Overview
This directory contains reference documentation for all the Panfactum OpenTofu (Terraform) modules which can be found here.
Module Types
We categorize each module into one of the following types:
- Direct: Intended to be deployed directly into your system via Terragrunt.
- Submodule: Intended to be used as child module in your own OpenTofu modules.
Common Variables
Many (not all) modules share these variables which mutate module behavior in a standard way. These are not
automatically injected by Terragrunt and require manual configuration, however we recommend setting them on
a regional or environmental basis using the extra_inputs Terragrunt variable.
While these are documented on each module's individual reference page, we also provide a complete list here for convenience:
| Value | Type | Default | Description |
|---|---|---|---|
pull_through_cache_enabled | bool | false | Whether to use the pull through cached provided by aws_ecr_pull_through_cache for sourcing container images rather than directly pulling from public registries. |
node_image_cache_enabled | bool | false | Whether to pre-pull images to every node. Requires the kube_fledged operator to have been deployed. |
sla_target | number (1, 2, or 3) | 3 | The uptime SLA level that will be targeted in the module deployment. Trades off increased uptime for higher runtime costs. |
panfactum_scheduler_enabled | bool | true | Whether to use the bin-packing scheduler provided by kube_scheduler. Using this will reduce cluster costs by approximately 25-33% with no additional impact, but requires the scheduler be deployed. |
vpa_enabled | bool | false | Whether to automatically enable vertical pod autoscaling for the Pods in the Kubernetes module. Requires kube_vpa to have been deployed. |
monitoring_enabled | bool | false | (Alpha) Whether to automatically install Prometheus scrapers and Grafana dashboards for the components in the module. Requires kube_monitoring to have been deployed. |
canary_enabled | bool | false | (Alpha) Whether to install synthetic healthchecks for the components in the module. Requires kube_argo to have been deployed. |
aws_iam_ip_allow_list | list(string) | [] | All created IAM roles are only allowed to be used by internal IP addresses. This allows you to provide extra CIDR blocks from which IAM roles can be used. |
vault_domain | string | N/A | The public domain name of Vault running in the cluster where the module is deployed. Used to set up federated authz/n. |
Provider Versions
You must use the following versions for each provider in your first-party IaC modules in order to ensure compatibility with Panfactum submodules:
| Provider | Version |
|---|---|
| authentik | 2024.8.4 |
| aws | 5.80.0 |
| helm | 2.12.1 |
| kubernetes | 2.34.0 |
| kubectl | 2.1.3 |
| pf | 0.0.7 |
| random | 3.6.3 |
| tls | 4.0.6 |
| vault | 4.5.0 |
You can set the versions in the terraform block:
terraform {
required_providers {
kubectl = {
source = "alekc/kubectl"
version = "2.1.3"
}
pf = {
source = "panfactum/pf"
version = "0.0.4"
}
...
}
}