08. Variables and Parameters

Configuration guide for variables and parameters in MILU2 Infrastructure.

Variable Files Overview

tofu/envs/
├── common_vars.hcl          # Shared across all environments
├── config.hcl               # Backend + provider config
└── <env>/
    └── env_vars.hcl         # Environment-specific settings

How Variables Are Loaded

# In terragrunt.hcl
locals {
  common_vars = read_terragrunt_config(find_in_parent_folders("common_vars.hcl"))
  env_vars    = read_terragrunt_config("${get_terragrunt_dir()}/../env_vars.hcl")
}

inputs = {
  common_vars = local.common_vars
  env_vars    = local.env_vars
}

Downloading Variables

Variables are stored in S3 and downloaded before plan/apply:

# Download both files
sh shell/get_vars.sh <env>

# Downloads from:
# s3://milu2-iac-env/tofu/common_vars.hcl
# s3://milu2-iac-env/tofu/<env>/env_vars.hcl

common_vars.hcl

Location: s3://milu2-iac-env/tofu/common_vars.hcl

| Variable | Type | Example | Description |
|---|---|---|---|
| app_name | string | "milu2" | Application name prefix |
| aws_region | string | "ap-northeast-1" | Primary AWS region |

env_vars.hcl

Location: s3://milu2-iac-env/tofu/<env>/env_vars.hcl

Network Settings

| Variable | Type | Example | Description |
|---|---|---|---|
| vpc_cidr | string | "10.0.0.0/16" | VPC CIDR block |
| public_subnet_cidr | string | "10.0.0.0/24" | Public subnet CIDR |
| public_subnet_az | string | "ap-northeast-1a" | Public subnet AZ |
| private_subnet_cidrs | list | ["10.0.1.0/24", "10.0.2.0/24"] | Private subnet CIDRs |
| ga_subnet_cidrs | list | ["10.0.10.0/28", "10.0.10.16/28"] | GA subnet CIDRs |
| bastion_inbound_cidrs | list | ["203.0.113.0/24"] | SSH allowed CIDRs |
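A pre-flight check for the network settings above, added here as an example rather than project code: it verifies that every subnet lies inside vpc_cidr, that no two subnets overlap, and that bastion_inbound_cidrs never opens SSH to the world. The "wider than a /16" limit is an assumption for illustration, not a project rule.

```python
import ipaddress

def _net(key, cidr, problems):
    """Parse a CIDR string; record a problem and return None if it is malformed."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{key}: {cidr} is not a valid network ({exc})")
        return None

def check_network_settings(cfg):
    """Return a list of problems found in the env_vars.hcl network settings."""
    problems = []
    vpc = _net("vpc_cidr", cfg["vpc_cidr"], problems)
    if vpc is None:
        return problems
    subnet_keys = {"public_subnet_cidr": [cfg["public_subnet_cidr"]],
                   "private_subnet_cidrs": cfg["private_subnet_cidrs"],
                   "ga_subnet_cidrs": cfg["ga_subnet_cidrs"]}
    nets = []
    for key, cidrs in subnet_keys.items():
        for c in cidrs:
            n = _net(key, c, problems)
            if n is None:
                continue
            if not n.subnet_of(vpc):               # every subnet must sit inside the VPC
                problems.append(f"{key}: {c} is outside vpc_cidr {vpc}")
            nets.append((key, n))
    for i, (k1, a) in enumerate(nets):             # subnets must not overlap each other
        for k2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{k1} {a} overlaps {k2} {b}")
    for c in cfg["bastion_inbound_cidrs"]:         # SSH sources: no world-open or huge ranges
        n = _net("bastion_inbound_cidrs", c, problems)
        if n is None:
            continue
        if n.prefixlen == 0:
            problems.append(f"bastion_inbound_cidrs: {c} opens SSH to the world")
        elif n.prefixlen < 16:                     # assumed limit, not a project rule
            problems.append(f"bastion_inbound_cidrs: {c} is wider than a /16")
    return problems

# Constructed sample (added example, not project code) mirroring the table's Example column.
SAMPLE_ENV_VARS = {
    "vpc_cidr": "10.0.0.0/16",
    "public_subnet_cidr": "10.0.0.0/24",
    "private_subnet_cidrs": ["10.0.1.0/24", "10.0.2.0/24"],
    "ga_subnet_cidrs": ["10.0.10.0/28", "10.0.10.16/28"],
    "bastion_inbound_cidrs": ["203.0.113.0/24"],
}
```

Run it against the downloaded env_vars.hcl values before plan/apply; an empty list means the settings are consistent.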

Domain Settings

| Variable | Type | Example | Description |
|---|---|---|---|
| web_domain | string | "web.milu2.example.com" | Web CloudFront domain |
| admin_domain | string | "admin.milu2.example.com" | Admin CloudFront domain |
| api_domain | string | "api.milu2.example.com" | API CloudFront domain |
| push_domain | string | "push.milu2.example.com" | Push service domain |

Database Settings

| Variable | Type | Description |
|---|---|---|
| db_username | string | RDS master username |
| db_names | list | Database names to create |
| mas_db_user | string | Master DBA username |
| mas_db_password | string | Master DBA password |
| ope_db_user | string | Operations username |
| ope_db_password | string | Operations password |
| ro_db_user | string | Read-only username |
| ro_db_password | string | Read-only password |

Cache Settings

| Variable | Type | Description |
|---|---|---|
| elasticache_auth_token | string | ElastiCache AUTH token |
| memorydb_auth_user | string | MemoryDB ACL username |
| memorydb_auth_password | string | MemoryDB ACL password |

terragrunt.hcl Inputs

Location: tofu/envs/<env>/core/terragrunt.hcl

Compute Settings

| Variable | Type | Default | Description |
|---|---|---|---|
| fargate_spot_base | number | 0 | Fargate Spot base capacity |
| fargate_spot_weight | number | 0 | Fargate Spot weight |
| api_autoscale_min | number | 1 | API min tasks |
| api_autoscale_max | number | 8 | API max tasks |
| web_autoscale_min | number | 1 | Web min tasks |
| web_autoscale_max | number | 8 | Web max tasks |

RDS Settings

| Variable | Type | Default | Description |
|---|---|---|---|
| reader_count | number | 0 | Aurora reader count |
| rds_min_capacity | number | 0.5 | Min ACUs |
| rds_max_capacity | number | 2 | Max ACUs |

ElastiCache Settings

| Variable | Type | Default | Description |
|---|---|---|---|
| elasticache_node_type | string | "cache.t4g.micro" | Node type |
| elasticache_num_node_groups | number | 1 | Number of shards |
| elasticache_replicas_per_node_group | number | 0 | Replicas per shard |
| elasticache_multi_az_enabled | bool | false | Multi-AZ |

MemoryDB Settings

| Variable | Type | Default | Description |
|---|---|---|---|
| memorydb_node_type | string | "db.t4g.small" | Node type |
| memorydb_num_shards | number | 1 | Number of shards |
| memorydb_num_replicas_per_shard | number | 0 | Replicas per shard |

Game Node Settings

# Example node_servers
node_servers = {
  world = {
    port_start  = 7551
    port_end    = 7999
    protocol    = "UDP"
    desired     = 1
    secondaries = 0
  }
  commu = {
    port_start  = 9551
    port_end    = 9999
    protocol    = "UDP"
    desired     = 1
    secondaries = 0
  }
  battle = {
    port_start  = 8551
    port_end    = 8999
    protocol    = "UDP"
    desired     = 1
    secondaries = 0
  }
  chat = {
    port_start  = 8101
    port_end    = 8499
    protocol    = "TCP"
    desired     = 1
    secondaries = 0
  }
  center = {
    port_start  = 3000
    port_end    = 3000
    protocol    = "TCP"
    desired     = 1
    secondaries = 0
  }
}

Global Accelerator Settings

# Example ga_servers
ga_servers = {
  world = {
    from_port = 10000
    to_port   = 19999
  }
  commu = {
    from_port = 20000
    to_port   = 29999
  }
  battle = {
    from_port = 30000
    to_port   = 39999
  }
  chat = {
    from_port = 40000
    to_port   = 48999
  }
}
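Consistency checks over the node_servers and ga_servers maps shown above, added here as an example and not part of the project: port ranges must be well-formed and must not overlap within node_servers or within ga_servers, and every ga_servers key must be backed by a node_servers entry. Services without a Global Accelerator listener (center in the example) are simply skipped; the maps below are constructed copies of the examples.

```python
def _overlapping(ranges):
    """Yield (a, b) for each pair of inclusive (start, end) ranges that overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for i, (na, (sa, ea)) in enumerate(items):
        for nb, (sb, eb) in items[i + 1:]:
            if sb <= ea:            # sorted by start, so overlap iff a later start <= this end
                yield na, nb

def check_port_maps(node_servers, ga_servers):
    """Return problems found in the node_servers / ga_servers maps (added check, not project code)."""
    problems = []
    node_ranges = {}
    for name, s in node_servers.items():
        if s["protocol"] not in ("TCP", "UDP"):
            problems.append(f"node_servers.{name}: protocol must be TCP or UDP")
        if not 1 <= s["port_start"] <= s["port_end"] <= 65535:
            problems.append(f"node_servers.{name}: bad port range {s['port_start']}-{s['port_end']}")
        if s["desired"] < 0 or s["secondaries"] < 0:
            problems.append(f"node_servers.{name}: desired and secondaries must be >= 0")
        node_ranges[name] = (s["port_start"], s["port_end"])
    for a, b in _overlapping(node_ranges):
        problems.append(f"node_servers: {a} and {b} port ranges overlap")
    ga_ranges = {}
    for name, g in ga_servers.items():
        if name not in node_servers:
            problems.append(f"ga_servers.{name}: no matching node_servers entry")
        if not 1 <= g["from_port"] <= g["to_port"] <= 65535:
            problems.append(f"ga_servers.{name}: bad listener range {g['from_port']}-{g['to_port']}")
        ga_ranges[name] = (g["from_port"], g["to_port"])
    for a, b in _overlapping(ga_ranges):
        problems.append(f"ga_servers: {a} and {b} listener ranges overlap")
    return problems

# Constructed copies of the example maps above.
NODE_SERVERS = {
    "world":  {"port_start": 7551, "port_end": 7999, "protocol": "UDP", "desired": 1, "secondaries": 0},
    "commu":  {"port_start": 9551, "port_end": 9999, "protocol": "UDP", "desired": 1, "secondaries": 0},
    "battle": {"port_start": 8551, "port_end": 8999, "protocol": "UDP", "desired": 1, "secondaries": 0},
    "chat":   {"port_start": 8101, "port_end": 8499, "protocol": "TCP", "desired": 1, "secondaries": 0},
    "center": {"port_start": 3000, "port_end": 3000, "protocol": "TCP", "desired": 1, "secondaries": 0},
}
GA_SERVERS = {
    "world":  {"from_port": 10000, "to_port": 19999},
    "commu":  {"from_port": 20000, "to_port": 29999},
    "battle": {"from_port": 30000, "to_port": 39999},
    "chat":   {"from_port": 40000, "to_port": 48999},
}
```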

Environment-Specific Overrides

Production Recommendations

# Higher capacity
rds_min_capacity  = 2
rds_max_capacity  = 16
api_autoscale_max = 20
web_autoscale_max = 20

# Multi-AZ
elasticache_multi_az_enabled         = true
elasticache_replicas_per_node_group  = 1

# Deletion protection
db_deletion_protection    = true
docdb_deletion_protection = true

# Larger instances
elasticache_node_type = "cache.r6g.large"
memorydb_node_type    = "db.r6g.large"

Development/Test

# Minimal capacity
rds_min_capacity  = 0.5
rds_max_capacity  = 2
api_autoscale_min = 1
web_autoscale_min = 1

# Single AZ
elasticache_multi_az_enabled = false

# Fargate Spot for cost savings
fargate_spot_base   = 1
fargate_spot_weight = 1

Lambda Environment Variables

| Lambda | Variables |
|---|---|
| image-validator | S3_TMP_BUCKET, S3_DEST_BUCKET |
| video-validator | S3_TMP_BUCKET, S3_QUARANTINE_BUCKET, REKOGNITION_SNS_TOPIC_ARN, REKOGNITION_ROLE_ARN, MAX_VIDEO_DURATION_SEC |
| video-moderation-result | S3_QUARANTINE_BUCKET, S3_DEST_BUCKET |
| cache-invalidator | DISTRIBUTION_ID |
| ga-port-mapping-resolver | SUBNET_IDS |
| scale-node-service | APP_NAME |

Provider Tags (Default)

All resources receive these tags automatically:

default_tags {
  tags = {
    Name        = "${app_name}-${env}"
    Project     = "${app_name}"
    Environment = "${env}"
    Module      = "${path_relative_to_include()}"
  }
}

Sensitive Variables

⚠️ Never commit these to Git:

  • *_password - Database passwords
  • *_auth_token - Cache auth tokens
  • bastion_inbound_cidrs - Office/VPN IPs

These are stored in S3 and downloaded during deployment.
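A pre-commit guard for this rule, added here as an example and not project code: it flags any of the listed variable names whose value is an inline string or list literal in a file staged for commit, while values pulled in through a function call such as Terragrunt's get_env() pass. The sample file is constructed and its password value is a placeholder.

```python
import re
import sys

# Names the page lists as never-commit: *_password, *_auth_token, bastion_inbound_cidrs.
SENSITIVE_NAME = re.compile(r"^(?:\w+_password|\w+_auth_token|bastion_inbound_cidrs)$")
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")

def find_sensitive_literals(hcl_text):
    """Return (line_no, name) for sensitive variables assigned an inline literal.

    Added example, not MILU2 project code. A value that is a reference or
    function call (e.g. get_env(...)) is not flagged; a quoted string or a
    non-empty list literal is, since that is what would leak into Git history.
    """
    hits = []
    for no, line in enumerate(hcl_text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue
        m = ASSIGNMENT.match(line)
        if not m or not SENSITIVE_NAME.match(m.group(1)):
            continue
        value = m.group(2)
        if value.startswith(('"', "[")) and value not in ('""', "[]"):
            hits.append((no, m.group(1)))
    return hits

# Constructed sample; the password value is a placeholder, not a real secret.
SAMPLE_HCL = """\
db_username            = "milu2_app"
mas_db_user            = "dba"
mas_db_password        = "PLACEHOLDER-NOT-A-REAL-SECRET"
elasticache_auth_token = get_env("ELASTICACHE_AUTH_TOKEN")
bastion_inbound_cidrs  = ["203.0.113.0/24"]
"""

def scan_files(paths):
    """Pre-commit entry point: exit status 1 if any given file carries a sensitive literal."""
    bad = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for no, name in find_sensitive_literals(fh.read()):
                print(f"{path}:{no}: {name} must not be committed with a literal value")
                bad = True
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(scan_files(sys.argv[1:]))
```

Wire it into a pre-commit hook over staged *.hcl files so a populated env_vars.hcl cannot be committed by accident.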