account_id | Account ID of the AWS Account where CloudWatch alarms reside | string | null | no |
aspect_artifacts_bucket | S3 bucket where Aspect delivers workflows assets | string | "aspect-artifacts" | no |
bk_runner_groups | Mapping of Buildkite runner group name to settings for that runner group | map(object({ # Common settings for all CI hosts agent_idle_timeout_min = number max_runners = number min_runners = optional(number, 0) min_free_runners = optional(number, 0) policy_documents = optional(map(object({ json : string })), {}) policies = optional(map(string), {}) queue = string resource_type = string scale_out_factor = optional(number, 1) scaling_polling_frequency = optional(number, 1) reaper_sleep_minutes = optional(number, 1) security_groups = optional(map(string), {}) warming = optional(bool, false) warming_set = optional(string, "default") exclude_oncall_alerts = optional(list(string), []) tags = optional(map(string), {}) build_logs_bucket = optional(string, "BUCKET_PLACEHOLDER") }))
| {} | no |
cci_runner_groups | Mapping of CircleCI runner group name to settings for that runner group | map(object({ # Common settings for all CI hosts agent_idle_timeout_min = number max_runners = number min_runners = optional(number, 0) min_free_runners = optional(number, 0) policy_documents = optional(map(object({ json : string })), {}) policies = optional(map(string), {}) resource_type = string scale_out_factor = optional(number, 1) scaling_polling_frequency = optional(number, 1) reaper_sleep_minutes = optional(number, 1) security_groups = optional(map(string), {}) warming = optional(bool, false) warming_set = optional(string, "default") exclude_oncall_alerts = optional(list(string), []) tags = optional(map(string), {})
# Settings specific to CircleCI circleci_api_url = optional(string, "https://circleci.com") circleci_runner_api_url = optional(string, "https://runner.circleci.com") job_max_run_time_min = optional(number, 360) }))
| {} | no |
cost_allocation_tag | (deprecated) The tag name used for cost tagging | string | "CreatedBy" | no |
cost_allocation_tag_value | (deprecated) The value of the cost tag | string | null | no |
create_security_groups | Whether to create security groups automatically for all resources. | bool | true | no |
create_vpc_endpoints | Whether to create VPC endpoints automatically. | bool | true | no |
customer_id | Unique, human-readable customer identifier provided by Aspect | string | n/a | yes |
default_cli_version | The version of the Aspect CLI to fall back to when using an unstamped development Workflows version | string | "5.10.11" | no |
delivery_enabled | If delivery infrastructure is enabled for Aspect Workflows | bool | true | no |
experiments | A map of experiment name (as given by Aspect) to its enabled status | map(bool) | {} | no |
external_remote | Configuration for the externalized Bazel remote endpoint (cache and execution), specifically the ALB. | object({ debug_tools = optional(bool, false) public_hosted_zone_id = optional(string, null) public_hosted_zone_name = optional(string, null) image_id = optional(string, null) storage_instance_type = optional(string, null) # Number of shards for the remote cache storage service cache_shards = optional(number, 3) frontend = optional(object({ cpu = optional(number, 1024) memory = optional(number, 2048) max_scaling = optional(number, 20) min_scaling = optional(number, 1) }), { cpu = 1024 memory = 2048 max_scaling = 20 min_scaling = 1 }) oidc = optional(object({ issuer = string auth_endpoint = string token_endpoint = string user_info_endpoint = string client_id = string client_secret = string session_timeout_seconds = optional(number, null) }), null) remote_execution = optional(map(object({ platform = optional(string) image = string min_scaling = optional(number) max_scaling = optional(number) isolated_actions = optional(bool) network = optional(bool) max_concurrency = optional(number) ec2 = optional(object({ instance_type = optional(string) instance_image = optional(string) docker_group = optional(string) })) ecs = optional(object({ architecture = optional(string) cpu = optional(number, 1024) memory = optional(number, 2048) })) docker_user = optional(string, null) additional_platform_properties = optional(map(string), {}) })), null) })
| null | no |
gha_runner_groups | Mapping of GitHub Actions runner group name to settings for that runner group | map(object({ # Common settings for all CI hosts agent_idle_timeout_min = number max_runners = number min_runners = optional(number, 0) min_free_runners = optional(number, 0) policy_documents = optional(map(object({ json : string })), {}) policies = optional(map(string), {}) queue = string resource_type = string scale_out_factor = optional(number, 1) scaling_polling_frequency = optional(number, 1) reaper_sleep_minutes = optional(number, 1) security_groups = optional(map(string), {}) warming = optional(bool, false) warming_set = optional(string, "default") exclude_oncall_alerts = optional(list(string), []) tags = optional(map(string), {})
# Settings specific to GitHub Actions gh_repo = string gha_workflow_ids = optional(list(string), []) }))
| {} | no |
gl_runner_groups | Mapping of GitLab runner group name to settings for that runner group | map(object({ # Common settings for all CI hosts agent_idle_timeout_min = number max_runners = number min_runners = optional(number, 0) min_free_runners = optional(number, 0) policy_documents = optional(map(object({ json : string })), {}) policies = optional(map(string), {}) queue = string resource_type = string scale_out_factor = optional(number, 1) scaling_polling_frequency = optional(number, 1) reaper_sleep_minutes = optional(number, 1) security_groups = optional(map(string), {}) warming = optional(bool, false) warming_set = optional(string, "default") exclude_oncall_alerts = optional(list(string), []) tags = optional(map(string), {})
# Settings specific to GitLab gitlab_url = optional(string, "https://gitlab.com") project_id = string }))
| {} | no |
hosts | CI host configuration options | list(string) | n/a | yes |
partition | The partition to configure services in, if not commercial | string | null | no |
product_version | Product version info. Internal use only. | string | "0.0.0-PLACEHOLDER" | no |
region | The default region to set up services in | string | null | no |
remote | Configuration for the Bazel remote endpoint (cache and execution), specifically the ALB. | object({ debug_tools = optional(bool, false) image_id = optional(string, null) storage_instance_type = optional(string, null) # Number of shards for the remote cache storage service cache_shards = optional(number, 3) frontend = optional(object({ cpu = optional(number, 1024) memory = optional(number, 2048) max_scaling = optional(number, 20) min_scaling = optional(number, 1) }), { cpu = 1024 memory = 2048 max_scaling = 20 min_scaling = 1 }) remote_execution = optional(map(object({ platform = optional(string) image = string min_scaling = optional(number) max_scaling = optional(number) isolated_actions = optional(bool) network = optional(bool) max_concurrency = optional(number) ec2 = optional(object({ instance_type = optional(string) instance_image = optional(string) docker_group = optional(string) })) ecs = optional(object({ architecture = optional(string) cpu = optional(number, 1024) memory = optional(number, 2048) })) docker_user = optional(string, null) additional_platform_properties = optional(map(string), {}) })), null) })
| n/a | yes |
repository_urls | The repository URLs for the Docker images used by this module. Meant to be used in concert with the ecr_images submodule. | map(string) | { "adot_exporter": "public.ecr.aws/aws-observability/aws-otel-collector", "alert_manager": "quay.io/prometheus/alertmanager:v0.27.0", "aws_cli": "public.ecr.aws/aws-cli/aws-cli", "bash": "public.ecr.aws/docker/library/bash", "bb_browser": "ghcr.io/buildbarn/bb-browser:20240613T055327Z-f0fbe96", "bb_runner_installer": "ghcr.io/buildbarn/bb-runner-installer:20240327T120038Z-7bcf9b5", "bb_scheduler": "ghcr.io/buildbarn/bb-scheduler:20240327T120038Z-7bcf9b5", "bb_storage": "ghcr.io/buildbarn/bb-storage:20240326T045855Z-53c1252", "bb_worker": "ghcr.io/buildbarn/bb-worker:20240327T120038Z-7bcf9b5", "busybox": "public.ecr.aws/docker/library/busybox", "curl_jq": "registry.gitlab.com/gitlab-ci-utils/curl-jq:3.0.0", "otel_collector_contrib": "otel/opentelemetry-collector-contrib:0.102.0", "prometheus": "quay.io/prometheus/prometheus:v2.52.0" }
| no |
resource_types | Mapping of resource type name to settings for that type | map(object({ # The ID of the AMI to use for this resource image_id = string
# A list of instance types that are acceptable in the ASG instance_types = list(string)
# The size of the root EBS volume in GB root_volume_size_gb = optional(number, 64)
# Tags to apply to this resource tags = optional(map(string), {})
# Defines if spot instances should be used for this resource use_spot = optional(bool, false)
# When using spot instances, allows further customization over the spot vs on-demand allocation instance_policy = optional(object({ on_demand_base_capacity = optional(number, 0) on_demand_percentage_above_base_capacity = optional(number, 0) spot_allocation_strategy = optional(string, "price-capacity-optimized") spot_max_price = optional(string, "") spot_instance_pools = optional(number, 2) }), {}) }))
| {} | no |
security_group_ids | Optional security group ID substitutions for Workflows resources. | map(any) | {} | no |
support | Set of properties that allow Aspect to provide oncall support for Workflows | object({ # Integration key for PagerDuty, provided by Aspect. # Deprecated, set alert_aspect to determine if alerts are sent to Aspect. pagerduty_integration_key = optional(string)
# If true, alerts generated by Workflows will be reported back to Aspect. # Depending on the severity of the alert, this may result in an oncall # engineer being paged depending on the level of support included with this # Workflows install. alert_aspect = optional(bool, true)
# A set of secret IDs that can be overridden if required. secrets = optional(object({ # Override the secret ID used for fetching the PagerDuty routing key from Aspect's AWS account. aspect_pagerduty_routing_key_id = optional(string, "arn:aws:secretsmanager:us-east-2:533267407361:secret:workflows_support_pagerduty_routing_key20240717143706240900000003-tke6cM")
# Override the secret ID used for fetching the Slack token from Aspect's AWS account. aspect_slack_token_secret_id = optional(string, "arn:aws:secretsmanager:us-east-2:533267407361:secret:workflows_support_alertmanager_slack_webhook_url20240717143706240800000001-diY2pK")
# Override the KMS ID used to decrypt the support secrets from Aspect. aspect_support_secret_kms_id = optional(string, "arn:aws:kms:us-east-2:533267407361:key/6f3b4abf-edde-45ec-91f4-0738bb30633d") }), {})
# Role ARN that allows support level access for Aspect. support_role_name = optional(string, null)
# Role ARN that allows extended support access for Aspect. # This role will have write access to various areas of Workflows infrastructure, # however it can only be assumed by a subset of Aspect oncall engineers. operator_role_name = optional(string, null)
# Add policies that allow access to CI infrastructure instances via SSM enable_ssm_access = optional(bool, false) })
| n/a | yes |
tags | Tags to add to every resource Aspect Workflows creates | map(string) | {} | no |
telemetry | Configuration options for Workflows telemetry | object({ # Configuration for where Workflows telemetry data gets exported destinations = optional(object({ # Which exporters to set up. honeycomb = optional(object({ # Honeycomb dataset to set for exports to this destination. dataset = optional(string) # Honeycomb Team secret reference, used for authentication. team_secret = object({ id = string arn = string }) })) datadog = optional(object({ # Datadog agent ingest site. site = string # Datadog API key secret reference, used for authentication. key_secret = object({ id = string arn = string }) })) generic_otlp = optional(object({ # Endpoint where to export telemetry to. endpoint = string })) }), {}) })
| {} | no |
vpc_id | ID of the VPC in which to deploy | string | n/a | yes |
vpc_subnets | List of subnet IDs to use for VM infrastructure | list(string) | n/a | yes |
vpc_subnets_public | List of subnet IDs to use for public facing VM infrastructure | list(string) | [] | no |
warming_sets | Mapping of warming set to settings for that set | map(object({})) | {} | no |