Reference for every input variable exposed by the AWS Terraform modules. Set non-sensitive variables in infra/terraform.tfvars. For sensitive variables (license key, passwords, encryption keys), make setup-env writes them to AWS SSM Parameter Store and External Secrets Operator syncs them into the cluster.
Core
| Variable | Default | Required | Description |
|---|---|---|---|
| name_prefix | — | yes | Prefix for all resource names (1 to 11 chars, lowercase). |
| environment | dev | no | Environment tag: dev, staging, prod, test, uat. |
| region | us-west-2 | no | AWS region for all resources. |
| owner | "" | no | Owner tag applied to all resources. |
| cost_center | "" | no | Cost center tag for billing. |
| tags | {} | no | Additional tags applied to all resources. |
Networking
| Variable | Default | Required | Description |
|---|---|---|---|
| create_vpc | true | no | Create a new VPC. Set false to use an existing one. |
| vpc_id | null | when !create_vpc | Existing VPC ID. |
| private_subnets | [] | when !create_vpc | Existing private subnet IDs. |
| public_subnets | [] | when !create_vpc | Existing public subnet IDs. |
| vpc_cidr_block | null | when !create_vpc | Existing VPC CIDR block. |
EKS
| Variable | Default | Required | Description |
|---|---|---|---|
| enable_public_eks_cluster | true | no | Enable the public EKS API endpoint. Set false for a private cluster (requires create_bastion). |
| eks_public_access_cidrs | ["0.0.0.0/0"] | no | CIDRs allowed to reach the public EKS API endpoint. |
| eks_cluster_version | 1.31 | no | EKS Kubernetes version. |
| eks_managed_node_group_defaults | {ami_type: AL2023} | no | Default config for managed node groups. |
| eks_managed_node_groups | {default: m5.4xlarge} | no | Managed node group definitions. |
| create_gp3_storage_class | true | no | Create and set gp3 as the default StorageClass. |
| eks_cluster_enabled_log_types | ["api", "audit", ...] | no | EKS control plane log types sent to CloudWatch. |
| eks_addons | {} | no | EKS managed add-on configurations. |
| create_langsmith_irsa_role | true | no | Create the IRSA role for LangSmith pods (S3 access). |
PostgreSQL (RDS)
| Variable | Default | Required | Description |
|---|---|---|---|
| postgres_source | external | no | external (RDS) or in-cluster (Helm). |
| postgres_instance_type | db.t3.large | no | RDS instance class. |
| postgres_storage_gb | 10 | no | Initial RDS storage in GB. |
| postgres_max_storage_gb | 100 | no | Maximum RDS storage in GB (autoscaling). |
| postgres_username | langsmith | no | RDS database username. |
| postgres_engine_version | 16 | no | PostgreSQL engine version for RDS. |
| postgres_password | "" | when external | RDS password. Use TF_VAR_postgres_password. |
| postgres_iam_database_authentication_enabled | true | no | Enable IAM database authentication on RDS. |
| postgres_deletion_protection | true | no | Enable deletion protection on RDS. |
| postgres_backup_retention_period | 7 | no | Days to retain automated RDS backups (0 = disabled). |
Redis (ElastiCache)
| Variable | Default | Required | Description |
|---|---|---|---|
| redis_source | external | no | external (ElastiCache) or in-cluster (Helm). |
| redis_instance_type | cache.m6g.xlarge | no | ElastiCache node type. |
| redis_auth_token | "" | when external | ElastiCache auth token (min 16 chars). Use TF_VAR_redis_auth_token. |

| Variable | Default | Required | Description |
|---|---|---|---|
| s3_ttl_enabled | true | no | Enable S3 lifecycle rules for trace TTL. |
| s3_ttl_short_days | 14 | no | TTL for ttl_s/ prefix in days. |
| s3_ttl_long_days | 400 | no | TTL for ttl_l/ prefix in days. |
| s3_kms_key_arn | "" | no | KMS CMK ARN for S3 encryption (empty = SSE-S3). |
| s3_versioning_enabled | false | no | Enable S3 bucket versioning. |
TLS and DNS
| Variable | Default | Required | Description |
|---|---|---|---|
| tls_certificate_source | acm | no | acm, letsencrypt, or none. |
| acm_certificate_arn | "" | when acm | ACM certificate ARN. |
| letsencrypt_email | "" | when letsencrypt | Email for Let’s Encrypt notifications. |
| langsmith_domain | "" | no | Custom hostname (empty = use ALB DNS name). |
| langsmith_namespace | langsmith | no | Kubernetes namespace for LangSmith. |
ClickHouse and ingress
| Variable | Default | Required | Description |
|---|---|---|---|
| clickhouse_source | in-cluster | no | in-cluster or external. |
| alb_scheme | internet-facing | no | ALB scheme: internet-facing or internal. |
| alb_access_logs_enabled | false | no | Enable ALB access logging to S3. |
| enable_envoy_gateway | false | no | Install Envoy Gateway instead of ALB. Required for multi-namespace dataplane deployments. |
Bastion (private cluster)
| Variable | Default | Required | Description |
|---|---|---|---|
| create_bastion | false | no | Create an EC2 bastion host for private cluster access (SSM or SSH). |
| bastion_instance_type | t3.micro | no | EC2 instance type for the bastion. |
| bastion_key_name | null | no | EC2 key pair for SSH (empty = SSM only). |
| bastion_enable_ssh | false | no | Open port 22 on the bastion security group. |
| bastion_ssh_allowed_cidrs | [] | no | CIDRs allowed to SSH to the bastion. |
| bastion_root_volume_size_gb | 20 | no | Root EBS volume size for the bastion. |
Security and audit
| Variable | Default | Required | Description |
|---|---|---|---|
| create_cloudtrail | false | no | Create a CloudTrail trail for AWS API audit. |
| cloudtrail_multi_region | true | no | Record API calls across all regions. |
| cloudtrail_log_retention_days | 365 | no | Days to retain CloudTrail logs. |
| create_waf | false | no | Attach a WAFv2 Web ACL to the ALB. |
| create_firewall | false | no | Deploy AWS Network Firewall for FQDN-based egress filtering. Requires create_vpc = true. Cost: about $0.395/hr/endpoint plus $0.065/GB. |
| firewall_allowed_fqdns | ["beacon.langchain.com"] | no | Domains allowed for outbound internet traffic when create_firewall = true. Matched against TLS SNI (HTTPS) and HTTP Host header. All other destinations are dropped. |
| firewall_subnet_cidr | "10.0.64.0/21" | no | CIDR for the firewall subnet. Must not overlap with private (10.0.0.0/21 to 10.0.32.0/21) or public (10.0.40.0/21 to 10.0.56.0/21) subnets. |
Sizing and feature flags
sizing_profile and the enable_* flags are read by init-values.sh and deploy.sh; Terraform ignores them. They affect which Helm overlay files the scripts generate.
| Variable | Default | Required | Description |
|---|---|---|---|
| sizing_profile | default | no | Helm sizing: production, production-large, dev, minimum, default. |
| enable_deployments | false | no | Enable LangSmith Deployment (listener, operator, host-backend). |
| enable_agent_builder | false | no | Enable Agent Builder. Requires enable_deployments = true. |
| enable_insights | false | no | Enable ClickHouse-backed analytics. |
| enable_polly | false | no | Enable Polly AI eval and monitoring. Requires enable_deployments = true. |
| enable_usage_telemetry | false | no | Enable extended usage telemetry reporting. |
Sensitive variables (set with setup-env.sh)
make setup-env writes these to AWS SSM Parameter Store. External Secrets Operator syncs them into the cluster as Kubernetes secrets. Never set these inline in terraform.tfvars.
| Variable | Description |
|---|---|
| langsmith_license_key | LangSmith enterprise license key. |
| langsmith_admin_password | Initial org admin password. |
| langsmith_api_key_salt | Salt for hashing API keys. Must stay stable after first deploy. |
| langsmith_jwt_secret | JWT secret for Basic Auth sessions. |
| langsmith_deployments_encryption_key | Fernet key for LangSmith Deployment. Must never change. |
| langsmith_agent_builder_encryption_key | Fernet key for Agent Builder. Must never change. |
| langsmith_insights_encryption_key | Fernet key for Insights. Must never change. |
| langsmith_polly_encryption_key | Fernet key for Polly. Must never change. |
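
The cross-variable constraints stated in the tables above can be checked before `terraform plan`. The following preflight check is an added example, not part of the LangSmith modules or scripts: `check_tfvars` and its inputs are hypothetical, it assumes infra/terraform.tfvars has already been parsed into a dict, and it assumes the documented private and public ranges are consecutive /21 blocks.

```python
import ipaddress

# Defaults copied from the tables on this page.
DEFAULTS = {"create_vpc": True, "enable_public_eks_cluster": True,
            "create_bastion": False, "create_firewall": False,
            "firewall_subnet_cidr": "10.0.64.0/21",
            "enable_deployments": False, "enable_agent_builder": False,
            "enable_polly": False}

# Names from the "Sensitive variables" table: these go to SSM, never tfvars.
SENSITIVE = {"langsmith_license_key", "langsmith_admin_password",
             "langsmith_api_key_salt", "langsmith_jwt_secret",
             "langsmith_deployments_encryption_key",
             "langsmith_agent_builder_encryption_key",
             "langsmith_insights_encryption_key",
             "langsmith_polly_encryption_key"}

# Assumption: 10.0.0.0/21 to 10.0.56.0/21 means consecutive /21 blocks.
RESERVED = [ipaddress.ip_network(f"10.0.{o}.0/21") for o in range(0, 64, 8)]


def check_tfvars(tfvars):
    """Return violations of the constraints documented on this page."""
    v = {**DEFAULTS, **tfvars}
    problems = []
    name = v.get("name_prefix", "")
    if not (1 <= len(name) <= 11 and name == name.lower()):
        problems.append("name_prefix must be 1 to 11 lowercase chars")
    for key in sorted(SENSITIVE.intersection(tfvars)):
        problems.append(f"{key} must not be set inline in terraform.tfvars")
    if not v["enable_public_eks_cluster"] and not v["create_bastion"]:
        problems.append("private cluster requires create_bastion")
    for flag in ("enable_agent_builder", "enable_polly"):
        if v[flag] and not v["enable_deployments"]:
            problems.append(f"{flag} requires enable_deployments = true")
    if v["create_firewall"]:
        if not v["create_vpc"]:
            problems.append("create_firewall requires create_vpc = true")
        fw = ipaddress.ip_network(v["firewall_subnet_cidr"])
        if any(fw.overlaps(net) for net in RESERVED):
            problems.append("firewall_subnet_cidr overlaps a VPC subnet")
    return problems


# Constructed sample input, not taken from a real deployment.
SAMPLE = {"name_prefix": "Acme-LangSmith", "enable_public_eks_cluster": False,
          "create_firewall": True, "firewall_subnet_cidr": "10.0.60.0/22",
          "enable_polly": True, "langsmith_jwt_secret": "placeholder"}
```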