
Configuring Terraform

Configuring Qt Insight Private Cloud

The Qt Insight installation uses Terraform to deploy resources to AWS. The installation is done using the command line.

  1. To configure Qt Insight Private Cloud, create a Terraform configuration file by copying the sample.tfvars file in the infra/env directory of the extracted install package.

    The sample variable file lists the available configuration options and deployment descriptions.

  2. Replace the values marked as <placeholder> with your own. See Configuration options for a description of each available option.

Configuration options

The following configuration options are available for Qt Private Cloud Terraform deployment. The installation package contains a sample.tfvars file that can be used as a starting point for the configuration.

Each option is listed with its name, description, type, default, and whether it is required.

admin_accounts
Admin accounts for Qt Insight. Refers to the accounts in the OAuth server.
Type: list(string) | Default: n/a | Required: yes

amazon_linux_2_ami_id
AWS AMI ID to use for the EC2 instances. Used for the Snowplow modules. The AMI ID must be based on Amazon Linux 2 (the latest community version is used by default).
Type: string | Default: "" | Required: no

app_dns_name
The domain name used for the Qt Insight dashboard application.

Example:

    app_dns_name = "app.insight.example.com"

Type: string | Default: n/a | Required: yes

backup_region
The AWS region used for cross-region data backup. Must be provided if enable_cross_region_backup is true.

For more information, see AWS Documentation - Regions and Zones.

Type: string | Default: "" | Required: no

certificate_arn
ACM certificate to use for the Qt Insight dashboard transport layer security (TLS) endpoint. The certificate must have the value of the <app_dns_name> variable as its Common Name (CN) or as a Subject Alternative Name (SAN). The certificate can be imported into ACM from an external certificate authority or requested from ACM directly.

Note: One certificate can be used for both collection and application. In this case, both subdomains must be in the certificate CN or SAN fields.

Type: string | Default: n/a | Required: yes

collect_certificate_arn
ACM certificate to use for the collector TLS endpoint. The certificate must have the value of the <collect_dns_name> variable as its CN or as a SAN. The certificate can be imported into ACM from an external certificate authority or requested from ACM directly.

Note: One certificate can be used for both collection and application. In this case, both subdomains must be in the certificate CN or SAN fields.

Type: string | Default: n/a | Required: yes

collect_dns_name
The domain name used for the Qt Insight event collection endpoint.

Example:

    collect_dns_name = "collect.insight.example.com"

Type: string | Default: n/a | Required: yes

collector_instance_type
EC2 instance type for the collector instance.
Type: string | Default: t3.medium | Required: no

config_cache_ttl
Time interval - in seconds (s), minutes (m) or hours (h) - to cache the application's remote configuration.

The remote configuration is stored in in-memory cache to reduce the database load.

Type: string | Default: 5m | Required: no

dashboard_rds_snapshot_id
Relational Database Service (RDS) snapshot ID used for restoring the Qt Insight database. If the ID is changed, RDS creates a new database from the snapshot.

Note: Change this value only if you intend to restore the database from a snapshot.

Type: string | Default: "" | Required: no

data_bucket_name
Name of the S3 bucket in which the analytics data is stored. This data bucket is created during the installation phase.

Note: The bucket name must be unique across all of AWS.

Type: string | Default: n/a | Required: yes

enable_cross_region_backup
Enables backup replication to backup_region. Supports Redshift and RDS databases used by Qt Insight.

Note: Makes Terraform 10-15 minutes slower, so when testing you may want to set this to false.

Type: bool | Default: false | Required: no

enrich_instance_type
EC2 instance type for an enriched instance.
Type: string | Default: t3.medium | Required: no

export_bucket_name
Name of the exported S3 bucket.

Note: The bucket name must be unique across all of AWS.

Type: string | Default: n/a | Required: yes

iglu_instance_type
EC2 instance type for an Iglu instance.
Type: string | Default: t3.medium | Required: no

iglu_rds_snapshot_id
RDS snapshot ID used for restoring the Iglu database. If the ID is changed, RDS creates a new database from the snapshot.

Note: Change this value only if you intend to restore the database from a snapshot.

Type: string | Default: "" | Required: no

is_user_pseudonymized
Toggles whether the domain_user field is anonymized within the enrichment pipeline.
Type: bool | Default: true | Required: no

lb_access_logs_enabled
Determines whether to store the load balancer access logs.

Note: If this option is enabled, the logs_bucket_id must be set.

Type: bool | Default: false | Required: no

loader_instance_type
EC2 instance type for a loader instance.
Type: string | Default: t3.medium | Required: no

log_retention_days
Defines the number of days to retain the logs.
Type: number | Default: 30 | Required: yes

logs_bucket_id
S3 bucket ID used for accessing the bucket logs. Also used for storing the load balancer logs if lb_access_logs_enabled is true.

Note: Must be provided if lb_access_logs_enabled is true. The bucket name must be unique across all of AWS.

Type: string | Default: "" | Required: no

monitoring_enabled
Enables the installation of the CloudWatch dashboard to monitor Qt Insight.
Type: bool | Default: true | Required: no

oauth_client_config
Client configuration for the OAuth application. Required fields (get the values from your identity provider):
  • client_id
  • client_secret
  • issuer

Example:

    oauth_client_config = {
        client_id     = "<client id>"
        client_secret = "<client secret>"
        issuer        = "<issuer url>"
    }

Type: map(string) | Default: n/a | Required: yes

profile
AWS profile to use for Terraform. This must match the profile configured locally. For details, see aws configure --profile.

Example (AWS):

    aws configure --profile insight-deploy-user

Example (Qt Insight configuration):

    profile = "insight-deploy-user"

Type: string | Default: n/a | Required: yes

redshift_cluster_size
Defines the number of nodes to be created in the Redshift cluster.
Type: number | Default: 1 | Required: yes

redshift_cluster_snapshot_id
Redshift snapshot ID used for restoring the database. If the ID is changed, Redshift creates a new database from the snapshot.

Note: Change this value only if you intend to restore the database from a snapshot.

Type: string | Default: n/a | Required: yes

redshift_node_type
Defines the type of the nodes to be created in the Redshift cluster. For details about the different node types, see AWS Documentation - Redshift.

Example:

    redshift_node_type = "ra3.xlplus"

Type: string | Default: n/a | Required: yes

redshift_snapshot_retention_days
Defines the number of days to retain the automated snapshots of the Redshift cluster.
Type: number | Default: 5 | Required: no

region
Defines the AWS region the services are deployed in. For more information, see AWS Documentation - Regions and Zones.
Type: string | Default: n/a | Required: yes

root_dns_name
Root domain name for Qt Insight. The dashboard application and the collection endpoint are subdomains under this root. Typically this is a subdomain delegated from an external DNS provider.

Example:

    root_dns_name = "insight.example.com"

Type: string | Default: n/a | Required: yes

root_route53_delegation_set_id
Route 53 delegation set ID for the Qt Insight root subdomain. You can create the ID with the AWS command-line interface command aws route53 create-reusable-delegation-set --caller-reference, where the caller-reference can be any unique string (for example, a date/time stamp).

Note: Copy the nameserver's value for DNS delegation.

Example:

    root_route53_delegation_set_id = "N06238763TERTV123456"

Type: string | Default: n/a | Required: yes

enable_application_telemetry
Optional configuration to enable Sentry in the Qt Insight UI. If enabled, Sentry is used in the Qt Insight application to send feedback and crash reports to Sentry.io.

For more information, see var.telemetry_dsn.

Type: bool | Default: false | Required: no

telemetry_dsn
Sentry.io data source name. Used for associating Sentry events with the correct organization.

Note: This option is only used if var.enable_application_telemetry is true.

If var.enable_sentry_telemetry is true and this is empty, the DSN of Qt's organization is used (telemetry is sent to Qt).

Type: string | Default: "" | Required: no

shredder_instance_type
EC2 instance type for a shredder instance.
Type: string | Default: t3.medium | Required: no

stream_retention_period
The number of hours that the Kinesis streams should retain the data.
Type: number | Default: 48 | Required: yes

subnets
List of IPv4 classless inter-domain routing (CIDR) ranges of each subnet in each availability zone (AZ) used.

Note: Each AZ must match one of the availability zones available in the chosen AWS region. Each AZ must have an isolated, a private and a public subnet. The CIDR ranges must be in the virtual private cloud (VPC) CIDR range and must not overlap with each other.

Example:

    subnets = [
        {
            az            = "a"
            isolated_cidr = "10.150.1.0/24"
            public_cidr   = "10.150.3.0/24"
            private_cidr  = "10.150.5.0/24"
        },
        {
            az            = "b"
            isolated_cidr = "10.150.2.0/24"
            public_cidr   = "10.150.4.0/24"
            private_cidr  = "10.150.6.0/24"
        }
    ]

Type: list(object) | Default: n/a | Required: yes

terraform_backend_bucket_name
The name of the S3 bucket in which to store the Terraform state of the private-cloud deployment.
Type: string | Default: n/a | Required: yes

token_cache_ttl
Time interval - in seconds (s), minutes (m) or hours (h) - to cache the tokens of the incoming events. The data pipeline validates the token in each ingested event.

This token status is stored in in-memory cache to reduce the database load.

Type: string | Default: 1m | Required: no

vpc_cidr
The IPv4 CIDR range of the VPC.

Example:

    vpc_cidr = "10.150.0.0/16"

Type: string | Default: n/a | Required: yes
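
A pre-flight check for the rules stated in the option descriptions above: the backup_region and logs_bucket_id dependencies, values left as <placeholder>, and subnet CIDRs that must sit inside vpc_cidr without overlapping. This is an added example, not part of the Qt Insight install package; check_tfvars and SAMPLE are hypothetical names, and it assumes the tfvars values have already been loaded into a Python dict.

```python
import ipaddress

def check_tfvars(cfg):
    """Return a list of problems found in a dict mirroring the tfvars values."""
    problems = []
    # Cross-field rules stated in the option descriptions.
    if cfg.get("enable_cross_region_backup") and not cfg.get("backup_region"):
        problems.append("backup_region must be set when enable_cross_region_backup is true")
    if cfg.get("lb_access_logs_enabled") and not cfg.get("logs_bucket_id"):
        problems.append("logs_bucket_id must be set when lb_access_logs_enabled is true")
    # OAuth values still carrying the sample file's <placeholder> markers.
    for key, value in cfg.get("oauth_client_config", {}).items():
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"oauth_client_config.{key} is still a placeholder")
    # Subnet rules: every CIDR inside vpc_cidr, no two ranges overlapping.
    vpc = ipaddress.ip_network(cfg["vpc_cidr"])
    seen = []
    for subnet in cfg.get("subnets", []):
        for tier in ("isolated_cidr", "public_cidr", "private_cidr"):
            label = f"az {subnet['az']} {tier}"
            if tier not in subnet:
                problems.append(f"{label} is missing")
                continue
            net = ipaddress.ip_network(subnet[tier])
            if not net.subnet_of(vpc):
                problems.append(f"{label} {net} is outside vpc_cidr {vpc}")
            for other_label, other in seen:
                if net.overlaps(other):
                    problems.append(f"{label} {net} overlaps {other_label} {other}")
            seen.append((label, net))
    return problems

# Constructed sample: the page's example values with four deliberate mistakes.
SAMPLE = {
    "vpc_cidr": "10.150.0.0/16",
    "enable_cross_region_backup": True,
    "backup_region": "",
    "lb_access_logs_enabled": False,
    "oauth_client_config": {"client_id": "constructed-id", "client_secret": "constructed-secret", "issuer": "<issuer url>"},
    "subnets": [
        {"az": "a", "isolated_cidr": "10.150.1.0/24", "public_cidr": "10.150.3.0/24", "private_cidr": "10.150.5.0/24"},
        {"az": "b", "isolated_cidr": "10.150.2.0/24", "public_cidr": "10.150.3.128/25", "private_cidr": "10.151.6.0/24"},
    ],
}

if __name__ == "__main__":
    for problem in check_tfvars(SAMPLE):
        print("FAIL:", problem)
```

Running the check before terraform plan catches these mistakes without touching AWS; an empty list means the stated rules hold.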
