
Terraform Variables

All Terraform input variables for the AI Gateway infrastructure, organized by category. Every optional feature is disabled by default and enabled via its toggle variable.


| Variable | Type | Default | Description |
|---|---|---|---|
| `aws_region` | string | `"us-east-1"` | AWS region to deploy into |
| `environment` | string | — (required) | Deployment environment (`dev` or `prod`) |
| `project_name` | string | `"ai-gateway"` | Project name used for resource naming |
| `vpc_cidr` | string | `"10.0.0.0/16"` | CIDR block for the VPC |
| `gateway_image` | string | `"ghcr.io/agentgateway/agentgateway:latest"` | Docker image URI for the AI Gateway data plane (agentgateway, ADR-017). Overridden at apply time with the ECR URI that the release workflow pins and mirrors; the upstream GHCR default keeps `plan`/`validate` resolvable. |
| `mantle_host` | string | `""` | ADR-015 mantle lane: pinned `host:port` of the OpenAI-compatible Bedrock mantle endpoint (e.g. `bedrock-mantle.us-east-1.api.aws:443`) that serves the OpenAI Responses lane for GPT-5.5/5.4. Empty disables the lane entirely (no `/openai/v1` route, no mantle secret provisioned). |
| `gateway_desired_count` | number | `2` | Desired number of gateway ECS tasks |
| `gateway_cpu` | number | `1024` | Total CPU units for the gateway ECS task |
| `gateway_memory` | number | `2048` | Total memory (MiB) for the gateway ECS task |
| `autoscaling_min_capacity` | number | `2` | Minimum number of ECS tasks for autoscaling |
| `autoscaling_max_capacity` | number | `6` | Maximum number of ECS tasks for autoscaling |
| `certificate_arn` | string | `""` | ACM certificate ARN for the HTTPS listener |
| `enable_waf` | bool | `true` | Whether to enable WAF on the ALB |

| Variable | Type | Default | Description |
|---|---|---|---|
| `cognito_user_pool_id` | string | `""` | Cognito User Pool ID for JWT validation. Leave empty to disable JWT auth. |
| `cognito_domain_prefix` | string | `""` | Cognito User Pool domain prefix for the token endpoint. Leave empty to skip domain creation. |
| `enable_jwt_auth` | bool | `false` | Whether to enable ALB JWT validation. Requires `certificate_arn` and `cognito_user_pool_id`. |
| `identity_providers` | map(object) | `{}` | Map of external identity providers (SAML/OIDC) to federate with Cognito |
| `enable_user_auth` | bool | `false` | Whether to enable user-facing SSO authentication (`authorization_code` flow) |
| `callback_urls` | list(string) | `["http://localhost:3000/callback"]` | List of allowed callback URLs for the user SSO client |
| `logout_urls` | list(string) | `["http://localhost:3000/logout"]` | List of allowed logout URLs for the user SSO client |
| `group_mapping` | map(object) | `{}` | Mapping from IdP group names to gateway claims (`team`, `org_unit`, `cost_center`, `tenant_tier`) |

Each entry in the identity_providers map has the following shape:

```hcl
identity_providers = {
  my_idp = {
    provider_type     = "SAML"        # "SAML" or "OIDC"
    metadata_url      = "https://..." # IdP metadata URL
    provider_details  = { ... }       # Provider-specific details
    attribute_mapping = { ... }       # Attribute mapping to Cognito
  }
}
```

Each entry in the `group_mapping` map maps an IdP group name to gateway claims:

```hcl
group_mapping = {
  "Engineering" = {
    team        = "platform"
    org_unit    = "engineering"
    cost_center = "CC-1234"
    tenant_tier = "premium"
  }
}
```

| Variable | Type | Default | Description |
|---|---|---|---|
| `client_configs` | map(object) | `{}` | Map of team configurations for per-team Cognito app clients |

Each key is a team identifier. The value specifies allowed OAuth scopes and a description:

```hcl
client_configs = {
  platform = {
    allowed_scopes = ["https://gateway.internal/invoke"]
    description    = "Platform engineering team"
  }
  ml-ops = {
    allowed_scopes = ["https://gateway.internal/invoke", "https://gateway.internal/admin"]
    description    = "ML Operations team"
  }
}
```

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_provider_fallback` | bool | `false` | Whether to enable provider fallback routing. When true, routing configs are wired into the gateway. |
| `routing_configs` | map(string) | `{}` | Map of named routing configurations as JSON strings. Keys are config names (e.g. `anthropic`, `openai`), values are agentgateway routing JSON (`ai.groups` priority tiers). |

Content safety is inline Bedrock Guardrails (the ApplyGuardrail API, called in-path by agentgateway’s promptGuard policy on both request and response). There is no separate content-scanner Lambda.

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_guardrails` | bool | `true` | Whether to create the Bedrock Guardrail and wire it into the agentgateway data plane (ADR-017). When true, the guardrail runs inline in detect/log-only mode by default. |
| `enforce_guardrails` | bool | `false` | `false` = detect/LOG-ONLY (filters evaluate and emit assessments but never block or anonymize; topic filters off). `true` = BLOCK on trip and attach topic filters. Set per environment (e.g. dev=false, prod selectively true). |
| `guardrails_blocked_topics` | list(object) | See below | List of topics to block, each with a name, definition, and optional examples |
| `guardrails_blocked_words` | list(string) | `[]` | List of words or phrases to block in inputs and outputs |
| `guardrails_content_filter_strength` | string | `"HIGH"` | Strength of content filters (LOW, MEDIUM, or HIGH) |

Default value of `guardrails_blocked_topics`:

```hcl
[
  {
    name       = "competitor_products"
    definition = "Discussions or recommendations about competitor products and services."
    examples   = ["Tell me about competing AI platforms"]
  },
  {
    name       = "internal_financials"
    definition = "Internal financial data, revenue figures, or unreleased business metrics."
    examples   = ["What is the company revenue this quarter"]
  }
]
```

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_cost_attribution` | bool | `false` | Whether to deploy the cost attribution Lambda pipeline |
| `alarm_sns_topic_arns` | list(string) | `[]` | List of SNS topic ARNs for CloudWatch alarm notifications. If empty, a default topic is created. |
| `budget_limit_daily_usd` | number | `1000` | Daily budget limit in USD for the dashboard gauge and budget alarm |
| `budget_alarm_threshold_pct` | number | `80` | Percentage of the daily budget that triggers the budget utilization alarm |
| `error_rate_threshold_pct` | number | `5` | Error rate percentage threshold that triggers the high error rate alarm |
| `error_rate_evaluation_minutes` | number | `5` | Number of 1-minute evaluation periods for the error rate alarm |
| `p99_latency_threshold_ms` | number | `30000` | P99 latency threshold in milliseconds that triggers the high latency alarm |
| `latency_evaluation_minutes` | number | `5` | Number of 1-minute evaluation periods for the latency alarm |
| `provider_down_minutes` | number | `10` | Number of consecutive 1-minute periods with zero requests before declaring a provider down |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_budgets` | bool | `false` | Whether to deploy the budget and usage tracking DynamoDB tables |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_chargeback` | bool | `false` | Whether to deploy the monthly chargeback report pipeline (requires `enable_budgets`) |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_audit_log` | bool | `false` | Enable audit logging via Firehose to S3 |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_admin_api` | bool | `false` | Enable the API Gateway admin plane (also enables the `team_registration` and `routing` modules) |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_inspector` | bool | `false` | Whether to enable Amazon Inspector enhanced scanning for ECR repositories |

| Variable | Type | Default | Description |
|---|---|---|---|
| `enable_appconfig` | bool | `false` | Enable AWS AppConfig for feature flag and dynamic configuration management |

A summary of every feature toggle and its default state:

| Toggle | Default | Feature |
|---|---|---|
| `enable_waf` | `true` | AWS WAF on the ALB |
| `enable_guardrails` | `true` | Inline Bedrock Guardrails content safety (detect/log-only unless `enforce_guardrails`) |
| `enforce_guardrails` | `false` | Flip guardrails from detect/log-only to BLOCK |
| `enable_jwt_auth` | `false` | ALB JWT validation via Cognito |
| `enable_user_auth` | `false` | User-facing SSO (`authorization_code` flow) |
| `enable_provider_fallback` | `false` | Provider fallback routing |
| `enable_cost_attribution` | `false` | Cost attribution Lambda pipeline |
| `enable_budgets` | `false` | Budget and usage tracking |
| `enable_chargeback` | `false` | Monthly chargeback report pipeline |
| `enable_audit_log` | `false` | Firehose-to-S3 audit logging |
| `enable_admin_api` | `false` | API Gateway admin plane (metering and governance features) |
| `enable_inspector` | `false` | Amazon Inspector ECR scanning |
| `enable_appconfig` | `false` | AWS AppConfig feature flags |
| `mantle_host` | `""` (disabled) | ADR-015 OpenAI Responses → Bedrock mantle lane; set to the pinned `host:port` endpoint to enable |
| `client_configs` | `{}` (no clients) | Per-team Cognito app clients; a non-empty map enables the clients module (no boolean toggle) |
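A production `tfvars` that turns the toggles on in an order that satisfies the dependencies the tables state (`enable_jwt_auth` needs `certificate_arn` and `cognito_user_pool_id`, `enable_chargeback` needs `enable_budgets`, `enforce_guardrails` set per environment), added here as an example rather than a file from the project; every ARN, pool ID and hostname is a placeholder.

```hcl
# prod.tfvars (added example; every ARN, ID and hostname is a placeholder)
environment  = "prod"
aws_region   = "us-east-1"
project_name = "ai-gateway"

# HTTPS listener; also a hard requirement for enable_jwt_auth.
certificate_arn = "arn:aws:acm:us-east-1:000000000000:certificate/PLACEHOLDER"

# ALB JWT validation requires certificate_arn and cognito_user_pool_id.
enable_jwt_auth       = true
cognito_user_pool_id  = "us-east-1_PLACEHOLDER"
cognito_domain_prefix = "ai-gateway-prod"

# User-facing SSO: replace the localhost defaults with real redirect URLs.
enable_user_auth = true
callback_urls    = ["https://gateway.example.com/callback"]
logout_urls      = ["https://gateway.example.com/logout"]

# Guardrails are created by default (enable_guardrails = true) and run
# detect/log-only; prod flips them to BLOCK. Keep this false in dev.tfvars.
enforce_guardrails                 = true
guardrails_content_filter_strength = "HIGH"
guardrails_blocked_words           = ["PLACEHOLDER_INTERNAL_CODENAME"]

# Chargeback depends on the budgets tables, so both toggles go on together.
enable_budgets    = true
enable_chargeback = true

# Admin plane (also enables the team_registration and routing modules),
# cost attribution, audit logging, ECR scanning and AppConfig.
enable_admin_api        = true
enable_cost_attribution = true
enable_audit_log        = true
enable_inspector        = true
enable_appconfig        = true

# Alarm routing and thresholds; an empty list would create a default topic.
alarm_sns_topic_arns       = ["arn:aws:sns:us-east-1:000000000000:PLACEHOLDER-alerts"]
budget_limit_daily_usd     = 2000
budget_alarm_threshold_pct = 80

# Capacity: desired count kept within the autoscaling bounds.
gateway_desired_count    = 3
autoscaling_min_capacity = 3
autoscaling_max_capacity = 12
```

Apply with `terraform apply -var-file=prod.tfvars`; a `dev.tfvars` for the same module would differ mainly in `environment = "dev"` and `enforce_guardrails = false`.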