Version: 5.9.x

# workflows

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.0 |
| aws | >= 4.58.0, < 6.0.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.58.0, < 6.0.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| alerting | ./alerting | n/a |
| api_crs_configuration | ./utils/configuration_properties | n/a |
| bk | ./bk | n/a |
| cci | ./cci | n/a |
| core | ./core | n/a |
| dashboards | ./alerting/alarms/cloudwatch_dashboards | n/a |
| delivery | ./delivery | n/a |
| gh_api_token_secret | ./utils/aws_secret | n/a |
| gha | ./gha | n/a |
| gl | ./gl | n/a |
| logging | ./logging | n/a |
| monitoring | ./monitoring | n/a |
| remote_cache | ./remote | n/a |
| remote_cache_external | ./remote | n/a |
| warming | ./warming | n/a |

## Resources

| Name | Type |
|------|------|
| aws_caller_identity.default | data source |
| aws_ecr_authorization_token.token | data source |
| aws_region.default | data source |

## Inputs

### account_id

Account ID of the AWS Account where CloudWatch alarms reside

Type: `string` | Default: `null` | Required: no

### aspect_artifacts_bucket

S3 bucket where Aspect delivers workflows assets

Type: `string` | Default: `"aspect-artifacts"` | Required: no

### bk_runner_groups

Mapping of Buildkite runner group name to settings for that runner group

Type:

```hcl
map(object({
  # Common settings for all CI hosts
  agent_idle_timeout_min    = number
  max_runners               = number
  min_runners               = optional(number, 0)
  policy_documents          = optional(map(object({ json : string })), {})
  policies                  = optional(map(string), {})
  queue                     = string
  resource_type             = string
  scale_out_factor          = optional(number, 1)
  scaling_polling_frequency = optional(number, 1)
  reaper_sleep_minutes      = optional(number, 1)
  security_groups           = optional(map(string), {})
  warming                   = optional(bool, false)
  warming_set               = optional(string, "default")
  exclude_oncall_alerts     = optional(list(string), [])

  # Settings specific to Buildkite
  git_clone_depth = optional(number, 0)
}))
```

Default: `{}` | Required: no

### cci_runner_groups

Mapping of CircleCI runner group name to settings for that runner group

Type:

```hcl
map(object({
  # Common settings for all CI hosts
  agent_idle_timeout_min    = number
  max_runners               = number
  min_runners               = optional(number, 0)
  policy_documents          = optional(map(object({ json : string })), {})
  policies                  = optional(map(string), {})
  resource_type             = string
  scale_out_factor          = optional(number, 1)
  scaling_polling_frequency = optional(number, 1)
  reaper_sleep_minutes      = optional(number, 1)
  security_groups           = optional(map(string), {})
  warming                   = optional(bool, false)
  warming_set               = optional(string, "default")
  exclude_oncall_alerts     = optional(list(string), [])

  # Settings specific to CircleCI
  circleci_api_url        = optional(string, "https://circleci.com")
  circleci_runner_api_url = optional(string, "https://runner.circleci.com")
  job_max_run_time_min    = optional(number, 360)
}))
```

Default: `{}` | Required: no

### cost_allocation_tag

The tag name used for cost tagging

Type: `string` | Default: `"CreatedBy"` | Required: no

### cost_allocation_tag_value

The value of the cost tag

Type: `string` | Default: `null` | Required: no

### create_security_groups

Whether to create security groups automatically for all resources.

Type: `bool` | Default: `true` | Required: no

### create_vpc_endpoints

Whether to create VPC endpoints automatically.

Type: `bool` | Default: `true` | Required: no

### customer_id

Name of the deployment

Type: `string` | Default: n/a | Required: yes

### default_cli_version

The version of the Aspect CLI to fall back to when using an unstamped development Workflows version

Type: `string` | Default: `"5.9.0"` | Required: no

### delivery_enabled

If delivery infrastructure is enabled for Aspect Workflows

Type: `bool` | Default: `true` | Required: no

### experiments

A map of experiment name (as given by Aspect) to its enabled status

Type: `map(bool)` | Default: `{}` | Required: no

### external_remote

Configuration for the externalized Bazel remote endpoint (cache and execution), specifically the ALB.

Type:

```hcl
object({
  public_hosted_zone_id = optional(string, null)
  image_id              = optional(string, null)
  storage_instance_type = optional(string, "i4i.large")
  # Number of shards for the remote cache storage service
  cache_shards = optional(number, 3)
  frontend = optional(object({
    cpu         = optional(number, 1024)
    memory      = optional(number, 2048)
    max_scaling = optional(number, 20)
    min_scaling = optional(number, 1)
  }), {
    cpu         = 1024
    memory      = 2048
    max_scaling = 20
    min_scaling = 1
  })
  remote_execution = optional(map(object({
    platform    = optional(string)
    image       = string
    min_scaling = optional(number)
    max_scaling = optional(number)
    ec2 = optional(object({
      instance_type  = optional(string)
      instance_image = optional(string)
    }))
    ecs = optional(object({
      cpu    = optional(number, 1024)
      memory = optional(number, 2048)
    }))
    additional_platform_properties = optional(map(string), {})
  })), null)
})
```

Default: `null` | Required: no

### gha_runner_groups

Mapping of GitHub Actions runner group name to settings for that runner group

Type:

```hcl
map(object({
  # Common settings for all CI hosts
  agent_idle_timeout_min    = number
  max_runners               = number
  min_runners               = optional(number, 0)
  policy_documents          = optional(map(object({ json : string })), {})
  policies                  = optional(map(string), {})
  queue                     = string
  resource_type             = string
  scale_out_factor          = optional(number, 1)
  scaling_polling_frequency = optional(number, 1)
  reaper_sleep_minutes      = optional(number, 1)
  security_groups           = optional(map(string), {})
  warming                   = optional(bool, false)
  warming_set               = optional(string, "default")
  exclude_oncall_alerts     = optional(list(string), [])

  # Settings specific to GitHub Actions
  gh_repo          = string
  gha_workflow_ids = optional(list(string), [])
}))
```

Default: `{}` | Required: no

### gl_runner_groups

Mapping of GitLab runner group name to settings for that runner group

Type:

```hcl
map(object({
  # Common settings for all CI hosts
  agent_idle_timeout_min    = number
  max_runners               = number
  min_runners               = optional(number, 0)
  policy_documents          = optional(map(object({ json : string })), {})
  policies                  = optional(map(string), {})
  queue                     = string
  resource_type             = string
  scale_out_factor          = optional(number, 1)
  scaling_polling_frequency = optional(number, 1)
  reaper_sleep_minutes      = optional(number, 1)
  security_groups           = optional(map(string), {})
  warming                   = optional(bool, false)
  warming_set               = optional(string, "default")
  exclude_oncall_alerts     = optional(list(string), [])

  # Settings specific to GitLab
  gitlab_url = optional(string, "https://gitlab.com")
  project_id = string
}))
```

Default: `{}` | Required: no

### hosts

CI host configuration options

Type: `list(string)` | Default: n/a | Required: yes

### partition

The partition to configure services in, if not commercial

Type: `string` | Default: `null` | Required: no

### product_version

Product version info. Internal use only.

Type: `string` | Default: `"0.0.0-PLACEHOLDER"` | Required: no

### region

The default region to set up services in

Type: `string` | Default: `null` | Required: no

### remote

Configuration for the Bazel remote endpoint (cache and execution), specifically the ALB.

Type:

```hcl
object({
  image_id              = optional(string, null)
  storage_instance_type = optional(string, "i4i.large")
  # Number of shards for the remote cache storage service
  cache_shards = optional(number, 3)
  frontend = optional(object({
    cpu         = optional(number, 1024)
    memory      = optional(number, 2048)
    max_scaling = optional(number, 20)
    min_scaling = optional(number, 1)
  }), {
    cpu         = 1024
    memory      = 2048
    max_scaling = 20
    min_scaling = 1
  })
  remote_execution = optional(map(object({
    platform    = optional(string)
    image       = string
    min_scaling = optional(number)
    max_scaling = optional(number)
    ec2 = optional(object({
      instance_type  = optional(string)
      instance_image = optional(string)
    }))
    ecs = optional(object({
      cpu    = optional(number, 1024)
      memory = optional(number, 2048)
    }))
    additional_platform_properties = optional(map(string), {})
  })), null)
})
```

Default: n/a | Required: yes

### repository_urls

The repository URLs for the Docker images used by this module. Meant to be used in concert with the ecr_images submodule.

Type: `map(string)`

Default:

```json
{
  "adot_exporter": "public.ecr.aws/aws-observability/aws-otel-collector",
  "bash": "public.ecr.aws/docker/library/bash",
  "bb_runner_installer": "ghcr.io/buildbarn/bb-runner-installer:20240126T140954Z-fe4cf5d",
  "bb_scheduler": "ghcr.io/buildbarn/bb-scheduler:20240202T053333Z-9a1e01f",
  "bb_storage": "ghcr.io/buildbarn/bb-storage:20231111T202247Z-ece87ab",
  "bb_worker": "ghcr.io/buildbarn/bb-worker:20240126T140954Z-fe4cf5d",
  "busybox": "public.ecr.aws/docker/library/busybox",
  "curl_jq": "registry.gitlab.com/gitlab-ci-utils/curl-jq:2.0.0"
}
```

Required: no

### resource_types

Mapping of resource type name to settings for that type

Type:

```hcl
map(object({
  # The ID of the AMI to use for this resource
  image_id = string

  # A list of instance types that are acceptable in the ASG
  instance_types = list(string)

  # The size of the root EBS volume in GB
  root_volume_size_gb = optional(number, 64)

  # Tags to apply to this resource
  tags = optional(map(string), {})

  # Defines if spot instances should be used for this resource
  use_spot = optional(bool, false)

  # When using spot instances, allows further customization over the spot vs on-demand allocation
  instance_policy = optional(object({
    on_demand_base_capacity                  = optional(number, 0)
    on_demand_percentage_above_base_capacity = optional(number, 0)
    spot_allocation_strategy                 = optional(string, "price-capacity-optimized")
    spot_max_price                           = optional(string, "")
    spot_instance_pools                      = optional(number, 2)
  }), {})
}))
```

Default: `{}` | Required: no

### security_group_ids

Optional security group ID substitutions for Workflows resources.

Type: `map(any)` | Default: `{}` | Required: no

### support

Set of properties that allow Aspect to provide oncall support for Workflows

Type:

```hcl
object({
  # Integration key for PagerDuty, provided by Aspect.
  pagerduty_integration_key = string

  # Role ARN that allows support level access for Aspect.
  support_role_name = optional(string, null)

  # Role ARN that allows extended support access for Aspect.
  # This role will have write access to various areas of Workflows infrastructure,
  # however it can only be assumed by a subset of Aspect oncall engineers.
  operator_role_name = optional(string, null)

  # Add policies that allow access to CI infrastructure instances via SSM
  enable_ssm_access = optional(bool, false)
})
```

Default: n/a | Required: yes

### vpc_id

ID of the VPC in which to deploy

Type: `string` | Default: n/a | Required: yes

### vpc_subnets

List of subnet IDs to use for VM infrastructure

Type: `list(string)` | Default: n/a | Required: yes

### vpc_subnets_public

List of subnet IDs to use for public-facing VM infrastructure

Type: `list(string)` | Default: `[]` | Required: no

### warming_sets

Mapping of warming set to settings for that set

Type: `map(object({}))` | Default: `{}` | Required: no
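The following is an added example of a root-module invocation assembled from the inputs documented above; it is not taken from the Aspect Workflows documentation or module source. The module `source` path, the `hosts` value `"gha"`, and every AMI, VPC, subnet and repository identifier are placeholders (the accepted `hosts` values are not listed on this page). It supplies only the required inputs (`customer_id`, `hosts`, `remote`, `support`, `vpc_id`, `vpc_subnets`) plus one runner group, and leaves the access-related optionals at their least-privileged defaults: `policies`/`policy_documents` empty, `vpc_subnets_public` empty, `operator_role_name` unset and `enable_ssm_access` false.

```hcl
# Added example, not part of the Aspect Workflows docs or module source.
# All concrete values are placeholders.

variable "pagerduty_integration_key" {
  description = "Integration key provided by Aspect; pass via TF_VAR_* or a secrets backend"
  type        = string
  sensitive   = true
}

module "workflows" {
  source = "./path/to/workflows" # ASSUMPTION: placeholder for the pinned module source

  customer_id = "example-deployment" # placeholder

  # Network placement: private subnets only. vpc_subnets_public keeps its
  # default of [], so no public-facing VM infrastructure is created.
  vpc_id      = "vpc-0123456789abcdef0"                                 # placeholder
  vpc_subnets = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # placeholders

  hosts = ["gha"] # ASSUMPTION: valid host names are not enumerated on this page

  # One instance type profile, referenced by name from the runner group below.
  resource_types = {
    "small" = {
      image_id       = "ami-0123456789abcdef0" # placeholder AMI
      instance_types = ["m6i.large"]
      use_spot       = false # default; spot allocation settings not needed
    }
  }

  gha_runner_groups = {
    "default" = {
      agent_idle_timeout_min = 10
      max_runners            = 5
      queue                  = "default"
      resource_type          = "small"
      gh_repo                = "example-org/example-repo" # placeholder
      # Runner IAM permissions are opt-in: policies and policy_documents
      # default to {}, so the runners get nothing beyond what is attached here.
      policies = {}
    }
  }

  # Every attribute of `remote` is optional; {} takes the documented defaults
  # (i4i.large storage, 3 cache shards, 1-20 frontend tasks, no remote execution).
  remote = {}

  support = {
    pagerduty_integration_key = var.pagerduty_integration_key
    support_role_name         = null  # read-level support access not delegated
    operator_role_name        = null  # write-access operator role left unset
    enable_ssm_access         = false # default; stated explicitly for review
  }

  # Let the module manage security groups and VPC endpoints (both default to true).
  create_security_groups = true
  create_vpc_endpoints   = true
}
```

Because `pagerduty_integration_key` is a `string` in the `support` object, declaring it as a `sensitive` variable keeps it out of plan output; the `output` values such as `license_secret_id` and the per-runner secret IDs refer to secrets the module creates, not to values you pass in.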

## Outputs

| Name | Description |
|------|-------------|
| alarms_sns_topic_arn | SNS topic ARN that provides notifications of all Workflows alarms |
| bk_agent_token_secret_ids | Mapping of BuildKite runner name to BuildKite agent token secret ID |
| bk_api_token_secret_ids | Mapping of BuildKite runner name to BuildKite API token secret ID |
| bk_git_ssh_key_secret_ids | Mapping of BuildKite runner name to SSH key secret ID |
| buildkite_agent_hooks_buckets | Name of the bucket for storing custom Buildkite agent hooks |
| cost_allocation_tag | Name of the cost allocation tag to use |
| cost_allocation_tag_value | The value of the cost allocation tag |
| external_remote_cache_endpoint | The endpoint of the Internet-facing remote cache, if enabled. |
| gha_lambda_webhook_secret_ids | Mapping of GitHub Actions runner name and repo key to the IDs of the secrets containing the webhook token that the scaling lambda will use to verify the event came from GitHub |
| gha_secret_ids | Mapping of GitHub Actions runner name and repo key to secret ID |
| github_token_secret_id | Secret ID for a GitHub token used for making read-only calls to GitHub during a build |
| gl_secret_ids | Mapping of GitLab runner name and repo key to secret ID |
| internal_remote_cache_certificate | The CA certificate for the VPC-facing remote cache. |
| internal_remote_cache_endpoint | The endpoint of the VPC-facing remote cache. |
| license_secret_id | Secret ID for the Aspect Workflows license key |
| managed_prometheus_endpoint | The endpoint of the Amazon Managed Prometheus (AMP) workspace |
| runner_secret_ids | Mapping of CircleCI runner name to secret ID |
| security_group_rules | Security group rules for the Workflows module |
| warming_management_policies | n/a |