fleetdm/fleet-terraform

This module provides a basic Fleet deployment on AWS with Terraform. It is the root module for the repo and creates the VPC, database, cache, ECS cluster, ALB, and Fleet service stack. If you want to bring part of that infrastructure yourself, use one of the nested submodules instead.

To quickly list available released module tags:

git tag | grep '^tf'

Module layout:

  • Root module
  • byo-vpc
  • byo-vpc/byo-db
  • byo-vpc/byo-db/byo-ecs

KMS Coverage

This root module now exposes optional customer-managed KMS key (CMK) support for every KMS-capable surface that this stack manages directly or passes through to child modules.

At the root module level this includes:

  • VPC flow log CloudWatch log groups
  • Aurora storage encryption
  • Aurora database password secret in Secrets Manager
  • Aurora observability encryption for Performance Insights / CloudWatch Database Insights
  • Aurora exported CloudWatch log groups
  • ElastiCache at-rest encryption
  • ElastiCache CloudWatch log groups for cloudwatch-logs delivery targets
  • ECS cluster exec log groups, Fleet app log groups, Fleet private-key secret, and other nested Fleet/ECS KMS features through child-module passthroughs

Behavior rules are consistent across features:

  • cmk_enabled = true means "use a customer-managed KMS key here."
  • Set cmk_enabled = false or omit it to keep using the service-managed key.
  • For KMS options that existed in published releases before this change, the legacy enabled field is deprecated but still accepted. terraform plan and terraform apply warn when it is used, and cmk_enabled takes precedence if both are set.
  • If CMK use is enabled and no key ARN is provided, the module creates a CMK and alias.
  • If a key ARN is provided, the module uses that key and does not create one.
  • For provided keys, required IAM is managed where this repo owns an IAM principal, but external key policies must already allow the relevant AWS service to use the key.
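The two key paths described by the rules above, as an added example that is not code from the fleet-terraform repository. It assumes the region is hard-coded to us-east-2 (matching the module's default availability zones), the account id comes from the aws_caller_identity data source, and module.acm is the same ACM reference used in the Example section below. The first path brings a key whose policy already allows the CloudWatch Logs service principal, which the module will not manage; the second lets the module create the Aurora storage CMK and supplies kms_base_policy so the default root kms:* statement is replaced by the standard AWS key-administrator action set.

```hcl
# Added example; not from the fleet-terraform repo. Assumptions: region is
# hard-coded, the admin principal is the account root, and module.acm exists.
data "aws_caller_identity" "current" {}

locals {
  region     = "us-east-2" # assumption: same region as the module's default azs
  account_id = data.aws_caller_identity.current.account_id
}

# Path 1: bring your own key. The module uses this key as-is and never edits
# its policy, so the CloudWatch Logs service principal must already be allowed.
# The encryption-context condition limits the grant to log groups in this
# account and region rather than any log group the service handles.
data "aws_iam_policy_document" "byo_flow_log_key" {
  statement {
    sid       = "KeyAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  statement {
    sid       = "AllowCloudWatchLogsUse"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    principals {
      type        = "Service"
      identifiers = ["logs.${local.region}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "byo_flow_log" {
  description         = "Customer-managed key for the VPC flow log group"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.byo_flow_log_key.json
}

module "fleet" {
  source = "github.com/fleetdm/fleet-terraform?depth=1&ref=tf-mod-root-v1.23.0"

  certificate_arn = module.acm.acm_certificate_arn

  vpc = {
    enable_flow_log                      = true
    create_flow_log_cloudwatch_log_group = true
    flow_log_cloudwatch_log_group_kms = {
      cmk_enabled = true
      # A provided ARN means the module creates no key and no alias.
      kms_key_arn = aws_kms_key.byo_flow_log.arn
    }
  }

  # Path 2: no ARN given, so the module creates the Aurora storage CMK and
  # merges the RDS service-access statement it needs on top of kms_base_policy.
  rds_config = {
    storage_kms = {
      cmk_enabled = true
    }
  }

  # Replaces the historical root "kms:*" statement on module-created keys with
  # administration-only actions. Because the root principal no longer holds
  # kms:* here, IAM policies in the account cannot delegate key *usage*; only
  # the service statements the module merges in grant Encrypt/Decrypt.
  kms_base_policy = [{
    sid    = "KeyAdministrators"
    effect = "Allow"
    principals = {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
  }]
}
```

The conditions attribute of kms_base_policy is optional and defaults to an empty list, so it is omitted above. If a provided key is missing the service statement, the failure surfaces at apply time as an access-denied error from the consuming service rather than from Terraform's plan, which is why the page asks for the key policy to be in place beforehand.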

Aurora Database Insights

AWS has announced that the Performance Insights console reaches end of life on June 30, 2026. Aurora observability is moving toward CloudWatch Database Insights.

This module exposes Aurora observability through rds_config.observability:

  • database_insights_mode = null means Terraform does not force Standard vs Advanced mode.
  • database_insights_mode = "standard" explicitly keeps the cluster in Standard Database Insights mode.
  • database_insights_mode = "advanced" enables Advanced Database Insights and therefore requires:
    • performance_insights_enabled = true
    • monitoring_interval > 0
    • retention_period >= 465

The observability CMK applies through Aurora's underlying Performance Insights encryption plane, which Database Insights builds on.

Aurora Backtrack

This module also exposes Aurora MySQL backtracking through rds_config.backtrack_window.

  • Set it to a value between 0 and 259200 seconds.
  • Set 0 to disable backtracking explicitly.
  • Leave it null to keep the default upstream behavior.
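A single rds_config block covering both the Advanced Database Insights requirements and the backtrack window, added here as an example rather than taken from the fleet-terraform repository. It follows the input schema later in this README: retention_period and database_insights_mode live inside observability, while monitoring_interval and backtrack_window are top-level rds_config fields. The values chosen (a 30-second monitoring interval, a 24-hour backtrack window) are illustrative.

```hcl
# Added example; not from the fleet-terraform repo.
rds_config = {
  # Top-level fields: Advanced mode needs monitoring_interval > 0, and the
  # backtrack window is given in seconds (0 disables, null keeps the default).
  monitoring_interval = 30
  backtrack_window    = 86400 # 24 hours, inside the allowed 0..259200 range

  observability = {
    # All three are required together for database_insights_mode = "advanced";
    # a retention_period below 465 days is rejected for Advanced mode.
    performance_insights_enabled = true
    retention_period             = 465
    database_insights_mode       = "advanced"

    # The CMK is applied through the Performance Insights encryption plane,
    # which Database Insights builds on.
    kms = {
      cmk_enabled = true
    }
  }
}
```

Setting database_insights_mode back to "standard" or null does not relax the other fields automatically; leave them as they are or lower retention_period explicitly, since 465 days is only a requirement of Advanced mode.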

Migration Notes

  • Existing environments remain unchanged unless you opt into new KMS or Database Insights settings.
  • For provided CMKs, ensure the key policy already allows the relevant AWS service.
  • Enabling KMS on existing CloudWatch log groups may require old log streams to be purged so all retained data is under the new key.

Use the repository-root helper script for CloudWatch Logs KMS cleanup:

# Dry run
DELETE_OLD_STREAMS=false ./scripts/cloudwatch_logs_kms_migration.sh <log-group-name> <region>

# Delete old streams
./scripts/cloudwatch_logs_kms_migration.sh <log-group-name> <region>

Example

module "fleet" {
  source = "github.com/fleetdm/fleet-terraform?depth=1&ref=tf-mod-root-v1.23.0"

  certificate_arn = module.acm.acm_certificate_arn

  vpc = {
    enable_flow_log                      = true
    create_flow_log_cloudwatch_log_group = true
    flow_log_cloudwatch_log_group_kms = {
      cmk_enabled = true
    }
  }

  rds_config = {
    storage_kms = {
      cmk_enabled = true
    }
    password_secret_kms = {
      cmk_enabled = true
    }
    observability = {
      database_insights_mode = "standard"
      kms = {
        cmk_enabled = true
      }
    }
  }

  redis_config = {
    at_rest_kms = {
      cmk_enabled = true
    }
  }
}

Migrating from existing Dogfood code

The moved blocks below migrate Terraform state from the existing Dogfood resource addresses to this module's addresses, so the resources are re-addressed rather than destroyed and recreated.

moved {
  from = module.vpc
  to   = module.main.module.vpc
}

moved {
  from = module.aurora_mysql
  to   = module.main.module.byo-vpc.module.rds
}

moved {
  from = aws_elasticache_replication_group.default
  to   = module.main.module.byo-vpc.module.redis.aws_elasticache_replication_group.default
}

This focuses on the resources that are "heavy" or store data. The ALB cannot be moved the same way because Dogfood uses aws_alb while the module uses aws_lb.

Cache Engine: Redis vs Valkey

This module supports both Redis and Valkey as the ElastiCache engine.

Provider Requirements

When using this module, ensure your AWS provider version is >= 5.73.0.

Using Valkey

redis_config = {
  engine         = "valkey"
  engine_version = "7.2"
  family         = "valkey7"
  instance_type  = "cache.m5.large"
  cluster_size   = 3
}

Using Redis

redis_config = {
  engine         = "redis"
  engine_version = "7.1"
  family         = "redis7"
  instance_type  = "cache.m5.large"
  cluster_size   = 3
}

How to improve this module

If this module does not fit your needs, open a ticket or contact Fleet. Variable changes should stay nullable when no sensible default exists and should be reflected all the way up the stack.

How to update this readme

Edit .header.md, run terraform init, then run terraform-docs markdown . > README.md.

Requirements

Name Version
terraform >= 1.5.0

Providers

Name Version
aws 6.35.1

Modules

Name Source Version
byo-vpc ./byo-vpc n/a
vpc terraform-aws-modules/vpc/aws 5.1.2

Resources

Name Type
aws_kms_alias.vpc_flow_log_cloudwatch_log_group resource
aws_kms_key.vpc_flow_log_cloudwatch_log_group resource
aws_caller_identity.current data source
aws_iam_policy_document.vpc_flow_log_cloudwatch_log_group_kms data source
aws_partition.current data source
aws_region.current data source

Inputs

Name Description Type Default Required
alb_config n/a
object({
name = optional(string, "fleet")
security_groups = optional(list(string), [])
access_logs = optional(map(string), {})
allowed_cidrs = optional(list(string), ["0.0.0.0/0"])
allowed_ipv6_cidrs = optional(list(string), ["::/0"])
egress_cidrs = optional(list(string), ["0.0.0.0/0"])
egress_ipv6_cidrs = optional(list(string), ["::/0"])
fleet_target_group = optional(object({
protocol = optional(string, "HTTP")
port = optional(number, 80)
target_type = optional(string, "ip")
create_attachment = optional(bool, false)
health_check = optional(object({
path = optional(string, "/healthz")
matcher = optional(string, "200")
port = optional(string)
timeout = optional(number, 10)
interval = optional(number, 15)
healthy_threshold = optional(number, 5)
unhealthy_threshold = optional(number, 5)
}), {})
}), {})
extra_target_groups = optional(any, [])
https_listener_rules = optional(any, [])
https_overrides = optional(any, {})
xff_header_processing_mode = optional(string, null)
tls_policy = optional(string, "ELBSecurityPolicy-TLS13-1-2-2021-06")
idle_timeout = optional(number, 905)
internal = optional(bool, false)
enable_deletion_protection = optional(bool, false)
})
{} no
certificate_arn n/a string n/a yes
ecs_cluster The config for the terraform-aws-modules/ecs/aws module. For published KMS blocks, legacy enabled is deprecated and still accepted; prefer cmk_enabled.
object({
autoscaling_capacity_providers = optional(any, {})
cluster_configuration = optional(any, {
execute_command_configuration = {
logging = "OVERRIDE"
log_configuration = {
cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
}
}
})
cluster_name = optional(string, "fleet")
cloudwatch_log_group = optional(object({
create = optional(bool, true)
retention_in_days = optional(number, 90)
kms = optional(object({
cmk_enabled = optional(bool, null)
enabled = optional(bool, null)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-ecs-cluster-logs")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-ecs-cluster-logs"
extra_kms_policies = []
})
}), {
create = true
retention_in_days = 90
kms = {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-ecs-cluster-logs"
}
})
cluster_settings = optional(any, {
"name" : "containerInsights",
"value" : "enabled",
})
create = optional(bool, true)
default_capacity_provider_use_fargate = optional(bool, true)
fargate_capacity_providers = optional(any, {
FARGATE = {
default_capacity_provider_strategy = {
weight = 100
}
}
FARGATE_SPOT = {
default_capacity_provider_strategy = {
weight = 0
}
}
})
tags = optional(map(string))
})
{
"autoscaling_capacity_providers": {},
"cloudwatch_log_group": {
"create": true,
"kms": {
"cmk_enabled": null,
"enabled": null,
"extra_kms_policies": [],
"kms_alias": "fleet-ecs-cluster-logs",
"kms_key_arn": null
},
"retention_in_days": 90
},
"cluster_configuration": {
"execute_command_configuration": {
"log_configuration": {
"cloud_watch_log_group_name": "/aws/ecs/aws-ec2"
},
"logging": "OVERRIDE"
}
},
"cluster_name": "fleet",
"cluster_settings": {
"name": "containerInsights",
"value": "enabled"
},
"create": true,
"default_capacity_provider_use_fargate": true,
"fargate_capacity_providers": {
"FARGATE": {
"default_capacity_provider_strategy": {
"weight": 100
}
},
"FARGATE_SPOT": {
"default_capacity_provider_strategy": {
"weight": 0
}
}
},
"tags": {}
}
no
fleet_config The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. For published KMS blocks, legacy enabled is deprecated and still accepted; prefer cmk_enabled.
object({
task_mem = optional(number, null)
task_cpu = optional(number, null)
ephemeral_storage = optional(object({
size_in_gib = number
}), null)
mem = optional(number, 4096)
cpu = optional(number, 512)
pid_mode = optional(string, null)
image = optional(string, "fleetdm/fleet:v4.81.2")
family = optional(string, "fleet")
sidecars = optional(list(any), [])
depends_on = optional(list(any), [])
mount_points = optional(list(any), [])
volumes = optional(list(any), [])
extra_environment_variables = optional(map(string), {})
extra_iam_policies = optional(list(string), [])
extra_execution_iam_policies = optional(list(string), [])
extra_secrets = optional(map(string), {})
security_group_name = optional(string, "fleet")
iam_role_arn = optional(string, null)
repository_credentials = optional(string, "")
private_key_secret_name = optional(string, "fleet-server-private-key")
private_key_secret_kms = optional(object({
cmk_enabled = optional(bool, null)
enabled = optional(bool, null)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-server-private-key")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-server-private-key"
extra_kms_policies = []
})
fargate_ephemeral_storage_kms = optional(object({
cmk_enabled = optional(bool, null)
enabled = optional(bool, null)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-fargate-ephemeral-storage")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-fargate-ephemeral-storage"
extra_kms_policies = []
})
server_tls_enabled = optional(bool, false)
service = optional(object({
name = optional(string, "fleet")
}), {
name = "fleet"
})
database = optional(object({
password_secret_arn = string
password_secret_kms_key_arn = optional(string, null)
user = string
database = string
address = string
rr_address = optional(string, null)
}), {
password_secret_arn = null
password_secret_kms_key_arn = null
user = null
database = null
address = null
rr_address = null
})
redis = optional(object({
address = string
use_tls = optional(bool, true)
}), {
address = null
use_tls = true
})
awslogs = optional(object({
name = optional(string, null)
region = optional(string, null)
create = optional(bool, true)
prefix = optional(string, "fleet")
retention = optional(number, 5)
kms = optional(object({
cmk_enabled = optional(bool, null)
enabled = optional(bool, null)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-application-logs")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-application-logs"
extra_kms_policies = []
})
}), {
name = null
region = null
create = true
prefix = "fleet"
retention = 5
kms = {
cmk_enabled = null
enabled = null
kms_key_arn = null
kms_alias = "fleet-application-logs"
extra_kms_policies = []
}
})
loadbalancer = optional(object({
arn = string
}), {
arn = null
})
extra_load_balancers = optional(list(any), [])
networking = optional(object({
subnets = optional(list(string), null)
security_groups = optional(list(string), null)
ingress_sources = optional(object({
cidr_blocks = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
security_groups = optional(list(string), [])
prefix_list_ids = optional(list(string), [])
}), {
cidr_blocks = []
ipv6_cidr_blocks = []
security_groups = []
prefix_list_ids = []
})
assign_public_ip = optional(bool, false)
}), {
subnets = null
security_groups = null
ingress_sources = {
cidr_blocks = []
ipv6_cidr_blocks = []
security_groups = []
prefix_list_ids = []
}
assign_public_ip = false
})
autoscaling = optional(object({
max_capacity = optional(number, 5)
min_capacity = optional(number, 1)
memory_tracking_target_value = optional(number, 80)
cpu_tracking_target_value = optional(number, 80)
}), {
max_capacity = 5
min_capacity = 1
memory_tracking_target_value = 80
cpu_tracking_target_value = 80
})
iam = optional(object({
role = optional(object({
name = optional(string, "fleet-role")
policy_name = optional(string, "fleet-iam-policy")
}), {
name = "fleet-role"
policy_name = "fleet-iam-policy"
})
execution = optional(object({
name = optional(string, "fleet-execution-role")
policy_name = optional(string, "fleet-execution-role")
}), {
name = "fleet-execution-role"
policy_name = "fleet-iam-policy-execution"
})
}), {
name = "fleetdm-execution-role"
})
software_installers = optional(object({
create_bucket = optional(bool, true)
bucket_name = optional(string, null)
bucket_prefix = optional(string, "fleet-software-installers-")
s3_object_prefix = optional(string, "")
cloudfront_distribution_arn = optional(string, null)
enable_bucket_versioning = optional(bool, false)
expire_noncurrent_versions = optional(bool, true)
noncurrent_version_expiration_days = optional(number, 30)
create_kms_key = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-software-installers")
extra_kms_policies = optional(list(any), [])
tags = optional(map(string), {})
}), {
create_bucket = true
bucket_name = null
bucket_prefix = "fleet-software-installers-"
s3_object_prefix = ""
cloudfront_distribution_arn = null
enable_bucket_versioning = false
expire_noncurrent_versions = true
noncurrent_version_expiration_days = 30
create_kms_key = false
kms_key_arn = null
kms_alias = "fleet-software-installers"
extra_kms_policies = []
tags = {}
})
})
{
"autoscaling": {
"cpu_tracking_target_value": 80,
"max_capacity": 5,
"memory_tracking_target_value": 80,
"min_capacity": 1
},
"awslogs": {
"create": true,
"kms": {
"cmk_enabled": null,
"enabled": null,
"extra_kms_policies": [],
"kms_alias": "fleet-application-logs",
"kms_key_arn": null
},
"name": null,
"prefix": "fleet",
"region": null,
"retention": 5
},
"cpu": 512,
"database": {
"address": null,
"database": null,
"password_secret_arn": null,
"rr_address": null,
"user": null
},
"depends_on": [],
"ephemeral_storage": null,
"extra_environment_variables": {},
"extra_execution_iam_policies": [],
"extra_iam_policies": [],
"extra_load_balancers": [],
"extra_secrets": {},
"family": "fleet",
"fargate_ephemeral_storage_kms": {
"cmk_enabled": null,
"enabled": null,
"extra_kms_policies": [],
"kms_alias": "fleet-fargate-ephemeral-storage",
"kms_key_arn": null
},
"iam": {
"execution": {
"name": "fleet-execution-role",
"policy_name": "fleet-iam-policy-execution"
},
"role": {
"name": "fleet-role",
"policy_name": "fleet-iam-policy"
}
},
"iam_role_arn": null,
"image": "fleetdm/fleet:v4.81.2",
"loadbalancer": {
"arn": null
},
"mem": 4096,
"mount_points": [],
"networking": {
"assign_public_ip": false,
"ingress_sources": {
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"security_groups": []
},
"security_groups": null,
"subnets": null
},
"pid_mode": null,
"private_key_secret_kms": {
"cmk_enabled": null,
"enabled": null,
"extra_kms_policies": [],
"kms_alias": "fleet-server-private-key",
"kms_key_arn": null
},
"private_key_secret_name": "fleet-server-private-key",
"redis": {
"address": null,
"use_tls": true
},
"repository_credentials": "",
"security_group_name": "fleet",
"security_groups": null,
"server_tls_enabled": false,
"service": {
"name": "fleet"
},
"sidecars": [],
"software_installers": {
"bucket_name": null,
"bucket_prefix": "fleet-software-installers-",
"cloudfront_distribution_arn": null,
"create_bucket": true,
"create_kms_key": false,
"enable_bucket_versioning": false,
"expire_noncurrent_versions": true,
"extra_kms_policies": [],
"kms_alias": "fleet-software-installers",
"kms_key_arn": null,
"noncurrent_version_expiration_days": 30,
"s3_object_prefix": "",
"tags": {}
},
"task_cpu": null,
"task_mem": null,
"volumes": []
}
no
kms_base_policy Optional base KMS key-policy statements to apply to module-created CMKs before module-required service access statements are merged in. If null, the module defaults to the historical root kms:* statement.
list(object({
sid = string
effect = string
principals = object({
type = string
identifiers = list(string)
})
actions = list(string)
resources = list(string)
conditions = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
}))
null no
migration_config The configuration object for Fleet's migration task.
object({
mem = number
cpu = number
})
{
"cpu": 1024,
"mem": 2048
}
no
rds_config The config for the terraform-aws-modules/rds-aurora/aws module
object({
name = optional(string, "fleet")
engine_version = optional(string, "8.0.mysql_aurora.3.08.2")
instance_class = optional(string, "db.t4g.large")
subnets = optional(list(string), [])
allowed_security_groups = optional(list(string), [])
allowed_cidr_blocks = optional(list(string), [])
apply_immediately = optional(bool, true)
monitoring_interval = optional(number, 10)
backtrack_window = optional(number, null)
db_parameter_group_name = optional(string)
db_parameters = optional(map(string), {})
db_cluster_parameter_group_name = optional(string)
db_cluster_parameters = optional(map(string), {})
enabled_cloudwatch_logs_exports = optional(list(string), [])
final_snapshot_identifier = optional(string, null)
password_secret_kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-rds-password-secret")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-password-secret"
extra_kms_policies = []
})
storage_kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-rds-storage")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-storage"
extra_kms_policies = []
})
observability = optional(object({
performance_insights_enabled = optional(bool, true)
retention_period = optional(number, null)
database_insights_mode = optional(string, null)
kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-rds-performance-insights")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-performance-insights"
extra_kms_policies = []
})
}), {
performance_insights_enabled = true
retention_period = null
database_insights_mode = null
kms = {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-performance-insights"
extra_kms_policies = []
}
})
cloudwatch_log_group = optional(object({
retention_in_days = optional(number, null)
skip_destroy = optional(bool, false)
kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-rds-logs")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-logs"
extra_kms_policies = []
})
}), {
retention_in_days = null
skip_destroy = false
kms = {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-rds-logs"
extra_kms_policies = []
}
})
master_username = optional(string, "fleet")
snapshot_identifier = optional(string)
cluster_tags = optional(map(string), {})
skip_final_snapshot = optional(bool, true)
backup_retention_period = optional(number, 7)
replicas = optional(number, 2)
serverless = optional(bool, false)
serverless_min_capacity = optional(number, 2)
serverless_max_capacity = optional(number, 10)
restore_to_point_in_time = optional(map(string), {})
})
{
"allowed_cidr_blocks": [],
"allowed_security_groups": [],
"apply_immediately": true,
"backtrack_window": null,
"backup_retention_period": 7,
"cloudwatch_log_group": {
"kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-rds-logs",
"kms_key_arn": null
},
"retention_in_days": null,
"skip_destroy": false
},
"cluster_tags": {},
"db_cluster_parameter_group_name": null,
"db_cluster_parameters": {},
"db_parameter_group_name": null,
"db_parameters": {},
"enabled_cloudwatch_logs_exports": [],
"engine_version": "8.0.mysql_aurora.3.08.2",
"final_snapshot_identifier": null,
"instance_class": "db.t4g.large",
"master_username": "fleet",
"monitoring_interval": 10,
"name": "fleet",
"observability": {
"database_insights_mode": null,
"kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-rds-performance-insights",
"kms_key_arn": null
},
"performance_insights_enabled": true,
"retention_period": null
},
"password_secret_kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-rds-password-secret",
"kms_key_arn": null
},
"replicas": 2,
"restore_to_point_in_time": {},
"serverless": false,
"serverless_max_capacity": 10,
"serverless_min_capacity": 2,
"skip_final_snapshot": true,
"snapshot_identifier": null,
"storage_kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-rds-storage",
"kms_key_arn": null
},
"subnets": []
}
no
redis_config n/a
object({
name = optional(string, "fleet")
replication_group_id = optional(string)
elasticache_subnet_group_name = optional(string)
allowed_security_group_ids = optional(list(string), [])
subnets = optional(list(string))
availability_zones = optional(list(string))
cluster_size = optional(number, 3)
instance_type = optional(string, "cache.m5.large")
apply_immediately = optional(bool, true)
automatic_failover_enabled = optional(bool, false)
engine = optional(string, "redis")
engine_version = optional(string, "7.1")
family = optional(string, "redis7")
at_rest_encryption_enabled = optional(bool, true)
at_rest_kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-redis-at-rest")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-redis-at-rest"
extra_kms_policies = []
})
transit_encryption_enabled = optional(bool, true)
parameter = optional(list(object({
name = string
value = string
})), [])
cloudwatch_log_group = optional(object({
retention_in_days = optional(number, null)
skip_destroy = optional(bool, false)
kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-redis-logs")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-redis-logs"
extra_kms_policies = []
})
}), {
retention_in_days = null
skip_destroy = false
kms = {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-redis-logs"
}
})
log_delivery_configuration = optional(list(map(any)), [])
tags = optional(map(string), {})
})
{
"allowed_security_group_ids": [],
"apply_immediately": true,
"at_rest_encryption_enabled": true,
"at_rest_kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-redis-at-rest",
"kms_key_arn": null
},
"automatic_failover_enabled": false,
"availability_zones": null,
"cloudwatch_log_group": {
"kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-redis-logs",
"kms_key_arn": null
},
"retention_in_days": null,
"skip_destroy": false
},
"cluster_size": 3,
"elasticache_subnet_group_name": null,
"engine": "redis",
"engine_version": "7.1",
"family": "redis7",
"instance_type": "cache.m5.large",
"log_delivery_configuration": [],
"name": "fleet",
"parameter": [],
"replication_group_id": null,
"subnets": null,
"tags": {},
"transit_encryption_enabled": true
}
no
vpc n/a
object({
name = optional(string, "fleet")
cidr = optional(string, "10.10.0.0/16")
azs = optional(list(string), ["us-east-2a", "us-east-2b", "us-east-2c"])
private_subnets = optional(list(string), ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"])
public_subnets = optional(list(string), ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"])
database_subnets = optional(list(string), ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"])
elasticache_subnets = optional(list(string), ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"])

create_database_subnet_group = optional(bool, false)
create_database_subnet_route_table = optional(bool, true)
create_elasticache_subnet_group = optional(bool, true)
create_elasticache_subnet_route_table = optional(bool, true)
enable_vpn_gateway = optional(bool, false)
one_nat_gateway_per_az = optional(bool, false)
single_nat_gateway = optional(bool, true)
enable_nat_gateway = optional(bool, true)
enable_dns_hostnames = optional(bool, false)
enable_dns_support = optional(bool, true)
enable_flow_log = optional(bool, false)
create_flow_log_cloudwatch_log_group = optional(bool, false)
create_flow_log_cloudwatch_iam_role = optional(bool, false)
flow_log_max_aggregation_interval = optional(number, 600)
flow_log_cloudwatch_log_group_name_prefix = optional(string, "/aws/vpc-flow-log/")
flow_log_cloudwatch_log_group_name_suffix = optional(string, "")
flow_log_cloudwatch_log_group_kms = optional(object({
cmk_enabled = optional(bool, false)
kms_key_arn = optional(string, null)
kms_alias = optional(string, "fleet-vpc-flow-logs")
extra_kms_policies = optional(list(any), [])
}), {
cmk_enabled = false
kms_key_arn = null
kms_alias = "fleet-vpc-flow-logs"
extra_kms_policies = []
})
vpc_flow_log_tags = optional(map(string), {})
})
{
"azs": [
"us-east-2a",
"us-east-2b",
"us-east-2c"
],
"cidr": "10.10.0.0/16",
"create_database_subnet_group": false,
"create_database_subnet_route_table": true,
"create_elasticache_subnet_group": true,
"create_elasticache_subnet_route_table": true,
"create_flow_log_cloudwatch_iam_role": false,
"create_flow_log_cloudwatch_log_group": false,
"database_subnets": [
"10.10.21.0/24",
"10.10.22.0/24",
"10.10.23.0/24"
],
"elasticache_subnets": [
"10.10.31.0/24",
"10.10.32.0/24",
"10.10.33.0/24"
],
"enable_dns_hostnames": false,
"enable_dns_support": true,
"enable_flow_log": false,
"enable_nat_gateway": true,
"enable_vpn_gateway": false,
"flow_log_cloudwatch_log_group_kms": {
"cmk_enabled": false,
"extra_kms_policies": [],
"kms_alias": "fleet-vpc-flow-logs",
"kms_key_arn": null
},
"flow_log_cloudwatch_log_group_name_prefix": "/aws/vpc-flow-log/",
"flow_log_cloudwatch_log_group_name_suffix": "",
"flow_log_max_aggregation_interval": 600,
"name": "fleet",
"one_nat_gateway_per_az": false,
"private_subnets": [
"10.10.1.0/24",
"10.10.2.0/24",
"10.10.3.0/24"
],
"public_subnets": [
"10.10.11.0/24",
"10.10.12.0/24",
"10.10.13.0/24"
],
"single_nat_gateway": true,
"vpc_flow_log_tags": {}
}
no

Outputs

Name Description
byo-vpc n/a
vpc n/a
