access_logs_retention_days | Number of days to retain access logs in S3 bucket for ALB and Cloudfront. Logs older than this will be deleted. Set to 0 to retain logs indefinitely. | number | 90 | no |
availability_zones | List of Availability Zones (AZs) where subnets will be created e.g. [eu-west-2a , eu-west-2b ]. Ignored when availability_zone_ids is set. The order of zones in the list must be stable or else Terraform will continually make changes. If no AZs are specified, then subnets will be created in all available AZs. We recommend setting availability_zones explicitly for predictability, consistency, and stability. | list(string) | [] | no |
cdn_default_content_cache_ttl | Cache TTL for all WordPress content other than static and dynamic content defined in cdn_static_content_path_patterns and cdn_dynamic_content_path_patterns respectively. Example of such content is WordPress home page, pages and posts. Increase for high-load WordPress sites. | number | 300 | no |
cdn_dynamic_content_path_patterns | List of dynamic WordPress content path patterns that should never be cached. | list(string) | [ "/wp-admin/*", "/wp-login.php", "/wp-signup.php", "/wp-trackback.php", "/wp-cron.php", "/xmlrpc.php", "/wp-json/*" ] | no |
cdn_enabled | Enable CloudFront CDN for the site. | bool | true | no |
cdn_price_class | CloudFront distribution price class. One of the following: PriceClass_All , PriceClass_200 , PriceClass_100 . See also choosing the CloudFront price class. | string | "PriceClass_100" | no |
cdn_static_content_browser_cache_ttl | Browser cache TTL for the static WordPress content. Cloudfront will add a Cache-Control header with a specified value to cdn_static_content_path_patterns path responses only if the header is absent in the response. If a WordPress plugin (e.g. W3 Total Cache) is used to set Cache-Control value, this setting will be overriden." | number | 604800 | no |
cdn_static_content_cache_ttl | Cache TTL for the static WordPress content. Typically, this type of content should be cached for a long period of time. | number | 604800 | no |
cdn_static_content_path_patterns | List of static WordPress content path patterns that should be cached for a long period of time. This is usually versioned content that is invalidated using the cache-busting technique." | list(string) | [ "/wp-content/*", "/wp-includes/*" ] | no |
container_config | Additional WordPress and PHP configuration to pass to the WordPress container. See https://hub.docker.com/r/bitnami/wordpress-nginx for the full list. _Note_: Database connection and other mandatory settings are automatically injected. | map(string) | {} | no |
container_image | WordPress container image. | string | "docker.io/bitnami/wordpress-nginx:latest" | no |
container_logs_retention_days | Number of days to retain access logs in CloudWatch for ECS containers. Logs older than this will be deleted. Set to 0 to retain logs indefinitely. | number | 90 | no |
db_admin_password_version | Database admin auto-generated password version. Incrementing this will trigger the database password rotation. Note that this may break database connectivity and require manual intervention." | number | 1 | no |
db_backup_retention_period | The number of days to retain database backups for. | number | 5 | no |
db_cluster_family | The family of the RDS database cluster. | string | n/a | yes |
db_engine_version | The version of the RDS database engine to use. See aws rds describe-db-engine-versions for options. | string | n/a | yes |
db_instance_class | Instance class to use for RDS Aurora MySQL database. See the list of available instance classes here. | string | n/a | yes |
db_instance_count | Number of database instances to create in the RDS cluster. | number | n/a | yes |
db_storage_kms_arn | The ARN for the KMS Customer Managed Key (CMK) to use to encrypt RDS storage. Leave blank to use AWS managed key. | string | null | no |
dns_subdomain | Subdomain for the WordPress site. E.g. "www" | string | n/a | yes |
dns_zone_name | Route53 public zone name for the WordPress site e.g. example.com . If the DNS zone already exists, records will be added to the existing zone. Otherwise, a zone will be created. | string | n/a | yes |
efs_backup_enabled | Enable automatic Elastic File System (EFS) volume backup using AWS Backup service. | bool | true | no |
efs_kms_arn | The ARN for the KMS Customer Managed Key (CMK) to use to encrypt EFS volumes. Leave blank to use AWS managed key. | string | null | no |
efs_provisioned_throughput_in_mibps | The throughput, measured in MiB/s, that you want to provision for the EFS volume. This is required only when efs_throughput_mode is set to provisioned . | number | 0 | no |
efs_throughput_mode | Throughput mode for the EFS volume. Valid values: bursting , provisioned , or elastic . When using provisioned , also set efs_provisioned_throughput_in_mibps . See EFS Throughput Modes for more details. | string | "bursting" | no |
environment | AWS account name (e.g. cms ) or region (e.g. euw2 ). Leave blank for single-account deployments. | string | null | no |
jumpbox_enabled | Deploy jumpbox server for SSH access to the private subnets. Required for RDS database access via SSH tunnel. | bool | true | no |
lb_health_check_healthy_threshold | The number of consecutive health checks successes required before considering the target healthy. | number | 1 | no |
lb_health_check_interval | The duration in seconds in between health checks. | number | 30 | no |
lb_health_check_path | The destination for the health check request. | string | "/wp-admin/install.php" | no |
lb_health_check_timeout | The duration in seconds to wait before failing a health check request. | number | 10 | no |
lb_health_check_unhealthy_threshold | The number of consecutive health check failures required before considering the target unhealthy. | number | 3 | no |
namespace | Namespace prefix is usually an abbreviation of your organization name (e.g. 'is'). It helps to ensure generated IDs are globally unique. Should be 3 characters max. | string | n/a | yes |
region | AWS region. Leave blank if you want to use the region configured in the AWS CLI profile. | string | null | no |
secret_kms_arn | The ARN for the KMS Customer Managed Key (CMK) to use to encrypt Secret Manager secrets. Leave blank to use AWS managed key. | string | null | no |
service_task_cpu | Amount of CPU to allocate to each ECS task. Must match Fargate task sizes. | number | n/a | yes |
service_task_instance_count | Number of ECS tasks to run. | number | 1 | no |
service_task_memory | Amount of memory to allocate to each ECS task. Must match Fargate task sizes. | number | n/a | yes |
stage | AWS environment stage. Allowed values: dev , staging , test , uat , prod ). | string | n/a | yes |
tags | Additional tags to apply to all resources. | map(string) | {} | no |
vpc_cidr_block | CIDR block for VPC to be created. Sunbets calculated dynamically based on this CIDR. | string | n/a | yes |
vpc_use_nat_instance | Use NAT Instance instead of NAT Gateway for outbound traffic. NAT instance is cheaper but less reliable. This is useful for testing and development. Always set this to false in production to use NAT Gateway. | bool | false | no |
waf_aws_managed_rulesets | List of AWS Managed WAF Rulesets to enable. Rulesets prioritised in the order they appear in the list. See AWS Managed Rule Groups for the full list. | list(string) | [ "AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesSQLiRuleSet", "AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesPHPRuleSet", "AWSManagedRulesWordPressRuleSet" ] | no |
waf_cloudwatch_metrics_enabled | Enable CloudWatch metrics for the WAF rulesets. | bool | true | no |
waf_enabled | Enable Web Application Firewall (WAF) to protect the site. | bool | true | no |
waf_override_action_with_count | Override the default action for the WAF rulesets with count . Enable this if you need to debug WAF behaviour instead of enforcing actual rules. | bool | false | no |
waf_sampled_requests_enabled | Enable sampling of requests for the WAF rulesets. | bool | true | no |
waf_whitelist_ipv4_addresses | List of IP addresses to exclude from WAF checks. This prevents legitimate requests from being blocked by managed WAF rulesets (false-positives). For example, Stripe webhook requests larger than Cloudfront's 16KB limit can be blocked (see AWSManagedRulesCommonRuleSet#SizeRestrictions_BODY rule). | list(string) | [] | no |