Skip to main content
Complete reference for every input variable exposed by the AWS Terraform modules. Use it while filling in terraform.tfvars for the first time or tuning an existing deployment. Variables come in two categories:
  • Non-sensitive (region, sizing, feature flags): set in infra/terraform.tfvars.
  • Sensitive (license key, passwords, encryption keys): sourced through infra/scripts/setup-env.sh, which writes them to AWS SSM Parameter Store; External Secrets Operator then syncs them into the cluster.
For the end-to-end install, refer to the deploy guide. For how the modules fit together, refer to the architecture reference.

Core

Networking

EKS

PostgreSQL (RDS)

Redis (ElastiCache)

S3

TLS and DNS

Ingress

ClickHouse

Bastion (private cluster)

Security and audit

Sizing and feature flags

sizing_profile and most enable_* flags are read by init-values.sh and deploy.sh; Terraform does not act on them directly. They affect which Helm overlay files the scripts generate. The three standalone flags (enable_fleet, enable_standalone_polly, enable_standalone_insights) are the exception: Terraform reads them to create database-init Jobs and Kubernetes secrets, and enforces plan-time preconditions on the external Postgres and Redis inputs they require.

Sensitive values (set with setup-env.sh)

Sourcing infra/scripts/setup-env.sh writes these to AWS SSM Parameter Store. External Secrets Operator syncs them into the cluster as Kubernetes secrets. These are not declared Terraform variables and have no place in terraform.tfvars; set them only through SSM.