This step configures all the variables that Terraform uses to provision your infrastructure. You will:
After completing this page, your terraform.tfvars file will contain all values needed to provision infrastructure.
Terraform uses variables to customize deployments. Instead of editing the Terraform code directly, you provide values in a terraform.tfvars file. This keeps your configuration separate from the code, making updates easier.
The repository includes template files with sensible defaults. You copy a template and fill in your specific values.
Navigate to the AWS Terraform directory:
Copy the appropriate environment template:
What’s the difference? The staging template uses smaller instance sizes and fewer nodes to reduce costs. The production template uses larger instances and more replicas for reliability. You can adjust these after copying.
Open terraform.tfvars in your editor. The following sections explain each variable group.
These variables name and identify your deployment:
Region selection matters. Choose a region close to your users and compliant with your data residency requirements. Once deployed, you cannot easily change regions—it requires a full redeployment.
Organization region restrictions: Some organizations only allow deployments in specific regions. Verify your region is approved before proceeding.
If you’re creating a new VPC, configure the IP address ranges:
Understanding CIDR blocks:
CIDR notation defines IP address ranges. 10.0.0.0/16 means “all addresses from 10.0.0.0 to 10.0.255.255” (65,536 addresses). The /16 indicates how many bits are fixed.
CIDR conflicts cause connectivity failures. If your corporate network uses the same IP range (e.g., 10.0.x.x), you’ll have problems connecting via VPN. Common conflict-free alternatives:
- 172.16.0.0/16 (172.16.x.x)
- 192.168.0.0/16 (192.168.x.x)
- 10.100.0.0/16 (10.100.x.x)
Check with your network team before choosing.
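Added example (not part of the original guide): a small preflight check that tells you whether a proposed VPC CIDR overlaps your corporate ranges, picks the first conflict-free block from the alternatives listed above, and carves subnet blocks for the two AZs. The corporate ranges below are constructed sample values; the subnet size and count are assumptions.

```python
import ipaddress
from typing import List, Optional

# Conflict-free alternatives from the guide, tried in this order (assumption).
SUGGESTED_VPC_CIDRS = ["172.16.0.0/16", "192.168.0.0/16", "10.100.0.0/16"]

# Constructed sample corporate ranges; replace with what your network team gives you.
CORPORATE_RANGES = ["10.0.0.0/8", "192.168.1.0/24"]


def address_count(cidr: str) -> int:
    """Number of addresses in a block, e.g. 65536 for a /16."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def cidr_conflicts(vpc_cidr: str, corporate_cidrs: List[str]) -> List[str]:
    """Return every corporate range that overlaps the proposed VPC CIDR.

    Any overlap means VPN traffic for those addresses is ambiguous, which is
    the connectivity failure the guide warns about.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [c for c in corporate_cidrs
            if vpc.overlaps(ipaddress.ip_network(c, strict=True))]


def pick_vpc_cidr(corporate_cidrs: List[str],
                  candidates: List[str] = SUGGESTED_VPC_CIDRS) -> Optional[str]:
    """First candidate with no overlap, or None if every candidate conflicts."""
    for cand in candidates:
        if not cidr_conflicts(cand, corporate_cidrs):
            return cand
    return None


def carve_subnets(vpc_cidr: str, new_prefix: int = 24, count: int = 4) -> List[str]:
    """Carve `count` subnets of size /new_prefix from the VPC block.

    Assumption: four /24s, i.e. one public and one private subnet per AZ.
    """
    subnets = ipaddress.ip_network(vpc_cidr, strict=True).subnets(new_prefix=new_prefix)
    return [str(next(subnets)) for _ in range(count)]


if __name__ == "__main__":
    for cand in ["10.0.0.0/16"] + SUGGESTED_VPC_CIDRS:
        clash = cidr_conflicts(cand, CORPORATE_RANGES)
        print(f"{cand}: {'conflicts with ' + ', '.join(clash) if clash else 'ok'}")
    chosen = pick_vpc_cidr(CORPORATE_RANGES)
    print("chosen:", chosen, "subnets:", carve_subnets(chosen) if chosen else [])
```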
Why two availability zones?
EKS requires subnets in at least two AZs for high availability. If one AZ has an outage, your workloads continue running in the other. The defaults use us-east-1a and us-east-1b—change these if using a different region.
If deploying into an existing VPC, disable VPC creation and provide the existing resource IDs:
Using an existing VPC requires coordination with your network team. You need:
Many existing VPCs have restrictive Network ACLs or missing NAT Gateways that will cause deployment failures.
These settings control the EC2 instances that run your Kubernetes workloads:
Recommended sizes:
Instance type availability varies by region. If you get errors about unavailable instance types during provisioning, check which instance types are available in your region and AZs.
EC2 service quotas can block deployment. AWS accounts have default limits on how many vCPUs you can run. If you’ve never used EKS before, you may hit these limits.
Check your quotas: AWS Console → Service Quotas → Amazon EC2 → “Running On-Demand Standard instances”
Request an increase if your limit is below: (desired_size × vCPUs per instance)
RDS PostgreSQL settings:
Generate a strong database password. Use openssl rand -base64 24 to create a secure random password. This value is stored in AWS Secrets Manager by Terraform. Do not commit it to version control.
RDS instance class affects cost significantly. db.t4g.large costs ~400/month. Start with the recommended size and upgrade based on actual performance needs.
These URLs configure where Confident AI is accessible and how authentication cookies work:
The subdomain must be the root domain, not a subdomain.
Correct: confident_subdomain = "acme.com"
Wrong: confident_subdomain = "confidentai.acme.com"
Authentication cookies are set on the subdomain and must be accessible by both frontend and backend. If you use the full subdomain, cookies won’t work correctly.
Trusted origins must include the protocol. Use https://app.yourdomain.com not app.yourdomain.com. Missing protocol causes authentication to fail silently.
OpenAI API key requires sufficient quota. Evaluations can consume significant tokens. Ensure your OpenAI account has appropriate rate limits and spending caps configured.
These variables control internal naming conventions for AWS resources. The defaults are suitable for most deployments:
When to change these: You typically don’t need to modify these unless your organization has specific resource naming or tagging requirements.
Public EKS is only recommended for testing. Setting confident_public_eks = true disables HTTPS and makes the EKS API server accessible from the internet. Never use this in production.
These settings control database maintenance and backup windows:
Schedule maintenance during low-traffic periods. The defaults use early Monday morning UTC. Adjust to match your team’s off-peak hours.
Terraform creates separate S3 buckets for different data types:
Bucket names are constructed as <application_name>-<environment>-<suffix>-bucket (e.g., confidentai-stage-testcases-bucket).
ClickHouse serves as the analytics database, deployed via the ClickHouse Operator on EKS:
Do not change confident_clickhouse_user from default. The ClickHouse Operator expects this
username. Changing it will cause connectivity failures.
A separate S3 bucket is created for ClickHouse backups:
These credentials allow your EKS cluster to pull Confident AI container images:
These values are provided by your Confident AI representative. Don’t modify them unless instructed.
Terraform tracks what resources it created in a “state file.” This should be stored remotely so multiple team members can collaborate and state isn’t lost if your laptop dies.
Edit provider.tf to configure your S3 backend:
If the bucket doesn’t exist, create it:
Your organization may have existing Terraform state infrastructure. Many companies have:
Check with your infrastructure team before creating a new bucket.
Never delete or modify the state file manually. Terraform state tracks the mapping between your configuration and real AWS resources. Corrupting it can cause Terraform to lose track of resources, leading to orphaned infrastructure or accidental deletions.
Before proceeding, verify these security considerations:
- terraform.tfvars is in .gitignore (never commit secrets)
Once configuration is complete, proceed to Provisioning to create the AWS infrastructure.