From 567d5e677ac54482cb095f95acbeda3df36a0f86 Mon Sep 17 00:00:00 2001 From: steffen911 Date: Mon, 23 Jun 2025 14:14:16 +0200 Subject: [PATCH 1/3] feat: add custom encryption key options --- README.md | 178 ++++++++++++++++++++++++++++++ examples/quickstart/quickstart.tf | 8 ++ gke.tf | 9 ++ langfuse.tf | 2 +- postgres.tf | 1 + redis.tf | 1 + storage.tf | 7 ++ variables.tf | 12 ++ 8 files changed, 217 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index db8c23b..6e29c97 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,9 @@ module "langfuse" { # Optional: Configure the Langfuse Helm chart version langfuse_chart_version = "1.2.15" + + # Optional: Use customer-managed encryption keys for enhanced security + # customer_managed_encryption_key = "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key" } provider "kubernetes" { 
@@ -78,6 +81,179 @@ terraform apply 5. Start using Langfuse by navigating to `https://` in your browser. +## Customer-Managed Encryption Keys (CMEK) + +This module supports customer-managed encryption keys (CMEK) for enhanced security. When enabled, your encryption keys are managed by you using Google Cloud KMS, providing additional control over data encryption. + +### Supported Resources + +The following resources support CMEK when the `customer_managed_encryption_key` variable is provided: + +- **Cloud Storage bucket** - Encrypts all stored objects (media uploads, exports, events) +- **Cloud SQL PostgreSQL instance** - Encrypts database data at rest +- **Redis instance** - Encrypts cache data at rest +- **GKE cluster** - Encrypts etcd data (Kubernetes secrets and configuration) +- **ClickHouse persistent volumes** - Encrypts ClickHouse data when using a CMEK-protected storage class + +### Required IAM Permissions + +The following service accounts need the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role on your KMS key: + +- `service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com` (for GKE, Redis, and persistent disks) +- `service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com` (for Cloud SQL) +- `service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com` (for Cloud Storage) + +### Prerequisites + +Before using CMEK, you need to: + +1. Create a Cloud KMS key ring and crypto key in your project +2. Grant the necessary IAM permissions to Google Cloud services to use the key +3. Ensure the key is in the same region as your Langfuse deployment +4. Create a custom storage class for ClickHouse persistent volumes (if using CMEK) + +### Deployment Order + +When using CMEK, follow this deployment order: + +1. **Deploy KMS resources and IAM bindings** first +2. **Deploy the GKE cluster** (this will create the cluster with CMEK-encrypted etcd) +3. **Create the CMEK-protected storage class** on the cluster +4. 
**Deploy the Langfuse module** with the storage class configuration + +### Example with CMEK + +```hcl +# First, create the KMS resources +resource "google_kms_key_ring" "langfuse" { + name = "langfuse-keyring" + location = "us-central1" +} + +resource "google_kms_crypto_key" "langfuse" { + name = "langfuse-key" + key_ring = google_kms_key_ring.langfuse.id + purpose = "ENCRYPT_DECRYPT" + + lifecycle { + prevent_destroy = true + } +} + +# Grant necessary permissions for all services +data "google_project" "current" {} + +# Cloud SQL service account +resource "google_kms_crypto_key_iam_binding" "sql_service_account" { + crypto_key_id = google_kms_crypto_key.langfuse.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + members = [ + "serviceAccount:service-${data.google_project.current.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com", + ] +} + +# Compute Engine service account (for GKE, Redis, and persistent disks) +resource "google_kms_crypto_key_iam_binding" "compute_service_account" { + crypto_key_id = google_kms_crypto_key.langfuse.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + members = [ + "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com", + ] +} + +# Cloud Storage service account +resource "google_kms_crypto_key_iam_binding" "storage_service_account" { + crypto_key_id = google_kms_crypto_key.langfuse.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + members = [ + "serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com", + ] +} + +# Create CMEK-protected storage class for ClickHouse +resource "kubernetes_storage_class" "cmek_storage_class" { + metadata { + name = "cmek-storage-class" + } + + storage_provisioner = "pd.csi.storage.gke.io" + volume_binding_mode = "WaitForFirstConsumer" + allow_volume_expansion = true + + parameters = { + type = "pd-ssd" + disk-encryption-kms-key = google_kms_crypto_key.langfuse.id + } + + depends_on = [ 
+ google_kms_crypto_key_iam_binding.compute_service_account + ] +} + +# Use the key with Langfuse module +module "langfuse" { + source = "github.com/langfuse/langfuse-terraform-gcp?ref=0.1.2" + + domain = "langfuse.example.com" + customer_managed_encryption_key = google_kms_crypto_key.langfuse.id + storage_class_name = kubernetes_storage_class.cmek_storage_class.metadata[0].name + + depends_on = [ + kubernetes_storage_class.cmek_storage_class + ] +} +``` + +### ClickHouse Persistent Volume Encryption + +ClickHouse uses persistent volumes for data storage. To ensure ClickHouse data is encrypted with your CMEK, you need to create a custom storage class and configure the module to use it. + +#### Creating a CMEK-Protected Storage Class + +1. **Create the storage class YAML file** (`cmek-storage-class.yaml`): + +```yaml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: cmek-storage-class +provisioner: pd.csi.storage.gke.io +volumeBindingMode: "WaitForFirstConsumer" +allowVolumeExpansion: true +parameters: + type: pd-ssd + disk-encryption-kms-key: projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME] +``` + +2. **Apply the storage class to your cluster**: + +```bash +kubectl apply -f cmek-storage-class.yaml +``` + +3. **Configure the Langfuse module to use the custom storage class**: + +```hcl +module "langfuse" { + source = "github.com/langfuse/langfuse-terraform-gcp?ref=0.1.2" + + domain = "langfuse.example.com" + customer_managed_encryption_key = google_kms_crypto_key.langfuse.id + storage_class_name = "cmek-storage-class" +} +``` + +**Important**: The storage class must be created **before** deploying the Langfuse module, as ClickHouse will need it during initial deployment. 
+ +### Security Considerations + +- **Key Management**: You are responsible for managing the lifecycle of your encryption keys +- **Access Control**: Ensure proper IAM policies are in place to control key access +- **Backup**: Consider key backup and recovery procedures +- **Compliance**: CMEK helps meet compliance requirements for data encryption +- **Performance**: CMEK may have minimal performance impact compared to Google-managed keys +- **Storage Class**: When using CMEK, create a custom storage class for ClickHouse persistent volumes to ensure complete encryption coverage + ### Known issues 1. Getting an `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` error after installation on the HTTPS endpoint. @@ -181,6 +357,8 @@ This module creates a complete Langfuse stack with the following components: | cache_memory_size_gb | Redis memory size in GB | number | 1 | no | | deletion_protection | Whether or not to enable deletion_protection on data sensitive resources | bool | true | no | | langfuse_chart_version | Version of the Langfuse Helm chart to deploy | string | "1.2.15" | no | +| customer_managed_encryption_key | The Cloud KMS key name to use for customer-managed encryption across all supported resources (Cloud Storage, Cloud SQL, Redis, GKE). Format: projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. If not provided, Google-managed encryption keys will be used. | string | null | no | +| storage_class_name | Name of the Kubernetes storage class to use for ClickHouse persistent volumes. When using customer-managed encryption keys, you should create a custom storage class with CMEK configuration and provide its name here. If not provided, the cluster's default storage class will be used. | string | null | no | ## Outputs diff --git a/examples/quickstart/quickstart.tf b/examples/quickstart/quickstart.tf index ce52f2a..d1a6502 100644 --- a/examples/quickstart/quickstart.tf +++ b/examples/quickstart/quickstart.tf 
@@ -24,6 +24,14 @@ module "langfuse" {
   # Optional: Configure the Langfuse Helm chart version
   langfuse_chart_version = "1.2.15"
+
+  # Optional: Use customer-managed encryption keys for enhanced security
+  # Uncomment and provide your KMS key to enable CMEK
+  # customer_managed_encryption_key = "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key"
+
+  # Optional: Use a custom storage class for ClickHouse persistent volumes
+  # Required when using CMEK to ensure ClickHouse data is encrypted
+  # storage_class_name = "cmek-storage-class"
 }
 
 provider "kubernetes" {
diff --git a/gke.tf b/gke.tf
index 196e77a..3b09687 100644
--- a/gke.tf
+++ b/gke.tf
@@ -13,5 +13,14 @@ resource "google_container_cluster" "this" {
   network = google_compute_network.this.name
   subnetwork = google_compute_subnetwork.this.name
+  # Enable database encryption with customer-managed key if provided
+  dynamic "database_encryption" {
+    for_each = var.customer_managed_encryption_key != null ? [1] : []
+    content {
+      state = "ENCRYPTED"
+      key_name = var.customer_managed_encryption_key
+    }
+  }
+
   deletion_protection = var.deletion_protection
 }
diff --git a/langfuse.tf b/langfuse.tf
index ef84fd2..42c585e 100644
--- a/langfuse.tf
+++ b/langfuse.tf
@@ -40,7 +40,7 @@ postgresql:
 clickhouse:
   auth:
     existingSecret: ${kubernetes_secret.langfuse.metadata[0].name}
-    existingSecretKey: clickhouse-password
+    existingSecretKey: clickhouse-password${var.storage_class_name != null ? "\n persistence:\n storageClass: ${var.storage_class_name}" : ""}
 redis:
   deploy: false
   host: ${google_redis_instance.this.host}
diff --git a/postgres.tf b/postgres.tf
index 4853171..dfa38f2 100644
--- a/postgres.tf
+++ b/postgres.tf
@@ -2,6 +2,7 @@ resource "google_sql_database_instance" "this" {
   name = var.name
   region = data.google_client_config.current.region
   database_version = "POSTGRES_15"
+  encryption_key_name = var.customer_managed_encryption_key
   settings {
     tier = var.database_instance_tier
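Review bot: The new `database_encryption` block in gke.tf enables application-layer encryption of Kubernetes Secrets in etcd only, not "etcd data" in general, and the key must be usable by the GKE service agent (`service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com`), which the IAM list added to the README in this patch attributes to the Compute Engine agent instead (the list is dropped again in patch 3 in favour of "consult the docs", so nothing in the final state tells the operator). If the module's node pool, which is not visible here, does not set `boot_disk_kms_key`, node boot disks stay on Google-managed keys, so the CMEK claim for the cluster is narrower than the README suggests. The key must also be in the cluster's location, otherwise cluster creation fails at apply time. Suggest replacing the comment with `# Application-layer encryption of Kubernetes Secrets only; key must be in the cluster's region and granted to the GKE service agent (container-engine-robot)`. The `google_container_cluster` resource starts outside the hunk.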
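Review bot: In langfuse.tf the `persistence:`/`storageClass:` YAML block is spliced into the Helm values as literal `\n`-separated text appended to the `existingSecretKey` line, so its nesting depends on the exact spaces inside that string literal, which cannot be verified from this view; if it is indented one level too deep it attaches under `auth:` and ClickHouse silently falls back to the default, non-CMEK storage class with no error, which defeats the purpose of `storage_class_name`. The value is also interpolated unquoted, so any name that is not a plain YAML scalar breaks the whole values document. Suggest building this fragment outside the heredoc, e.g. a local using `yamlencode({ persistence = { storageClass = var.storage_class_name } })` inserted with `indent()`, or at minimum `storageClass: "${var.storage_class_name}"`, and adding a comment noting the intended nesting. It is also worth checking whether the chart's ClickHouse Keeper volumes honour `clickhouse.persistence.storageClass`, since those PVs would otherwise remain outside the CMEK scope. The `langfuse_values` heredoc starts and ends outside the hunk.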
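Review bot: `encryption_key_name` on `google_sql_database_instance` is, to my recollection, a force-new attribute, so setting `customer_managed_encryption_key` on an already-deployed module plans a destroy/recreate of the PostgreSQL instance, which is blocked while `deletion_protection = true` and is a data-loss event when it is false; nothing in the patch warns about this. Cloud SQL also requires the key to be in the instance's region (taken here from `data.google_client_config.current.region`) and granted to the Cloud SQL service agent, both of which only fail at apply time. Suggest `# Force-new: enabling or changing CMEK recreates the instance (decide at first deploy); key must be in the instance region and granted to the Cloud SQL service agent` above the new attribute, and a matching note in the README's CMEK section. The resource block continues outside the hunk.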
diff --git a/redis.tf b/redis.tf
index 7bb839c..4fdeb9e 100644
--- a/redis.tf
+++ b/redis.tf
@@ -7,6 +7,7 @@ resource "google_redis_instance" "this" {
   connect_mode = "PRIVATE_SERVICE_ACCESS"
   transit_encryption_mode = "SERVER_AUTHENTICATION"
   display_name = "${local.tag_name} Redis Instance"
+  customer_managed_key = var.customer_managed_encryption_key
   auth_enabled = true
diff --git a/storage.tf b/storage.tf
index e70b068..ed2f6a5 100644
--- a/storage.tf
+++ b/storage.tf
@@ -13,6 +13,13 @@ resource "google_storage_bucket" "langfuse" {
   versioning {
     enabled = true
   }
+
+  dynamic "encryption" {
+    for_each = var.customer_managed_encryption_key != null ? [1] : []
+    content {
+      default_kms_key_name = var.customer_managed_encryption_key
+    }
+  }
 }
 # Allow all access on bucket for langfuse user
diff --git a/variables.tf b/variables.tf
index 475dbbf..fd9add7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -68,3 +68,15 @@ variable "langfuse_chart_version" {
   type = string
   default = "1.2.15"
 }
+
+variable "customer_managed_encryption_key" {
+  description = "The Cloud KMS key name to use for customer-managed encryption across all supported resources (Cloud Storage, Cloud SQL, Redis, GKE). Format: projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. If not provided, Google-managed encryption keys will be used."
+  type = string
+  default = null
+}
+
+variable "storage_class_name" {
+  description = "Name of the Kubernetes storage class to use for ClickHouse persistent volumes. When using customer-managed encryption keys, you should create a custom storage class with CMEK configuration and provide its name here. If not provided, the cluster's default storage class will be used."
+  type = string
+  default = null
+}
From 336552ed2f0f13210ab55240b1943b1be954e157 Mon Sep 17 00:00:00 2001
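Review bot: Memorystore for Redis CMEK uses the Redis service agent (`service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com`), not the Compute Engine agent that the README in patch 1 lists "for GKE, Redis, and persistent disks"; with only the compute agent granted, the instance fails to create with a KMS permission error. `customer_managed_key` is also immutable on `google_redis_instance`, so toggling the variable on an existing deployment recreates the cache and drops everything in it. Suggest `# Immutable: changing the key recreates the instance; grant the key to the Redis service agent (cloud-redis), key location must match the instance region` above the new line. The resource block continues outside the hunk.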
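Review bot: `default_kms_key_name` in storage.tf applies only to objects written after it is set; objects already in the bucket, and the prior versions retained by the `versioning` block just above, keep their existing key and are not rewritten, so enabling CMEK on an existing deployment does not retroactively cover stored media and exports. The bucket's location must match the key's location and the Cloud Storage service agent must be granted on the key before the first write; Terraform creates the bucket either way and the failure only surfaces later as upload errors in Langfuse. Suggest `# New objects only: existing objects and retained versions keep their current key; key location must match the bucket location` inside the `dynamic "encryption"` block. The resource begins outside the hunk.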
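Review bot: `customer_managed_encryption_key` in variables.tf accepts any string, so a malformed name (a key version path, or the `//cloudkms.googleapis.com/` prefixed form) is only rejected at apply time by whichever of the four consuming resources is created first, possibly after the others already exist. A `validation` block matching the format the description itself documents moves that failure to plan time; a similar check on `storage_class_name` being a valid Kubernetes object name is cheap. The description strings are unchanged in the fence below.

```hcl
variable "customer_managed_encryption_key" {
  # … unchanged: description …
  type    = string
  default = null

  validation {
    condition     = var.customer_managed_encryption_key == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.customer_managed_encryption_key))
    error_message = "customer_managed_encryption_key must be a Cloud KMS key resource name of the form projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY (no cryptoKeyVersions suffix)."
  }
}

variable "storage_class_name" {
  # … unchanged: description …
  type    = string
  default = null

  validation {
    condition     = var.storage_class_name == null || can(regex("^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$", var.storage_class_name))
    error_message = "storage_class_name must be a valid Kubernetes object name (lowercase alphanumerics, '-' and '.')."
  }
}
```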
From: steffen911 Date: Mon, 23 Jun 2025 14:17:35 +0200 Subject: [PATCH 2/3] chore: revert quickstart update --- examples/quickstart/quickstart.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/examples/quickstart/quickstart.tf b/examples/quickstart/quickstart.tf index d1a6502..ce52f2a 100644 --- a/examples/quickstart/quickstart.tf +++ b/examples/quickstart/quickstart.tf @@ -24,14 +24,6 @@ module "langfuse" { # Optional: Configure the Langfuse Helm chart version langfuse_chart_version = "1.2.15" - - # Optional: Use customer-managed encryption keys for enhanced security - # Uncomment and provide your KMS key to enable CMEK - # customer_managed_encryption_key = "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key" - - # Optional: Use a custom storage class for ClickHouse persistent volumes - # Required when using CMEK to ensure ClickHouse data is encrypted - # storage_class_name = "cmek-storage-class" } provider "kubernetes" { From c50f945f1418ba32f43f048a5224973600061c1c Mon Sep 17 00:00:00 2001 From: steffen911 Date: Mon, 23 Jun 2025 14:23:47 +0200 Subject: [PATCH 3/3] chore: set global default storageclass --- README.md | 238 ++++++++++++++-------------------------------------- langfuse.tf | 4 +- 2 files changed, 68 insertions(+), 174 deletions(-) diff --git a/README.md b/README.md index 6e29c97..da58792 100644 --- a/README.md +++ b/README.md @@ -40,9 +40,6 @@ module "langfuse" { # Optional: Configure the Langfuse Helm chart version langfuse_chart_version = "1.2.15" - - # Optional: Use customer-managed encryption keys for enhanced security - # customer_managed_encryption_key = "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key" } provider "kubernetes" { 
@@ -81,9 +78,56 @@ terraform apply 5. Start using Langfuse by navigating to `https://` in your browser. +## Known issues + +1. Getting an `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` error after installation on the HTTPS endpoint. + +Since Google Cloud takes a while (~20 Minutes) to provision new certificates, an invalid TLS certificate is presented for a while after initial installation of this module. Please use `gcloud compute ssl-certificates list` to check the current provisioning status. If it is still in `PROVISIONING` state this issue is expected. E.g. + +```bash +$ gcloud compute ssl-certificates list +NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS +langfuse MANAGED 2025-04-06T03:41:54.791-07:00 PROVISIONING + : PROVISIONING +``` + +When the certificate becomes active the ingress controller should pick it up and present a valid TLS certificate: + +```bash +$ gcloud compute ssl-certificates list +NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS +langfuse MANAGED 2025-04-06T03:41:54.791-07:00 2025-07-05T03:41:56.000-07:00 ACTIVE + : ACTIVE +``` + +## Features + +This module creates a complete Langfuse stack with the following components: + +- VPC with public and private subnets +- GKE cluster with node pools +- Cloud SQL PostgreSQL instance +- Cloud Memorystore Redis instance +- Cloud Storage bucket for storage +- TLS certificates and Cloud DNS configuration +- Required IAM roles and firewall rules +- GKE Ingress Controller for ingress +- Filestore CSI Driver for persistent storage + +## Requirements + +| Name | Version | +|-------------|---------| +| terraform | >= 1.0 | +| google | >= 5.0 | +| google-beta | >= 5.0 | +| kubernetes | >= 2.10 | +| helm | >= 2.5 | + ## Customer-Managed Encryption Keys (CMEK) -This module supports customer-managed encryption keys (CMEK) for enhanced security. When enabled, your encryption keys are managed by you using Google Cloud KMS, providing additional control over data encryption. 
+This module supports customer-managed encryption keys (CMEK) for enhanced security. +When enabled, your encryption keys are managed by you using Google Cloud KMS, providing additional control over data encryption. ### Supported Resources @@ -95,13 +139,8 @@ The following resources support CMEK when the `customer_managed_encryption_key` - **GKE cluster** - Encrypts etcd data (Kubernetes secrets and configuration) - **ClickHouse persistent volumes** - Encrypts ClickHouse data when using a CMEK-protected storage class -### Required IAM Permissions - -The following service accounts need the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role on your KMS key: - -- `service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com` (for GKE, Redis, and persistent disks) -- `service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com` (for Cloud SQL) -- `service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com` (for Cloud Storage) +It is important that the respective service accounts have the necessary permissions to use the KMS key. +Please consult the Google Cloud documentation for further details. ### Prerequisites 
@@ -112,98 +151,6 @@ Before using CMEK, you need to: 3. Ensure the key is in the same region as your Langfuse deployment 4. Create a custom storage class for ClickHouse persistent volumes (if using CMEK) -### Deployment Order - -When using CMEK, follow this deployment order: - -1. **Deploy KMS resources and IAM bindings** first -2. **Deploy the GKE cluster** (this will create the cluster with CMEK-encrypted etcd) -3. **Create the CMEK-protected storage class** on the cluster -4. **Deploy the Langfuse module** with the storage class configuration - -### Example with CMEK - -```hcl -# First, create the KMS resources -resource "google_kms_key_ring" "langfuse" { - name = "langfuse-keyring" - location = "us-central1" -} - -resource "google_kms_crypto_key" "langfuse" { - name = "langfuse-key" - key_ring = google_kms_key_ring.langfuse.id - purpose = "ENCRYPT_DECRYPT" - - lifecycle { - prevent_destroy = true - } -} - -# Grant necessary permissions for all services -data "google_project" "current" {} - -# Cloud SQL service account -resource "google_kms_crypto_key_iam_binding" "sql_service_account" { - crypto_key_id = google_kms_crypto_key.langfuse.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.current.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com", - ] -} - -# Compute Engine service account (for GKE, Redis, and persistent disks) -resource "google_kms_crypto_key_iam_binding" "compute_service_account" { - crypto_key_id = google_kms_crypto_key.langfuse.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com", - ] -} - -# Cloud Storage service account -resource "google_kms_crypto_key_iam_binding" "storage_service_account" { - crypto_key_id = google_kms_crypto_key.langfuse.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - 
"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com", - ] -} - -# Create CMEK-protected storage class for ClickHouse -resource "kubernetes_storage_class" "cmek_storage_class" { - metadata { - name = "cmek-storage-class" - } - - storage_provisioner = "pd.csi.storage.gke.io" - volume_binding_mode = "WaitForFirstConsumer" - allow_volume_expansion = true - - parameters = { - type = "pd-ssd" - disk-encryption-kms-key = google_kms_crypto_key.langfuse.id - } - - depends_on = [ - google_kms_crypto_key_iam_binding.compute_service_account - ] -} - -# Use the key with Langfuse module -module "langfuse" { - source = "github.com/langfuse/langfuse-terraform-gcp?ref=0.1.2" - - domain = "langfuse.example.com" - customer_managed_encryption_key = google_kms_crypto_key.langfuse.id - storage_class_name = kubernetes_storage_class.cmek_storage_class.metadata[0].name - - depends_on = [ - kubernetes_storage_class.cmek_storage_class - ] -} -``` - ### ClickHouse Persistent Volume Encryption ClickHouse uses persistent volumes for data storage. To ensure ClickHouse data is encrypted with your CMEK, you need to create a custom storage class and configure the module to use it. 
@@ -245,61 +192,6 @@ module "langfuse" { **Important**: The storage class must be created **before** deploying the Langfuse module, as ClickHouse will need it during initial deployment. -### Security Considerations - -- **Key Management**: You are responsible for managing the lifecycle of your encryption keys -- **Access Control**: Ensure proper IAM policies are in place to control key access -- **Backup**: Consider key backup and recovery procedures -- **Compliance**: CMEK helps meet compliance requirements for data encryption -- **Performance**: CMEK may have minimal performance impact compared to Google-managed keys -- **Storage Class**: When using CMEK, create a custom storage class for ClickHouse persistent volumes to ensure complete encryption coverage - -### Known issues - -1. Getting an `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` error after installation on the HTTPS endpoint. - -Since Google Cloud takes a while (~20 Minutes) to provision new certificates, an invalid TLS certificate is presented for a while after initial installation of this module. Please use `gcloud compute ssl-certificates list` to check the current provisioning status. If it is still in `PROVISIONING` state this issue is expected. E.g. 
- -```bash -$ gcloud compute ssl-certificates list -NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS -langfuse MANAGED 2025-04-06T03:41:54.791-07:00 PROVISIONING - : PROVISIONING -``` - -When the certificate becomes active the ingress controller should pick it up and present a valid TLS certificate: - -```bash -$ gcloud compute ssl-certificates list -NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS -langfuse MANAGED 2025-04-06T03:41:54.791-07:00 2025-07-05T03:41:56.000-07:00 ACTIVE - : ACTIVE -``` - -## Features - -This module creates a complete Langfuse stack with the following components: - -- VPC with public and private subnets -- GKE cluster with node pools -- Cloud SQL PostgreSQL instance -- Cloud Memorystore Redis instance -- Cloud Storage bucket for storage -- TLS certificates and Cloud DNS configuration -- Required IAM roles and firewall rules -- GKE Ingress Controller for ingress -- Filestore CSI Driver for persistent storage - -## Requirements - -| Name | Version | -|-------------|---------| -| terraform | >= 1.0 | -| google | >= 5.0 | -| google-beta | >= 5.0 | -| kubernetes | >= 2.10 | -| helm | >= 2.5 | - ## Providers | Name | Version | 
@@ -343,22 +235,22 @@ This module creates a complete Langfuse stack with the following components: ## Inputs -| Name | Description | Type | Default | Required | -|-------------------------------------|------------------------------------------------------------------------------------------------|--------|-------------------------|:--------:| -| name | Name to use for or prefix resources with | string | "langfuse" | no | -| domain | Domain name used to host langfuse on (e.g., langfuse.company.com) | string | n/a | yes | -| use_encryption_key | Wheter or not to use an Encryption key for LLM API credential and integration credential store | bool | true | no | -| kubernetes_namespace | Namespace to deploy langfuse to | string | "langfuse" | no | -| subnetwork_cidr | CIDR block for Subnetwork | string | "10.0.0.0/16" | no | -| database_instance_tier | The machine type to use for the database instance | string | "db-perf-optimized-N-2" | no | -| database_instance_edition | The edition to use for the database instance | string | "ENTERPRISE_PLUS" | no | -| database_instance_availability_type | The availability type to use for the database instance | string | "REGIONAL" | no | -| cache_tier | The service tier of the instance | string | "STANDARD_HA" | no | -| cache_memory_size_gb | Redis memory size in GB | number | 1 | no | -| deletion_protection | Whether or not to enable deletion_protection on data sensitive resources | bool | true | no | -| langfuse_chart_version | Version of the Langfuse Helm chart to deploy | string | "1.2.15" | no | +| Name | Description | Type | Default | Required | +|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------|:--------:| +| name | 
Name to use for or prefix resources with | string | "langfuse" | no | +| domain | Domain name used to host langfuse on (e.g., langfuse.company.com) | string | n/a | yes | +| use_encryption_key | Wheter or not to use an Encryption key for LLM API credential and integration credential store | bool | true | no | +| kubernetes_namespace | Namespace to deploy langfuse to | string | "langfuse" | no | +| subnetwork_cidr | CIDR block for Subnetwork | string | "10.0.0.0/16" | no | +| database_instance_tier | The machine type to use for the database instance | string | "db-perf-optimized-N-2" | no | +| database_instance_edition | The edition to use for the database instance | string | "ENTERPRISE_PLUS" | no | +| database_instance_availability_type | The availability type to use for the database instance | string | "REGIONAL" | no | +| cache_tier | The service tier of the instance | string | "STANDARD_HA" | no | +| cache_memory_size_gb | Redis memory size in GB | number | 1 | no | +| deletion_protection | Whether or not to enable deletion_protection on data sensitive resources | bool | true | no | +| langfuse_chart_version | Version of the Langfuse Helm chart to deploy | string | "1.2.15" | no | | customer_managed_encryption_key | The Cloud KMS key name to use for customer-managed encryption across all supported resources (Cloud Storage, Cloud SQL, Redis, GKE). Format: projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. If not provided, Google-managed encryption keys will be used. | string | null | no | -| storage_class_name | Name of the Kubernetes storage class to use for ClickHouse persistent volumes. When using customer-managed encryption keys, you should create a custom storage class with CMEK configuration and provide its name here. If not provided, the cluster's default storage class will be used. | string | null | no | +| storage_class_name | Name of the Kubernetes storage class to use for ClickHouse persistent volumes. 
When using customer-managed encryption keys, you should create a custom storage class with CMEK configuration and provide its name here. If not provided, the cluster's default storage class will be used. | string | null | no | ## Outputs diff --git a/langfuse.tf b/langfuse.tf index 42c585e..0d3acf9 100644 --- a/langfuse.tf +++ b/langfuse.tf @@ -1,5 +1,7 @@ locals { langfuse_values = <