terraform.tfvars for the first time or tuning an existing deployment.
Variables come in two categories:
- Non-sensitive (region, sizing, feature flags): set in
infra/terraform.tfvars. - Sensitive (license key, passwords, encryption keys): sourced through
infra/scripts/setup-env.sh, which writes them to AWS SSM Parameter Store; External Secrets Operator then syncs them into the cluster.
Core
| Variable | Default | Required | Description |
|---|---|---|---|
name_prefix | — | yes | Prefix for all resource names. Maximum 15 characters: lowercase letters, digits, and hyphens, starting with a letter. Format: {prefix}-{environment}-{resource}. |
environment | dev | no | Environment tag: dev, staging, prod, test, or uat. |
region | us-west-2 | no | AWS region for all resources. |
owner | "" | no | Team or individual responsible for the deployment. Applied as a tag. |
cost_center | "" | no | Cost center or billing label. Applied as a tag when non-empty. |
tags | {} | no | Additional tags applied to all resources. |
Networking
| Variable | Default | Required | Description |
|---|---|---|---|
create_vpc | true | no | Create a new VPC. Set false to use an existing one. |
vpc_id | null | when !create_vpc | Existing VPC ID. |
private_subnets | [] | when !create_vpc | Existing private subnet IDs. |
public_subnets | [] | when !create_vpc | Existing public subnet IDs. |
vpc_cidr_block | null | when !create_vpc | Existing VPC CIDR block. |
vpc_private_subnets | [] | no | Override CIDRs for private subnets when create_vpc = true. Empty uses the module default. |
vpc_public_subnets | [] | no | Override CIDRs for public subnets when create_vpc = true. Empty uses the module default. |
EKS
| Variable | Default | Required | Description |
|---|---|---|---|
enable_public_eks_cluster | true | no | Enable the public EKS API endpoint. Set false for a private cluster and enable create_bastion to run Terraform and Helm from the bastion via SSM. |
eks_public_access_cidrs | ["0.0.0.0/0"] | no | CIDRs allowed to reach the public EKS API endpoint. Restrict to corporate VPN egress CIDRs to lock down access. |
eks_cluster_version | 1.33 | no | EKS Kubernetes version. |
eks_managed_node_group_defaults | {ami_type = "AL2023_x86_64_STANDARD"} | no | Default configuration applied to all managed node groups. |
eks_managed_node_groups | one default group: m5.4xlarge, min 3 / max 10 | no | Managed node group definitions. desired_size defaults to min_size when omitted. |
create_gp3_storage_class | true | no | Create gp3 and set it as the default StorageClass with volume expansion enabled. |
eks_cluster_enabled_log_types | ["api", "audit", "authenticator", "controllerManager", "scheduler"] | no | EKS control plane log types sent to CloudWatch. Set [] to disable. |
eks_addons | {} | no | EKS managed add-on configurations (coredns, kube-proxy, vpc-cni, and similar). |
create_langsmith_irsa_role | true | no | Create the IRSA role for LangSmith pods (S3 access). |
PostgreSQL (RDS)
| Variable | Default | Required | Description |
|---|---|---|---|
postgres_source | external | no | external (RDS with private access) or in-cluster (deployed via Helm). |
postgres_instance_type | db.t3.large | no | RDS instance class. |
postgres_storage_gb | 10 | no | Initial RDS storage in GB. |
postgres_max_storage_gb | 100 | no | Maximum RDS storage in GB (autoscaling). |
postgres_username | langsmith | no | RDS database username. |
postgres_engine_version | 16 | no | PostgreSQL engine version. PG 14 reaches EOL in November 2026; 16 is recommended for new deployments. |
postgres_password | "" | when external | RDS password. Set via TF_VAR_postgres_password, or auto-generated and stored in SSM by setup-env.sh. |
postgres_iam_database_authentication_enabled | true | no | Enable IAM database authentication on RDS. |
postgres_iam_database_user | null | no | Database user for IAM authentication. Must exist in PostgreSQL with GRANT rds_iam TO <user>. |
postgres_deletion_protection | true | no | Prevent accidental RDS deletion. Set false for dev/test environments. |
postgres_backup_retention_period | 7 | no | Days to retain automated RDS backups. 0 disables backups. |
Redis (ElastiCache)
| Variable | Default | Required | Description |
|---|---|---|---|
redis_source | external | no | external (ElastiCache with private access) or in-cluster (deployed via Helm). |
redis_instance_type | cache.m6g.xlarge | no | ElastiCache node type. |
redis_auth_token | "" | when external | ElastiCache auth token. Auto-generated by setup-env.sh and stored in SSM. Set via TF_VAR_redis_auth_token. |
S3
| Variable | Default | Required | Description |
|---|---|---|---|
s3_ttl_enabled | true | no | Enable S3 lifecycle rules to expire trace blobs. |
s3_ttl_short_days | 14 | no | Days before expiring short-lived objects (ttl_s/ prefix). |
s3_ttl_long_days | 400 | no | Days before expiring long-lived objects (ttl_l/ prefix). |
s3_kms_key_arn | "" | no | KMS CMK ARN for S3 encryption. Empty uses SSE-S3 (AES256). |
s3_versioning_enabled | false | no | Enable S3 bucket versioning. Increases storage cost as prior versions are retained. |
TLS and DNS
| Variable | Default | Required | Description |
|---|---|---|---|
tls_certificate_source | acm | no | TLS source: acm, letsencrypt (cert-manager HTTP-01 ACME solved through the ALB), or none. For DNS-01 challenges through Route 53 (in-cluster gateways), use create_cert_manager_irsa instead; the two are mutually exclusive. |
acm_certificate_arn | "" | when acm | Existing ACM certificate ARN. |
letsencrypt_email | "" | when letsencrypt | Email for Let’s Encrypt ACME registration. |
langsmith_domain | "" | no | Custom domain. When set (and acm_certificate_arn is empty), provisions a Route 53 hosted zone, ACM certificate, and alias record. Empty uses the ALB hostname. |
dns_include_wildcard_san | false | no | Add a wildcard SAN (*.<langsmith_domain>) to the ACM certificate. Needed for HTTPS on subdomains. |
langsmith_namespace | langsmith | no | Kubernetes namespace for LangSmith. |
Ingress
| Variable | Default | Required | Description |
|---|---|---|---|
alb_scheme | internet-facing | no | ALB scheme: internet-facing (public subnets) or internal (private subnets, reachable via VPN, peering, or PrivateLink). |
alb_allowed_cidr_blocks | ["0.0.0.0/0"] | no | CIDRs allowed to reach the ALB on HTTP/HTTPS. Restrict to VPN or office CIDRs for limited-access deployments. |
alb_access_logs_enabled | false | no | Enable ALB access logging to a dedicated S3 bucket. |
enable_envoy_gateway | false | no | Install Envoy Gateway (Kubernetes Gateway API) instead of ALB Ingress. Required for multi-namespace dataplane deployments. |
enable_nginx_ingress | false | no | Install the NGINX ingress controller. The ALB forwards to NGINX controller pods via a TargetGroupBinding. |
enable_istio_gateway | false | no | Open port 15017 on the node security group for the istiod sidecar-injector webhook. Required when running Istio on EKS. |
istio_nlb_scheme | internet-facing | no | Scheme for the Istio ingress gateway NLB: internet-facing or internal. Written to tfvars by the setup wizard but not yet consumed by any module; the Istio path currently uses a ClusterIP service behind the ALB TargetGroupBinding. |
create_cert_manager_irsa | false | no | Create the IRSA role for cert-manager DNS-01 challenges via Route 53. Required for Let’s Encrypt with Istio Gateway. Run make tls after apply. |
cert_manager_hosted_zone_id | "" | when create_cert_manager_irsa | Route 53 hosted zone ID for cert-manager DNS-01 TXT records. |
ClickHouse
| Variable | Default | Required | Description |
|---|---|---|---|
clickhouse_source | in-cluster | no | in-cluster (dev/POC only) or external (LangChain Managed ClickHouse, recommended for production). |
Bastion (private cluster)
| Variable | Default | Required | Description |
|---|---|---|---|
create_bastion | false | no | Create an EC2 bastion in a public subnet for private cluster access via SSM Session Manager or SSH. |
bastion_instance_type | t3.micro | no | EC2 instance type for the bastion. |
bastion_key_name | null | no | EC2 key pair for SSH. Empty uses SSM Session Manager only. |
bastion_enable_ssh | false | no | Open port 22 on the bastion security group. |
bastion_ssh_allowed_cidrs | [] | no | CIDRs allowed to SSH to the bastion. Used only when bastion_enable_ssh = true. |
bastion_root_volume_size_gb | 20 | no | Root EBS volume size in GB for the bastion. |
Security and audit
| Variable | Default | Required | Description |
|---|---|---|---|
create_cloudtrail | false | no | Create a CloudTrail trail logging AWS API calls to S3. Skip if an account-level or org-level trail already exists. |
cloudtrail_multi_region | true | no | Record API calls across all regions. |
cloudtrail_log_retention_days | 365 | no | Days to retain CloudTrail logs in S3. 0 keeps them indefinitely. |
create_waf | false | no | Attach a WAFv2 Web ACL to the ALB (AWS managed rules for OWASP Top 10, IP reputation, bad inputs). Cost: about $8 to $10/mo base. |
create_firewall | false | no | Deploy AWS Network Firewall for FQDN-based egress filtering. Requires create_vpc = true. Cost: about $0.395/hr per endpoint plus $0.065/GB. |
firewall_allowed_fqdns | ["beacon.langchain.com"] | no | Domains allowed for outbound traffic when create_firewall = true. Matched against TLS SNI and HTTP Host headers. All other destinations are dropped. |
firewall_subnet_cidr | 10.0.64.0/21 | no | CIDR for the firewall subnet. Must be within the VPC CIDR and must not overlap private or public subnets. |
Sizing and feature flags
sizing_profile and most enable_* flags are read by init-values.sh and deploy.sh; Terraform does not act on them directly. They affect which Helm overlay files the scripts generate. The three standalone flags (enable_fleet, enable_standalone_polly, enable_standalone_insights) are the exception: Terraform reads them to create database-init Jobs and Kubernetes secrets, and enforces plan-time preconditions on the external Postgres and Redis inputs they require.
| Variable | Default | Required | Description |
|---|---|---|---|
sizing_profile | default | no | Helm sizing: production, production-large, dev, minimum, or default. |
enable_deployments | false | no | Enable LangSmith Deployment (listener, operator, host-backend). Requires the Deployments license entitlement. |
enable_agent_builder | false | no | Enable Agent Builder. Requires enable_deployments = true and the Agent Builder entitlement. |
enable_insights | false | no | Enable Insights (ClickHouse-backed analytics). Requires the Insights entitlement. |
enable_polly | false | no | Enable Polly (AI evaluation and monitoring). Requires enable_deployments = true and the Polly entitlement. |
enable_usage_telemetry | false | no | Enable extended usage telemetry reporting. |
enable_fleet | false | no | Enable Fleet standalone deployment (chart v0.15+). Requires enable_deployments = true and external Postgres and Redis. |
enable_standalone_polly | false | no | Enable Polly standalone deployment (chart v0.15+). Does not require enable_deployments. Requires external Postgres and Redis. |
enable_standalone_insights | false | no | Enable Insights standalone deployment (chart v0.15+). Does not require enable_deployments. Requires external Postgres and Redis. |
Sensitive values (set with setup-env.sh)
Sourcing infra/scripts/setup-env.sh writes these to AWS SSM Parameter Store. External Secrets Operator syncs them into the cluster as Kubernetes secrets. These are not declared Terraform variables and have no place in terraform.tfvars; set them only through SSM.
| Variable | Description |
|---|---|
langsmith_license_key | LangSmith enterprise license key. |
langsmith_admin_password | Initial org admin password. Minimum 12 characters, with lowercase, uppercase, and a symbol. |
langsmith_api_key_salt | Salt for hashing API keys. Must stay stable after first deploy. |
langsmith_jwt_secret | JWT secret for Basic Auth sessions. Must stay stable. |
langsmith_deployments_encryption_key | Fernet key for LangSmith Deployments. Must never change. |
langsmith_agent_builder_encryption_key | Fernet key for Agent Builder. Must never change. |
langsmith_insights_encryption_key | Fernet key for Insights. Must never change. |
langsmith_polly_encryption_key | Fernet key for Polly. Must never change. |
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

