Configuration Reference¶
All infrastructure configuration lives in Pulumi.<stack-name>.yaml. See Pulumi.example.yaml for a fully documented reference with all available options.
Required Settings¶
| Config Key | Description | Example |
|---|---|---|
hawk:domain |
Internal domain for services | hawk.example.com |
hawk:publicDomain |
Public domain for DNS zones | example.com |
hawk:primarySubnetCidr |
VPC CIDR block | 10.0.0.0/16 |
Authentication¶
Hawk creates a Cognito user pool by default. If you want to use your own OIDC provider instead:
| Config Key | Description | Example |
|---|---|---|
hawk:oidcClientId |
OIDC client ID | your-client-id |
hawk:oidcAudience |
OIDC audience for access tokens | https://api.example.com |
hawk:oidcIssuer |
OIDC issuer URL | https://login.example.com/oauth2/default |
hawk:oidcDomain |
OIDC provider domain | login.example.com |
Infrastructure Options¶
| Config Key | Default | Description |
|---|---|---|
hawk:eksK8sVersion |
1.33 |
Kubernetes version for EKS |
hawk:albIdleTimeout |
3600 |
ALB idle timeout in seconds |
hawk:albInternal |
false |
Set to true to make the ALB internal (requires VPN) |
hawk:cloudwatchLogsRetentionDays |
14 |
CloudWatch log retention |
hawk:vpcFlowLogsRetentionDays |
14 |
VPC flow log retention |
hawk:agentCpuCount |
4 |
CPU cores per eval agent |
hawk:agentRamGb |
16 |
RAM in GB per eval agent |
Optional Integrations¶
These are all disabled by default. Enable them in your stack config when needed.
Datadog¶
Monitoring, APM, and log forwarding:
yaml
hawk:enableDatadog: "true"
hawk:datadogSite: datadoghq.com
Requires a <env>/platform/datadog-api-key secret in AWS Secrets Manager.
Cloudflare¶
DNS delegation from a parent zone to Route53:
yaml
hawk:cloudflareZoneId: "your-zone-id"
hawk:cloudflareParentDomain: "example.com"
Requires a <env>/platform/cloudflare-api-token secret in AWS Secrets Manager.
Tailscale¶
VPN overlay for private service access:
Set hawk:albInternal: "true" and store a Tailscale auth key in AWS Secrets Manager. This makes all services accessible only through your Tailscale network.
Budget Alerts¶
yaml
hawk:budgetLimit: "10000"
hawk:budgetNotificationEmails:
- "team@example.com"
When integrations are disabled, services fall back to simpler alternatives (CloudWatch instead of Datadog, no DNS delegation, etc.).