Configuration Reference¶

All infrastructure configuration lives in Pulumi.<stack-name>.yaml. See Pulumi.example.yaml for a fully documented reference with all available options.

Required Settings¶

Config Key	Description	Example
`hawk:domain`	Internal domain for services	`hawk.example.com`
`hawk:publicDomain`	Public domain for DNS zones	`example.com`
`hawk:primarySubnetCidr`	VPC CIDR block	`10.0.0.0/16`

Authentication¶

Hawk creates a Cognito user pool by default. If you want to use your own OIDC provider instead:

Config Key	Description	Example
`hawk:oidcClientId`	OIDC client ID	`your-client-id`
`hawk:oidcAudience`	OIDC audience for access tokens	`https://api.example.com`
`hawk:oidcIssuer`	OIDC issuer URL	`https://login.example.com/oauth2/default`
`hawk:oidcDomain`	OIDC provider domain	`login.example.com`

Infrastructure Options¶

Config Key	Default	Description
`hawk:eksK8sVersion`	`1.33`	Kubernetes version for EKS
`hawk:albIdleTimeout`	`3600`	ALB idle timeout in seconds
`hawk:albInternal`	`false`	Set to `true` to make the ALB internal (requires VPN)
`hawk:cloudwatchLogsRetentionDays`	`14`	CloudWatch log retention
`hawk:vpcFlowLogsRetentionDays`	`14`	VPC flow log retention
`hawk:agentCpuCount`	`4`	CPU cores per eval agent
`hawk:agentRamGb`	`16`	RAM in GB per eval agent

Optional Integrations¶

These are all disabled by default. Enable them in your stack config when needed.

Datadog¶

Monitoring, APM, and log forwarding:

hawk:enableDatadog: "true"
hawk:datadogSite: datadoghq.com

Requires a <env>/platform/datadog-api-key secret in AWS Secrets Manager.

Cloudflare¶

DNS delegation from a parent zone to Route53:

hawk:cloudflareZoneId: "your-zone-id"
hawk:cloudflareParentDomain: "example.com"

Requires a <env>/platform/cloudflare-api-token secret in AWS Secrets Manager.

Tailscale¶

VPN overlay for private service access:

Set hawk:albInternal: "true" and store a Tailscale auth key in AWS Secrets Manager. This makes all services accessible only through your Tailscale network.

Budget Alerts¶

hawk:budgetLimit: "10000"
hawk:budgetNotificationEmails:
  - "team@example.com"

When integrations are disabled, services fall back to simpler alternatives (CloudWatch instead of Datadog, no DNS delegation, etc.).