Configuration Reference

This page documents all Terraform variables for the thinkwork-ai/thinkwork/aws module. Variables are grouped by category, and every variable has a sensible default — a full dev deployment needs only four variables set (stage, region, account, DB password), and a production deployment typically adds a domain, Google OAuth credentials, and HA overrides.

How to choose values

A short orientation before the tables:

• Dev stacks favor cost and speed. Aurora Serverless v2 at the minimum capacity, single NAT gateway, no Hindsight, Claude Haiku as the default model. You can stand up and tear down these stacks in minutes.
• Production stacks favor availability and safety. HA across AZs, reserved concurrency on AgentCore, domain + ACM, Google OAuth enabled, Hindsight if the tenants need structured memory. Expect the first deploy to take 15–20 minutes.
• Shared-infrastructure stacks use the create_* boolean flags to adopt an existing VPC, database, or Cognito pool instead of creating new ones. Every existing_* field is required if its corresponding create_* is false. See BYO Infrastructure for the full story.
• Enterprise customer stacks should use a customer-owned Enterprise Deployment Repo rather than forking the ThinkWork source repository. Bootstrap creates the repo, state backend, artifact bucket, GitHub OIDC trust, and per-stage CI environment; after that, GitHub Actions deploys pinned releases and applies customer overlays.

Defaults are chosen for dev correctness. Don’t set every value explicitly — set the ones that matter for your deployment shape and let the rest fall to defaults.

Caution

terraform.tfvars holds plaintext secrets today. db_password, google_oauth_client_secret, and any API keys you feed in as variables land in terraform.tfvars in cleartext. That file should never be committed, and on production stacks should migrate to SSM Parameter Store or Secrets Manager references (via aws_ssm_parameter data sources) rather than literal values. This migration is a planned follow-up; until it lands, treat terraform.tfvars as a sensitive file — don’t paste it into chat, don’t commit it, and rotate any secret that may have been exposed.

Required variables

These must be set in every deployment. There are no defaults.

Variable	Type	Description
stage	string	Deployment stage name (e.g. dev, staging, prod). Used as a prefix for all resource names.
region	string	AWS region (e.g. us-east-1). Must match your AWS_REGION environment.
account_id	string	AWS account ID (12-digit string). Used in IAM policies and resource ARNs.
db_password	string	Master password for the Aurora Postgres database. Minimum 16 characters. Stored in Secrets Manager.

Core options

Variable	Type	Default	Description
database_engine	string	"aurora-serverless"	aurora-serverless (Aurora Serverless v2) or rds-postgres (provisioned RDS). Use aurora-serverless for dev/staging and variable workloads.
enable_hindsight	bool	false	Optional Hindsight memory add-on (ECS Fargate + ALB for semantic + entity-graph retrieval). AgentCore managed memory with automatic per-turn retention is always on regardless of this setting — this flag only controls whether Hindsight is also deployed alongside it.
memory_engine	string	""	Deprecated. Use enable_hindsight instead. For backwards compatibility, setting this to "hindsight" is equivalent to enable_hindsight = true.
enable_workspace_orchestration	bool	false	Deploy S3 EventBridge/SQS routing and the workspace event dispatcher for async folder-native agent work. Also enable tenants.workspace_orchestration_enabled per tenant after migration.
default_model_id	string	"anthropic.claude-3-5-sonnet-20241022-v2:0"	Bedrock model ID for the default Agent Template created on first deploy.
log_retention_days	number	30	CloudWatch log group retention in days. Set to 0 for never expire (not recommended for production).

Networking

Variable	Type	Default	Description
create_vpc	bool	true	Whether to create a new VPC. Set false to use an existing VPC.
vpc_cidr	string	"10.0.0.0/16"	CIDR block for the new VPC. Ignored if create_vpc = false.
availability_zones	list(string)	[]	AZs to use. Defaults to the first 2 AZs in the region.
existing_vpc_id	string	""	Required if create_vpc = false.
existing_private_subnet_ids	list(string)	[]	Required if create_vpc = false. Minimum 2 subnets.
existing_public_subnet_ids	list(string)	[]	Required if create_vpc = false. Minimum 2 subnets.
create_vpc_endpoints	bool	false	Create VPC Interface endpoints for AWS services. Recommended for production or no-NAT configurations.
single_nat_gateway	bool	true	Use one NAT gateway for all AZs (cost optimization). Set false for HA in production.

Database

Variable	Type	Default	Description
create_database	bool	true	Whether to create a new database.
db_name	string	"thinkwork"	Database name.
db_username	string	"thinkwork"	Master username.
aurora_min_capacity	number	0.5	Minimum ACUs for Aurora Serverless v2. Set 0.5 for dev (scales to zero when idle after 5 min).
aurora_max_capacity	number	16	Maximum ACUs for Aurora Serverless v2.
rds_instance_class	string	"db.t3.medium"	Instance class when database_engine = "rds-postgres".
rds_allocated_storage	number	20	Initial storage in GB when database_engine = "rds-postgres".
existing_db_host	string	""	Required if create_database = false.
existing_db_port	number	5432	Database port. Used if create_database = false.
existing_db_name	string	""	Database name. Required if create_database = false.
existing_db_username	string	""	Database username. Required if create_database = false.
existing_db_security_group_id	string	""	SG to allow Lambda access. Required if create_database = false.

Tip

For development, set aurora_min_capacity = 0.5. Aurora Serverless v2 pauses after 5 minutes of inactivity and the first query after a pause takes ~3 seconds to resume. This eliminates idle database costs during nights and weekends.

Auth (Cognito)

Variable	Type	Default	Description
create_cognito	bool	true	Whether to create a new Cognito User Pool and Identity Pool.
cognito_domain_prefix	string	""	Cognito hosted UI domain prefix (e.g. thinkwork-dev → thinkwork-dev.auth.us-east-1.amazoncognito.com). Defaults to thinkwork-{stage}.
cognito_callback_urls	list(string)	[]	OAuth callback URLs for the Cognito app client. Add your admin app and end-user app URLs.
cognito_logout_urls	list(string)	[]	OAuth logout URLs.
google_oauth_client_id	string	""	Google OAuth client ID for Google identity provider. Leave empty to disable Google sign-in.
google_oauth_client_secret	string	""	Google OAuth client secret. Stored in Secrets Manager.
existing_user_pool_id	string	""	Required if create_cognito = false.
existing_user_pool_arn	string	""	Required if create_cognito = false.
existing_identity_pool_id	string	""	Required if create_cognito = false.
mfa_configuration	string	"OFF"	Cognito MFA setting: OFF, OPTIONAL, or ON.

Domain and DNS

Variable	Type	Default	Description
domain_name	string	""	Root domain for the deployment (e.g. thinkwork.example.com). Leave empty to use CloudFront domains.
hosted_zone_id	string	""	Route53 hosted zone ID for domain_name. Required if domain_name is set.
admin_app_subdomain	string	"app"	Subdomain for the admin app (e.g. app.thinkwork.example.com).
api_subdomain	string	"api"	Subdomain for API Gateway (e.g. api.thinkwork.example.com).

Memory

ThinkWork always provisions an AWS Bedrock AgentCore Memory resource as part of module.thinkwork. The agent container emits a CreateEvent for every turn, and AgentCore’s built-in strategies (semantic, summarization, user-preference, episodic) extract facts in the background. Retention is automatic — you don’t need to configure anything or prompt the model to call remember().

Variable	Type	Default	Description
agentcore_memory_id	string	""	Optional pre-existing AgentCore Memory resource ID to reuse. Leave empty to let the agentcore-memory module auto-provision one.
enable_hindsight	bool	false	Optional add-on: also deploy the Hindsight ECS service for semantic + entity-graph retrieval alongside managed memory.
hindsight_image_tag	string	"0.5.0"	Hindsight Docker image tag. Only used when enable_hindsight = true.
hindsight_retain_interval_hours	number	1	How often (hours) Hindsight runs the retain step. Only used when enable_hindsight = true.
hindsight_reflect_interval_hours	number	24	How often (hours) Hindsight runs the reflect/synthesis step.
hindsight_task_cpu	number	512	ECS Fargate CPU units for Hindsight tasks.
hindsight_task_memory	number	1024	ECS Fargate memory (MB) for Hindsight tasks.

When enable_hindsight = true, the agent container gains three additional tools (hindsight_retain, hindsight_recall, hindsight_reflect) alongside the always-on managed memory tools (remember, recall, forget). The remember() tool dual-writes to both backends so explicit memories land in both stores.

Email (SES)

Variable	Type	Default	Description
ses_parent_domain	string	""	Parent domain for tenant-scoped Space email addresses (e.g. thinkwork.example.com). Leave empty to skip SES inbound resources.
ses_tenant_slugs	set(string)	[]	Tenant slugs to provision as SES receiving subdomains under ses_parent_domain, one identity per tenant slug.
ses_inbound_domain	string	""	Legacy delegated inbound domain (e.g. agents.thinkwork.example.com). Keep configured until legacy-address retirement ends.
ses_from_address	string	""	From address for non-Space outbound email. Must be verified in SES.
ses_configuration_set	string	"thinkwork-{stage}"	SES configuration set name for email event tracking.
ses_inbound_enabled	bool	false	Whether to configure SES inbound email (creates EMAIL- threads from inbound mail).

Knowledge Base

ThinkWork provisions an IAM service role that lets Bedrock Knowledge Bases read from the KB S3 bucket, invoke amazon.titan-embed-text-v2:0 for embeddings, and write vectors into Aurora Postgres via the RDS Data API. There is no OpenSearch Serverless collection — the vector index lives in the same Aurora cluster as the rest of your data (pgvector), so there is no separate vector-store cost line.

Knowledge Base configuration (chunking strategy, data source wiring, sync schedule) is managed at runtime through the Knowledge module, not through terraform variables.

AgentCore

Variable	Type	Default	Description
agentcore_memory_mb	number	3008	Lambda memory for AgentCore. Increasing memory also increases vCPU allocation.
agentcore_timeout_seconds	number	900	Lambda timeout (max 900 = 15 min).
agentcore_reserved_concurrency	number	-1	Reserved concurrency for AgentCore Lambda. -1 means unreserved (uses account limit). Set a value to cap concurrent invocations.
agentcore_container_tag	string	"latest"	ECR image tag for the AgentCore container. Override to pin to a specific version.

Workspace orchestration

Workspace orchestration is the S3-backed event layer that turns files like work/inbox/*.md, review/*, and work/runs/*/events/*.json into canonical agent-work events. It is disabled by default so operators can roll it out tenant by tenant.

Variable	Type	Default	Description
enable_workspace_orchestration	bool	false	Enables workspace bucket EventBridge notifications, EventBridge rules, SQS queues, DLQs, and the workspace-event-dispatcher Lambda event source mapping.

After Terraform apply, enable the tenant row:

UPDATE tenants
SET workspace_orchestration_enabled = true
WHERE slug = 'acme';

See Workspace Orchestration for target routing, protected prefixes, runtime environment variables, and operational troubleshooting.

Tags

Variable	Type	Default	Description
tags	map(string)	{}	Additional tags applied to all resources. Merged with ThinkWork’s default tags (Stage, ManagedBy: thinkwork).

Example: minimal dev config

stage      = "dev"
region     = "us-east-1"
account_id = "123456789012"
db_password = "dev-password-change-me"

Example: production config

stage      = "prod"
region     = "us-east-1"
account_id = "123456789012"
db_password = var.db_password   # From CI secret

domain_name    = "agents.example.com"
hosted_zone_id = "Z1234567890ABC"

database_engine   = "aurora-serverless"
aurora_min_capacity = 1
aurora_max_capacity = 32

enable_hindsight = true      # optional add-on alongside managed memory

single_nat_gateway = false   # HA: one NAT per AZ

create_vpc_endpoints = true

cognito_callback_urls = [
  "https://app.agents.example.com/callback",
  "https://agents.example.com/callback"
]

google_oauth_client_id     = "abc.apps.googleusercontent.com"
google_oauth_client_secret = var.google_oauth_secret

ses_from_address    = "system@thinkwork.example.com"
ses_inbound_enabled = true
ses_inbound_domain  = "agents.thinkwork.example.com" # legacy retirement notices
ses_parent_domain   = "thinkwork.example.com"
ses_tenant_slugs    = ["acme", "support"]

agentcore_reserved_concurrency = 50

tags = {
  Team        = "platform"
  CostCenter  = "engineering"
  Environment = "production"
}

Related pages

• Enterprise Deployment Repo — recommended enterprise deployment path
• Customer Overlay Contract — eval, skill, workspace default, seed, and branding packs
• Greenfield AWS Deploy — end-to-end walkthrough with these variables in context
• BYO Infrastructure — adopting an existing VPC, database, or Cognito pool
• Getting Started — the 15-minute dev deploy
• Architecture — what each tier of resources does
• Concepts: Control — the production-readiness concerns these variables touch (guardrails, budgets, audit)