IndicoDataSolutions/tf_cod

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.5 |
| argocd | 6.0.2 |
| aws | 5.68.0 |
| github | 5.34.0 |
| helm | >= 2.15.0 |
| htpasswd | 1.0.4 |
| keycloak | 4.3.1 |
| kubectl | 1.14.0 |
| kubernetes | >= 2.33.0 |
| random | ~>3.5.1 |
| time | 0.9.1 |
| vault | 3.22.0 |

Providers

| Name | Version |
|------|---------|
| argocd | 6.0.2 |
| aws | 5.68.0 |
| aws.aws-indico-devops | 5.68.0 |
| aws.dns-control | 5.68.0 |
| external | 2.3.4 |
| github | 5.34.0 |
| helm | 2.16.1 |
| htpasswd | 1.0.4 |
| kubectl | 1.14.0 |
| kubernetes | 2.33.0 |
| local | 2.5.2 |
| null | 3.2.3 |
| random | 3.5.1 |
| time | 0.9.1 |
| tls | 4.0.6 |
| vault | 3.22.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| argo-registration | app.terraform.io/indico/indico-argo-registration/mod | 1.2.2 |
| cluster | app.terraform.io/indico/indico-aws-eks-cluster/mod | 8.2.3 |
| efs-storage | app.terraform.io/indico/indico-aws-efs/mod | 2.0.0 |
| efs-storage-local-registry | app.terraform.io/indico/indico-aws-efs/mod | 0.0.1 |
| fsx-storage | app.terraform.io/indico/indico-aws-fsx/mod | 2.0.0 |
| harness_delegate | ./modules/harness | n/a |
| k8s_dashboard | ./modules/aws/k8s_dashboard | n/a |
| keycloak | ./modules/aws/keycloak | n/a |
| kms_key | app.terraform.io/indico/indico-aws-kms/mod | 2.1.2 |
| lambda-sns-forwarder | app.terraform.io/indico/indico-lambda-sns-forwarder/mod | 2.0.0 |
| networking | app.terraform.io/indico/indico-aws-network/mod | 2.1.0 |
| public_networking | app.terraform.io/indico/indico-aws-network/mod | 1.2.2 |
| s3-storage | app.terraform.io/indico/indico-aws-buckets/mod | 3.3.1 |
| secrets-operator-setup | ./modules/common/vault-secrets-operator-setup | n/a |
| security-group | app.terraform.io/indico/indico-aws-security-group/mod | 3.0.0 |
| sqs_sns | app.terraform.io/indico/indico-aws-sqs-sns/mod | 1.2.0 |

Resources

| Name | Type |
|------|------|
| argocd_application.ipa | resource |
| aws_acm_certificate.alb | resource |
| aws_acm_certificate_validation.alb | resource |
| aws_efs_access_point.local-registry | resource |
| aws_eks_addon.guardduty | resource |
| aws_key_pair.kp | resource |
| aws_route53_record.alb | resource |
| aws_route53_record.alertmanager-caa | resource |
| aws_route53_record.grafana-caa | resource |
| aws_route53_record.ipa-app-caa | resource |
| aws_route53_record.prometheus-caa | resource |
| aws_security_group.eks_vpc_endpoint_guardduty | resource |
| aws_vpc_endpoint.eks_vpc_guardduty | resource |
| aws_wafv2_web_acl.wafv2-acl | resource |
| github_repository_file.alb-values-yaml | resource |
| github_repository_file.argocd-application-yaml | resource |
| github_repository_file.crds-values-yaml | resource |
| github_repository_file.custom-application-yaml | resource |
| github_repository_file.pre-reqs-values-yaml | resource |
| github_repository_file.smoketest-application-yaml | resource |
| helm_release.external-secrets | resource |
| helm_release.ipa-crds | resource |
| helm_release.ipa-pre-requisites | resource |
| helm_release.ipa-vso | resource |
| helm_release.keda-monitoring | resource |
| helm_release.local-registry | resource |
| helm_release.monitoring | resource |
| helm_release.nfs-provider | resource |
| helm_release.opentelemetry-collector | resource |
| helm_release.terraform-smoketests | resource |
| htpasswd_password.hash | resource |
| kubectl_manifest.gp2-storageclass | resource |
| kubectl_manifest.nfs_server | resource |
| kubectl_manifest.nfs_server_service | resource |
| kubectl_manifest.nfs_volume | resource |
| kubectl_manifest.snapshot-cluster-role | resource |
| kubectl_manifest.snapshot-cluster-role-binding | resource |
| kubectl_manifest.snapshot-service-account | resource |
| kubernetes_cluster_role_binding.cod-role-bindings | resource |
| kubernetes_cluster_role_binding.devops-rbac-bindings | resource |
| kubernetes_cluster_role_binding.eng-qa-rbac-bindings | resource |
| kubernetes_config_map.terraform-variables | resource |
| kubernetes_job.snapshot-restore-job | resource |
| kubernetes_namespace.local-registry | resource |
| kubernetes_persistent_volume.local-registry | resource |
| kubernetes_persistent_volume_claim.local-registry | resource |
| kubernetes_secret.harbor-pull-secret | resource |
| kubernetes_secret.issuer-secret | resource |
| kubernetes_secret.readapi | resource |
| kubernetes_storage_class_v1.local-registry | resource |
| null_resource.enable-oidc | resource |
| null_resource.get_nfs_server_ip | resource |
| null_resource.s3-delete-data-bucket | resource |
| null_resource.s3-delete-data-pgbackup-bucket | resource |
| null_resource.update_storage_class | resource |
| null_resource.wait-for-tf-cod-chart-build | resource |
| random_password.monitoring-password | resource |
| random_password.password | resource |
| random_password.salt | resource |
| time_sleep.wait_1_minutes_after_crds | resource |
| time_sleep.wait_1_minutes_after_pre_reqs | resource |
| tls_private_key.pk | resource |
| aws_caller_identity.current | data source |
| aws_eks_cluster.local | data source |
| aws_eks_cluster.thanos | data source |
| aws_eks_cluster_auth.local | data source |
| aws_eks_cluster_auth.thanos | data source |
| aws_iam_policy_document.eks_vpc_guardduty | data source |
| aws_route53_zone.primary | data source |
| aws_vpc_endpoint_service.guardduty | data source |
| external_external.git_information | data source |
| github_repository.argo-github-repo | data source |
| github_repository_file.data-crds-values | data source |
| github_repository_file.data-pre-reqs-values | data source |
| local_file.nfs_ip | data source |
| vault_kv_secret_v2.account-robot-credentials | data source |
| vault_kv_secret_v2.delegate_secrets | data source |
| vault_kv_secret_v2.harbor-api-token | data source |
| vault_kv_secret_v2.readapi_secret | data source |
| vault_kv_secret_v2.zerossl_data | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| acm_arn | arn of a pre-existing acm certificate | `string` | `""` | no |
| additional_tags | Additional tags to add to each resource | `map(string)` | `null` | no |
| alerting_email_enabled | enable alerts via email | `bool` | `false` | no |
| alerting_email_from | alerting_email_from. | `string` | `"blank"` | no |
| alerting_email_host | alerting_email_host | `string` | `"blank"` | no |
| alerting_email_password | alerting_email_password | `string` | `"blank"` | no |
| alerting_email_to | alerting_email_to | `string` | `"blank"` | no |
| alerting_email_username | alerting_email_username | `string` | `"blank"` | no |
| alerting_enabled | enable alerts | `bool` | `false` | no |
| alerting_pagerduty_enabled | enable alerts via pagerduty | `bool` | `false` | no |
| alerting_pagerduty_integration_key | Secret pagerduty_integration_key. | `string` | `"blank"` | no |
| alerting_slack_channel | Slack channel for sending notifications from alertmanager. | `string` | `"blank"` | no |
| alerting_slack_enabled | enable alerts via slack | `bool` | `false` | no |
| alerting_slack_token | Secret url with embedded token needed for slack webhook delivery. | `string` | `"blank"` | no |
| applications | n/a | `map(object({ name = string, repo = string, chart = string, version = string, values = string, namespace = string, createNamespace = bool, vaultPath = string }))` | `{}` | no |
| argo_branch | Branch to use on argo_repo | `string` | `""` | no |
| argo_enabled | n/a | `bool` | `true` | no |
| argo_github_team_owner | The GitHub Team that has owner-level access to this Argo Project | `string` | `"devops-core-admins"` | no |
| argo_host | n/a | `string` | `"argo.devops.indico.io"` | no |
| argo_namespace | n/a | `string` | `"argo"` | no |
| argo_password | n/a | `string` | `"not used"` | no |
| argo_path | Path within the argo_repo containing yaml | `string` | `"."` | no |
| argo_repo | Argo Github Repository containing the IPA Application | `string` | `""` | no |
| argo_username | n/a | `string` | `"admin"` | no |
| aws_access_key | The AWS access key to use for deployment | `string` | n/a | yes |
| aws_account | The Name of the AWS Account this cluster lives in | `string` | n/a | yes |
| aws_primary_dns_role_arn | The AWS arn for the role needed to manage route53 DNS in a different account. | `string` | `""` | no |
| aws_secret_key | The AWS secret key to use for deployment | `string` | n/a | yes |
| aws_session_token | The AWS session token to use for deployment | `string` | `null` | no |
| az_count | Number of availability zones for nodes | `number` | `2` | no |
| azure_indico_io_client_id | Old provider configuration to remove orphaned readapi resources | `string` | `""` | no |
| azure_indico_io_client_secret | n/a | `string` | `""` | no |
| azure_indico_io_subscription_id | n/a | `string` | `""` | no |
| azure_indico_io_tenant_id | n/a | `string` | `""` | no |
| azure_readapi_client_id | n/a | `string` | `""` | no |
| azure_readapi_client_secret | n/a | `string` | `""` | no |
| azure_readapi_subscription_id | n/a | `string` | `""` | no |
| azure_readapi_tenant_id | n/a | `string` | `""` | no |
| bucket_versioning | Enable bucket object versioning | `bool` | `true` | no |
| cluster_api_endpoint_public | If enabled this allows public access to the cluster api endpoint. | `bool` | `true` | no |
| cluster_name | Name of the EKS cluster | `string` | `"indico-cluster"` | no |
| cluster_node_policies | Additional IAM policies to add to the cluster IAM role | `list(any)` | `["IAMReadOnlyAccess"]` | no |
| crds-values-yaml-b64 | n/a | `string` | `"Cg=="` | no |
| create_guardduty_vpc_endpoint | If true this will create a vpc endpoint for guardduty. | `bool` | `true` | no |
| csi_driver_nfs_version | Version of csi-driver-nfs helm chart | `string` | `"v4.0.9"` | no |
| default_tags | Default tags to add to each resource | `map(string)` | `null` | no |
| deletion_protection_enabled | Enable deletion protection if set to true | `bool` | `true` | no |
| devops_tools_cluster_ca_certificate | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no |
| devops_tools_cluster_host | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no |
| direct_connect | Sets up the direct connect configuration if true; else use public subnets | `bool` | `false` | no |
| dns_zone_name | Name of the dns zone used to control DNS | `string` | `""` | no |
| domain_host | domain host name. | `string` | `""` | no |
| domain_suffix | Domain suffix | `string` | `"indico.io"` | no |
| efs_filesystem_name | The filesystem name of an existing efs instance | `string` | `""` | no |
| efs_type | n/a | `string` | `"create"` | no |
| eks_addon_version_guardduty | enable guardduty | `bool` | `true` | no |
| eks_cluster_iam_role | Name of the IAM role to assign to the EKS cluster; will be created if not supplied | `string` | `null` | no |
| eks_cluster_nodes_iam_role | Name of the IAM role to assign to the EKS cluster nodes; will be created if not supplied | `string` | `null` | no |
| enable_firewall | If enabled this will create firewall and internet gateway | `bool` | `false` | no |
| enable_k8s_dashboard | n/a | `bool` | `true` | no |
| enable_readapi | ReadAPI stuff | `bool` | `true` | no |
| enable_s3_access_logging | If true this will enable access logging on the s3 buckets | `bool` | `true` | no |
| enable_s3_backup | Allow backing up data bucket on s3 | `bool` | `true` | no |
| enable_vpc_flow_logs | If enabled this will create flow logs for the VPC | `bool` | `true` | no |
| enable_waf | enables aws alb controller for app-edge, also creates waf rules. | `bool` | `false` | no |
| enable_weather_station | whether or not to enable the weather station internal metrics collection service | `bool` | `false` | no |
| environment | The environment of the cluster, determines which account readapi to use, options production/development | `string` | `"development"` | no |
| existing_kms_key | Name of kms key if it exists in the account (eg. 'alias/') | `string` | `""` | no |
| external_secrets_version | Version of external-secrets helm chart | `string` | `"0.10.5"` | no |
| firewall_allow_list | n/a | `list(string)` | `[".cognitiveservices.azure.com"]` | no |
| firewall_subnet_cidrs | CIDR ranges for the firewall subnets | `list(string)` | `[]` | no |
| fsx_deployment_type | The deployment type to launch | `string` | `"PERSISTENT_1"` | no |
| fsx_rox_arn | ARN of the ROX FSx Lustre file system | `string` | `null` | no |
| fsx_rox_id | ID of the existing FSx Lustre file system for ROX | `string` | `null` | no |
| fsx_rwx_arn | ARN of the RWX FSx Lustre file system | `string` | `null` | no |
| fsx_rwx_dns_name | DNS name for the RWX FSx Lustre file system | `string` | `null` | no |
| fsx_rwx_id | ID of the existing FSx Lustre file system for RWX | `string` | `null` | no |
| fsx_rwx_mount_name | Mount name for the RWX FSx Lustre file system | `string` | `null` | no |
| fsx_rwx_security_group_ids | Security group IDs for the RWX FSx Lustre file system | `list(string)` | `[]` | no |
| fsx_rwx_subnet_ids | Subnet IDs for the RWX FSx Lustre file system | `list(string)` | `[]` | no |
| fsx_type | n/a | `string` | `"create"` | no |
| git_pat | n/a | `string` | `""` | no |
| harbor_pull_secret_b64 | Harbor pull secret from Vault | `string` | n/a | yes |
| harness_delegate | n/a | `bool` | `false` | no |
| harness_delegate_replicas | n/a | `number` | `1` | no |
| harness_mount_path | n/a | `string` | `"harness"` | no |
| hibernation_enabled | n/a | `bool` | `false` | no |
| image_registry | docker image registry to use for pulling images. | `string` | `"harbor.devops.indico.io"` | no |
| include_efs | Create efs | `bool` | `true` | no |
| include_fsx | Create a fsx file system(s) | `bool` | `false` | no |
| include_pgbackup | Create a read only FSx file system | `bool` | `true` | no |
| include_rox | Create a read only FSx file system | `bool` | `false` | no |
| indico_aws_access_key_id | The AWS access key for controlling dns in an alternate account | `string` | `""` | no |
| indico_aws_secret_access_key | The AWS secret key for controlling dns in an alternate account | `string` | `""` | no |
| indico_aws_session_token | The AWS session token to use for deployment in an alternate account | `string` | `null` | no |
| indico_devops_aws_access_key_id | The Indico-Devops account access key | `string` | `""` | no |
| indico_devops_aws_region | The Indico-Devops devops cluster region | `string` | `""` | no |
| indico_devops_aws_secret_access_key | The Indico-Devops account secret | `string` | `""` | no |
| indico_devops_aws_session_token | Indico-Devops account AWS session token to use for deployment | `string` | `null` | no |
| instance_volume_size | The size of EBS volume to attach to the cluster nodes | `number` | `60` | no |
| instance_volume_type | The type of EBS volume to attach to the cluster nodes | `string` | `"gp2"` | no |
| internal_elb_use_public_subnets | If enabled, this will use public subnets for the internal elb. Otherwise use the private subnets | `bool` | `true` | no |
| ipa_crds_version | n/a | `string` | `"0.2.1"` | no |
| ipa_enabled | n/a | `bool` | `true` | no |
| ipa_pre_reqs_version | n/a | `string` | `"0.4.0"` | no |
| ipa_repo | n/a | `string` | `"https://harbor.devops.indico.io/chartrepo/indico-charts"` | no |
| ipa_smoketest_enabled | n/a | `bool` | `true` | no |
| ipa_smoketest_repo | n/a | `string` | `"https://harbor.devops.indico.io/chartrepo/indico-charts"` | no |
| ipa_smoketest_values | n/a | `string` | `"Cg=="` | no |
| ipa_smoketest_version | n/a | `string` | `"0.1.8"` | no |
| ipa_values | n/a | `string` | `""` | no |
| ipa_version | n/a | `string` | `"0.12.1"` | no |
| is_alternate_account_domain | domain name is controlled by a different aws account | `string` | `"false"` | no |
| is_aws | n/a | `bool` | `true` | no |
| is_azure | n/a | `bool` | `false` | no |
| k8s_version | The EKS version to use | `string` | `"1.31"` | no |
| keda_version | n/a | `string` | `"2.15.2"` | no |
| keycloak_enabled | n/a | `bool` | `true` | no |
| kms_encrypt_secrets | Encrypt EKS secrets with KMS | `bool` | `true` | no |
| label | The unique string to be prepended to resources names | `string` | `"indico"` | no |
| lambda_sns_forwarder_destination_endpoint | destination URL for the lambda sns forwarder | `string` | `""` | no |
| lambda_sns_forwarder_enabled | If enabled a lambda will be provisioned to forward sns messages to an external endpoint. | `bool` | `false` | no |
| lambda_sns_forwarder_function_variables | A map of variables for the lambda_sns_forwarder code to use | `map(any)` | `{}` | no |
| lambda_sns_forwarder_github_branch | The github branch / tag containing the lambda_sns_forwarder code to use | `string` | `"main"` | no |
| lambda_sns_forwarder_github_organization | The github organization containing the lambda_sns_forwarder code to use | `string` | `"IndicoDataSolutions"` | no |
| lambda_sns_forwarder_github_repository | The github repository containing the lambda_sns_forwarder code to use | `string` | `""` | no |
| lambda_sns_forwarder_github_zip_path | Full path to the lambda zip file | `string` | `"zip/lambda.zip"` | no |
| lambda_sns_forwarder_topic_arn | SNS topic to trigger lambda forwarder. | `string` | `""` | no |
| load_vpc_id | This is required if loading a network rather than creating one. | `string` | `""` | no |
| local_registry_enabled | n/a | `bool` | `false` | no |
| local_registry_version | n/a | `string` | `"unused"` | no |
| message | The commit message for updates | `string` | `"Managed by Terraform"` | no |
| monitoring_enabled | n/a | `bool` | `true` | no |
| monitoring_version | n/a | `string` | `"3.0.0"` | no |
| name | Name to use in all cluster resources names | `string` | `"indico"` | no |
| network_allow_public | If enabled this will create public subnets, IGW, and NAT gateway. | `bool` | `true` | no |
| network_module | n/a | `string` | `"networking"` | no |
| network_type | n/a | `string` | `"create"` | no |
| nfs_subdir_external_provisioner_version | Version of nfs_subdir_external_provisioner_version helm chart | `string` | `"4.0.18"` | no |
| node_bootstrap_arguments | Additional arguments when bootstrapping the EKS node. | `string` | `""` | no |
| node_disk_size | The root device size for the worker nodes. | `string` | `"150"` | no |
| node_groups | n/a | `any` | n/a | yes |
| node_user_data | Additional user data used when bootstrapping the EC2 instance. | `string` | `""` | no |
| oidc_client_id | n/a | `string` | `"kube-oidc-proxy"` | no |
| oidc_config_name | n/a | `string` | `"indico-google-ws"` | no |
| oidc_enabled | Enable OIDC Authentication | `bool` | `true` | no |
| oidc_groups_claim | n/a | `string` | `"groups"` | no |
| oidc_groups_prefix | n/a | `string` | `"oidcgroup:"` | no |
| oidc_issuer_url | n/a | `string` | `"https://keycloak.devops.indico.io/auth/realms/GoogleAuth"` | no |
| oidc_username_claim | n/a | `string` | `"sub"` | no |
| oidc_username_prefix | n/a | `string` | `"oidcuser:"` | no |
| on_prem_test | n/a | `bool` | `false` | no |
| opentelemetry_collector_version | n/a | `string` | `"0.108.0"` | no |
| per_unit_storage_throughput | Throughput for each 1 TiB of storage (max 200) for RWX FSx | `number` | `100` | no |
| performance_bucket | Add permission to connect to indico-locust-benchmark-test-results | `bool` | `false` | no |
| pre-reqs-values-yaml-b64 | n/a | `string` | `"Cg=="` | no |
| private_subnet_cidrs | CIDR ranges for the private subnets | `list(string)` | n/a | yes |
| private_subnet_tag_name | n/a | `string` | `"Name"` | no |
| private_subnet_tag_value | n/a | `string` | `"*private*"` | no |
| public_ip | Should the cluster manager have a public IP assigned | `bool` | `true` | no |
| public_subnet_cidrs | CIDR ranges for the public subnets | `list(string)` | n/a | yes |
| public_subnet_tag_name | n/a | `string` | `"Name"` | no |
| public_subnet_tag_value | n/a | `string` | `"*public*"` | no |
| readapi_customer | Name of the customer on whose behalf readapi is being deployed. | `string` | `null` | no |
| region | The AWS region in which to launch the indico stack | `string` | `"us-east-1"` | no |
| restore_snapshot_enabled | Flag for restoring cluster from snapshot | `bool` | `false` | no |
| restore_snapshot_name | Name of snapshot in account's s3 bucket | `string` | `""` | no |
| s3_endpoint_enabled | If set to true, an S3 VPC endpoint will be created. If this variable is set, the region variable must also be set | `bool` | `false` | no |
| secrets_operator_enabled | Use to enable the secrets operator which is used for maintaining thanos connection | `bool` | `true` | no |
| sg_tag_name | n/a | `string` | `"Name"` | no |
| sg_tag_value | n/a | `string` | `"*-allow-subnets"` | no |
| skip_final_snapshot | Skip taking a final snapshot before deletion; not recommended to enable | `bool` | `false` | no |
| snapshot_id | The ebs snapshot of read-only data to use | `string` | `""` | no |
| sqs_sns | Flag for enabling SQS/SNS | `bool` | `true` | no |
| ssl_static_secret_name | secret_name for static ssl certificate | `string` | `"indico-ssl-static-cert"` | no |
| storage_capacity | Storage capacity in GiB for RWX FSx | `number` | `1200` | no |
| storage_gateway_size | The size of the storage gateway VM | `string` | `"m5.xlarge"` | no |
| submission_expiry | The number of days to retain submissions | `number` | `30` | no |
| subnet_az_zones | Availability zones for the subnets | `list(string)` | n/a | yes |
| terraform_smoketests_enabled | n/a | `bool` | `true` | no |
| terraform_vault_mount_path | n/a | `string` | `"terraform"` | no |
| thanos_cluster_ca_certificate | n/a | `string` | `"provided from the varset thanos"` | no |
| thanos_cluster_host | n/a | `string` | `"provided from the varset thanos"` | no |
| thanos_cluster_name | n/a | `string` | `"thanos"` | no |
| thanos_enabled | n/a | `bool` | `true` | no |
| thanos_grafana_admin_password | n/a | `string` | `"provided from the varset thanos"` | no |
| thanos_grafana_admin_username | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no |
| uploads_expiry | The number of days to retain uploads | `number` | `30` | no |
| use_acm | create cluster that will use acm | `bool` | `false` | no |
| use_nlb | If true this will create a NLB loadbalancer instead of a classic VPC ELB | `bool` | `false` | no |
| use_static_ssl_certificates | use static ssl certificates for clusters which cannot use certmanager and external dns. | `bool` | `false` | no |
| vault_address | n/a | `string` | `"https://vault.devops.indico.io"` | no |
| vault_mount_path | n/a | `string` | `"terraform"` | no |
| vault_password | n/a | `any` | n/a | yes |
| vault_secrets_operator_version | n/a | `string` | `"0.7.0"` | no |
| vault_username | n/a | `any` | n/a | yes |
| vpc_cidr | The VPC for the entire indico stack | `string` | n/a | yes |
| vpc_flow_logs_iam_role_arn | The IAM role to use for the flow logs | `string` | `""` | no |
| vpc_name | The VPC name | `string` | `"indico_vpc"` | no |

Outputs

| Name | Description |
|------|-------------|
| acm_arn | arn of the acm |
| api_models_s3_bucket_name | Name of the api-models s3 bucket |
| argo_branch | n/a |
| argo_path | n/a |
| argo_repo | n/a |
| cluster_name | n/a |
| cluster_region | n/a |
| data_s3_bucket_name | Name of the data s3 bucket |
| dns_name | n/a |
| efs_filesystem_id | ID of the EFS filesystem |
| fsx_rox_id | Read only filesystem |
| fsx_rwx_id | Read write filesystem |
| fsx_storage_fsx_rwx_dns_name | n/a |
| fsx_storage_fsx_rwx_mount_name | n/a |
| fsx_storage_fsx_rwx_subnet_id | n/a |
| fsx_storage_fsx_rwx_volume_handle | n/a |
| git_branch | n/a |
| git_sha | n/a |
| harbor-api-token | n/a |
| harness_delegate_name | n/a |
| ipa_version | n/a |
| key_pem | Generated private key for key pair |
| kube_ca_certificate | n/a |
| kube_host | n/a |
| kube_token | n/a |
| local_registry_password | n/a |
| local_registry_username | n/a |
| monitoring-password | n/a |
| monitoring-username | n/a |
| monitoring_enabled | n/a |
| ns | n/a |
| s3_role_id | ID of the S3 role |
| smoketest_chart_version | n/a |
| wafv2_arn | arn of the wafv2 acl |
| zerossl | n/a |

About

Terraform repository for Clusters on Demand (COD)
