Module catalog
The shared modules under terraform/modules are the stable building blocks behind both environment roots.
Core modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| vpc | VPC, public/private subnets, NAT, route tables, S3 gateway endpoint, shared security groups, flow logs | cidr_block, availability_zones, alb_ingress_cidrs, msk_public_access_cidrs, private_vpc_peering_routes, flow_logs_traffic_type | vpc_id, public_subnet_ids, private_subnet_ids, security group IDs |
| alb | Internet-facing ALB, HTTPS listener, default target group, ALB access logs bucket | vpc_id, subnet_ids, security_group_id, certificate_arn, health_check_path, target_group_deregistration_delay_seconds | alb_arn, alb_dns_name, target_group_arn, listener_arn |
| ecr | Application image repositories and lifecycle policy | repository_name, image_tag_mutability | repository_url, repository_arn |
| secrets | Secrets Manager secrets seeded from a JSON template | secret_name_prefix, secret_name, secret_template | secret_arn, secret_name |
| environment-operations | Dedicated start, stop, and Kafka cleanup Lambdas, plus test-only DevOps Agent investigation wiring, with EventBridge Scheduler wiring only for start/stop and an explicit schedule enable/disable toggle | ecs_cluster_name, ecs_service_desired_counts, rds_instance_identifiers, msk_cluster_arn, msk_cleanup_topic_name_prefixes, msk_cleanup_topics, schedules_enabled, alarm_investigation_* | lambda_function_names, schedule_names |
| slack-alarm-delivery | Dedicated Lambda subscription that reads CloudWatch alarm notifications from the Slack SNS topic and posts them to a Slack incoming webhook | name_prefix, environment_name, sns_topic_arn, slack_webhook_url, log_retention_days | lambda_function_name |
| newrelic-aws-pull-integration | AWS IAM role plus New Relic linked account and pull-based AWS service integrations for account-level observability | enabled, name_prefix, newrelic_account_id, newrelic_trusted_account_id, linked_account_name, aws_regions | role_arn, linked_account_id |
| newrelic-aws-ecs-service-dashboard | New Relic dashboard for one ECS service using AWS pull integration samples from ComputeSample and LoadBalancerSample | enabled, account_id, dashboard_name, cluster_name, service_name, target_group_name, apm_entity_guid | dashboard_guid, dashboard_permalink |
| newrelic-aws-rds-dashboard | New Relic dashboard for the dashboard and Camunda RDS instances using DatastoreSample from the AWS pull integration | enabled, account_id, dashboard_name, db_instance_identifiers | dashboard_guid, dashboard_permalink |
| newrelic-aws-msk-dashboard | New Relic dashboard for MSK cluster and broker metrics using AwsMskClusterSample and AwsMskBrokerSample from the AWS pull integration | enabled, account_id, dashboard_name, cluster_name | dashboard_guid, dashboard_permalink |
| newrelic-clickhouse-cloud-dashboard | New Relic dashboard for ClickHouse Cloud metrics received via Prometheus remote write | enabled, account_id, name_prefix, prometheus_server_name | dashboard_guid, dashboard_permalink |
| newrelic-ecs-container-sample-dashboard | Reusable New Relic dashboard for ECS services whose widgets are built from ContainerSample sidecar data plus APM entity metrics | enabled, account_id, dashboard_name, page_name, environment_name, project_name, service_name, service_display_name, apm_entity_guid | dashboard_guid, dashboard_permalink |
Compute modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| ecs-events-ingestion | Shared ECS cluster, task definition, service, app log group, optional New Relic sidecar log group, IAM for the events API | cluster_name, container_insights_setting, service_name, ecr_image_url, task_cpu, task_memory, secret_arn, secret_keys, enable_newrelic_sidecar, newrelic_sidecar_image, target_group_arn | cluster_name, cluster_arn, service_name |
| ecs-dashboard-backend | Dashboard backend ECS task, service, target group, dedicated security group, shared ECS SG attachment, IAM for MSK, logs | cluster_arn, image, listener_arn, host_header, secret_arn, secret_keys, msk_cluster_arn, shared_ecs_security_group_id, target_group_deregistration_delay_seconds | service_name, security_group_id, target_group_arn, log_group_name |
| ecs-scoring | Scoring ECS task, internal-only service, dedicated security group, Service Connect client config, IAM for MSK | cluster_arn, image, secret_arn, secret_keys, msk_cluster_arn, shared_ecs_security_group_id, additional_ingress_security_group_ids | service_name, security_group_id, log_group_name, internal_url |
| ecs-camunda | Camunda ECS task, internal-only service, dedicated security group, Service Connect server config, runtime secret wiring | cluster_arn, image, secret_arn, secret_keys, scoring_security_group_id | service_name, security_group_id, log_group_name |
| ecs-kafka-ui | Kafka UI ECS task, service, target group, listener rule, IAM, logs | cluster_arn, cluster_display_name, bootstrap_brokers, listener_arn, host_header, target_group_deregistration_delay_seconds | service_name, target_group_arn, log_group_name |
| ecs-clickhouse-prometheus-agent | Internal ECS service that runs the official Prometheus image with an inline startup command to scrape ClickHouse Cloud and remote-write to New Relic, with no public ingress | cluster_arn, image, vpc_id, subnet_ids, secret_arn, secret_keys, newrelic_region, prometheus_server_name, scrape_interval | service_name, security_group_id, log_group_name |
Data modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| msk | Amazon MSK cluster with IAM + TLS, optional public broker access, and optional multi-VPC connectivity | cluster_name, kafka_version, broker_instance_type, ebs_volume_size_gib, cloudwatch_enhanced_monitoring, enable_public_access, subnet_ids, security_group_id | bootstrap_brokers_tls, bootstrap_brokers_public_tls, cluster_arn |
| msk-connect-s3 | Optional MSK Connect S3 sink connector, execution role, log group, custom plugin | msk_cluster_arn, bootstrap_brokers, topics_regex, s3_bucket_name, plugin_file_key | connector_name, connector_arn, log_group_name |
| s3-sink-bucket | Generic encrypted S3 bucket with lifecycle policy for sink data or plugin artifacts | bucket_name, expiration_days | bucket_name, bucket_arn |
| rds-postgres | PostgreSQL instance, subnet groups, security group, parameter group, with either an RDS-managed master secret or a caller-supplied static master password | identifier, db_name, instance_class, subnet_group_type, allowed_cidr_blocks, application_security_group_ids, manage_master_user_password, master_password | endpoint, port, db_name, security_group_id, master_user_secret_arn |
| elasticache-valkey | Private ElastiCache Valkey replication group, dedicated subnet group, and security group for backend caching | replication_group_id, subnet_group_name, private_subnet_ids, allowed_security_group_ids, engine_version, node_type, number_of_replicas | primary_endpoint_address, reader_endpoint_address, port, security_group_id, subnet_group_name |
How to pick the right layer
- Read the root `main.tf` files when you need to understand orchestration between modules.
- Read the individual module files when you need the implementation details or exact variable semantics.
- Use the root `outputs.tf` files for operator workflows instead of reconstructing resource names manually.
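The catalog names a handful of inputs whose value decides the security posture of a root rather than its shape: `image_tag_mutability` on ecr, `manage_master_user_password` and `master_password` on rds-postgres, and `enable_public_access` on msk together with `msk_public_access_cidrs` on vpc. The script below is an added example, not code from the repository: it reads the `configuration` block of `terraform show -json <planfile>` for a root and flags those inputs when they are set to the weaker option. Module calls are matched on the trailing segment of their `source` (assumed layout `terraform/modules/<name>`), the root call names in the sample plan are constructed, and the expected values (immutable tags, RDS-managed secret, no world-open public MSK CIDR) are this example's own policy choices.

```python
"""Plan guardrail for the module catalog above (added example, not repository code).

Reads the ``configuration`` block of ``terraform show -json <planfile>`` and flags
weak values for the security-relevant module inputs named in the catalog.
Module calls are matched on the last path segment of their ``source``
(assumed layout: terraform/modules/<name>); expected values are this
example's own policy, not the project's.
"""
import copy
import json
import sys
from typing import Any

WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def _module_calls(plan: dict[str, Any]) -> dict[str, dict[str, Any]]:
    return plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})


def _module_kind(call: dict[str, Any]) -> str:
    """'../../modules/rds-postgres' -> 'rds-postgres'."""
    return call.get("source", "").rstrip("/").rsplit("/", 1)[-1]


def _const(call: dict[str, Any], name: str) -> tuple[bool, Any]:
    """Return (resolved, value). Literals appear as ``constant_value``; values wired
    from a variable or another module's output appear as ``references`` and cannot
    be judged from the configuration block alone, so they are reported unresolved."""
    expr = call.get("expressions", {}).get(name)
    if expr is None:
        return True, None
    if "constant_value" in expr:
        return True, expr["constant_value"]
    return False, expr.get("references")


def check_plan(plan: dict[str, Any]) -> list[str]:
    """Return one finding per violation; an empty list means the root passes."""
    findings: list[str] = []
    calls = _module_calls(plan)
    msk_cidrs: list[str] = []

    for name, call in calls.items():
        kind = _module_kind(call)
        if kind == "ecr":
            resolved, val = _const(call, "image_tag_mutability")
            if not resolved:
                findings.append(f"{name}: image_tag_mutability unresolved ({val}); review manually")
            elif val != "IMMUTABLE":
                findings.append(f"{name}: image_tag_mutability={val!r}, expected IMMUTABLE")
        elif kind == "rds-postgres":
            resolved, managed = _const(call, "manage_master_user_password")
            if resolved and managed is not True:
                findings.append(f"{name}: manage_master_user_password is not true")
            if "master_password" in call.get("expressions", {}):
                # Even when sourced from a variable, the password is written to state.
                findings.append(f"{name}: master_password supplied; use the RDS-managed secret")
        elif kind == "vpc":
            resolved, cidrs = _const(call, "msk_public_access_cidrs")
            if resolved and cidrs:
                msk_cidrs.extend(cidrs)
            elif not resolved:
                findings.append(f"{name}: msk_public_access_cidrs unresolved ({cidrs}); review manually")

    # MSK is judged after the first pass because its public allow-list lives on the vpc module.
    for name, call in calls.items():
        if _module_kind(call) != "msk":
            continue
        resolved, public = _const(call, "enable_public_access")
        if resolved and public is True:
            bad = sorted(WORLD_OPEN.intersection(msk_cidrs))
            if bad:
                findings.append(f"{name}: enable_public_access=true with world-open CIDRs {bad}")
    return findings


# Constructed sample, trimmed to the configuration block the check reads; the
# root call names and values are made up for this example.
SAMPLE_PLAN: dict[str, Any] = {
    "format_version": "1.2",
    "configuration": {"root_module": {"module_calls": {
        "vpc": {"source": "../../modules/vpc", "expressions": {
            "cidr_block": {"constant_value": "10.20.0.0/16"},
            "msk_public_access_cidrs": {"constant_value": ["0.0.0.0/0"]},
            "flow_logs_traffic_type": {"constant_value": "ALL"}}},
        "ecr_events": {"source": "../../modules/ecr", "expressions": {
            "repository_name": {"constant_value": "events-api"},
            "image_tag_mutability": {"constant_value": "MUTABLE"}}},
        "rds_dashboard": {"source": "../../modules/rds-postgres", "expressions": {
            "identifier": {"constant_value": "dashboard-db"},
            "manage_master_user_password": {"constant_value": False},
            "master_password": {"references": ["var.dashboard_db_password"]}}},
        "msk": {"source": "../../modules/msk", "expressions": {
            "enable_public_access": {"constant_value": True}}},
    }}},
}

# The same root with each weak input corrected; check_plan() returns no findings for it.
HARDENED_PLAN: dict[str, Any] = copy.deepcopy(SAMPLE_PLAN)
_calls = HARDENED_PLAN["configuration"]["root_module"]["module_calls"]
_calls["vpc"]["expressions"]["msk_public_access_cidrs"]["constant_value"] = ["203.0.113.0/24"]
_calls["ecr_events"]["expressions"]["image_tag_mutability"]["constant_value"] = "IMMUTABLE"
_calls["rds_dashboard"]["expressions"]["manage_master_user_password"]["constant_value"] = True
del _calls["rds_dashboard"]["expressions"]["master_password"]

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(plan)
    for finding in results:
        print("FAIL", finding)
    sys.exit(1 if results else 0)
```

Run it against a real root with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json`. Inputs wired from variables or other modules' outputs only show up as `references` in the configuration block, which is why the check reports them for manual review instead of guessing; resolved values can be read from `planned_values` instead if a root passes everything through variables.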