
Auto-generated

This page is generated by terraform-docs at build time from the infra/ repo. Do not edit manually.

Edge API

ECS service for the Edge API, the user-facing event ingestion and identity service. Traffic enters through CloudFront (which supplies the geo headers) and is forwarded to the public ALB. The service reads ClickHouse for consent lookups and queues events to SQS.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudfront_distribution.edge_api | resource |
| aws_cloudwatch_log_group.edge_api | resource |
| aws_ecs_service.edge_api | resource |
| aws_ecs_task_definition.edge_api | resource |
| aws_iam_policy.read_ssm | resource |
| aws_iam_role.execution_role | resource |
| aws_iam_role.gh_deploy | resource |
| aws_iam_role.task_role | resource |
| aws_iam_role_policy.gh_deploy | resource |
| aws_iam_role_policy.task_sqs | resource |
| aws_iam_role_policy_attachment.execution_read_ssm | resource |
| aws_iam_role_policy_attachment.execution_role_policy | resource |
| aws_lb_listener_rule.edge_api | resource |
| aws_lb_target_group.edge_api | resource |
| aws_route53_record.edge_api | resource |
| aws_security_group_rule.clickhouse_from_edge | resource |
| aws_security_group_rule.edge_api_from_alb | resource |
| aws_ssm_parameter.clickhouse_password | resource |
| aws_ssm_parameter.clickhouse_url | resource |
| aws_ssm_parameter.clickhouse_username | resource |
| aws_ssm_parameter.hmac_secret | resource |
| aws_ssm_parameter.sqs_queue_url | resource |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy_document.ecs_assume_role | data source |
| aws_route53_zone.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alb_dns_name | DNS name of the public ALB (CloudFront origin) | string | n/a | yes |
| alb_https_listener_arn | ARN of the public ALB HTTPS listener | string | n/a | yes |
| alb_security_group_id | Security group ID of the public ALB | string | n/a | yes |
| base_tags | Base tags to apply to all resources | map(string) | {} | no |
| clickhouse_security_group_id | Security group ID of the ClickHouse instance (ingress rule for edge ECS will be added) | string | n/a | yes |
| cloudfront_certificate_arn | ACM certificate ARN in us-east-1 for the dedicated edge-api.{zone} CloudFront distribution. Required when create_dedicated_hostname = true; ignored otherwise. | string | null | no |
| cluster_arn | ARN of the ECS cluster to deploy the service into. Must be passed as ARN (not name) — aws_ecs_service.cluster is a force-new attribute and Terraform treats ARN and name as different values. | string | n/a | yes |
| container_memory_reservation | Soft memory limit (MiB) for the container. Used by ECS for task placement on EC2. Set lower than task_memory to allow multiple task slots to fit on the host during rolling deploys (e.g. 4 tasks × reservation must fit in instance RAM). | number | null | no |
| create_dedicated_hostname | When true (default), provisions a CloudFront distribution + Route53 A record for edge-api.{zone} fronting the ALB. Set to false when the service is reached exclusively via external CloudFront distributions (e.g. prod routes everything through consent.cookiehub.net), so no dedicated hostname or edge-api-specific CloudFront is created. | bool | true | no |
| desired_count | Desired number of ECS tasks | number | 1 | no |
| ecr_repository_arn | ECR repository ARN for the edge-api image, used in the exec role's pull policy | string | n/a | yes |
| ecr_repository_url | ECR repository URL for the edge-api image (e.g. module.edge_ecr.edge_api_repository_url) | string | n/a | yes |
| ecs_security_group_id | Security group ID of ECS tasks (ingress rule for ALB will be added to it) | string | n/a | yes |
| environment | Environment name | string | n/a | yes |
| github_oidc_ref | Git ref pattern for OIDC trust policy | string | "ref:refs/heads/main" | no |
| github_repo | GitHub repository (org/repo) allowed to deploy via OIDC | string | "cookiehub-com/edge-api" | no |
| group | Resource group | string | n/a | yes |
| host_headers | Host headers the ALB listener rule matches to forward traffic to the edge-api target group. Empty list (default) derives a single-entry list of ["edge-api.{zone}"] — the stage pattern. Override in environments where edge-api is reached exclusively through external hostnames (e.g. prod uses consent/ds/consent-eu/region-eu). | list(string) | [] | no |
| name_prefix | Prefix for resource names | string | n/a | yes |
| region | AWS region | string | n/a | yes |
| sqs_queue_arn | ARN of the SQS queue for event ingestion | string | n/a | yes |
| task_cpu | CPU units for the ECS task | number | 512 | no |
| task_memory | Hard memory limit (MiB) for the container. Container is OOM-killed if it exceeds this. | number | 512 | no |
| vpc_id | VPC ID (used for the ALB target group) | string | n/a | yes |
| zone_id | Route53 hosted zone ID | string | n/a | yes |
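Added example (not part of the generated documentation or the infra/ repo) of invoking this module from a root configuration, switching between the stage pattern (dedicated edge-api.{zone} hostname) and the prod pattern (external hostnames only) described under create_dedicated_hostname and host_headers. The module source path, var.environment, and every referenced resource or module output outside this module are assumptions.

```hcl
# Root-module variable assumed to exist: var.environment ("stage" or "prod").
locals {
  # Stage keeps the dedicated edge-api.{zone} hostname; prod is reached only
  # through external CloudFront distributions, so no dedicated one is built.
  dedicated_hostname = var.environment != "prod"
}
# Source path is assumed; point it at wherever the infra/ repo keeps this module.
module "edge_api" {
  source = "./modules/edge-api"

  name_prefix = "${var.environment}-edge-api"
  environment = var.environment
  group       = "edge"
  region      = "eu-west-1"

  # Pass the cluster ARN, not its name: aws_ecs_service.cluster is force-new
  # and Terraform treats the ARN and the name as different values.
  cluster_arn = aws_ecs_cluster.main.arn

  vpc_id                       = aws_vpc.main.id
  zone_id                      = data.aws_route53_zone.selected.zone_id
  alb_dns_name                 = aws_lb.public.dns_name
  alb_https_listener_arn       = aws_lb_listener.https.arn
  alb_security_group_id        = aws_security_group.alb.id
  ecs_security_group_id        = aws_security_group.ecs_tasks.id
  clickhouse_security_group_id = aws_security_group.clickhouse.id
  sqs_queue_arn                = aws_sqs_queue.events.arn
  ecr_repository_url           = module.edge_ecr.edge_api_repository_url
  ecr_repository_arn           = module.edge_ecr.edge_api_repository_arn # assumed output

  # The certificate only matters when the dedicated distribution exists; the ACM
  # resource is assumed to be created through a us-east-1 provider alias.
  create_dedicated_hostname  = local.dedicated_hostname
  cloudfront_certificate_arn = local.dedicated_hostname ? aws_acm_certificate.edge_api_us_east_1.arn : null

  # Empty list derives ["edge-api.{zone}"]; prod must list the external hostnames
  # its CloudFront distributions send (consent.cookiehub.net plus the others).
  host_headers = local.dedicated_hostname ? [] : ["consent.cookiehub.net"]

  # OIDC trust stays pinned to the main branch of the deploy repository.
  github_repo     = "cookiehub-com/edge-api"
  github_oidc_ref = "ref:refs/heads/main"

  # Soft reservation below the hard limit so several task slots fit on one host
  # during a rolling deploy (e.g. 4 tasks x 512 MiB).
  task_cpu                     = 512
  task_memory                  = 1024
  container_memory_reservation = 512
}
```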

Outputs

| Name | Description |
|------|-------------|
| cloudfront_distribution_id | CloudFront distribution ID. Null when create_dedicated_hostname = false. |
| cloudfront_domain_name | CloudFront distribution domain name. Null when create_dedicated_hostname = false. |
| gh_deploy_role_arn | ARN of the GitHub OIDC deploy role for edge-api |
| target_group_arn | ARN of the ALB target group for the edge-api service |
| target_group_arn_suffix | Target group ARN suffix, used as the TargetGroup CloudWatch dimension. |