Module catalog
The shared modules under terraform/modules are the stable building blocks behind both environment roots.
Core modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| vpc | VPC, public/private subnets, NAT, route tables, S3 gateway endpoint, shared security groups, flow logs | cidr_block, availability_zones, alb_ingress_cidrs, msk_public_access_cidrs, private_vpc_peering_routes | vpc_id, public_subnet_ids, private_subnet_ids, security group IDs |
| alb | Internet-facing ALB, HTTPS listener, default target group, ALB access logs bucket | vpc_id, subnet_ids, security_group_id, certificate_arn, health_check_path | alb_arn, alb_dns_name, target_group_arn, listener_arn |
| ecr | Application image repositories and lifecycle policy | repository_name, image_tag_mutability | repository_url, repository_arn |
| secrets | Secrets Manager secrets seeded from a JSON template | secret_name_prefix, secret_name, secret_template | secret_arn, secret_name |
Compute modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| ecs-events-ingestion | Shared ECS cluster, task definition, service, CloudWatch logs, IAM for the events API | cluster_name, service_name, ecr_image_url, msk_cluster_arn, secret_arn, target_group_arn | cluster_name, cluster_arn, service_name |
| ecs-dashboard-backend | Dashboard backend ECS task, service, target group, dedicated security group, IAM, logs | cluster_arn, image, listener_arn, host_header, secret_arn, secret_keys | service_name, security_group_id, target_group_arn, log_group_name |
| ecs-kafka-ui | Kafka UI ECS task, service, target group, listener rule, IAM, logs | cluster_arn, cluster_display_name, bootstrap_brokers, listener_arn, host_header | service_name, target_group_arn, log_group_name |
Data modules
| Module | Responsibility | Critical inputs | Main outputs |
|---|---|---|---|
| msk | Amazon MSK cluster with IAM + TLS and optional multi-VPC connectivity | cluster_name, kafka_version, broker_instance_type, subnet_ids, security_group_id | bootstrap_brokers_tls, bootstrap_brokers_public_tls, cluster_arn |
| msk-connect-s3 | Optional MSK Connect S3 sink connector, execution role, log group, custom plugin | msk_cluster_arn, bootstrap_brokers, topics_regex, s3_bucket_name, plugin_file_key | connector_name, connector_arn, log_group_name |
| s3-sink-bucket | Generic encrypted S3 bucket with lifecycle policy for sink data or plugin artifacts | bucket_name, expiration_days | bucket_name, bucket_arn |
| rds-postgres | PostgreSQL instance, subnet groups, security group, parameter group, managed master secret | identifier, db_name, instance_class, subnet_group_type, allowed_cidr_blocks, application_security_group_ids | endpoint, port, db_name, security_group_id, master_user_secret_arn |
How to pick the right layer
- Read the root main.tf files when you need to understand orchestration between modules.
- Read the individual module files when you need the implementation details or exact variable semantics.
- Use the root outputs.tf files for operator workflows instead of reconstructing resource names manually.