Releases: comet-ml/terraform-aws-comet-stsaas
v1.13.0
Added
eks_admin_capacity_typeandeks_clickhouse_capacity_typevariables — mirror the existingeks_comet_capacity_typeso non-prod customers can put the admin and ClickHouse node groups on Spot. Defaults areON_DEMANDso every existing customer is unaffected on the next apply.
Notes
- ClickHouse is stateful; setting SPOT can lose unreplicated writes between backups. Use only when data loss on eviction is acceptable (UAT / dev).
- Came out of DND-1150 (stsaasuat FinOps cleanup) where Nimrod asked for "all node pools to Spot" but the module previously only exposed
capacity_typefor the comet pool.
PR: #12
v1.12.0
What's Changed
Full Changelog: v1.11.0...v1.12.0
Contributors
Assets 2
v1.11.0
What's Changed
Full Changelog: v1.10.0...v1.11.0
Contributors
Assets 2
v1.10.0
What's Changed
Full Changelog: v1.9.0...v1.10.0
Contributors
Assets 2
v1.9.0
What's Changed
Full Changelog: v1.8.1...v1.9.0
Contributors
Assets 2
v1.8.1
What's Changed
Fixes
- comet_secretsmanager: Don't auto-generate
opik_admin_pass; default to literal"opik"to match the chart contract. Reverts the random auto-gen introduced in #4 for theopikuser. Theagentrouser keeps random.
The opik subchart hardcodes ANALYTICS_DB_PASS / ANALYTICS_DB_MIGRATIONS_PASS / STATE_DB_PASS to the literal "opik" in its public values.yaml. opik-backend reads these env vars at runtime — so if terraform randomizes the value, opik-backend can't authenticate to ClickHouse and the install fails with Code: 516 opik: Authentication failed (#6).
Migration notes
- New customers on this tag get a vanilla install that just works.
- Existing customers (
v1.7.0/v1.8.0) already have either literal"opik"or a random value in theircometml/{env}/clickhouse.opik_admin_pass— no behavior change. - Customers who want a real password override BOTH
clickhouse_admin_password(terraform) ANDopik.component.backend.env.ANALYTICS_DB_PASS(chart values).
Full Changelog: v1.8.0...v1.8.1
v1.8.0
What's Changed
Features
- secretsmanager: auto-generate clickhouse
agentroandadminuser passwords; populatehost/port/usernamekeys for the monitoring exporter (#4)
Fixes
- comet_eks: align
external_secrets_chart_versionsubmodule default with the comet-devops umbrella chart (0.9.3→2.2.0). Prevents an ArgoCD-handoff CRD lockup where the old conversion webhook references a service that disappears when ArgoCD takes over the operator install (#5)
Migration notes
Existing customers on v1.7.0 and earlier already have external-secrets at chart 2.2.0 via the root override (set in v1.4.0+). New customers using the bumped tag get the same behavior whether they use the root module or comet_eks standalone.
Full Changelog: v1.7.0...v1.8.0
v1.3.0
What's Changed
New Features
- CloudWatch Exporter IRSA support (
enable_cloudwatch_exporter = true) — Creates IAM policy and IRSA role forprometheus-cloudwatch-exporterto scrape ElastiCache, RDS, and other AWS managed service metrics (DND-868)
Since v1.0.2
- feat: Add Karpenter prerequisites (node group, IRSA, SQS, EventBridge rules)
- feat: Deploy comet-stsaas-karpenter Helm chart via
enable_karpenter - fix: Karpenter discovery tags, S3 policy attachment, admin node group handling
- feat: Add CloudWatch Exporter IRSA role support
Usage
module "comet" {
source = "github.com/comet-ml/terraform-aws-comet-stsaas?ref=v1.3.0"
enable_cloudwatch_exporter = true
# ... other variables
}Full Changelog: v1.0.2...v1.3.0
v1.0.2
v1.0.1
Add Loki and Monitoring Support in EKS Module
- Introduced support for Loki by adding an IRSA role and IAM policy for S3 access in the comet_eks module.
- Added variables for enabling Loki and configuring the S3 bucket for Loki logs.
- Implemented monitoring setup with a dedicated namespace and Grafana credentials management.
- Updated outputs to include ARNs and names for the new Loki resources.
- Enhanced the comet_s3 module to create an S3 bucket for Loki logs based on configuration settings.