terraform.tfvars for the first time or tuning an existing deployment.
Variables come in two categories:
- Non-sensitive (region, sizing, feature flags): set in
infra/terraform.tfvars. - Sensitive (license key, passwords, encryption keys): sourced through
infra/scripts/setup-env.sh, which writes them to AWS SSM Parameter Store; External Secrets Operator then syncs them into the cluster.
Core
Networking
EKS
PostgreSQL (RDS)
Redis (ElastiCache)
S3
TLS and DNS
Ingress
ClickHouse
Bastion (private cluster)
Security and audit
Sizing and feature flags
sizing_profile and most enable_* flags are read by init-values.sh and deploy.sh; Terraform does not act on them directly. They affect which Helm overlay files the scripts generate. The three standalone flags (enable_fleet, enable_standalone_polly, enable_standalone_insights) are the exception: Terraform reads them to create database-init Jobs and Kubernetes secrets, and enforces plan-time preconditions on the external Postgres and Redis inputs they require.
Sensitive values (set with setup-env.sh)
Sourcing infra/scripts/setup-env.sh writes these to AWS SSM Parameter Store. External Secrets Operator syncs them into the cluster as Kubernetes secrets. These are not declared Terraform variables and have no place in terraform.tfvars; set them only through SSM.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

