Terraform Enterprise HVD on AWS EKS

Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Terraform Enterprise on AWS Elastic Kubernetes Service (EKS). This module supports bringing your own EKS cluster, or optionally creating a new EKS cluster dedicated to running TFE. This module does not use the Kubernetes or Helm Terraform providers, but rather includes Post Steps for the application layer portion of the deployment leveraging the kubectl and helm CLIs.

Prerequisites

General

• TFE license file (e.g. terraform.hclic)
• Terraform CLI >= 1.9 installed on clients/workstations that will be used to deploy TFE
• General understanding of how to use Terraform (Community Edition)
• General understanding of how to use AWS
• General understanding of how to use Kubernetes and Helm
• git CLI and Visual Studio Code editor installed on workstations are strongly recommended
• AWS account that TFE will be deployed in with permissions to provision these resources via Terraform CLI
• (Optional) AWS S3 bucket for S3 remote state backend that will be used to manage the Terraform state of this TFE deployment (out-of-band from the TFE application) via Terraform CLI (Community Edition)

Networking

• AWS VPC ID and the following subnets:
  • Load balancer subnet IDs (can be the same as EKS subnets if desired)
  • EKS (compute) subnet IDs for TFE pods
  • RDS (database) subnet IDs
  • Redis subnet IDs (can be the same as RDS subnets if desirable)
• (Optional) S3 VPC Endpoint configured within VPC
• (Optional) AWS Route53 Hosted Zone for TFE DNS record creation
• Chosen fully qualified domain name (FQDN) for TFE (e.g. tfe.aws.example.com)

Security groups

• This module will automatically create the necessary EKS-related security groups and attach them to the applicable resources when create_eks_cluster is true
• Identify CIDR range(s) that will need to access the TFE application
• (Optional) Identify CIDR range(s) of any monitoring/observability tools that will need to access (scrape) TFE metrics endpoints
• Identify CIDR range(s) that will need to access the TFE EKS cluster
• If your EKS cluster is private, your clients/workstations must be able to access the control plane via kubectl and helm
• Be familiar with the TFE ingress requirements
• Be familiar with the TFE egress requirements
• If you are bringing your own EKS cluster (create_eks_cluster is false), then you must account for the following:
  • Allow TCP/8443 (HTTPS) and TCP/8080 (HTTP) ingress to EKS node group/TFE pods subnet from TFE load balancer subnet (for TFE application traffic)
  • Allow TCP/8201 ingress between nodes in EKS node group/TFE pods subnet (for TFE embedded Vault internal cluster traffic)
  • (Optional) Allow TCP/9091 (HTTPS) and/or TCP/9090 (HTTP) ingress to EKS node group/TFE pods subnet from metrics collection tool (for scraping TFE metrics endpoints)
  • Allow TCP/443 egress to Terraform endpoints listed here from EKS node group/TFE pods subnet

TLS certificates

• TLS certificate (e.g. cert.pem) and private key (e.g. privkey.pem) that matches your chosen fully qualified domain name (FQDN) for TFE
  • TLS certificate and private key must be in PEM format
  • Private key must not be password protected
• TLS certificate authority (CA) bundle (e.g. ca_bundle.pem) corresponding with the CA that issues your TFE TLS certificates
  • CA bundle must be in PEM format

📝 Note: The TLS certificate and private key will be created as Kubernetes secrets durint the Post Steps.

Secrets management

The following bootstrap secrets stored in AWS Secrets Manager in order to bootstrap the TFE deployment:

• RDS (PostgreSQL) database password - random characters stored as a plaintext secret; value must be between 8 and 128 characters long and must not contain '@', '"', or '/' characters
• Redis password - random characters stored as a plaintext secret; value must be between 16 and 128 characters long and must not contain '@', '"', or '/' characters

Compute (optional)

If you plan to create a new EKS cluster using this module (create_eks_cluster is true), then you may skip this section. Otherwise:

• EKS cluster with the following configurations:
  • EKS node group
  • EKS OIDC provider URL (used by module to create TFE IRSA)
  • EKS OIDC provider ARN (used by module to create TFE IRSA)
  • (Optional) AWS load balancer controller installed within EKS cluster (unless you plan to use a custom Kubernetes ingress controller load balancer)

Log Forwarding (optional)

One of the following logging destinations:

• AWS CloudWatch log group
• AWS S3 bucket

---

Usage

1. Create/configure/validate the applicable prerequisites.

2. Nested within the examples directory are subdirectories containing ready-made Terraform configurations for example scenarios on how to call and deploy this module. To get started, choose the example scenario that most closely matches your requirements. You can customize your deployment later by adding additional module inputs as you see fit (see the Deployment-Customizations doc for more details).

3. Copy all of the Terraform files from your example scenario of choice into a new destination directory to create your Terraform configuration that will manage your TFE deployment. This is a common directory structure for managing multiple TFE deployments:

   .
   └── environments
       ├── production
       │   ├── backend.tf
       │   ├── main.tf
       │   ├── outputs.tf
       │   ├── terraform.tfvars
       │   └── variables.tf
       └── sandbox
           ├── backend.tf
           ├── main.tf
           ├── outputs.tf
           ├── terraform.tfvars
           └── variables.tf
   

   📝 Note: In this example, the user will have two separate TFE deployments; one for their sandbox environment, and one for their production environment. This is recommended, but not required.

4. (Optional) Uncomment and update the S3 remote state backend configuration provided in the backend.tf file with your own custom values. While this step is highly recommended, it is technically not required to use a remote backend config for your TFE deployment (if you are in a sandbox environment, for example).

5. Populate your own custom values into the terraform.tfvars.example file that was provided (in particular, values enclosed in the <> characters). Then, remove the .example file extension such that the file is now named terraform.tfvars.

6. Navigate to the directory of your newly created Terraform configuration for your TFE deployment, and run terraform init, terraform plan, and terraform apply.

The TFE infrastructure resources have now been created. Next comes the application layer portion of the deployment (which we refer to as the Post Steps), which will involve interacting with your EKS cluster via kubectl and installing the TFE application via helm.

Post Steps

7. Authenticate to your EKS cluster:

   aws eks --region <aws-region> update-kubeconfig --name <eks-cluster-name>

   📝 Note: You can get the value of your EKS cluster name from the eks_cluster_name Terraform output if you created your EKS cluster via this module.

8. AWS recommends installing the AWS load balancer controller for EKS. If it is not already installed in your EKS cluster, install the AWS load balancer controller within the kube-system namespace via the Helm chart:

   Add the AWS eks-charts Helm chart repository:

   helm repo add eks https://aws.github.io/eks-charts

   Update your local repo to make sure that you have the most recent charts:

   helm repo update eks

   Install the AWS load balancer controller:

   helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
    --namespace kube-system \
    --set clusterName=<eks-cluster-name> \
    --set serviceAccount.create=true \
    --set serviceAccount.name=aws-load-balancer-controller \
    --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=<aws-lb-controller-irsa-role-arn> \
    --set region=<aws-region> \
    --set vpcId=<vpc-id>

   📝 Note: You can get the value of your AWS load balancer controller IRSA role ARN from the aws_lb_controller_irsa_role_arn Terraform output (if create_aws_lb_controller_irsa was true).

9. Create the Kubernetes namespace for TFE:

   kubectl create namespace tfe

   📝 Note: You can name your TFE namespace something different than tfe if you prefer. If you do name it differently, be sure to update your value of the tfe_kube_namespace input variable accordingly.

10. Create the required secrets for your TFE deployment within your new Kubernetes namespace for TFE. There are several ways to do this, whether it be from the CLI via kubectl, or another method involving a third-party secrets helper/tool. See the kubernetes-secrets docs for details on the required secrets and how to create them.

11. This Terraform module will automatically generate a Helm overrides file within your Terraform working directory named ./helm/module_generated_helm_overrides.yaml. This Helm overrides file contains values interpolated from some of the infrastructure resources that were created by Terraform in step 6. Within the Helm overrides file, update or validate the values for the remaining settings that are enclosed in the <> characters. You may also add any additional configuration settings into your Helm overrides file at this time (see the helm-overrides doc for more details).

12. Now that you have customized your module_generated_helm_overrides.yaml file, rename it to something more applicable to your deployment, such as prod_tfe_overrides.yaml (or whatever you prefer). Then, within your terraform.tfvars file, set the value of create_helm_overrides_file to false, as we no longer want the Terraform module to manage this file or generate a new one on a subsequent Terraform run.

13. Add the HashiCorp Helm chart repository:

    helm repo add hashicorp https://helm.releases.hashicorp.com

📝 Note: If you have already added the HashiCorp Helm registry, you should run helm repo update hashicorp to ensure you have the latest version.

14. Install the TFE application via helm:

    helm install terraform-enterprise hashicorp/terraform-enterprise --namespace <TFE_NAMESPACE> --values <TFE_OVERRIDES_FILE>

15. Verify the TFE pod(s) are starting successfully:

    View the events within the namespace:

    kubectl get events --namespace <TFE_NAMESPACE>

    View the pods within the namespace:

    kubectl get pods --namespace <TFE_NAMESPACE>

    View the logs from the pod:

    kubectl logs <TFE_POD_NAME> --namespace <TFE_NAMESPACE> -f

16. Create a DNS record for your TFE FQDN. The DNS record should resolve to your TFE load balancer, depending on how the load balancer was configured during your TFE deployment:

    • If you configured a Kubernetes service of type LoadBalancer (what the module-generated Helm overrides defaults to), the DNS record should resolve to the DNS name of your AWS network load balancer (NLB).

      kubectl get services --namespace <TFE_NAMESPACE>

    • If you configured a custom Kubernetes ingress (meaning you customized your Helm overrides during step 11), the DNS record should resolve to the IP address of your ingress controller load balancer.

      kubectl get ingress <INGRESS_NAME> --namespace <INGRESS_NAMESPACE>

    📝 Note: If you are creating your DNS record in Route53, AWS recommends creating an alias record (if your TFE load balancer is an AWS-managed load balancer resource).

17. Verify the TFE application is ready:

    curl https://<TFE_FQDN>/_health_check

18. Follow the remaining steps here to finish the installation setup, which involves creating the initial admin user.

---

Docs

Below are links to various docs related to the customization and management of your TFE deployment:

• Deployment customizations
• Helm overrides
• TFE version upgrades
• TFE TLS certificate rotation
• TFE configuration settings
• TFE Kubernetes secrets
• TFE IAM role for service accounts

---

Requirements

Name	Version
terraform	>= 1.9
aws	~> 5.63
local	2.5.1
tls	4.0.5

Providers

Name	Version
aws	~> 5.63
local	2.5.1
tls	4.0.5

Resources

Name	Type
aws_db_parameter_group.tfe	resource
aws_db_subnet_group.tfe	resource
aws_eks_access_entry.tfe_cluster_creator	resource
aws_eks_access_policy_association.tfe_cluster_creator	resource
aws_eks_cluster.tfe	resource
aws_eks_node_group.tfe	resource
aws_elasticache_replication_group.redis_cluster	resource
aws_elasticache_subnet_group.tfe	resource
aws_iam_openid_connect_provider.tfe_eks_irsa	resource
aws_iam_policy.aws_load_balancer_controller_policy	resource
aws_iam_policy.s3_crr	resource
aws_iam_policy.tfe_eks_nodegroup_custom	resource
aws_iam_policy.tfe_irsa	resource
aws_iam_policy_attachment.s3_crr	resource
aws_iam_role.aws_lb_controller_irsa	resource
aws_iam_role.eks_cluster	resource
aws_iam_role.s3_crr	resource
aws_iam_role.tfe_eks_nodegroup	resource
aws_iam_role.tfe_irsa	resource
aws_iam_role_policy_attachment.aws_load_balancer_controller_policy	resource
aws_iam_role_policy_attachment.eks_cluster_cluster_policy	resource
aws_iam_role_policy_attachment.eks_cluster_service_policy	resource
aws_iam_role_policy_attachment.eks_cluster_vpc_resource_controller_policy	resource
aws_iam_role_policy_attachment.tfe_eks_nodegroup_cni_policy	resource
aws_iam_role_policy_attachment.tfe_eks_nodegroup_container_registry_readonly	resource
aws_iam_role_policy_attachment.tfe_eks_nodegroup_ebs_kms	resource
aws_iam_role_policy_attachment.tfe_eks_nodegroup_worker_node_policy	resource
aws_iam_role_policy_attachment.tfe_irsa	resource
aws_launch_template.tfe_eks_nodegroup	resource
aws_rds_cluster.tfe	resource
aws_rds_cluster_instance.tfe	resource
aws_rds_cluster_parameter_group.tfe	resource
aws_rds_global_cluster.tfe	resource
aws_s3_bucket.tfe	resource
aws_s3_bucket_public_access_block.tfe	resource
aws_s3_bucket_replication_configuration.tfe	resource
aws_s3_bucket_server_side_encryption_configuration.tfe	resource
aws_s3_bucket_versioning.tfe	resource
aws_security_group.eks_cluster_allow	resource
aws_security_group.rds_allow_ingress	resource
aws_security_group.redis_allow_ingress	resource
aws_security_group.tfe_eks_nodegroup_allow	resource
aws_security_group.tfe_lb_allow	resource
aws_security_group_rule.eks_cluster_allow_all_egress	resource
aws_security_group_rule.eks_cluster_allow_ingress_nodegroup	resource
aws_security_group_rule.rds_allow_ingress_from_cidr	resource
aws_security_group_rule.rds_allow_ingress_from_nodegroup	resource
aws_security_group_rule.rds_allow_ingress_from_sg	resource
aws_security_group_rule.redis_allow_ingress_from_cidr	resource
aws_security_group_rule.redis_allow_ingress_from_nodegroup	resource
aws_security_group_rule.redis_allow_ingress_from_sg	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_10250_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_443_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_443_from_lb	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_4443_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_6443_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_8443_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_9443_from_cluster	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_all_egress	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_nodes_53_tcp	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_nodes_53_udp	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_nodes_ephemeral	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_tfe_http_from_lb	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_tfe_https_from_lb	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_tfe_metrics_http_from_cidr	resource
aws_security_group_rule.tfe_eks_nodegroup_allow_tfe_metrics_https_from_cidr	resource
aws_security_group_rule.tfe_lb_allow_all_egress_to_cidr	resource
aws_security_group_rule.tfe_lb_allow_all_egress_to_nodegroup	resource
aws_security_group_rule.tfe_lb_allow_all_egress_to_sg	resource
aws_security_group_rule.tfe_lb_allow_ingress_443	resource
local_file.helm_overrides_values	resource
aws_ami.tfe_eks_nodegroup_custom	data source
aws_ami.tfe_eks_nodegroup_default	data source
aws_availability_zones.available	data source
aws_caller_identity.current	data source
aws_iam_policy_document.aws_lb_controller_irsa_assume_role	data source
aws_iam_policy_document.aws_load_balancer_controller_policy	data source
aws_iam_policy_document.eks_cluster_assume_role	data source
aws_iam_policy_document.s3_crr	data source
aws_iam_policy_document.s3_crr_assume_role	data source
aws_iam_policy_document.tfe_eks_nodegroup_assume_role	data source
aws_iam_policy_document.tfe_eks_nodegroup_ebs_kms_cmk	data source
aws_iam_policy_document.tfe_irsa_assume_role	data source
aws_iam_policy_document.tfe_irsa_combined	data source
aws_iam_policy_document.tfe_irsa_cost_estimation	data source
aws_iam_policy_document.tfe_irsa_rds_kms_cmk	data source
aws_iam_policy_document.tfe_irsa_redis_kms_cmk	data source
aws_iam_policy_document.tfe_irsa_s3	data source
aws_iam_policy_document.tfe_irsa_s3_kms_cmk	data source
aws_iam_session_context.current	data source
aws_partition.current	data source
aws_region.current	data source
aws_secretsmanager_secret_version.tfe_database_password	data source
aws_secretsmanager_secret_version.tfe_redis_password	data source
tls_certificate.tfe_eks	data source

Inputs

Name	Description	Type	Default	Required
friendly_name_prefix	Friendly name prefix used for uniquely naming all AWS resources for this deployment. Most commonly set to either an environment (e.g. 'sandbox', 'prod') a team name, or a project name.	string	n/a	yes
rds_subnet_ids	List of subnet IDs to use for RDS database subnet group.	list(string)	n/a	yes
tfe_database_password_secret_arn	ARN of AWS Secrets Manager secret for the TFE RDS Aurora (PostgreSQL) database password.	string	n/a	yes
tfe_fqdn	Fully qualified domain name (FQDN) of TFE instance. This name should eventually resolve to the TFE load balancer DNS name or IP address and will be what clients use to access TFE.	string	n/a	yes
vpc_id	ID of VPC where TFE will be deployed.	string	n/a	yes
aws_lb_controller_kube_namespace	Name of Kubernetes namespace for AWS Load Balancer Controller service account (to be created by Helm chart). Used to configure EKS IRSA.	string	"kube-system"	no
aws_lb_controller_kube_svc_account	Name of Kubernetes service account for AWS Load Balancer Controller (to be created by Helm chart). Used to configure EKS IRSA.	string	"aws-load-balancer-controller"	no
cidr_allow_egress_from_tfe_lb	List of CIDR ranges to allow all outbound traffic from TFE load balancer. Only set this to your TFE pod CIDR ranges when an EKS cluster already exists outside of this module.	list(string)	null	no
cidr_allow_ingress_tfe_443	List of CIDR ranges to allow TCP/443 inbound to TFE load balancer (load balancer is managed by Helm/K8s).	list(string)	[]	no
cidr_allow_ingress_tfe_metrics_http	List of CIDR ranges to allow TCP/9090 (TFE HTTP metrics endpoint) inbound to TFE pods.	list(string)	[]	no
cidr_allow_ingress_tfe_metrics_https	List of CIDR ranges to allow TCP/9091 (TFE HTTPS metrics endpoint) inbound to TFE pods.	list(string)	[]	no
cidr_allow_ingress_to_rds	List of CIDR ranges to allow TCP/5432 (PostgreSQL) inbound to RDS cluster.	list(string)	null	no
cidr_allow_ingress_to_redis	List of CIDR ranges to allow TCP/6379 (Redis) inbound to Redis cluster.	list(string)	null	no
common_tags	Map of common tags for all taggable AWS resources.	map(string)	{}	no
create_aws_lb_controller_irsa	Boolean to create AWS Load Balancer Controller IAM role and policies to enable EKS IAM role for service accounts (IRSA).	bool	false	no
create_eks_cluster	Boolean to create new EKS cluster for TFE.	bool	false	no
create_eks_oidc_provider	Boolean to create OIDC provider used to configure AWS IRSA.	bool	false	no
create_helm_overrides_file	Boolean to generate a YAML file from template with Helm overrides values for TFE deployment.	bool	true	no
create_tfe_eks_irsa	Boolean to create TFE IAM role and policies to enable TFE EKS IAM role for service accounts (IRSA).	bool	false	no
create_tfe_lb_security_group	Boolean to create security group for TFE load balancer (load balancer is managed by Helm/K8s).	bool	true	no
eks_cluster_authentication_mode	Authentication mode for access config of EKS cluster.	string	"API_AND_CONFIG_MAP"	no
eks_cluster_endpoint_public_access	Boolean to enable public access to the EKS cluster endpoint.	bool	false	no
eks_cluster_name	Name of EKS cluster.	string	"tfe-eks-cluster"	no
eks_cluster_public_access_cidrs	List of CIDR blocks to allow public access to the EKS cluster endpoint. Only valid when eks_cluster_endpoint_public_access is true.	list(string)	null	no
eks_cluster_service_ipv4_cidr	CIDR block for the EKS cluster Kubernetes service network. Must be a valid /16 CIDR block. EKS will auto-assign from either 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks when null.	string	null	no
eks_nodegroup_ami_id	ID of AMI to use for EKS node group. Required when eks_nodegroup_ami_type is CUSTOM.	string	null	no
eks_nodegroup_ami_type	Type of AMI to use for EKS node group. Must be set to CUSTOM when eks_nodegroup_ami_id is not null.	string	"AL2023_x86_64_STANDARD"	no
eks_nodegroup_ebs_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt EKS node group EBS volumes.	string	null	no
eks_nodegroup_instance_type	Instance type for worker nodes within EKS node group.	string	"m7i.xlarge"	no
eks_nodegroup_name	Name of EKS node group.	string	"tfe-eks-nodegroup"	no
eks_nodegroup_scaling_config	Scaling configuration for EKS node group.	map(number)	{ "desired_size": 3, "max_size": 3, "min_size": 2 }	no
eks_oidc_provider_arn	ARN of existing OIDC provider for EKS cluster. Required when create_eks_oidc_provider is false.	string	null	no
eks_oidc_provider_url	URL of existing OIDC provider for EKS cluster. Required when create_eks_oidc_provider is false.	string	null	no
eks_subnet_ids	List of subnet IDs to use for EKS cluster.	list(string)	null	no
is_secondary_region	Boolean indicating whether this TFE deployment is in the 'primary' region or 'secondary' region.	bool	false	no
rds_apply_immediately	Boolean to apply changes immediately to RDS cluster instance.	bool	true	no
rds_aurora_engine_mode	RDS Aurora database engine mode.	string	"provisioned"	no
rds_aurora_engine_version	Engine version of RDS Aurora PostgreSQL.	number	16.2	no
rds_aurora_instance_class	Instance class of Aurora PostgreSQL database.	string	"db.r6i.xlarge"	no
rds_aurora_replica_count	Number of replica (reader) cluster instances to create within the RDS Aurora database cluster (within the same region).	number	1	no
rds_availability_zones	List of AWS availability zones to spread Aurora database cluster instances across. Leave as null and RDS will automatically assign 3 availability zones.	list(string)	null	no
rds_backup_retention_period	The number of days to retain backups for. Must be between 0 and 35. Must be greater than 0 if the database cluster is used as a source of a read replica cluster.	number	35	no
rds_deletion_protection	Boolean to enable deletion protection for RDS global cluster.	bool	false	no
rds_force_destroy	Boolean to enable the removal of RDS database cluster members from RDS global cluster on destroy.	bool	false	no
rds_global_cluster_id	ID of RDS global cluster. Only required only when is_secondary_region is true, otherwise leave as null.	string	null	no
rds_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt TFE RDS cluster.	string	null	no
rds_parameter_group_family	Family of Aurora PostgreSQL database parameter group.	string	"aurora-postgresql16"	no
rds_performance_insights_enabled	Boolean to enable performance insights for RDS cluster instance(s).	bool	true	no
rds_performance_insights_retention_period	Number of days to retain RDS performance insights data. Must be between 7 and 731.	number	7	no
rds_preferred_backup_window	Daily time range (UTC) for RDS backup to occur. Must not overlap with rds_preferred_maintenance_window.	string	"04:00-04:30"	no
rds_preferred_maintenance_window	Window (UTC) to perform RDS database maintenance. Must not overlap with rds_preferred_backup_window.	string	"Sun:08:00-Sun:09:00"	no
rds_replication_source_identifier	ARN of source RDS cluster or cluster instance if this cluster is to be created as a read replica. Only required when is_secondary_region is true, otherwise leave as null.	string	null	no
rds_skip_final_snapshot	Boolean to enable RDS to take a final database snapshot before destroying.	bool	false	no
rds_source_region	Source region for RDS cross-region replication. Only required when is_secondary_region is true, otherwise leave as null.	string	null	no
rds_storage_encrypted	Boolean to encrypt RDS storage. An AWS managed key will be used when true unless a value is also specified for rds_kms_key_arn.	bool	true	no
redis_apply_immediately	Boolean to apply changes immediately to Redis cluster.	bool	true	no
redis_at_rest_encryption_enabled	Boolean to enable encryption at rest on Redis cluster. An AWS managed key will be used when true unless a value is also specified for redis_kms_key_arn.	bool	true	no
redis_auto_minor_version_upgrade	Boolean to enable automatic minor version upgrades for Redis cluster.	bool	true	no
redis_automatic_failover_enabled	Boolean for deploying Redis nodes in multiple availability zones and enabling automatic failover.	bool	true	no
redis_engine_version	Redis version number.	string	"7.1"	no
redis_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt Redis cluster with.	string	null	no
redis_multi_az_enabled	Boolean to create Redis nodes across multiple availability zones. If true, redis_automatic_failover_enabled must also be true, and more than one subnet must be specified within redis_subnet_ids.	bool	true	no
redis_node_type	Type (size) of Redis node from a compute, memory, and network throughput standpoint.	string	"cache.m5.large"	no
redis_parameter_group_name	Name of parameter group to associate with Redis cluster.	string	"default.redis7"	no
redis_port	Port number the Redis nodes will accept connections on.	number	6379	no
redis_subnet_ids	List of subnet IDs to use for Redis cluster subnet group.	list(string)	null	no
redis_transit_encryption_enabled	Boolean to enable TLS encryption between TFE and the Redis cluster.	bool	true	no
s3_destination_bucket_arn	ARN of destination S3 bucket for cross-region replication configuration. Bucket should already exist in secondary region. Required when s3_enable_bucket_replication is true.	string	""	no
s3_destination_bucket_kms_key_arn	ARN of KMS key of destination S3 bucket for cross-region replication configuration if it is encrypted with a customer managed key (CMK).	string	null	no
s3_enable_bucket_replication	Boolean to enable cross-region replication for TFE S3 bucket. Do not enable when is_secondary_region is true. An s3_destination_bucket_arn is also required when true.	bool	false	no
s3_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt TFE S3 bucket with.	string	null	no
sg_allow_egress_from_tfe_lb	Security group ID of EKS node group to allow all egress traffic from TFE load balancer. Only set this to your TFE pod security group ID when an EKS cluster already exists outside of this module.	string	null	no
sg_allow_ingress_to_rds	Security group ID to allow TCP/5432 (PostgreSQL) inbound to RDS cluster.	string	null	no
sg_allow_ingress_to_redis	Security group ID to allow TCP/6379 (Redis) inbound to Redis cluster.	string	null	no
tfe_cost_estimation_iam_enabled	Boolean to add AWS pricing actions to TFE IAM role for service account (IRSA). Only implemented when create_tfe_eks_irsa is true.	string	true	no
tfe_database_name	Name of TFE database to create within RDS global cluster.	string	"tfe"	no
tfe_database_parameters	PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection.	string	"sslmode=require"	no
tfe_database_user	Username for TFE RDS database cluster.	string	"tfe"	no
tfe_http_port	HTTP port number that the TFE application will listen on within the TFE pods. It is recommended to leave this as the default value.	number	8080	no
tfe_https_port	HTTPS port number that the TFE application will listen on within the TFE pods. It is recommended to leave this as the default value.	number	8443	no
tfe_kube_namespace	Name of Kubernetes namespace for TFE service account (to be created by Helm chart). Used to configure EKS IRSA.	string	"tfe"	no
tfe_kube_svc_account	Name of Kubernetes service account for TFE (to be created by Helm chart). Used to configure EKS IRSA.	string	"tfe"	no
tfe_metrics_http_port	HTTP port number that the TFE metrics endpoint will listen on within the TFE pods. It is recommended to leave this as the default value.	number	9090	no
tfe_metrics_https_port	HTTPS port number that the TFE metrics endpoint will listen on within the TFE pods. It is recommended to leave this as the default value.	number	9091	no
tfe_object_storage_s3_access_key_id	Access key ID for S3 bucket. Required when tfe_object_storage_s3_use_instance_profile is false.	string	null	no
tfe_object_storage_s3_secret_access_key	Secret access key for S3 bucket. Required when tfe_object_storage_s3_use_instance_profile is false.	string	null	no
tfe_object_storage_s3_use_instance_profile	Boolean to use instance profile for S3 bucket access. If false, tfe_object_storage_s3_access_key_id and tfe_object_storage_s3_secret_access_key are required.	bool	true	no
tfe_redis_password_secret_arn	ARN of AWS Secrets Manager secret for the TFE Redis password. Value of secret must contain from 16 to 128 alphanumeric characters or symbols (excluding @, ", and /).	string	null	no

Outputs

Name	Description
aws_lb_controller_irsa_role_arn	ARN of IAM role for AWS Load Balancer Controller IRSA.
eks_cluster_name	Name of TFE EKS cluster.
elasticache_replication_group_arn	ARN of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_id	ID of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_primary_endpoint_address	Primary endpoint address of ElastiCache Replication Group (Redis) cluster.
rds_aurora_cluster_arn	ARN of RDS Aurora database cluster.
rds_aurora_cluster_endpoint	RDS Aurora database cluster endpoint.
rds_aurora_cluster_members	List of instances that are part of this RDS Aurora database cluster.
rds_aurora_global_cluster_id	RDS Aurora global database cluster identifier.
s3_bucket_arn	ARN of TFE S3 bucket.
s3_bucket_name	Name of TFE S3 bucket.
s3_crr_iam_role_arn	ARN of S3 cross-region replication IAM role.
tfe_database_host	PostgreSQL server endpoint in the format that TFE will connect to.
tfe_database_password	TFE PostgreSQL database password.
tfe_database_password_base64	Base64-encoded TFE PostgreSQL database password.
tfe_irsa_role_arn	ARN of IAM role for TFE EKS IRSA.
tfe_lb_security_group_id	ID of security group for TFE load balancer.
tfe_redis_password	TFE Redis password.
tfe_redis_password_base64	Base64-encoded TFE Redis password.
tfe_url	URL to access TFE application based on value of tfe_fqdn input.