Terraform Variables Reference
Below you can find a full description of all variables in the RI Platform Terraform configuration (main.tf).
variable "create_managed_helm_release" {
description = <<EOT
Whether to deploy a RIME Helm chart onto the provisioned infrastructure managed by Terraform.
Changing the state of this variable will either install/uninstall the RIME deployment
once the change is applied in Terraform. If you want to install the RIME package manually,
set this to false and use the generated values YAML file to deploy the release
on the provisioned infrastructure.
EOT
type = bool
default = false
}
variable "helm_values_output_dir" {
description = <<EOT
The directory where to write the generated values YAML files used to configure each Helm release.
For each namespace in `k8s_namespaces`, a Helm chart "$helm_values_output_dir/values_$namespace.yaml"
will be created. For each rime agent namespace, a values file will be created in an agents/ subdirectory.
EOT
type = string
default = ""
}
variable "image_registry_config" {
description = <<EOT
The configuration for the RIME Image Registry service, which manages custom images
for running RIME stress tests with different Python model requirements:
* enable: whether or not to enable the RIME Image Registry service.
* allow_external_custom_images: whether to allow custom external images that are not
managed by the image registry for model testing.
* repository_prefix: the prefix used for all repositories created
and managed by the RIME Image Registry service.
EOT
type = object({
enable = bool
allow_external_custom_images = bool
repository_prefix = string
})
default = {
enable = true
allow_external_custom_images = false
repository_prefix = "rime-managed-images"
}
# See https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html
# for repository naming rules.
validation {
condition = !var.image_registry_config.enable || can(regex("^[a-z][a-z0-9]*(?:[/_-][a-z0-9]+)*$", var.image_registry_config.repository_prefix))
error_message = "The repository prefix must be 1 or more lowercase alphanumeric words separated by a '-', '_', or '/' where the first character is a letter."
}
}
variable "k8s_namespaces" {
description = <<EOT
All Kubernetes namespaces where the RIME Helm chart is to be installed.
A Helm chart will be constructed for each of these called "$helm_values_output_dir/values_$namespace.yaml".
For manual installation of these Helm charts, be sure to install them in their intended namespace.
EOT
type = list(object({
namespace = string
primary = bool
}))
default = [
{
namespace = "default"
primary = true
}
]
# These conditions should match the conditions of modules that rely on this variable.
# Currently the modules that rely on these conditions are:
# - rime_helm_release/s3_blob_store (each k8s_namespace is included in the blob-store S3 bucket name, which has a limit on length and what characters can be included)
validation {
condition = (
length([for n in var.k8s_namespaces : n if n.primary]) == 1 &&
alltrue([for n in var.k8s_namespaces : length(n.namespace) <= 12 && can(regex("^[a-z0-9.-]+$", n.namespace))])
)
error_message = "Must have one and only one primary namespace, and each namespace must be <= 12 in characters and contain only letters, numbers, dots (.), and hyphens (-)."
}
}
variable "resource_name_suffix" {
description = <<EOT
A suffix to use with the names of resources created by this module.
EOT
type = string
# These conditions should match the conditions of modules that rely on this variable.
# Currently the modules that rely on these conditions are:
# - rime_helm_release/s3_blob_store (resource_name_suffix is included in the blob-store S3 bucket name, which has a limit on length and what characters can be included)
validation {
condition = (
length(var.resource_name_suffix) <= 25 &&
can(regex("^[a-z0-9.-]+$", var.resource_name_suffix))
)
error_message = "Must not be longer than 25 characters and must contain only letters, numbers, dots (.), and hyphens (-)."
}
}
variable "rime_docker_backend_image" {
description = "The name of the Docker image for RIME's backend services."
type = string
default = "robustintelligencehq/rime-backend"
}
variable "rime_docker_agent_image" {
description = "The name of the Docker image for RIME agent, not including a tag."
type = string
default = "robustintelligencehq/rime-agent"
}
variable "rime_docker_frontend_image" {
description = "The name of the Docker image for RIME's frontend services."
type = string
default = "robustintelligencehq/rime-frontend"
}
variable "rime_docker_image_builder_image" {
description = "The name of the Docker image for RIME's image builder service."
type = string
default = "robustintelligencehq/rime-image-builder"
}
# Note: this docker image must be specified as the specific image for a given
# client's model testing so it does not have a default.
variable "rime_docker_model_testing_image" {
description = "The name of the Docker image for RIME's model testing jobs."
type = string
}
variable "rime_docker_secret_name" {
description = "The name of the Kubernetes secret used to pull the Docker image for RIME's backend services."
type = string
default = "rimecreds"
}
variable "dns_config" {
description = <<EOT
Configuration for rime dns config. Should be structured like
{
create_route53: bool (default true)
rime_domain: string (required)
acm_domain: string (default rime_domain) Only add this if your acm cert base domain is different from the rime domain
}
If create_route53 is false, it is expected that you have a valid zone and cert for rime_domain already created
EOT
type = map(any)
}
variable "rime_repository" {
description = "Repository URL where to locate the requested RIME chart for the give `rime_version`."
type = string
}
variable "rime_version" {
description = "The version of the RIME software to be installed."
type = string
}
variable "s3_authorized_bucket_path_arns" {
description = <<EOT
A list of all S3 bucket path arns of which RIME will be granted access to.
Each path must be of the form:
arn:aws:s3:::<BUCKET>/sub/path
where <BUCKET> is the name of the S3 bucket and `sub/path` comprises
some path within the bucket. You can also use wildcards '?' or '*' within
the arn specification (e.g. 'arn:aws:s3:::datasets/*').
EOT
type = list(string)
}
variable "install_cluster_autoscaler" {
description = "Whether or not to install the cluster autoscaler."
type = bool
default = false
}
variable "cluster_name" {
description = "Name of eks cluster."
type = string
default = ""
}
variable "install_external_dns" {
description = "Whether or not to install external dns."
type = bool
default = false
}
variable "install_datadog" {
description = "Whether or not to install the Datadog Agent."
type = bool
default = false
}
variable "create_eks" {
description = "Whether or not to create a new EKS cluster to run RIME on. If false, cluster_name must be the name of an already provisioned cluster."
type = bool
default = true
}
variable "vpc_id" {
description = "VPC where the cluster and workers will be deployed. Must be specified if create_eks is true."
type = string
default = ""
}
variable "private_subnet_ids" {
description = "A list of private subnet ids to place the EKS cluster and workers within. Must be specified if create_eks is true"
type = list(string)
default = []
}
variable "public_subnet_ids" {
description = "A list of public subnet ids for EKS cluster load balancers to work in"
type = list(string)
default = []
}
variable "cluster_version" {
description = "Kubernetes version to use for the EKS cluster."
type = string
default = "1.20"
}
variable "node_ssh_key" {
description = "EC2 ssh key to be added to nodes for ssh access. This is only applicable if create_eks is true"
type = string
default = ""
}
variable "tags" {
description = "A map of tags to add to all resources. Tags added to launch configuration or templates override these values for ASG Tags only."
type = map(string)
default = {}
}
variable "server_worker_group_min_size" {
description = "Minimum size of the server worker group. Must be >= 1"
type = number
default = 4
validation {
condition = var.server_worker_group_min_size >= 1
error_message = "Server worker group min size must be greater than or equal to 1."
}
}
variable "server_worker_group_max_size" {
description = "Maximum size of the server worker group. Must be >= min size. For best performance we recommend >= 10 nodes as the max size."
type = number
default = 10
}
variable "model_testing_worker_group_instance_types" {
description = "Instance types for the model testing worker group."
type = list(string)
default = ["t2.xlarge", "t3.xlarge", "t3a.xlarge"]
}
variable "model_testing_worker_group_min_size" {
description = "Minimum size of the model testing worker group. Must be >= 1"
type = number
default = 0
validation {
condition = var.model_testing_worker_group_min_size >= 0
error_message = "Model testing worker group min size must be greater than or equal to 0."
}
}
variable "model_testing_worker_group_max_size" {
description = "Maximum size of the model testing worker group. Must be >= min size. For best performance we recommend >= 10 nodes as the max size."
type = number
default = 10
}
variable "model_testing_worker_group_use_spot" {
description = "Use spot instances for model testing worker group."
type = bool
default = true
}
variable "map_roles" {
description = "Additional IAM roles to add to the aws-auth configmap. You will need to set this for any role you want to allow access to eks"
type = list(object({
rolearn = string
username = string
groups = list(string)
}))
default = []
}
variable "map_users" {
description = "Additional IAM users to add to the aws-auth configmap. You will need to set this for any role you want to allow access to eks."
type = list(object({
userarn = string
username = string
groups = list(string)
}))
default = []
}
variable "mongo_db_size" {
description = "MongoDb volume size"
type = string
default = "32Gi"
}
variable "install_velero" {
description = "Whether or not to install Velero."
type = bool
default = false
}
variable "velero_backup_schedule" {
description = "Backup schedule time in cron time string format."
type = string
default = "0 2 * * *"
}
variable "velero_backup_ttl" {
description = "A suffix to name the IAM policy and role with."
type = string
default = "336h"
}
variable "allow_ecr_pull" {
description = "Allow nodes to pull from ecr"
type = bool
default = true
}
variable "lb_security_group_rules" {
description = <<EOT
Configuration for lb security group rules. Should be structured like
{
type = string
from_port = string
to_port = string
protocol = string
description = string
cidr_blocks = string
ipv6_cidr_blocks = list(string)
self = bool
prefix_list_ids = list(string)
source_security_group_id = string
}
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule for details
EOT
type = list(object({
type = string
from_port = number
to_port = number
protocol = string
description = string
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
self = bool
prefix_list_ids = list(string)
source_security_group_id = string
}))
default = []
}
// TODO(chris): change to verbosity level instead of boolean
variable "verbose" {
description = "Whether to use verbose mode for RIME application services."
type = bool
default = false
}
variable "rime_secrets_name" {
description = "Name of secrets manager secret where Rime values are stored"
type = string
default = "rime-secrets"
}
variable "use_blob_store" {
description = "Whether to use blob store for the cluster."
type = bool
default = true
}
variable "enable_log_archival" {
description = "Whether to archive logs to blob store."
type = bool
default = false
}
variable "use_file_upload_service" {
description = "Whether to use file upload service."
type = bool
default = true
}
variable "eks_cluster_node_iam_policies" {
description = "Policies to attach to eks worker nodes."
type = list(string)
default = []
}
variable "internal_lbs" {
description = "Whether or not the load balancers should be spun up as internal."
type = bool
default = false
}
variable "ip_allowlist" {
# Note: external client IP addresses are preserved by the load balancer. You may also want to include the external IP
# address for the cluster on the allowlist if OIDC is being used, since OIDC will make a callback to the auth-server
# using that IP address.
description = "A set of CIDR routes to add to the allowlist for all ingresses. If not specified, all IP addresses are allowed."
type = list(string)
default = []
}
variable "enable_api_key_auth" {
description = "Use api keys to authenticate api requests"
type = bool
default = true
}
variable "enable_additional_mongo_metrics" {
description = "If enabled, mongo will expose additional collection-level metrics to the datadog agent"
type = bool
default = true
}
variable "rime_agent_configs" {
description = <<EOT
Custom configuration agent deployments, providing access to separate-namespace deployments and custom value files.
NOTE: If you want to deploy agents together with the control plane, simply do not include this variable.
If not specified, agents will automatically be deployed into same namespaces as control planes.
Note that the rime agent deployments will still adhere to the setting of
create_managed_helm_release, and will only be installed if this is enabled.
* namespace: the k8s namespace for the rime-agent deployment
* custom_values_file_path: path to custom values file for rime-agent helm chart
* cp_namespace: the namespace where the control plane for this rime agent is
* cp_release_name: the release name of the control plane, which is prepended to service names and necessary
for the rime agent to be able to locate the correct CP services.
If not specified, defaults to "rime."
In dev environments, we often deploy CP with release name rime-workspace1, etc.
EOT
type = list(object({
namespace = string
custom_values_file_path = string
cp_namespace = string
cp_release_name = string
}))
default = []
}
variable "include_internal_agent" {
description = "If false, deploys all control planes without an internal agent (i.e. a 'split' deployment)"
type = bool
default = true
}
variable "use_rmq_health" {
description = "Whether to start the rmq-health service."
type = bool
default = true
}
variable "use_rmq_resource_cleaner" {
description = "Whether to use the rmq resource cleaner given that the rmq-health service is used."
type = bool
default = true
}
variable "rmq_resource_cleaner_frequency" {
description = "The frequency for running the rmq resource cleaner."
type = string
default = "5m"
}
variable "use_rmq_metrics_updater" {
description = "Whether to use the rmq metrics updater given that the rmq-health service is used."
type = bool
default = true
}
variable "rmq_metrics_updater_frequency" {
description = "The frequency for updating the rmq metrics."
type = string
default = "1s"
}
variable "docker_registry" {
description = "The name of the Docker registry that holds the chart images"
type = string
default = "docker.io"
}
variable "server_worker_groups_overrides" {
description = "A dictionary that specifies overrides for the server worker group launch templates. See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v17.24.0/locals.tf#L36 for valid values."
type = any
default = {}
}
variable "model_testing_worker_groups_overrides" {
description = "A dictionary that specifies overrides for the model testing worker group launch templates. See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v17.24.0/locals.tf#L36 for valid values."
type = any
default = {}
}
variable "overwrite_license" {
description = "Whether to use the license from the configured Secret Store to overwrite the cluster license. This variable is ignored during the first deployment."
type = bool
default = false
}
variable "create_scheduled_ct" {
description = "Whether to deploy a RIME Scheduled CT Cron Job"
type = bool
default = false
}