Skip to content

anyscale/terraform-aws-anyscale-cloudfoundation-modules

Repository files navigation

Build Status Terraform Version AWS Provider Version

Terraform Modules for Anyscale Cloud Foundations on AWS

Terraform modules to manage cloud infrastructure for Anyscale. This builds the foundational cloud resources needed to run Anyscale in a cloud environment. This module and sub-modules support AWS Cloud.

THIS IS PROVIDED AS A STARTING POINT

USE AT YOUR OWN RISK

AWS Cloud Resources

For deploying Anyscale on AWS, the minimum required resources are detailed in the Anyscale AWS Deployment Guide. This can be used to build the resources to support Customer Defined Networking Clouds (diagrammed below) as well as a Direct Networking clouds.

Customer Defined Networking

To streamline long-term management and to enable customization, we've modularized the resources into the following Terraform sub-modules:

  • aws-anyscale-vpc - Creates a basic (opinionated) VPC for Anyscale.
  • aws-anyscale-securitygroups - Configures security groups essential for Anyscale clusters and EFS storage.
  • aws-anyscale-s3 - Creates an S3 bucket to store logs and shared resources.
  • aws-anyscale-s3-policy - Impliments an S3 bucket policy, integrating seamlessly with the aws-anyscale-iam module for comprehensive access control.
  • aws-anyscale-iam - Builds IAM roles and policies for secure cross-account access from the Anyscale control plane and EC2 instances.
  • aws-anyscale-efs - Deploys EFS storage solutions supporting Anyscale Clusters.
  • aws-anyscale-memorydb - (Optional) Sets up MemoryDB for Anyscale Services Redis Cache.

Customization

These modules are designed with best practices in mind, ensuring a secure, efficient, and scalable Anyscale deployment on AWS.Each module is standalone, allowing you the flexibility to disable any you don't need. This is handy if you're looking to incorporate custom solutions for specific resources.

If you choose to disable a module, the responsibility to create and manage that resource shifts to you. This flexibility is ideal if you have existing network setups (e.g., VPCs), or need tailored configurations for S3, IAM, EFS, or other services. The Anyscale Terraform Modules are particularly useful for integrating Anyscale components with pre-existing infrastructure, ensuring a smooth blend between what you already have and what you need.

Examples

The examples folder has a couple common use cases that have been tested. These include:

Additional examples can be requested via an issues ticket.

Specific Module Notes

IAM sub-module - Cloudwatch Logs Policy

By default, we do not create the IAM policies for enabling Cloudwatch logging. This can be enabled by setting the variable create_cluster_node_cloudwatch_policy to true.

ex:

create_cluster_node_cloudwatch_policy = true

To scope down permissions for this even further, make sure to provide the Anyscale Cloud ID and the Anyscale Org ID parameters. Full ex:

create_cluster_node_cloudwatch_policy = true
anyscale_cloud_id   = "cld_1234567890abcdefg"
anyscale_org_id     = "org_1234567890abcdefg"

MemoryDB sub-module

The aws-anyscale-memorydb sub-module is used to create a Redis cache that can be used with Anyscale Services to provide head node fault tolerance. This module is disabled by default.

To enable this sub-module, pass the following in to the root module:

create_memorydb_resources = true

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Known Issues/Untested

Requirements

Name Version
terraform >= 1.0
aws ~> 5.0
random ~> 3.0

Providers

Name Version
random 3.6.0

Modules

Name Source Version
aws_anyscale_efs ./modules/aws-anyscale-efs n/a
aws_anyscale_iam ./modules/aws-anyscale-iam n/a
aws_anyscale_memorydb ./modules/aws-anyscale-memorydb n/a
aws_anyscale_s3 ./modules/aws-anyscale-s3 n/a
aws_anyscale_s3_policy ./modules/aws-anyscale-s3-policy n/a
aws_anyscale_securitygroup_self ./modules/aws-anyscale-securitygroups n/a
aws_anyscale_vpc ./modules/aws-anyscale-vpc n/a

Resources

Name Type
random_id.common_name resource

Inputs

Name Description Type Default Required
security_group_ingress_allow_access_from_cidr_range (Required) Comma delimited string of IPv4 CIDR range to allow access to anyscale resources.
This should be the list of CIDR ranges that have access to the clusters. Public or private IPs are supported.
This is added to the security group and allows port 443 (https) and 22 (ssh) access.

While not recommended, you can set this to 0.0.0.0/0 to allow access from anywhere.
ex:
security_group_ingress_allow_access_from_cidr_range = "10.0.1.0/24,24.1.24.24/32"
string n/a yes
anyscale_access_role_description (Optional) The IAM role description for the Anysclae IAM access role.

This role is used for cross account access from the Anyscale Controlplane to an AWS account and allows access to manage AWS resources.

ex:
anyscale_access_role_description = "Anyscale cross account access role"
string "Anyscale access role" no
anyscale_access_role_trusted_role_arns (Optional) Access Role Trusted Role ARNs.

A list of ARNs of IAM roles that are allowed to assume the Anyscale IAM access role.
Default is an empty list and the default in the aws-anyscale-iam sub-module is used.
This variable should not be used unless directed by Anyscale.
list(string) [] no
anyscale_access_servicesv2_policy_description (Optional) Anyscale servicesv2 IAM policy description.

ex:
anyscale_access_servicesv2_policy_description = "Anyscale Services v2 IAM Policy which is used by the Anyscale IAM Access Role"
string "Anyscale Services v2 IAM Policy which is used by the Anyscale IAM Access Role" no
anyscale_access_servicesv2_policy_name (Optional) Name for the Anyscale default servicesv2 IAM policy.

If left null, will default to anyscale_access_servicesv2_policy_prefix or general_prefix.
If provided, overrides the anyscale_access_servicesv2_policy_prefix variable.

ex:
anyscale_access_servicesv2_policy_name = "anyscale-servicesv2-policy"
string null no
anyscale_access_servicesv2_policy_prefix (Optional) Name prefix for the Anyscale default servicesv2 IAM policy.

If anyscale_access_servicesv2_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-servicesv2- in a local variable.

ex:
anyscale_access_servicesv2_policy_prefix = "anyscale-servicesv2-policy-"
string null no
anyscale_access_steadystate_policy_description (Optional) Anyscale steady state IAM policy description.

ex:
anyscale_access_steadystate_policy_description = "Anyscale Steady State IAM Policy which is used by the Anyscale IAM Access Role"
string "Anyscale Steady State IAM Policy which is used by the Anyscale IAM Access Role" no
anyscale_access_steadystate_policy_name (Optional) Name for the Anyscale default steady state IAM policy.

If left null, will default to anyscale_access_steadystate_policy_prefix or general_prefix.
If provided, overrides the anyscale_access_steadystate_policy_prefix variable.

ex:
anyscale_access_steadystate_policy_name = "anyscale-steadystate-policy"
string null no
anyscale_access_steadystate_policy_prefix (Optional) Name prefix for the Anyscale default steady state IAM policy.

If anyscale_access_steadystate_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-steady_state- in a local variable.

ex:
anyscale_access_steadystate_policy_prefix = "anyscale-steadystate-policy-"
string null no
anyscale_accessrole_custom_policy (Optional) Anyscale custom IAM policy.

This policy will be applied in addition to the default policies added to the Anyscale Access IAM Role.

Note: Any customizations to the IAM Role need to be carefully tested and Anyscale is not
responsible for any problems that may occur due to misconfiguring the policy and/or Anyscale Access Role.

Must be a valid IAM policy.

ex:
anyscale_accessrole_custom_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllActions",
"Effect": "Allow",
"Action": "",
"Resource": "
"
}
]
}
string null no
anyscale_accessrole_custom_policy_description (Optional) Anyscale IAM custom policy description.

ex:
anyscale_accessrole_custom_policy_description = "Anyscale custom IAM policy"
string "Anyscale custom IAM policy" no
anyscale_accessrole_custom_policy_name (Optional) Name for an Anyscale custom IAM policy.

If left null, will default to anyscale_custom_policy_name_prefix or general_prefix.
If provided, overrides the anyscale_accessrole_custom_policy_name_prefix variable.

ex:
anyscale_accessrole_custom_policy_name = "anyscale-custom-policy"
string null no
anyscale_accessrole_custom_policy_name_prefix (Optional) Name prefix for the Anyscale custom IAM policy.
If anyscale_accessrole_custom_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-crossacct-custom-policy- in a local variable.

ex:
anyscale_accessrole_custom_policy_name_prefix = "anyscale-custom-policy-"
string null no
anyscale_cloud_id (Optional) Anyscale Cloud ID.

This is used to lock down the cross account access role by Cloud ID. Because the Cloud ID is unique to each
customer, this ensures that only the customer can access their own resources. The Cloud ID is not known until the
Cloud is created, so this is an optional variable.

ex:
anyscale_cloud_id = "cld_abcdefghijklmnop1234567890"
string null no
anyscale_cluster_node_byod_custom_secrets_policy (Optional) A custom IAM policy to attach to the cluster node role with access to the Secrets Manager secrets.
If provided, this will be used instead of generating a policy automatically.

ex:
anyscale_cluster_node_byod_custom_secrets_policy = {
"Version": "2012-10-17",
"Statement": [
"Sid": "SecretsManagerGetSecretValue",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-1",
]
}
string null no
anyscale_cluster_node_byod_secret_arns (Optional) A list of Secrets Manager ARNs.
The Secrets Manager secret ARNs that the cluster node role needs access to for BYOD clusters.

ex:
anyscale_cluster_node_secret_arns = [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-1",
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-2",
]
list(string) [] no
anyscale_cluster_node_byod_secret_kms_arn (Optional) The KMS key ARN that the Secrets Manager secrets are encrypted with.
This is only used if anyscale_cluster_node_byod_secret_arns is also provided.

ex:
anyscale_cluster_node_secret_arns = [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-1",
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-2",
]
anyscale_cluster_node_secret_kms_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
# checkov:skip=CKV_SECRET_6
string null no
anyscale_cluster_node_byod_secrets_policy_description (Optional) Anyscale IAM cluster node Secrets policy description.

ex:
anyscale_cluster_node_secrets_policy_description = "Anyscale Cluster Node Secrets Policy"
string "Anyscale Cluster Node Secrets Policy" no
anyscale_cluster_node_byod_secrets_policy_name (Optional) Name for the Anyscale cluster node Secrets IAM policy.

If left null, will default to anyscale_cluster_node_secrets_policy_prefix or general_prefix.
If provided, overrides the anyscale_cluster_node_secrets_policy_prefix variable.

ex:
anyscale_cluster_node_secrets_policy_name = "anyscale-cluster-node-secrets-policy"
#checkov:skip=CKV_SECRET_6:Secret Policy is not a secret'
string null no
anyscale_cluster_node_byod_secrets_policy_prefix (Optional) Name prefix for the Anyscale cluster node Secrets IAM policy.

If anyscale_cluster_node_secrets_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-cluster-node-secrets- in a local variable.

ex:
anyscale_cluster_node_secrets_policy_prefix = "anyscale-cluster-node-secrets-"
#checkov:skip=CKV_SECRET_6:Secret Name Prefix is not a secret'
string null no
anyscale_cluster_node_cloudwatch_policy_description (Optional)
Anyscale IAM cluster node CloudWatch policy description.

ex:
anyscale_cluster_node_cloudwatch_policy_description = "Anyscale cluster node CloudWatch IAM policy"
string "Anyscale cluster node CloudWatch IAM policy" no
anyscale_cluster_node_cloudwatch_policy_name (Optional) Name for the Anyscale cluster node CloudWatch IAM policy.

If left null, will default to anyscale_cluster_node_cloudwatch_policy_prefix or general_prefix.
If provided, overrides the anyscale_cluster_node_cloudwatch_policy_name_prefix variable.

ex:
anyscale_cluster_node_cloudwatch_policy_name = "anyscale-cluster-node-cloudwatch-policy"
string null no
anyscale_cluster_node_cloudwatch_policy_prefix (Optional) Name prefix for the Anyscale cluster node CloudWatch IAM policy.

If anyscale_cluster_node_cloudwatch_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-cluster-node-cloudwatch-policy- in a local variable.

ex:
anyscale_cluster_node_cloudwatch_policy_prefix = "anyscale-cluster-node-cloudwatch-policy-"
string null no
anyscale_cluster_node_custom_assume_role_policy (Optional) Anyscale IAM cluster node role custom assume role policy.

This overrides the default assume role policy. It must include the sts:AssumeRole action and at a minimum,
needs to include the ec2.amazonaws.com service principal. Must be in JSON format.

ex:
anyscale_cluster_node_custom_assume_role_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
}
string null no
anyscale_cluster_node_custom_policy (Optional) Anyscale cluster node custom IAM policy.

This policy will be applied in addition to the default policies added to the Cluster Node Role.

Note: Any customizations to the IAM Role need to be carefully tested and Anyscale is not
responsible for any problems that may occur due to misconfiguring the policy and/or Cluster Role.
Must be a valid IAM policy.

ex:
anyscale_cluster_node_custom_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllActions",
"Effect": "Allow",
"Action": "",
"Resource": "
"
}
]
}
string null no
anyscale_cluster_node_custom_policy_description (Optional) Anyscale IAM cluster node custom policy description.

ex:
anyscale_cluster_node_custom_policy_description = "Anyscale cluster node custom IAM policy"
string "Anyscale cluster node custom IAM policy" no
anyscale_cluster_node_custom_policy_name (Optional) Name for the Anyscale cluster node custom IAM policy.

If left null, will default to anyscale_cluster_node_custom_policy_prefix or general_prefix.
If provided, overrides the anyscale_cluster_node_custom_policy_name_prefix variable.

ex:
anyscale_cluster_node_custom_policy_name = "anyscale-clusternode-custom-policy"
string null no
anyscale_cluster_node_custom_policy_prefix (Optional) Name prefix for the Anyscale cluster node custom IAM policy.

If anyscale_cluster_node_custom_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-clusternode-custom-policy- in a local variable.

ex:
anyscale_cluster_node_custom_policy_prefix = "anyscale-clusternode-custom-policy-"
string null no
anyscale_cluster_node_managed_policy_arns (Optional) List of IAM policy ARNs to attach to the role.

This allows custom or managed policies to be attached to the Anyscale Cluster Role which can be used to grant additional permissions.

ex:
anyscale_cluster_node_managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonSQSReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
]
list(string) [] no
anyscale_cluster_node_role_description (Optional) The IAM Role description for the Anyscale Cluster Node Role.

This role is used by compute resources to access resources within an AWS account.

ex:
anyscale_cluster_node_role_description = "Anyscale cluster node role"
string "Anyscale cluster node role" no
anyscale_custom_s3_policy (Optional) A valid bucket policy in JSON.

This will be an additional S3 bucket policy to the required Anyscale policy.
For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
And for more additional examples, please look at the s3-policy sub-module examples folder.

ex:
data "aws_iam_policy_document" "bucket_policy" {
statement {
principals {
type = "AWS"
identifiers = [aws_iam_role.this.arn]
}

actions = [
"s3:ListBucket",
]

resources = [
"module.aws_anyscale_s3.s3_bucket_arn,
]
}
anyscale_custom_s3_policy = data.aws_iam_policy_document.bucket_policy.json
string null no
anyscale_deploy_env (Optional) Anyscale deployment environment.
Used in resource names and tags.

ex:
anyscale_deploy_env = "production"
string "production" no
anyscale_efs_name (Optional) Elastic file system name.

Will default to efs_anyscale if this var null and anyscale_cloud_id is also null.

ex:
anyscale_efs_name = "anyscale-efs"
string null no
anyscale_efs_tags (Optional) A map of tags for EFS resources.

Duplicate tags found in the "tags" variable will get duplicated on the resource.

ex:
anyscale_efs_tags = {
"purpose" : "storage",
"criticality" : "critical"
}
Default is an empty map.
map(string) {} no
anyscale_gateway_vpc_endpoints (Optional) A map of Gateway VPC Endpoints to provision into the VPC.

This is a map of objects with the following attributes:
- name: Short service name (either "s3" or "dynamodb")
- policy = A policy (as JSON string) to attach to the endpoint that controls access to the service. May be null for full access.

See the submodule variable for additional examples.

It is Anyscale's recommendation to have an S3 VPC Endpoint to minimize S3 costs and maximize S3 performance.

Set to an empty map {} to skip creating VPC Endpoints.

ex:
anyscale_gateway_vpc_endpoints = {
"s3" = {
name = "s3"
policy = null
}
}
map(object({
name = string
policy = string
}))
{
"s3": {
"name": "s3",
"policy": null
}
}
no
anyscale_iam_access_role_name (Optional, forces creation of new resource) The name of the Anyscale IAM access role.

If left null, the name will default to anyscale_iam_access_role_name_prefix or general_prefix.
If provided, overrides the anyscale_iam_access_role_name_prefix variable.

ex:
anyscale_iam_access_role_name = "anyscale-iam-crossacct-role"
string null no
anyscale_iam_access_role_name_prefix (Optional, forces creation of new resource) The prefix for the Anyscale IAM access role.

If anyscale_iam_access_role_name_prefix is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.

Default is null but is set to anyscale-iam-role- in a local variable.

ex:
anyscale_iam_access_role_name_prefix = "anyscale-crossacct-role-"
string null no
anyscale_iam_cluster_node_role_name (Optional, forces creation of new resource) The name of the Anyscale IAM cluster node role.

If left null, will default to anyscale_iam_access_role_name_prefix or general_prefix.
If provided, overrides the anyscale_iam_cluster_node_role_name_prefix variable.

ex:
anyscale_iam_cluster_node_role_name = "anyscale-cluster-node-role"
string null no
anyscale_iam_cluster_node_role_name_prefix (Optional, forces creation of new resource) The prefix of the Anyscale Cluster Node IAM role.

If anyscale_iam_cluster_node_role_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-cluster-node- in a local variable.

ex:
anyscale_iam_cluster_node_role_name_prefix = "anyscale-cluster-node-role-"
string null no
anyscale_iam_s3_policy_description (Optional) Anyscale S3 access IAM policy description.

ex:
anyscale_iam_s3_policy_description = "Anyscale S3 Access IAM Policy"
string "Anyscale S3 Access IAM Policy" no
anyscale_iam_s3_policy_name (Optional) Name for the Anyscale S3 access IAM policy.

If left null, will default to anyscale_iam_s3_policy_name_prefix or general_prefix.
If provided, overrides the anyscale_iam_s3_policy_name_prefix variable.

ex:
anyscale_iam_s3_policy_name = "anyscale-iam-s3-policy"
string null no
anyscale_iam_s3_policy_name_prefix (Optional) Name prefix for the Anyscale S3 access IAM policy.

If anyscale_iam_s3_policy_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-iam-s3- in a local variable.

ex:
anyscale_iam_s3_policy_name_prefix = "anyscale-iam-s3-"
string null no
anyscale_iam_tags (Optional) A map of tags for IAM resources.

Duplicate tags found in the "tags" variable will get duplicated on the resources.

ex:
anyscale_iam_tags = {
"purpose" : "iam",
"criticality" : "critical"
}
map(string) {} no
anyscale_memorydb_acl_name (Optional) The name of the MemoryDB ACL.

If left null, will default to anyscale_memorydb_acl_name_prefix or general_prefix.
If provided, overrides the anyscale_memorydb_acl_name_prefix variable.

ex:
anyscale_memorydb_acl_name = "anyscale-memorydb-acl"
string null no
anyscale_memorydb_acl_name_prefix (Optional) The prefix of the MemoryDB ACL.

If anyscale_memorydb_acl_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to memorydb-acl- in a local variable.

ex:
anyscale_memorydb_acl_name_prefix = "anyscale-memorydb-acl-"
string null no
anyscale_memorydb_cluster_description (Optional) The description of the MemoryDB cluster.

ex:
anyscale_memorydb_cluster_description = "Anyscale MemoryDB cluster"
string "Anyscale MemoryDB Cluster" no
anyscale_memorydb_cluster_name (Optional) The name of the MemoryDB cluster.

If left null, will default to anyscale_memorydb_cluster_name or general_prefix.
If provided, overrides the anyscale_memorydb_cluster_name variable.

ex:
anyscale_memorydb_cluster_name = "anyscale-memorydb-cluster"
string null no
anyscale_memorydb_cluster_name_prefix (Optional) The prefix of the MemoryDB cluster.

If anyscale_memorydb_cluster_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-memorydb-cluster- in a local variable.

ex:
anyscale_memorydb_cluster_name_prefix = "anyscale-memorydb-cluster-"
string null no
anyscale_memorydb_parameter_group_description (Optional) The description of the MemoryDB parameter group.

ex:
anyscale_memorydb_parameter_group_description = "Anyscale MemoryDB Parameter Group"
string "Anyscale MemoryDB Parameter Group" no
anyscale_memorydb_parameter_group_name (Optional) The name of the MemoryDB parameter group.

If left null, will default to anyscale_memorydb_parameter_group_name_prefix or general_prefix.
If provided, overrides the anyscale_memorydb_parameter_group_name_prefix variable.

ex:
memorydb_parameter_group_name = "anyscale-memorydb-parameter-group"
string null no
anyscale_memorydb_parameter_group_name_prefix (Optional) The prefix of the MemoryDB parameter group.

If anyscale_memorydb_parameter_group_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-memorydb-parameter-group- in a local variable.

ex:
anyscale_memorydb_parameter_group_name_prefix = "anyscale-memorydb-parameter-group-"
string null no
anyscale_memorydb_subnet_group_description (Optional) The description of the MemoryDB subnet group.

ex:
anyscale_memorydb_subnet_group_description = "Anyscale MemoryDB Subnet Group"
string "Anyscale MemoryDB Subnet Group" no
anyscale_memorydb_subnet_group_name (Optional) The name of the MemoryDB subnet group.

If left null, will default to anyscale_memorydb_subnet_group_name_prefix or general_prefix.
If provided, overrides the memorydb_subnet_group_name_prefix variable.

ex:
anyscale_memorydb_subnet_group_name = "anyscale-memorydb-subnet-group"
string null no
anyscale_memorydb_subnet_group_name_prefix (Optional) The prefix of the MemoryDB subnet group.

If anyscale_memorydb_subnet_group_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to memorydb-subnet-group- in a local variable.

ex:
anyscale_memorydb_subnet_group_name_prefix = "anyscale-memorydb-subnet-group-"
string null no
anyscale_memorydb_tags (Optional) A map of tags for MemoryDB resources.

Duplicate tags found in the "tags" variable will get duplicated on the resource.

ex:
anyscale_memorydb_tags = {
"purpose" : "memorydb",
"criticality" : "critical"
}
Default is an empty map.
map(string) {} no
anyscale_org_id (Optional) Anyscale Organization ID.

This is used to lock down the cross account access role by Organization ID. Because the Organization ID is unique to each
customer, this ensures that only the customer can access their own resources.

ex:
anyscale_org_id = "org_abcdefghijklmn1234567890"
string null no
anyscale_s3_bucket_name (Optional - forces new resource) S3 Bucket Name.

The name of the bucket used to store Anyscale related logs and other shared resources.
If left null, will default to anyscale_s3_bucket_prefix or general_prefix.
If provided, overrides the anyscale_s3_bucket_prefix variable.

ex:
anyscale_s3_bucket_name = "anyscale-s3-bucket"
string null no
anyscale_s3_bucket_prefix (Optional - forces new resource) S3 Bucket name prefix.

Creates a unique bucket name beginning with the specified prefix.
If anyscale_s3_bucket_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale- in a local variable.

ex:
anyscale_s3_bucket_prefix = "anyscale-s3-bucket-"
string null no
anyscale_s3_force_destroy (Optional) S3 Bucket Force Destroy.

Deterimines if objects from the bucket can be destroyed without error.
If set to true and bucket is destroyed, objects are not recoverable.

Note: With the default of false, you need to empty the bucket if there are objects before terraform destroy can be completed succesfully.

ex:
anyscale_s3_force_destroy = true
bool false no
anyscale_s3_lifecycle_rule (Optional) S3 Lifecycle Rule.

List of maps containing configuration of object lifecycle management.

ex:
anyscale_s3_lifecycle_rule = [
{
id = "log"
enabled = true
filter = {
prefix = "log1/"
}
transition = [
{
days = 30
storage_class = "ONEZONE_IA"
}, {
days = 60
storage_class = "GLACIER"
}
]
noncurrent_version_transition = [
{
days = 30
storage_class = "STANDARD_IA"
},
]
}
]
Default is an empty list.
any [] no
anyscale_s3_server_side_encryption (Optional) S3 Bucket Server Side Encryption.

Configuration to enforce server side encryption (KMS or AES256).
If you are using KMS, you must proivde the KMS Key ID.

ex using KMS:
anyscale_s3_server_side_encryption = {
kms_master_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
sse_algorithm = "aws:kms"
}
ex using AES256:
anyscale_s3_server_side_encryption = {
sse_algorithm = "AES256"
}
map(string)
{
"sse_algorithm": "AES256"
}
no
anyscale_s3_tags (Optional) A map of tags for S3 resources.

Duplicate tags found in the "tags" variable will get duplicated on the resource.

ex:
anyscale_iam_tags = {
"purpose" : "storage",
"criticality" : "critical"
}
map(string) {} no
anyscale_securitygroup_tags (Optional) A map of tags for Security Group resources.

Duplicate tags found in the "tags" variable will get duplicated on the resource.

ex:
anyscale_securitygroup_tags = {
"purpose" : "security",
"criticality" : "critical"
}
Default is an empty map.
map(string) {} no
anyscale_vpc_cidr_block (Optional) The IPv4 CIDR block for the VPC.
The CIDR block can be explicitly set or it can be derived from IPAM using ipv4_netmask_length & ipv4_ipam_pool_id.

ex:
anyscale_vpc_cidr_block = "10.0.0.0/16"
string "10.0.0.0/16" no
anyscale_vpc_name (Optional) VPC name.

If provided, will create a VPC with this name.
Defaults to vpc_<anyscale_cloud_id> in a local variable if not provided.

ex:
anyscale_vpc_name = "anyscale-vpc"
string null no
anyscale_vpc_private_subnet_tags (Optional) A map of tags for private subnets.

Duplicate tags found in the tags or anyscale_vpc_tags variables will get duplicated on the resource.

ex:
anyscale_vpc_private_subnet_tags = {
"purpose" : "networking",
"criticality" : "critical"
}
map(string) {} no
anyscale_vpc_private_subnets (Optional) A list of private subnets inside the VPC.

If this variable is provided, private subnets will be created with these CIDR blocks.

ex:
anyscale_vpc_private_subnets = [
"10.0.121.0/24",
"10.0.122.0/24",
"10.0.123.0/24"
]
list(string) [] no
anyscale_vpc_public_subnet_tags (Optional) A map of tags for public subnets.

Duplicate tags found in the tags or anyscale_vpc_tags variables will get duplicated on the resource.

ex:
anyscale_vpc_public_subnet_tags = {
"purpose" : "networking",
"criticality" : "critical"
}
map(string) {} no
anyscale_vpc_public_subnets (Optional) A list of public subnets inside the VPC.

If this variable is provided, public subnets will be created with these CIDR blocks.

ex:
anyscale_vpc_public_subnets = [
"10.0.21.0/24",
"10.0.22.0/24",
"10.0.23.0/24"
]
list(string) [] no
anyscale_vpc_tags (Optional) A map of tags for VPC resources.

Duplicate tags found in the "tags" variable will get duplicated on the resource.

ex:
anyscale_vpc_tags = {
"purpose" : "networking",
"criticality" : "critical"
}
map(string) {} no
common_prefix (Optional) Common prefix.

A common prefix to add to resources created (where prefixes are allowed).
If paired with use_common_name, this will apply to all resources.
If this is not paired with use_common_name, this applies to:
- S3 Buckets
- IAM Resources
- Security Groups
Resource specific prefixes override this variable.
Max length is 30 characters.

ex:
common_prefix = "anyscale-"
string null no
create_cluster_node_cloudwatch_policy (Optional) Create the Anyscale Cluster Node Cloudwatch Policy
Determines whether to create the CloudWatch IAM policy for the cluster node role.

ex:
create_cluster_node_cloudwatch_policy = true
bool false no
create_memorydb_resources (Optional) Determines whether to create the MemoryDB resources.

ex:
create_memorydb_resources = true
bool false no
efs_creation_token (Optional) A unique token for EFS creation.

The token is used as reference when creating the Elastic File System to ensure idempotent file system creation.
Default is null which forces Terraform to generate it.

ex:
efs_creation_token = "anyscale-efs-token-1234567890"
string null no
efs_kms_key_id (Optional) The KMS key ID used to encrypt the Elastic File System.

If not provided, the default AWS managed key will be used.

ex:
efs_kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
string null no
efs_lifecycle_transition_to_ia (Optional) EFS Lifecycle Transition to Infrequent Access.

Indicates how long it takes to transition files to Infrequent Access storage class.
No value, or an empty list, means never.
Must either be an empty list or one of "AFTER_7_DAYS", "AFTER_14_DAYS", "AFTER_30_DAYS", "AFTER_60_DAYS", "AFTER_90_DAYS".
Default is AFTER_60_DAYS which will transition to IA after 60 days.

ex:
efs_lifecycle_transition_to_ia = ["AFTER_60_DAYS"]
list(string)
[
"AFTER_60_DAYS"
]
no
efs_lifecycle_transition_to_primary_storage_class (Optional) EFS Lifecycle Transition to Primary Storage.

Indicates the policy used to transition a file from Infrequent Access (IA) storage to primary storage.
Must either be an empty list or AFTER_1_ACCESS.

ex:
efs_lifecycle_transition_to_primary_storage_class = ["AFTER_1_ACCESS"]
list(string)
[
"AFTER_1_ACCESS"
]
no
existing_s3_bucket_arn (Optional) The name of an existing S3 bucket that you'd like to use.

Please make sure that it meets the minimum requirements for Anyscale including:
- Bucket Policy
- CORS Policy
- Encryption configuration

ex:
existing_s3_bucket_arn = "arn:aws:s3:::anyscale-s3-bucket"
string null no
existing_vpc_id (Optional) An existing VPC ID.

If provided, this will skip creating resources a new VPC with the Anyscale VPC module.
Subnet IDs are also required if this is provided.

ex:
existing_vpc_id = "vpc-1234567890"
string null no
existing_vpc_private_route_table_ids (Optional) Existing VPC Private Route Table IDs.

If provided, this will map new private subnets to these route table IDs.
If no new subnets are created, these route tables will be used to create VPC Endpoint(s).

ex:
existing_vpc_private_route_table_ids = ["rtb-1234567890", "rtb-0987654321"]
list(string) [] no
existing_vpc_public_route_table_ids (Optional) Existing VPC Public Route Table IDs.

If provided, these route tables will be used to create VPC Endpoint(s).

ex:
existing_vpc_public_route_table_ids = ["rtb-1234567890", "rtb-0987654321"]
list(string) [] no
existing_vpc_subnet_ids (Optional) Existing subnet IDs.

If provided, this will skip creating a new VPC with the Anyscale VPC module.
The variable existing_vpc_id also needs to be provided.

ex:
existing_vpc_subnet_ids = ["subnet-1234567890", "subnet-0987654321"]
list(string) [] no
random_name_suffix_length (Optional) Random name suffix length.

Determines the random suffix length that is used to generate a common name.
Certain AWS resources have a hard limit on name lengths and this will allow
the ability to control how many characters are added as a suffix.
Must be >= 2 and <= 30.

ex:
random_name_suffix_length = 6
number 6 no
security_group_create_anyscale_public_ingress (Optional) Determines if public ingress rules should be created.

ex:
security_group_create_anyscale_public_ingress = true
bool false no
security_group_ingress_with_existing_security_groups_map (Optional) List of security groups and rules to allow ingress from.

If this is provided, the security groups will be added to the ingress rules with the
ports in the rule section.

ex:
security_group_ingress_with_existing_security_groups_map = [
{
rule = "https-443-tcp"
security_group_id = "sg-0123456789001ab8e"
},
{
rule = "ssh-tcp"
security_group_id = "sg-0123456789001ab8e"
}
]
list(map(string)) [] no
security_group_name (Optional) The name for the security group.

If left null, will default to security_group_name_prefix or general_prefix.
If provided, overrides security_group_name_prefix.

ex:
security_group_name = "anyscale-security-group"
string null no
security_group_name_prefix (Optional) The name prefix for the security group.

If security_group_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.
Default is null but is set to anyscale-security-group- in a local variable.

ex:
security_group_name_prefix = "anyscale-security-group-"
string null no
security_group_override_ingress_from_cidr_map (Optional) List of ingress rules to create with cidr ranges.

If this variable is provided/populated, the default rules will not be created. At a minimum, https and ssh need
to be allowed from a IPv4 CIDR block that allows access for the users who are using Anyscale.

ex:
security_group_override_ingress_from_cidr_map = [
{
rule = "https-443-tcp"
cidr_blocks = "10.100.10.10/32"
},
{ rule = "nfs-tcp" },
{
rule = "ssh-tcp"
cidr_blocks = "10.100.10.10/32"
}
]
list(map(string)) [] no
tags (Optional) A map of tags.

A map of default tags to be added to all resources that accept tags.
Resource dependent tags will be appended to this list.

ex:
tags = {
application = "Anyscale",
environment = "prod"
}
map(string) {} no
use_common_name (Optional) Use a common name.

Determines if a standard name should be used across all resources.
If set to true and common_prefix is also provided, the common_prefix will be used prefixed to a common name.
If set to true and common_prefix is not provided, the prefix will be anyscale-
If set to true, this will also use a random suffix to avoid name collisions.

ex:
use_common_name = true
bool false no

Outputs

Name Description
anyscale_efs_arn Anyscale Elastic File System ARN. If an EFS resource was not created, return an empty string.
anyscale_efs_id Anyscale Elastic File System ID. If an EFS resource was not created, return an empty string.
anyscale_efs_mount_target_ids Anyscale Elastic File System mount target IDs. If EFS mount targets were not created, return an empty list.
anyscale_efs_mount_target_ips Anyscale Elastic File System mount target IPs. If EFS mount targets were not created, return an empty list.
anyscale_iam_instance_profile_role_arn Anyscale IAM instance profile role arn.
anyscale_iam_role_arn Anyscale IAM access role arn.
anyscale_iam_role_cluster_node_arn Anyscale IAM cluster node role arn.
anyscale_memorydb_cluster_arn Anyscale MemoryDB Cluster ARN. If a MemoryDB cluster was not created, return an empty string.
anyscale_memorydb_cluster_endpoint_address Anyscale MemoryDB Cluster Endpoint Address. If a MemoryDB cluster was not created, return an empty string.
anyscale_memorydb_cluster_endpoint_port Anyscale MemoryDB Cluster Endpoint Port. If a MemoryDB cluster was not created, return an empty string.
anyscale_memorydb_cluster_id Anyscale MemoryDB Cluster ID. If a MemoryDB cluster was not created, return an empty string.
anyscale_s3_bucket_id Anyscale S3 Bucket ID. If a bucket was not created, return an empty string.
anyscale_security_group_id Anyscale Security Group ID. If a security group was not created, return an empty string.
anyscale_vpc_id Anyscale VPC ID. If there was not one created, return the one that was used during other resource creation.
anyscale_vpc_private_routetable_ids Anyscale VPC Private Route Table IDs. If none were created, return an empty list.
anyscale_vpc_private_subnet_ids Anyscale VPC Private Subnet IDs. If there were none created, return an empty list.
anyscale_vpc_private_subnet_ids_az_map Anyscale VPC Private Subnet IDs to AZ Map. If there were none created, return an empty map.
anyscale_vpc_public_routetable_ids Anyscale VPC Public Route Table IDs. If none were created, return an empty list.
anyscale_vpc_public_subnet_ids Anyscale VPC Public Subnet IDs. If there were none created, return an empty list.
anyscale_vpc_public_subnet_ids_az_map Anyscale VPC Public Subnet IDs to AZ Map. If there were none created, return an empty map.

About

Terraform modules to manage AWS cloud infrastructure for Anyscale.

Resources

Stars

Watchers

Forks

Packages

No packages published