## Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.11 |
| aws | ~> 5.97.0 |

## Providers

| Name | Version |
|---|---|
| aws | 5.97.0 |
| aws.us_east_1 | 5.97.0 |
| random | 3.7.2 |

## Modules

No modules.

## Resources

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_logs_retention_days | Number of days to retain ALB access logs | number | 90 | no |
| allowed_ips | A list of IP addresses/ranges that are allowed to make inbound requests to the Fides API. | list(string) | n/a | yes |
| aws_region | The AWS region to which the Fides resources will be deployed. | string | "us-east-1" | no |
| cloudwatch_log_group | The ARN of the CloudWatch Logs group to use. If not specified, one will be created. | string | "" | no |
| custom_domain | Custom domain name to use for the CloudFront distribution | string | "" | no |
| custom_domain_points_to_cdn | Whether the custom domain points to the CloudFront distribution. If true, the custom domain will be added as an alias to the CloudFront distribution. | bool | false | no |
| docker_credentials | Docker Hub credentials configuration for private images. If username and password are provided, private images will be used. | object({ username = string, password = string, registry = string }) | { "password": "", "registry": "docker.io", "username": "" } | no |
| elasticache_auto_failover | Enable automatic failover on the Elasticache cluster. | bool | false | no |
| elasticache_node_type | The node type of the Fides Elasticache cluster. | string | "cache.t3.micro" | no |
| environment_name | The environment name or identifier used to delineate separate Fides instances, e.g. qa, staging, production, etc. | string | "staging" | no |
| environment_type | The environment type, prod or dev; prod is recommended for non-development environments. This controls which endpoints require authentication. | string | "prod" | no |
| fides_additional_cors_origins | A list of CORS origins besides the privacy center and Fides Admin UI to allow. These can also be specified in the Fides Admin UI. | list(string) | [] | no |
| fides_additional_environment_variables | Additional environment variables to be passed to the container. | list(object({ name = string, value = string })) | [] | no |
| fides_alternate_subnet | The subnet ID of the alternate subnet that may contain Fides resources. This subnet should be in a different availability zone from "var.fides_primary_subnet". | string | n/a | yes |
| fides_celery | Celery configuration for Fides. | object({ event_queue_prefix = optional(string, "fides_worker"), task_default_queue = optional(string, "fides") }) | {} | no |
| fides_consent_tcf | Consent configuration for Fides. Requires a Fides Enterprise license. `tcf_enabled`: enables the IAB Transparency and Consent Framework; this feature requires additional configuration in the privacy center as well as a Fides Enterprise license. `ac_enabled`: enables the Google Ads additional consent string; requires TCF and a Fides Enterprise license. `override_vendor_purposes`: allows overriding the flexible legal basis of some TCF purposes. `tcf_publisher_country_code`: the country code of the country that determines the legislation of reference; commonly, this corresponds to the country in which the publisher's business entity is established. `privacy_experiences_tcf_db_cache_enabled`: enables caching of the TCF database in the privacy center. `privacy_experiences_error_on_cache_miss`: when set to True, the privacy center will display an error message if the TCF database cache is missed. `gvl_source_url`: the URL from which to fetch the official GVL vendor list. | object({ tcf_enabled = bool, ac_enabled = optional(bool, false), override_vendor_purposes = optional(bool, false), tcf_publisher_country_code = optional(string, ""), privacy_experiences_tcf_db_cache_enabled = optional(bool, true), privacy_experiences_error_on_cache_miss = optional(bool, false), gvl_source_url = optional(string, "https://vendor-list.consensu.org/v3/vendor-list.json") }) | { "tcf_enabled": false } | no |
| fides_consent_translations | Translation configuration for Fides. `enable_translations`: enables a customer to set their own content in various languages. `enable_oob_translations`: enables translations on out-of-the-box Experiences and Notices. `enable_auto_tcf_translations`: enables automatic (server-side) translations of the minimal TCF experience response to the user's preferred language based on the Accept-Language header. WARNING: this can significantly decrease cache hit ratios and reduce performance. | object({ enable_translations = optional(bool, false), enable_oob_translations = optional(bool, false), enable_auto_tcf_translations = optional(bool, false) }) | {} | no |
| fides_consent_webhook_access_token_expire_minutes | The time in minutes for which consent webhook access tokens will be valid. | number | 129600 | no |
| fides_cors_origin_regex | A regex used to allowlist CORS origins, in addition to the 'fides_additional_cors_origins' list. For example: 'https://.*.example.com' | string | "" | no |
| fides_cpu | The number of CPU units to dedicate to the Fides container. | number | 1024 | no |
| fides_database_api_engine_keepalives_count | Maximum number of TCP keepalive retries before the client considers the connection dead and closes it. | number | 5 | no |
| fides_database_api_engine_keepalives_idle | The number of seconds to wait before sending a keepalive to the database. | number | 30 | no |
| fides_database_api_engine_keepalives_interval | The number of seconds to wait between keepalives. | number | 10 | no |
| fides_database_api_engine_max_overflow | The maximum number of connections to keep open to the database. | number | 50 | no |
| fides_database_api_engine_pool_size | The number of connections to keep open to the database. | number | 50 | no |
| fides_database_task_engine_keepalives_count | Maximum number of TCP keepalive retries before the client considers the connection dead and closes it. | number | 5 | no |
| fides_database_task_engine_keepalives_idle | Number of seconds of inactivity before the client sends a TCP keepalive packet to verify the database connection is still alive. | number | 30 | no |
| fides_database_task_engine_keepalives_interval | Number of seconds between TCP keepalive retries if the initial keepalive packet receives no response. | number | 10 | no |
| fides_database_task_engine_max_overflow | The maximum number of connections to keep open to the database. | number | 50 | no |
| fides_database_task_engine_pool_size | The number of connections to keep open to the database. | number | 50 | no |
| fides_detection_and_discovery_website_monitor | Detection and discovery configuration for Fides. | object({ enabled = optional(bool, false), service_url = optional(string, ""), polling_timeout_seconds = optional(number, 300), website_monitor_results_page_size = optional(number, 100) }) | {} | no |
| fides_detection_and_discovery_website_monitor_api_key | The API key for the website monitor. | string | "" | no |
| fides_dictionary | Compass configuration for Fides. | object({ enabled = optional(bool, false), dictionary_service_url = optional(string, "") }) | {} | no |
| fides_dictionary_api_key | The API key for the dictionary service. | string | "" | no |
| fides_endpoint_cache_get_property_by_path_cache_ttl | The TTL for the get property by path cache. Set to 0 to disable caching. | number | 3600 | no |
| fides_endpoint_cache_privacy_experience_cache_ttl | The TTL for the privacy experience cache. Set to 0 to disable caching. | number | 3600 | no |
| fides_endpoint_cache_privacy_experience_gvl_translations_cache_ttl | The TTL for the GVL translations cache. Set to 0 to disable caching. | number | 86400 | no |
| fides_endpoint_cache_privacy_experience_meta_cache_size | The size of the meta cache. Set to 0 to disable caching. | number | 1000 | no |
| fides_endpoint_cache_privacy_experience_meta_cache_ttl | The TTL for the privacy experience meta cache. Set to 0 to disable caching. | number | 3600 | no |
| fides_execution_custom_privacy_request_fields | Allows the collection and execution of custom privacy request fields from incoming privacy requests. | object({ allow_collection = bool, allow_execution = optional(bool, false) }) | { "allow_collection": false, "allow_execution": false } | no |
| fides_execution_interrupted_task_requeue_interval | Seconds between polling for interrupted tasks to requeue. | number | 300 | no |
| fides_execution_masking_strict | If set to True, only use UPDATE requests to mask data. If False, Fides will use any defined DELETE or GDPR DELETE endpoints to remove PII, which may extend beyond the specific data categories that are configured in your execution policy. | bool | false | no |
| fides_execution_request_task_ttl | The number of seconds a Request Task should live (Privacy Request subtasks). Older request tasks will be cleaned up from completed Privacy Requests periodically. | number | 604800 | no |
| fides_execution_state_polling_interval | The number of seconds between runs of a scheduled process that checks whether a Privacy Request's subtasks have "completed" and whether the overall Privacy Request needs to be placed in an errored state so it can be reprocessed. | number | 30 | no |
| fides_execution_use_dsr_3_0 | Enables DSR 3.0 for Fides versions <2.70.0. | bool | true | no |
| fides_identity_verification | Whether to require subject identity verification for privacy requests. | bool | false | no |
| fides_image | The Fides Docker image to deploy. | string | "ethyca/fides" | no |
| fides_log_format | The format of the log messages. | string | "json" | no |
| fides_log_level | The logging level of Fides. | string | "INFO" | no |
| fides_memory | The amount of memory, in MiB, to dedicate to the Fides container. | number | 2048 | no |
| fides_primary_subnet | The subnet ID of the primary subnet that will contain Fides resources. | string | n/a | yes |
| fides_redis_default_ttl_seconds | The default TTL for Redis keys. | number | 604800 | no |
| fides_redis_identity_verification_code_ttl_seconds | The TTL for Redis keys used for identity verification codes. | number | 600 | no |
| fides_require_manual_request_approval | Whether to require privacy requests to be approved before processing. | bool | false | no |
| fides_root_password | The root user password to create. If one is not provided, one will be generated. | string | "" | no |
| fides_root_user | The root username to create. | string | "fidesroot" | no |
| fides_security_dsr_testing_tools_enabled | Whether to enable DSR testing tools. This should be disabled in production environments. | bool | false | no |
| fides_security_identity_verification_attempt_limit | The number of attempts allowed for identity verification. | number | 3 | no |
| fides_security_oauth_access_token_expire_minutes | The number of minutes before the access token expires. | number | 11520 | no |
| fides_security_public_request_rate_limit_per_minute | The number of requests per minute allowed for the Fides API. | number | 1000 | no |
| fides_security_request_rate_limit_per_minute | The number of requests per minute allowed for the Fides API. | number | 1000 | no |
| fides_system_scanner | System scanner configuration for Fides. | object({ enabled = optional(bool, false), cluster_id = optional(string, ""), use_encryption = optional(bool, false), pixie_cloud_server_url = optional(string, "work.getcosmic.ai") }) | {} | no |
| fides_system_scanner_pixie_api_key | The API key for the Pixie system scanner. | string | "" | no |
| fides_version | The Fides version to deploy. Must be a valid Docker tag. | string | "2.60.0" | no |
| lb_name | The name of the load balancer. If one is not provided, one will be generated. | string | "" | no |
| privacy_center_allow_html_description | Allow HTML description in privacy center. | bool | false | no |
| privacy_center_configuration_file | The file path of a config.json file with which to configure the Privacy Center. | string | "" | no |
| privacy_center_cpu | The number of CPU units to dedicate to the Privacy Center container. | number | 512 | no |
| privacy_center_css_file | The file path of a config.css file with which to style the Privacy Center. | string | "" | no |
| privacy_center_image | The Privacy Center Docker image to deploy. | string | "ethyca/fides-privacy-center" | no |
| privacy_center_is_overlay_enabled | Enable overlay mode for privacy center. | bool | true | no |
| privacy_center_memory | The amount of memory, in MiB, to dedicate to the Privacy Center container. | number | 1024 | no |
| privacy_center_root_property_path | Root property path for privacy center. | string | "" | no |
| privacy_center_use_api_config | Use API-based configuration instead of static files. | bool | false | no |
| privacy_center_version | The Privacy Center version to deploy. Must be a valid Docker tag. | string | "2.60.0" | no |
| rds_allocated_storage | The amount of storage, in GiB, to assign to the RDS instance. | number | 10 | no |
| rds_apply_immediately | Apply RDS changes immediately. | bool | false | no |
| rds_instance_class | The instance class of the RDS instance. | string | "db.t3.micro" | no |
| rds_multi_az | Configure RDS to use a multi-AZ deployment. | bool | false | no |
| rds_name | The name of the RDS instance. If one is not provided, one will be generated. | string | "" | no |
| rds_postgres_version | The version of the RDS PostgreSQL engine. | string | "14.17" | no |
| route53_config | Route53 DNS configuration for Fides and Privacy Center. Setting these values also creates a TLS certificate and serves traffic over port 443. In order to use these, you must have a hosted zone for the root domain. `existing_hosted_zone_name`: e.g. example.com. `fides_subdomain`: e.g. fides.example.com. `privacy_center_subdomain`: e.g. privacy.example.com. | object({ existing_hosted_zone_name = string, fides_subdomain = string, privacy_center_subdomain = string }) | null | no |
| s3_bucket_name_prefix | The prefix for all S3 buckets to ensure a globally unique name. | string | n/a | yes |
| ssm_parameter_prefix | The prefix for AWS SSM Parameter Store entries related to Fides. | string | "/fides" | no |
| workers | The configuration for the worker container. | list(object({ name = string, queues = optional(list(string)), exclude_queues = optional(list(string)), count = optional(number, 1), cpu = number, memory = number })) | [ { "cpu": 1024, "memory": 2048, "name": "dsr", "queues": [ "fides.dsr" ] }, { "cpu": 512, "memory": 1024, "name": "privacy-preferences", "queues": [ "fides.privacy_preferences" ] }, { "cpu": 512, "exclude_queues": [ "fides.dsr", "fides.privacy_preferences" ], "memory": 1024, "name": "other" } ] | no |

## Outputs

| Name | Description |
|---|---|
| elasticache_arn | The primary endpoint for the Fides Redis instance. |
| fides_endpoint | The URL of the Fides load balancer. |
| fides_root_password | The root Fides user's password. |
| fides_root_username | The root Fides user's username. |
| postgres_endpoint | The connection endpoint for the Fides Postgres database. |
| privacy_center_endpoint | The URL of the Privacy Center load balancer. |
| rds_arn | The ARN of the RDS instance. |
| redis_endpoint | The primary endpoint for the Fides Redis instance. |