acm_arn |
ARN of a pre-existing ACM certificate |
string |
"" |
no |
additional_tags |
Additional tags to add to each resource |
map(string) |
null |
no |
alerting_email_enabled |
enable alerts via email |
bool |
false |
no |
alerting_email_from |
alerting_email_from. |
string |
"blank" |
no |
alerting_email_host |
alerting_email_host |
string |
"blank" |
no |
alerting_email_password |
alerting_email_password |
string |
"blank" |
no |
alerting_email_to |
alerting_email_to |
string |
"blank" |
no |
alerting_email_username |
alerting_email_username |
string |
"blank" |
no |
alerting_enabled |
enable alerts |
bool |
false |
no |
alerting_pagerduty_enabled |
enable alerts via pagerduty |
bool |
false |
no |
alerting_pagerduty_integration_key |
Secret pagerduty_integration_key. |
string |
"blank" |
no |
alerting_slack_channel |
Slack channel for sending notifications from alertmanager. |
string |
"blank" |
no |
alerting_slack_enabled |
enable alerts via slack |
bool |
false |
no |
alerting_slack_token |
Secret URL, with an embedded token, needed for Slack webhook delivery. |
string |
"blank" |
no |
applications |
n/a |
map(object({ name = string repo = string chart = string version = string values = string, namespace = string, createNamespace = bool, vaultPath = string })) |
{} |
no |
argo_branch |
Branch to use on argo_repo |
string |
"" |
no |
argo_enabled |
n/a |
bool |
true |
no |
argo_github_team_owner |
The GitHub Team that has owner-level access to this Argo Project |
string |
"devops-core-admins" |
no |
argo_host |
n/a |
string |
"argo.devops.indico.io" |
no |
argo_namespace |
n/a |
string |
"argo" |
no |
argo_password |
n/a |
string |
"not used" |
no |
argo_path |
Path within the argo_repo containing yaml |
string |
"." |
no |
argo_repo |
Argo Github Repository containing the IPA Application |
string |
"" |
no |
argo_username |
n/a |
string |
"admin" |
no |
aws_access_key |
The AWS access key to use for deployment |
string |
n/a |
yes |
aws_account |
The name of the AWS account this cluster lives in |
string |
n/a |
yes |
aws_primary_dns_role_arn |
The AWS arn for the role needed to manage route53 DNS in a different account. |
string |
"" |
no |
aws_secret_key |
The AWS secret key to use for deployment |
string |
n/a |
yes |
aws_session_token |
The AWS session token to use for deployment |
string |
null |
no |
az_count |
Number of availability zones for nodes |
number |
2 |
no |
azure_indico_io_client_id |
Old provider configuration to remove orphaned readapi resources |
string |
"" |
no |
azure_indico_io_client_secret |
n/a |
string |
"" |
no |
azure_indico_io_subscription_id |
n/a |
string |
"" |
no |
azure_indico_io_tenant_id |
n/a |
string |
"" |
no |
azure_readapi_client_id |
n/a |
string |
"" |
no |
azure_readapi_client_secret |
n/a |
string |
"" |
no |
azure_readapi_subscription_id |
n/a |
string |
"" |
no |
azure_readapi_tenant_id |
n/a |
string |
"" |
no |
bucket_versioning |
Enable bucket object versioning |
bool |
true |
no |
cluster_api_endpoint_public |
If enabled, this allows public access to the cluster API endpoint. |
bool |
true |
no |
cluster_name |
Name of the EKS cluster |
string |
"indico-cluster" |
no |
cluster_node_policies |
Additional IAM policies to add to the cluster IAM role |
list(any) |
[ "IAMReadOnlyAccess" ] |
no |
crds-values-yaml-b64 |
n/a |
string |
"Cg==" |
no |
create_guardduty_vpc_endpoint |
If true this will create a vpc endpoint for guardduty. |
bool |
true |
no |
csi_driver_nfs_version |
Version of csi-driver-nfs helm chart |
string |
"v4.0.9" |
no |
default_tags |
Default tags to add to each resource |
map(string) |
null |
no |
deletion_protection_enabled |
Enable deletion protection if set to true |
bool |
true |
no |
devops_tools_cluster_ca_certificate |
n/a |
string |
"provided from the varset devops-tools-cluster" |
no |
devops_tools_cluster_host |
n/a |
string |
"provided from the varset devops-tools-cluster" |
no |
direct_connect |
Sets up the direct connect configuration if true; else use public subnets |
bool |
false |
no |
dns_zone_name |
Name of the dns zone used to control DNS |
string |
"" |
no |
domain_host |
domain host name. |
string |
"" |
no |
domain_suffix |
Domain suffix |
string |
"indico.io" |
no |
efs_filesystem_name |
The filesystem name of an existing efs instance |
string |
"" |
no |
efs_type |
n/a |
string |
"create" |
no |
eks_addon_version_guardduty |
enable guardduty |
bool |
true |
no |
eks_cluster_iam_role |
Name of the IAM role to assign to the EKS cluster; will be created if not supplied |
string |
null |
no |
eks_cluster_nodes_iam_role |
Name of the IAM role to assign to the EKS cluster nodes; will be created if not supplied |
string |
null |
no |
enable_firewall |
If enabled this will create firewall and internet gateway |
bool |
false |
no |
enable_k8s_dashboard |
n/a |
bool |
true |
no |
enable_readapi |
ReadAPI stuff |
bool |
true |
no |
enable_s3_access_logging |
If true this will enable access logging on the s3 buckets |
bool |
true |
no |
enable_s3_backup |
Allow backing up data bucket on s3 |
bool |
true |
no |
enable_vpc_flow_logs |
If enabled this will create flow logs for the VPC |
bool |
true |
no |
enable_waf |
enables aws alb controller for app-edge, also creates waf rules. |
bool |
false |
no |
enable_weather_station |
whether or not to enable the weather station internal metrics collection service |
bool |
false |
no |
environment |
The environment of the cluster; determines which readapi account to use. Options: production, development |
string |
"development" |
no |
existing_kms_key |
Name of the KMS key if it already exists in the account (e.g. 'alias/<key-name>') |
string |
"" |
no |
external_secrets_version |
Version of external-secrets helm chart |
string |
"0.10.5" |
no |
firewall_allow_list |
n/a |
list(string) |
[ ".cognitiveservices.azure.com" ] |
no |
firewall_subnet_cidrs |
CIDR ranges for the firewall subnets |
list(string) |
[] |
no |
fsx_deployment_type |
The deployment type to launch |
string |
"PERSISTENT_1" |
no |
fsx_rox_arn |
ARN of the ROX FSx Lustre file system |
string |
null |
no |
fsx_rox_id |
ID of the existing FSx Lustre file system for ROX |
string |
null |
no |
fsx_rwx_arn |
ARN of the RWX FSx Lustre file system |
string |
null |
no |
fsx_rwx_dns_name |
DNS name for the RWX FSx Lustre file system |
string |
null |
no |
fsx_rwx_id |
ID of the existing FSx Lustre file system for RWX |
string |
null |
no |
fsx_rwx_mount_name |
Mount name for the RWX FSx Lustre file system |
string |
null |
no |
fsx_rwx_security_group_ids |
Security group IDs for the RWX FSx Lustre file system |
list(string) |
[] |
no |
fsx_rwx_subnet_ids |
Subnet IDs for the RWX FSx Lustre file system |
list(string) |
[] |
no |
fsx_type |
n/a |
string |
"create" |
no |
git_pat |
n/a |
string |
"" |
no |
harbor_pull_secret_b64 |
Harbor pull secret from Vault |
string |
n/a |
yes |
harness_delegate |
n/a |
bool |
false |
no |
harness_delegate_replicas |
n/a |
number |
1 |
no |
harness_mount_path |
n/a |
string |
"harness" |
no |
hibernation_enabled |
n/a |
bool |
false |
no |
image_registry |
docker image registry to use for pulling images. |
string |
"harbor.devops.indico.io" |
no |
include_efs |
Create efs |
bool |
true |
no |
include_fsx |
Create FSx file system(s) |
bool |
false |
no |
include_pgbackup |
Create a read only FSx file system |
bool |
true |
no |
include_rox |
Create a read only FSx file system |
bool |
false |
no |
indico_aws_access_key_id |
The AWS access key for controlling dns in an alternate account |
string |
"" |
no |
indico_aws_secret_access_key |
The AWS secret key for controlling dns in an alternate account |
string |
"" |
no |
indico_aws_session_token |
The AWS session token to use for deployment in an alternate account |
string |
null |
no |
indico_devops_aws_access_key_id |
The Indico-Devops account access key |
string |
"" |
no |
indico_devops_aws_region |
The Indico-Devops devops cluster region |
string |
"" |
no |
indico_devops_aws_secret_access_key |
The Indico-Devops account secret |
string |
"" |
no |
indico_devops_aws_session_token |
Indico-Devops account AWS session token to use for deployment |
string |
null |
no |
instance_volume_size |
The size of EBS volume to attach to the cluster nodes |
number |
60 |
no |
instance_volume_type |
The type of EBS volume to attach to the cluster nodes |
string |
"gp2" |
no |
internal_elb_use_public_subnets |
If enabled, this will use public subnets for the internal elb. Otherwise use the private subnets |
bool |
true |
no |
ipa_crds_version |
n/a |
string |
"0.2.1" |
no |
ipa_enabled |
n/a |
bool |
true |
no |
ipa_pre_reqs_version |
n/a |
string |
"0.4.0" |
no |
ipa_repo |
n/a |
string |
"https://harbor.devops.indico.io/chartrepo/indico-charts" |
no |
ipa_smoketest_enabled |
n/a |
bool |
true |
no |
ipa_smoketest_repo |
n/a |
string |
"https://harbor.devops.indico.io/chartrepo/indico-charts" |
no |
ipa_smoketest_values |
n/a |
string |
"Cg==" |
no |
ipa_smoketest_version |
n/a |
string |
"0.1.8" |
no |
ipa_values |
n/a |
string |
"" |
no |
ipa_version |
n/a |
string |
"0.12.1" |
no |
is_alternate_account_domain |
domain name is controlled by a different aws account |
string |
"false" |
no |
is_aws |
n/a |
bool |
true |
no |
is_azure |
n/a |
bool |
false |
no |
k8s_version |
The EKS version to use |
string |
"1.31" |
no |
keda_version |
n/a |
string |
"2.15.2" |
no |
keycloak_enabled |
n/a |
bool |
true |
no |
kms_encrypt_secrets |
Encrypt EKS secrets with KMS |
bool |
true |
no |
label |
The unique string to be prepended to resources names |
string |
"indico" |
no |
lambda_sns_forwarder_destination_endpoint |
destination URL for the lambda sns forwarder |
string |
"" |
no |
lambda_sns_forwarder_enabled |
If enabled, a lambda will be provisioned to forward SNS messages to an external endpoint. |
bool |
false |
no |
lambda_sns_forwarder_function_variables |
A map of variables for the lambda_sns_forwarder code to use |
map(any) |
{} |
no |
lambda_sns_forwarder_github_branch |
The github branch / tag containing the lambda_sns_forwarder code to use |
string |
"main" |
no |
lambda_sns_forwarder_github_organization |
The github organization containing the lambda_sns_forwarder code to use |
string |
"IndicoDataSolutions" |
no |
lambda_sns_forwarder_github_repository |
The github repository containing the lambda_sns_forwarder code to use |
string |
"" |
no |
lambda_sns_forwarder_github_zip_path |
Full path to the lambda zip file |
string |
"zip/lambda.zip" |
no |
lambda_sns_forwarder_topic_arn |
SNS topic to trigger the lambda forwarder. |
string |
"" |
no |
load_vpc_id |
This is required if loading a network rather than creating one. |
string |
"" |
no |
local_registry_enabled |
n/a |
bool |
false |
no |
local_registry_version |
n/a |
string |
"unused" |
no |
message |
The commit message for updates |
string |
"Managed by Terraform" |
no |
monitoring_enabled |
n/a |
bool |
true |
no |
monitoring_version |
n/a |
string |
"3.0.0" |
no |
name |
Name to use in all cluster resources names |
string |
"indico" |
no |
network_allow_public |
If enabled this will create public subnets, IGW, and NAT gateway. |
bool |
true |
no |
network_module |
n/a |
string |
"networking" |
no |
network_type |
n/a |
string |
"create" |
no |
nfs_subdir_external_provisioner_version |
Version of the nfs-subdir-external-provisioner helm chart |
string |
"4.0.18" |
no |
node_bootstrap_arguments |
Additional arguments when bootstrapping the EKS node. |
string |
"" |
no |
node_disk_size |
The root device size for the worker nodes. |
string |
"150" |
no |
node_groups |
n/a |
any |
n/a |
yes |
node_user_data |
Additional user data used when bootstrapping the EC2 instance. |
string |
"" |
no |
oidc_client_id |
n/a |
string |
"kube-oidc-proxy" |
no |
oidc_config_name |
n/a |
string |
"indico-google-ws" |
no |
oidc_enabled |
Enable OIDC Authentication |
bool |
true |
no |
oidc_groups_claim |
n/a |
string |
"groups" |
no |
oidc_groups_prefix |
n/a |
string |
"oidcgroup:" |
no |
oidc_issuer_url |
n/a |
string |
"https://keycloak.devops.indico.io/auth/realms/GoogleAuth" |
no |
oidc_username_claim |
n/a |
string |
"sub" |
no |
oidc_username_prefix |
n/a |
string |
"oidcuser:" |
no |
on_prem_test |
n/a |
bool |
false |
no |
opentelemetry_collector_version |
n/a |
string |
"0.108.0" |
no |
per_unit_storage_throughput |
Throughput for each 1 TiB of storage (max 200) for RWX FSx |
number |
100 |
no |
performance_bucket |
Add permission to connect to indico-locust-benchmark-test-results |
bool |
false |
no |
pre-reqs-values-yaml-b64 |
n/a |
string |
"Cg==" |
no |
private_subnet_cidrs |
CIDR ranges for the private subnets |
list(string) |
n/a |
yes |
private_subnet_tag_name |
n/a |
string |
"Name" |
no |
private_subnet_tag_value |
n/a |
string |
"*private*" |
no |
public_ip |
Should the cluster manager have a public IP assigned |
bool |
true |
no |
public_subnet_cidrs |
CIDR ranges for the public subnets |
list(string) |
n/a |
yes |
public_subnet_tag_name |
n/a |
string |
"Name" |
no |
public_subnet_tag_value |
n/a |
string |
"*public*" |
no |
readapi_customer |
Name of the customer on whose behalf readapi is being deployed. |
string |
null |
no |
region |
The AWS region in which to launch the indico stack |
string |
"us-east-1" |
no |
restore_snapshot_enabled |
Flag for restoring cluster from snapshot |
bool |
false |
no |
restore_snapshot_name |
Name of snapshot in account's s3 bucket |
string |
"" |
no |
s3_endpoint_enabled |
If set to true, an S3 VPC endpoint will be created. If this variable is set, the region variable must also be set |
bool |
false |
no |
secrets_operator_enabled |
Use to enable the secrets operator which is used for maintaining thanos connection |
bool |
true |
no |
sg_tag_name |
n/a |
string |
"Name" |
no |
sg_tag_value |
n/a |
string |
"*-allow-subnets" |
no |
skip_final_snapshot |
Skip taking a final snapshot before deletion; not recommended to enable |
bool |
false |
no |
snapshot_id |
The ebs snapshot of read-only data to use |
string |
"" |
no |
sqs_sns |
Flag for enabling SQS/SNS |
bool |
true |
no |
ssl_static_secret_name |
secret_name for static ssl certificate |
string |
"indico-ssl-static-cert" |
no |
storage_capacity |
Storage capacity in GiB for RWX FSx |
number |
1200 |
no |
storage_gateway_size |
The size of the storage gateway VM |
string |
"m5.xlarge" |
no |
submission_expiry |
The number of days to retain submissions |
number |
30 |
no |
subnet_az_zones |
Availability zones for the subnets |
list(string) |
n/a |
yes |
terraform_smoketests_enabled |
n/a |
bool |
true |
no |
terraform_vault_mount_path |
n/a |
string |
"terraform" |
no |
thanos_cluster_ca_certificate |
n/a |
string |
"provided from the varset thanos" |
no |
thanos_cluster_host |
n/a |
string |
"provided from the varset thanos" |
no |
thanos_cluster_name |
n/a |
string |
"thanos" |
no |
thanos_enabled |
n/a |
bool |
true |
no |
thanos_grafana_admin_password |
n/a |
string |
"provided from the varset thanos" |
no |
thanos_grafana_admin_username |
n/a |
string |
"provided from the varset devops-tools-cluster" |
no |
uploads_expiry |
The number of days to retain uploads |
number |
30 |
no |
use_acm |
create cluster that will use acm |
bool |
false |
no |
use_nlb |
If true this will create a NLB loadbalancer instead of a classic VPC ELB |
bool |
false |
no |
use_static_ssl_certificates |
use static ssl certificates for clusters which cannot use certmanager and external dns. |
bool |
false |
no |
vault_address |
n/a |
string |
"https://vault.devops.indico.io" |
no |
vault_mount_path |
n/a |
string |
"terraform" |
no |
vault_password |
n/a |
any |
n/a |
yes |
vault_secrets_operator_version |
n/a |
string |
"0.7.0" |
no |
vault_username |
n/a |
any |
n/a |
yes |
vpc_cidr |
The VPC for the entire indico stack |
string |
n/a |
yes |
vpc_flow_logs_iam_role_arn |
The IAM role to use for the flow logs |
string |
"" |
no |
vpc_name |
The VPC name |
string |
"indico_vpc" |
no |