

Name Version
terraform >= 0.13.5
argocd 6.0.2
aws 5.68.0
github 5.34.0
helm >= 2.15.0
htpasswd 1.0.4
keycloak 4.3.1
kubectl 1.14.0
kubernetes >= 2.33.0
random ~>3.5.1
time 0.9.1
vault 3.22.0


Name Version
argocd 6.0.2
aws 5.68.0 5.68.0
aws.dns-control 5.68.0
external 2.3.4
github 5.34.0
helm 2.16.1
htpasswd 1.0.4
kubectl 1.14.0
kubernetes 2.33.0
local 2.5.2
null 3.2.3
random 3.5.1
time 0.9.1
tls 4.0.6
vault 3.22.0


Name Source Version
argo-registration 1.2.2
cluster 8.2.3
efs-storage 2.0.0
efs-storage-local-registry 0.0.1
fsx-storage 2.0.0
harness_delegate ./modules/harness n/a
k8s_dashboard ./modules/aws/k8s_dashboard n/a
keycloak ./modules/aws/keycloak n/a
kms_key 2.1.2
lambda-sns-forwarder 2.0.0
networking 2.1.0
public_networking 1.2.2
s3-storage 3.3.1
secrets-operator-setup ./modules/common/vault-secrets-operator-setup n/a
security-group 3.0.0
sqs_sns 1.2.0


Name Type
argocd_application.ipa resource
aws_acm_certificate.alb resource
aws_acm_certificate_validation.alb resource
aws_efs_access_point.local-registry resource
aws_eks_addon.guardduty resource resource
aws_route53_record.alb resource
aws_route53_record.alertmanager-caa resource
aws_route53_record.grafana-caa resource
aws_route53_record.ipa-app-caa resource
aws_route53_record.prometheus-caa resource
aws_security_group.eks_vpc_endpoint_guardduty resource
aws_vpc_endpoint.eks_vpc_guardduty resource
aws_wafv2_web_acl.wafv2-acl resource
github_repository_file.alb-values-yaml resource
github_repository_file.argocd-application-yaml resource
github_repository_file.crds-values-yaml resource
github_repository_file.custom-application-yaml resource
github_repository_file.pre-reqs-values-yaml resource
github_repository_file.smoketest-application-yaml resource
helm_release.external-secrets resource
helm_release.ipa-crds resource
helm_release.ipa-pre-requisites resource
helm_release.ipa-vso resource
helm_release.keda-monitoring resource
helm_release.local-registry resource
helm_release.monitoring resource
helm_release.nfs-provider resource
helm_release.opentelemetry-collector resource
helm_release.terraform-smoketests resource
htpasswd_password.hash resource
kubectl_manifest.gp2-storageclass resource
kubectl_manifest.nfs_server resource
kubectl_manifest.nfs_server_service resource
kubectl_manifest.nfs_volume resource
kubectl_manifest.snapshot-cluster-role resource
kubectl_manifest.snapshot-cluster-role-binding resource
kubectl_manifest.snapshot-service-account resource
kubernetes_cluster_role_binding.cod-role-bindings resource
kubernetes_cluster_role_binding.devops-rbac-bindings resource
kubernetes_cluster_role_binding.eng-qa-rbac-bindings resource
kubernetes_config_map.terraform-variables resource
kubernetes_job.snapshot-restore-job resource
kubernetes_namespace.local-registry resource
kubernetes_persistent_volume.local-registry resource
kubernetes_persistent_volume_claim.local-registry resource
kubernetes_secret.harbor-pull-secret resource
kubernetes_secret.issuer-secret resource
kubernetes_secret.readapi resource
kubernetes_storage_class_v1.local-registry resource
null_resource.enable-oidc resource
null_resource.get_nfs_server_ip resource
null_resource.s3-delete-data-bucket resource
null_resource.s3-delete-data-pgbackup-bucket resource
null_resource.update_storage_class resource
null_resource.wait-for-tf-cod-chart-build resource
random_password.monitoring-password resource
random_password.password resource
random_password.salt resource
time_sleep.wait_1_minutes_after_crds resource
time_sleep.wait_1_minutes_after_pre_reqs resource resource
aws_caller_identity.current data source
aws_eks_cluster.local data source
aws_eks_cluster.thanos data source
aws_eks_cluster_auth.local data source
aws_eks_cluster_auth.thanos data source
aws_iam_policy_document.eks_vpc_guardduty data source
aws_route53_zone.primary data source
aws_vpc_endpoint_service.guardduty data source
external_external.git_information data source
github_repository.argo-github-repo data source data source data source
local_file.nfs_ip data source
vault_kv_secret_v2.account-robot-credentials data source
vault_kv_secret_v2.delegate_secrets data source
vault_kv_secret_v2.harbor-api-token data source
vault_kv_secret_v2.readapi_secret data source
vault_kv_secret_v2.zerossl_data data source


Name Description Type Default Required
acm_arn arn of a pre-existing acm certificate string "" no
additional_tags Additional tags to add to each resource map(string) null no
alerting_email_enabled enable alerts via email bool false no
alerting_email_from alerting_email_from. string "blank" no
alerting_email_host alerting_email_host string "blank" no
alerting_email_password alerting_email_password string "blank" no
alerting_email_to alerting_email_to string "blank" no
alerting_email_username alerting_email_username string "blank" no
alerting_enabled enable alerts bool false no
alerting_pagerduty_enabled enable alerts via pagerduty bool false no
alerting_pagerduty_integration_key Secret pagerduty_integration_key. string "blank" no
alerting_slack_channel Slack channel for sending notifications from alertmanager. string "blank" no
alerting_slack_enabled enable alerts via slack bool false no
alerting_slack_token Secret url with embedded token needed for slack webhook delivery. string "blank" no
applications n/a
name = string
repo = string
chart = string
version = string
values = string,
namespace = string,
createNamespace = bool,
vaultPath = string
{} no
argo_branch Branch to use on argo_repo string "" no
argo_enabled n/a bool true no
argo_github_team_owner The GitHub Team that has owner-level access to this Argo Project string "devops-core-admins" no
argo_host n/a string "" no
argo_namespace n/a string "argo" no
argo_password n/a string "not used" no
argo_path Path within the argo_repo containing yaml string "." no
argo_repo Argo Github Repository containing the IPA Application string "" no
argo_username n/a string "admin" no
aws_access_key The AWS access key to use for deployment string n/a yes
aws_account The name of the AWS account this cluster lives in string n/a yes
aws_primary_dns_role_arn The AWS arn for the role needed to manage route53 DNS in a different account. string "" no
aws_secret_key The AWS secret key to use for deployment string n/a yes
aws_session_token The AWS session token to use for deployment string null no
az_count Number of availability zones for nodes number 2 no
azure_indico_io_client_id Old provider configuration to remove orphaned readapi resources string "" no
azure_indico_io_client_secret n/a string "" no
azure_indico_io_subscription_id n/a string "" no
azure_indico_io_tenant_id n/a string "" no
azure_readapi_client_id n/a string "" no
azure_readapi_client_secret n/a string "" no
azure_readapi_subscription_id n/a string "" no
azure_readapi_tenant_id n/a string "" no
bucket_versioning Enable bucket object versioning bool true no
cluster_api_endpoint_public If enabled, this allows public access to the cluster API endpoint. bool true no
cluster_name Name of the EKS cluster string "indico-cluster" no
cluster_node_policies Additional IAM policies to add to the cluster IAM role list(any)
crds-values-yaml-b64 n/a string "Cg==" no
create_guardduty_vpc_endpoint If true this will create a vpc endpoint for guardduty. bool true no
csi_driver_nfs_version Version of csi-driver-nfs helm chart string "v4.0.9" no
default_tags Default tags to add to each resource map(string) null no
deletion_protection_enabled Enable deletion protection if set to true bool true no
devops_tools_cluster_ca_certificate n/a string "provided from the varset devops-tools-cluster" no
devops_tools_cluster_host n/a string "provided from the varset devops-tools-cluster" no
direct_connect Sets up the direct connect configuration if true; else use public subnets bool false no
dns_zone_name Name of the dns zone used to control DNS string "" no
domain_host domain host name. string "" no
domain_suffix Domain suffix string "" no
efs_filesystem_name The filesystem name of an existing efs instance string "" no
efs_type n/a string "create" no
eks_addon_version_guardduty enable guardduty bool true no
eks_cluster_iam_role Name of the IAM role to assign to the EKS cluster; will be created if not supplied string null no
eks_cluster_nodes_iam_role Name of the IAM role to assign to the EKS cluster nodes; will be created if not supplied string null no
enable_firewall If enabled this will create firewall and internet gateway bool false no
enable_k8s_dashboard n/a bool true no
enable_readapi ReadAPI stuff bool true no
enable_s3_access_logging If true this will enable access logging on the s3 buckets bool true no
enable_s3_backup Allow backing up data bucket on s3 bool true no
enable_vpc_flow_logs If enabled this will create flow logs for the VPC bool true no
enable_waf enables aws alb controller for app-edge, also creates waf rules. bool false no
enable_weather_station whether or not to enable the weather station internal metrics collection service bool false no
environment The environment of the cluster, determines which account readapi to use, options production/development string "development" no
existing_kms_key Name of kms key if it exists in the account (eg. 'alias/') string "" no
external_secrets_version Version of external-secrets helm chart string "0.10.5" no
firewall_allow_list n/a list(string)
firewall_subnet_cidrs CIDR ranges for the firewall subnets list(string) [] no
fsx_deployment_type The deployment type to launch string "PERSISTENT_1" no
fsx_rox_arn ARN of the ROX FSx Lustre file system string null no
fsx_rox_id ID of the existing FSx Lustre file system for ROX string null no
fsx_rwx_arn ARN of the RWX FSx Lustre file system string null no
fsx_rwx_dns_name DNS name for the RWX FSx Lustre file system string null no
fsx_rwx_id ID of the existing FSx Lustre file system for RWX string null no
fsx_rwx_mount_name Mount name for the RWX FSx Lustre file system string null no
fsx_rwx_security_group_ids Security group IDs for the RWX FSx Lustre file system list(string) [] no
fsx_rwx_subnet_ids Subnet IDs for the RWX FSx Lustre file system list(string) [] no
fsx_type n/a string "create" no
git_pat n/a string "" no
harbor_pull_secret_b64 Harbor pull secret from Vault string n/a yes
harness_delegate n/a bool false no
harness_delegate_replicas n/a number 1 no
harness_mount_path n/a string "harness" no
hibernation_enabled n/a bool false no
image_registry docker image registry to use for pulling images. string "" no
include_efs Create efs bool true no
include_fsx Create a fsx file system(s) bool false no
include_pgbackup Create a read only FSx file system bool true no
include_rox Create a read only FSx file system bool false no
indico_aws_access_key_id The AWS access key for controlling dns in an alternate account string "" no
indico_aws_secret_access_key The AWS secret key for controlling dns in an alternate account string "" no
indico_aws_session_token The AWS session token to use for deployment in an alternate account string null no
indico_devops_aws_access_key_id The Indico-Devops account access key string "" no
indico_devops_aws_region The Indico-Devops devops cluster region string "" no
indico_devops_aws_secret_access_key The Indico-Devops account secret string "" no
indico_devops_aws_session_token Indico-Devops account AWS session token to use for deployment string null no
instance_volume_size The size of EBS volume to attach to the cluster nodes number 60 no
instance_volume_type The type of EBS volume to attach to the cluster nodes string "gp2" no
internal_elb_use_public_subnets If enabled, this will use public subnets for the internal elb. Otherwise use the private subnets bool true no
ipa_crds_version n/a string "0.2.1" no
ipa_enabled n/a bool true no
ipa_pre_reqs_version n/a string "0.4.0" no
ipa_repo n/a string "" no
ipa_smoketest_enabled n/a bool true no
ipa_smoketest_repo n/a string "" no
ipa_smoketest_values n/a string "Cg==" no
ipa_smoketest_version n/a string "0.1.8" no
ipa_values n/a string "" no
ipa_version n/a string "0.12.1" no
is_alternate_account_domain domain name is controlled by a different aws account string "false" no
is_aws n/a bool true no
is_azure n/a bool false no
k8s_version The EKS version to use string "1.31" no
keda_version n/a string "2.15.2" no
keycloak_enabled n/a bool true no
kms_encrypt_secrets Encrypt EKS secrets with KMS bool true no
label The unique string to be prepended to resources names string "indico" no
lambda_sns_forwarder_destination_endpoint destination URL for the lambda sns forwarder string "" no
lambda_sns_forwarder_enabled If enabled, a Lambda will be provisioned to forward SNS messages to an external endpoint. bool false no
lambda_sns_forwarder_function_variables A map of variables for the lambda_sns_forwarder code to use map(any) {} no
lambda_sns_forwarder_github_branch The github branch / tag containing the lambda_sns_forwarder code to use string "main" no
lambda_sns_forwarder_github_organization The github organization containing the lambda_sns_forwarder code to use string "IndicoDataSolutions" no
lambda_sns_forwarder_github_repository The github repository containing the lambda_sns_forwarder code to use string "" no
lambda_sns_forwarder_github_zip_path Full path to the lambda zip file string "zip/" no
lambda_sns_forwarder_topic_arn SNS topic to trigger the lambda forwarder. string "" no
load_vpc_id This is required if loading a network rather than creating one. string "" no
local_registry_enabled n/a bool false no
local_registry_version n/a string "unused" no
message The commit message for updates string "Managed by Terraform" no
monitoring_enabled n/a bool true no
monitoring_version n/a string "3.0.0" no
name Name to use in all cluster resources names string "indico" no
network_allow_public If enabled this will create public subnets, IGW, and NAT gateway. bool true no
network_module n/a string "networking" no
network_type n/a string "create" no
nfs_subdir_external_provisioner_version Version of nfs_subdir_external_provisioner_version helm chart string "4.0.18" no
node_bootstrap_arguments Additional arguments when bootstrapping the EKS node. string "" no
node_disk_size The root device size for the worker nodes. string "150" no
node_groups n/a any n/a yes
node_user_data Additional user data used when bootstrapping the EC2 instance. string "" no
oidc_client_id n/a string "kube-oidc-proxy" no
oidc_config_name n/a string "indico-google-ws" no
oidc_enabled Enable OIDC Authentication bool true no
oidc_groups_claim n/a string "groups" no
oidc_groups_prefix n/a string "oidcgroup:" no
oidc_issuer_url n/a string "" no
oidc_username_claim n/a string "sub" no
oidc_username_prefix n/a string "oidcuser:" no
on_prem_test n/a bool false no
opentelemetry_collector_version n/a string "0.108.0" no
per_unit_storage_throughput Throughput for each 1 TiB of storage (max 200) for RWX FSx number 100 no
performance_bucket Add permission to connect to indico-locust-benchmark-test-results bool false no
pre-reqs-values-yaml-b64 n/a string "Cg==" no
private_subnet_cidrs CIDR ranges for the private subnets list(string) n/a yes
private_subnet_tag_name n/a string "Name" no
private_subnet_tag_value n/a string "*private*" no
public_ip Should the cluster manager have a public IP assigned bool true no
public_subnet_cidrs CIDR ranges for the public subnets list(string) n/a yes
public_subnet_tag_name n/a string "Name" no
public_subnet_tag_value n/a string "*public*" no
readapi_customer Name of the customer on whose behalf readapi is being deployed. string null no
region The AWS region in which to launch the indico stack string "us-east-1" no
restore_snapshot_enabled Flag for restoring cluster from snapshot bool false no
restore_snapshot_name Name of snapshot in account's s3 bucket string "" no
s3_endpoint_enabled If set to true, an S3 VPC endpoint will be created. If this variable is set, the region variable must also be set bool false no
secrets_operator_enabled Use to enable the secrets operator which is used for maintaining thanos connection bool true no
sg_tag_name n/a string "Name" no
sg_tag_value n/a string "*-allow-subnets" no
skip_final_snapshot Skip taking a final snapshot before deletion; not recommended to enable bool false no
snapshot_id The ebs snapshot of read-only data to use string "" no
sqs_sns Flag for enabling SQS/SNS bool true no
ssl_static_secret_name secret_name for static ssl certificate string "indico-ssl-static-cert" no
storage_capacity Storage capacity in GiB for RWX FSx number 1200 no
storage_gateway_size The size of the storage gateway VM string "m5.xlarge" no
submission_expiry The number of days to retain submissions number 30 no
subnet_az_zones Availability zones for the subnets list(string) n/a yes
terraform_smoketests_enabled n/a bool true no
terraform_vault_mount_path n/a string "terraform" no
thanos_cluster_ca_certificate n/a string "provided from the varset thanos" no
thanos_cluster_host n/a string "provided from the varset thanos" no
thanos_cluster_name n/a string "thanos" no
thanos_enabled n/a bool true no
thanos_grafana_admin_password n/a string "provided from the varset thanos" no
thanos_grafana_admin_username n/a string "provided from the varset devops-tools-cluster" no
uploads_expiry The number of days to retain uploads number 30 no
use_acm create cluster that will use acm bool false no
use_nlb If true this will create a NLB loadbalancer instead of a classic VPC ELB bool false no
use_static_ssl_certificates use static ssl certificates for clusters which cannot use certmanager and external dns. bool false no
vault_address n/a string "" no
vault_mount_path n/a string "terraform" no
vault_password n/a any n/a yes
vault_secrets_operator_version n/a string "0.7.0" no
vault_username n/a any n/a yes
vpc_cidr The VPC for the entire indico stack string n/a yes
vpc_flow_logs_iam_role_arn The IAM role to use for the flow logs string "" no
vpc_name The VPC name string "indico_vpc" no


Name Description
acm_arn arn of the acm
api_models_s3_bucket_name Name of the api-models s3 bucket
argo_branch n/a
argo_path n/a
argo_repo n/a
cluster_name n/a
cluster_region n/a
data_s3_bucket_name Name of the data s3 bucket
dns_name n/a
efs_filesystem_id ID of the EFS filesystem
fsx_rox_id Read only filesystem
fsx_rwx_id Read write filesystem
fsx_storage_fsx_rwx_dns_name n/a
fsx_storage_fsx_rwx_mount_name n/a
fsx_storage_fsx_rwx_subnet_id n/a
fsx_storage_fsx_rwx_volume_handle n/a
git_branch n/a
git_sha n/a
harbor-api-token n/a
harness_delegate_name n/a
ipa_version n/a
key_pem Generated private key for key pair (secret material; Terraform keeps output values in its state, so protect the state accordingly)
kube_ca_certificate n/a
kube_host n/a
kube_token n/a
local_registry_password n/a
local_registry_username n/a
monitoring-password n/a
monitoring-username n/a
monitoring_enabled n/a
ns n/a
s3_role_id ID of the S3 role
smoketest_chart_version n/a
wafv2_arn arn of the wafv2 acl
zerossl n/a