Auto-generated
This page is generated by terraform-docs at build time from the infra/ repo. Do not edit manually.
Vault API
ECS service for the Vault analytics API. Provides query endpoints for analytics data stored in ClickHouse. Deployed behind the internal ALB with SSM-backed secrets for ClickHouse credentials and API authentication.
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | ~> 5.0 |
Providers
| Name | Version |
|---|---|
| aws | ~> 5.0 |
Modules
No modules.
Resources
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_dns_name | DNS name of the internal ALB (for Route53 alias target) | string | n/a | yes |
| alb_https_listener_arn | ARN of the internal ALB HTTPS listener | string | n/a | yes |
| alb_security_group_id | Security group ID of the internal ALB | string | n/a | yes |
| alb_zone_id | Canonical hosted zone ID of the internal ALB (for Route53 alias) | string | n/a | yes |
| base_tags | Base tags to apply to all resources | map(string) | {} | no |
| clickhouse_max_execution_time | ClickHouse query timeout in seconds. Bumped above the default 10 because the per-day INSERT INTO s3() can take longer for big customers. | number | 60 | no |
| cluster_name | ECS cluster name to deploy the service into | string | n/a | yes |
| deployment_maximum_percent | ECS rolling deploy maximum percent. 200 = double during rollout (default), 100 = stop-before-start when paired with min=0. | number | 200 | no |
| deployment_minimum_healthy_percent | ECS rolling deploy minimum healthy percent. Set to 0 on capacity-constrained clusters to allow stop-before-start; 100 elsewhere. | number | 100 | no |
| desired_count | Desired number of ECS tasks | number | 1 | no |
| ecs_security_group_id | Security group ID of ECS tasks (ingress rule for ALB will be added to it) | string | n/a | yes |
| environment | Environment name | string | n/a | yes |
| exports_s3_bucket_arn | ARN of the S3 bucket where consent log export zips land. | string | n/a | yes |
| exports_s3_bucket_name | Name of the S3 bucket where consent log export zips land. | string | n/a | yes |
| exports_s3_prefix | S3 key prefix under which consent log exports live (zips at | string | "vault-exports" | no |
| github_oidc_ref | Git ref pattern for OIDC trust policy (e.g. refs/heads/main for branch, refs/tags/* for releases) | string | "ref:refs/heads/main" | no |
| github_repo | GitHub repository (org/repo) allowed to deploy via OIDC | string | "cookiehub-com/vault-api" | no |
| group | Resource group | string | n/a | yes |
| name_prefix | Prefix for resource names | string | n/a | yes |
| region | AWS region | string | n/a | yes |
| task_cpu | CPU units for the ECS task | number | 1024 | no |
| task_memory | Memory in MB for the ECS task | number | 1024 | no |
| vpc_id | VPC ID (used for the ALB target group) | string | n/a | yes |
| zone_id | Route53 private hosted zone ID | string | n/a | yes |
Outputs
| Name | Description |
|---|---|
| gh_deploy_role_arn | ARN of the GitHub OIDC deploy role for vault-api |
| target_group_arn | ARN of the ALB target group for the vault-api service |
| target_group_arn_suffix | Target group ARN suffix, used as the TargetGroup CloudWatch dimension. |