utf8mb4"
+  REDIS_CACHE_URL: "redis://$REDIS_HOST:6379/0"
+  REDIS_QUEUE_URL: "redis://$REDIS_HOST:6379/1"
+  REDIS_SOCKETIO_URL: "redis://$REDIS_HOST:6379/2"
+  AWS_DEFAULT_REGION: "$AWS_REGION"
+  AWS_S3_BUCKET: "${PROJECT_NAME}-files-$ACCOUNT_ID"
+EOF
+}
+
+# Function to create secrets manifest
+create_secrets_manifest() {
+    cat > /tmp/k8s-manifests/secrets.yaml <<EOF
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: aws-secretstore
+  namespace: erpnext
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: $AWS_REGION
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: erpnext-sa
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-db-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-db-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: ${PROJECT_NAME}/database/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-redis-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-redis-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: ${PROJECT_NAME}/redis/password
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: erpnext-admin-secret
+  namespace: erpnext
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: aws-secretstore
+    kind: SecretStore
+  target:
+    name: erpnext-admin-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: ${PROJECT_NAME}/admin/password
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: erpnext-sa
+  namespace: erpnext
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT_ID:role/eksctl-$CLUSTER_NAME-addon-iamserviceaccount-erpnext-erpnext-sa-Role1-XXXXXX
+automountServiceAccountToken: true
+EOF
+}
+
+# Function to create backend manifest
+create_backend_manifest() {
+    cat > /tmp/k8s-manifests/backend.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: erpnext-backend
+  template:
+    metadata:
+      labels:
+        app: erpnext-backend
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: erpnext-backend
+        image: frappe/erpnext-worker:v14
+        ports:
+        - containerPort: 8000
+        - containerPort: 9000
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        - name: backups-data
+          mountPath: /home/frappe/frappe-bench/sites/backups
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+        livenessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+          initialDelaySeconds: 60
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /api/method/ping
+            port: 8000
+          initialDelaySeconds: 30
+          periodSeconds: 10
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: backups-data
+        persistentVolumeClaim:
+          claimName: erpnext-backups-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-backend
+  namespace: erpnext
+spec:
+  selector:
+    app: erpnext-backend
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+  - name: socketio
+    port: 9000
+    targetPort: 9000
+EOF
+}
+
+# Function to create frontend manifest
+create_frontend_manifest() {
+    cat > /tmp/k8s-manifests/frontend.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: erpnext-frontend
+  template:
+    metadata:
+      labels:
+        app: erpnext-frontend
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
+        runAsGroup: 101
+        fsGroup: 1000
+      containers:
+      - name: erpnext-frontend
+        image: frappe/erpnext-nginx:v14
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+          readOnly: true
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 10
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: erpnext-frontend
+  namespace: erpnext
+spec:
+  selector:
+    app: erpnext-frontend
+  ports:
+  - port: 8080
+    targetPort: 8080
+EOF
+}
+
+# Function to create workers manifest
+create_workers_manifest() {
+    cat > /tmp/k8s-manifests/workers.yaml <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-queue-default
+  namespace: erpnext
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: erpnext-queue-default
+  template:
+    metadata:
+      labels:
+        app: erpnext-queue-default
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: queue-worker
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "worker", "--queue", "default"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: erpnext-scheduler
+  namespace: erpnext
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: erpnext-scheduler
+  template:
+    metadata:
+      labels:
+        app: erpnext-scheduler
+    spec:
+      serviceAccountName: erpnext-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: scheduler
+        image: frappe/erpnext-worker:v14
+        command: ["bench", "schedule"]
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "250m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      nodeSelector:
+        node-type: worker
+EOF
+}
+
+# Function to create ingress manifest
+create_ingress_manifest() {
+    cat > /tmp/k8s-manifests/ingress.yaml <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: erpnext-ingress
+  namespace: erpnext
+  annotations:
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
+    alb.ingress.kubernetes.io/healthcheck-grace-period-seconds: "60"
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
+    alb.ingress.kubernetes.io/success-codes: "200,201,202"
+    alb.ingress.kubernetes.io/tags: |
+      Environment=$ENVIRONMENT,
+      Application=ERPNext,
+      Project=$PROJECT_NAME
+spec:
+  rules:
+  - host: $DOMAIN_NAME
+    http:
+      paths:
+      - path: /socket.io
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 9000
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-backend
+            port:
+              number: 8000
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: erpnext-frontend
+            port:
+              number: 8080
+EOF
+}
+
+# Function to create jobs manifest
+create_jobs_manifest() {
+    cat > /tmp/k8s-manifests/jobs.yaml <<EOF
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: erpnext-create-site
+  namespace: erpnext
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      serviceAccountName: erpnext-sa
+      restartPolicy: Never
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+      - name: create-site
+        image: frappe/erpnext-worker:v14
+        command:
+        - bash
+        - -c
+        - |
+          set -e
+          echo "Starting ERPNext site creation..."
+          if [ -d "/home/frappe/frappe-bench/sites/frontend" ]; then
+            echo "Site 'frontend' already exists. Skipping creation."
+            exit 0
+          fi
+          bench new-site frontend \
+            --admin-password "\$ADMIN_PASSWORD" \
+            --mariadb-root-password "\$DB_PASSWORD" \
+            --install-app erpnext \
+            --set-default
+          echo "Site creation completed successfully!"
+        envFrom:
+        - configMapRef:
+            name: erpnext-config
+        env:
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-admin-secret
+              key: password
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-db-secret
+              key: password
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: erpnext-redis-secret
+              key: password
+        volumeMounts:
+        - name: sites-data
+          mountPath: /home/frappe/frappe-bench/sites
+        - name: backups-data
+          mountPath: /home/frappe/frappe-bench/sites/backups
+        resources:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+      volumes:
+      - name: sites-data
+        persistentVolumeClaim:
+          claimName: erpnext-sites-pvc
+      - name: backups-data
+        persistentVolumeClaim:
+          claimName: erpnext-backups-pvc
+      nodeSelector:
+        node-type: worker
+EOF
+}
+
+# Function to deploy to Kubernetes
+deploy_to_kubernetes() {
+    print_header "Deploying to Kubernetes..."
+    
+    # Apply manifests in order
+    print_status "Creating namespace..."
+    kubectl apply -f /tmp/k8s-manifests/namespace.yaml
+    
+    print_status "Creating storage resources..."
+    kubectl apply -f /tmp/k8s-manifests/storage.yaml
+    
+    print_status "Creating configuration..."
+    kubectl apply -f /tmp/k8s-manifests/configmap.yaml
+    
+    print_status "Creating secrets..."
+    kubectl apply -f /tmp/k8s-manifests/secrets.yaml
+    
+    # Wait for external secrets to be ready
+    print_status "Waiting for external secrets to be ready..."
+    sleep 30
+    
+    print_status "Deploying backend..."
+    kubectl apply -f /tmp/k8s-manifests/backend.yaml
+    
+    print_status "Deploying frontend..."
+    kubectl apply -f /tmp/k8s-manifests/frontend.yaml
+    
+    print_status "Deploying workers..."
+    kubectl apply -f /tmp/k8s-manifests/workers.yaml
+    
+    print_status "Creating ingress..."
+    kubectl apply -f /tmp/k8s-manifests/ingress.yaml
+    
+    # Wait for deployments to be ready
+    print_status "Waiting for deployments to be ready..."
+    kubectl wait --for=condition=available --timeout=300s deployment/erpnext-backend -n erpnext
+    kubectl wait --for=condition=available --timeout=300s deployment/erpnext-frontend -n erpnext
+    kubectl wait --for=condition=available --timeout=300s deployment/erpnext-queue-default -n erpnext
+    kubectl wait --for=condition=available --timeout=300s deployment/erpnext-scheduler -n erpnext
+    
+    # Create site
+    print_status "Creating ERPNext site..."
+    kubectl apply -f /tmp/k8s-manifests/jobs.yaml
+    
+    # Wait for job to complete
+    kubectl wait --for=condition=complete --timeout=600s job/erpnext-create-site -n erpnext
+    
+    print_status "Deployment completed successfully!"
+}
+
+# Function to configure autoscaling
+configure_autoscaling() {
+    print_header "Configuring autoscaling..."
+    
+    # Create HPA for backend
+    kubectl autoscale deployment erpnext-backend \
+        --namespace=erpnext \
+        --cpu-percent=70 \
+        --min=3 \
+        --max=10
+    
+    # Create HPA for frontend
+    kubectl autoscale deployment erpnext-frontend \
+        --namespace=erpnext \
+        --cpu-percent=70 \
+        --min=2 \
+        --max=8
+    
+    # Create HPA for workers
+    kubectl autoscale deployment erpnext-queue-default \
+        --namespace=erpnext \
+        --cpu-percent=80 \
+        --min=2 \
+        --max=6
+    
+    print_status "Autoscaling configured"
+}
+
+# Function to display deployment summary
+display_summary() {
+    print_header "Deployment Summary"
+    
+    # Get ALB endpoint
+    ALB_ENDPOINT=$(kubectl get ingress erpnext-ingress -n erpnext -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "")
+    
+    echo ""
+    print_status "ERPNext EKS deployment completed successfully!"
+    echo ""
+    print_status "Access Information:"
+    if [ -n "$ALB_ENDPOINT" ]; then
+        print_status "  Application URL: http://$ALB_ENDPOINT"
+    else
+        print_status "  Application URL: Check ALB endpoint with 'kubectl get ingress -n erpnext'"
+    fi
+    print_status "  Domain: $DOMAIN_NAME (configure DNS to point to ALB endpoint)"
+    print_status "  Admin Username: Administrator"
+    print_status "  Admin Password: Check AWS Secrets Manager (${PROJECT_NAME}/admin/password)"
+    echo ""
+    print_status "AWS Resources Created:"
+    print_status "  EKS Cluster: $CLUSTER_NAME"
+    print_status "  EFS File System: $EFS_ID"
+    print_status "  VPC: $VPC_ID"
+    echo ""
+    print_status "Kubernetes Resources:"
+    print_status "  Namespace: erpnext"
+    print_status "  Deployments: erpnext-backend, erpnext-frontend, erpnext-queue-default, erpnext-scheduler"
+    print_status "  Services: erpnext-backend, erpnext-frontend"
+    print_status "  Ingress: erpnext-ingress"
+    echo ""
+    print_status "Next Steps:"
+    print_status "  1. Configure DNS to point $DOMAIN_NAME to ALB endpoint"
+    print_status "  2. Set up SSL certificate in ACM and update ingress"
+    print_status "  3. Configure monitoring with Prometheus/Grafana"
+    print_status "  4. Set up backup procedures"
+    echo ""
+    print_status "Useful Commands:"
+    print_status "  kubectl get pods -n erpnext"
+    print_status "  kubectl logs -f deployment/erpnext-backend -n erpnext"
+    print_status "  kubectl get ingress -n erpnext"
+    echo ""
+}
+
+# Function to clean up temporary files
+cleanup() {
+    print_status "Cleaning up temporary files..."
+    rm -rf /tmp/erpnext-eks-cluster.yaml /tmp/k8s-manifests /tmp/iam_policy.json
+}
+
+# Main execution function
+main() {
+    print_header "Starting ERPNext EKS Deployment"
+    
+    # Parse command line arguments
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            --region)
+                AWS_REGION="$2"
+                shift 2
+                ;;
+            --profile)
+                AWS_PROFILE="$2"
+                shift 2
+                ;;
+            --cluster-name)
+                CLUSTER_NAME="$2"
+                shift 2
+                ;;
+            --project-name)
+                PROJECT_NAME="$2"
+                shift 2
+                ;;
+            --domain)
+                DOMAIN_NAME="$2"
+                shift 2
+                ;;
+            --kubernetes-version)
+                KUBERNETES_VERSION="$2"
+                shift 2
+                ;;
+            --node-type)
+                NODE_INSTANCE_TYPE="$2"
+                shift 2
+                ;;
+            --help)
+                echo "Usage: $0 [OPTIONS]"
+                echo ""
+                echo "Options:"
+                echo "  --region REGION              AWS region (default: us-east-1)"
+                echo "  --profile PROFILE            AWS profile (default: default)"
+                echo "  --cluster-name NAME          EKS cluster name (default: erpnext-cluster)"
+                echo "  --project-name NAME          Project name prefix (default: erpnext)"
+                echo "  --domain DOMAIN              Domain name (default: erpnext.yourdomain.com)"
+                echo "  --kubernetes-version VERSION Kubernetes version (default: 1.28)"
+                echo "  --node-type TYPE             EC2 instance type for nodes (default: t3.medium)"
+                echo "  --help                       Show this help message"
+                exit 0
+                ;;
+            *)
+                print_error "Unknown option: $1"
+                exit 1
+                ;;
+        esac
+    done
+    
+    # Execute deployment steps
+    check_prerequisites
+    check_vpc
+    get_security_groups
+    get_database_endpoints
+    create_efs
+    create_cluster_config
+    create_eks_cluster
+    install_addons
+    create_kubernetes_manifests
+    deploy_to_kubernetes
+    configure_autoscaling
+    display_summary
+    cleanup
+    
+    print_header "Deployment completed successfully!"
+}
+
+# Set trap to cleanup on exit
+trap cleanup EXIT
+
+# Execute main function with all arguments
+main "$@"
\ No newline at end of file