Configuration parameters

The Elastic CI Stack for AWS can be configured using parameters in AWS CloudFormation or variables in Terraform. This page provides a complete reference of all available configuration options.

Deployment method

If you're using AWS CloudFormation, see the AWS CloudFormation setup guide. If you're using Terraform, see the Terraform deployment guide.

The following tables list all of the available configuration parameters. For CloudFormation deployments, these are parameters in the aws-stack.yml template. For Terraform deployments, these are variables in the Terraform module.

Note that you must provide a value for the Buildkite Agent token (CloudFormation: BuildkiteAgentTokenParameterStorePath or BuildkiteAgentToken; Terraform: agent_token_parameter_store_path or agent_token) to use the stack. All other parameters are optional.

Base Configuration

CloudFormation parameter Terraform variable Description
BuildkiteAgentToken
(String)
buildkite_agent_token
(string)
Buildkite agent registration token. Or, preload it into SSM Parameter Store and use BuildkiteAgentTokenParameterStorePath for secure environments.
BuildkiteAgentTokenParameterStorePath
(String)
buildkite_agent_token_parameter_store_path
(string)
Optional - Path to Buildkite agent token stored in AWS Systems Manager Parameter Store. Supports both parameter paths (e.g., '/buildkite/agent-token') and cross-account SSM parameter ARNs (e.g., 'arn:aws:ssm:us-east-1:123456789012:parameter/buildkite/shared-token'). If provided, this overrides the BuildkiteAgentToken field. Recommended for better security instead of hardcoding tokens in the template. Use cross-account ARNs to access SSM parameters shared via AWS RAM.
Allowed Pattern: ^$|^/$|^/[a-zA-Z0-9_.\-/]+$|^arn:aws:ssm\:[a-z0-9-]+\:[0-9]{12}:parameter/[a-zA-Z0-9_.\-/]+$
BuildkiteAgentTokenParameterStoreKMSKey
(String)
buildkite_agent_token_parameter_store_kms_key
(string)
Optional - AWS KMS key ID used to encrypt the SSM parameter.
BuildkiteQueue
(String)
buildkite_queue
(string)
Queue name that agents will use, targeted in pipeline steps using 'queue={value}'.
Default Value: default
Minimum Length: 1
AgentEndpoint
(String)
agent_endpoint
(string)
API endpoint URL for Buildkite agent communication. Most customers shouldn't need to change this unless using a custom endpoint agreed with the Buildkite team.
Default Value: https://agent.buildkite.com/v3

Signed Pipelines Configuration

CloudFormation parameter Terraform variable Description
PipelineSigningKMSKeyId
(String)
pipeline_signing_kms_key_id
(string)
Optional - Identifier or ARN of existing KMS key for pipeline signing. Leave blank to create a new key when PipelineSigningKMSKeySpec is specified.
PipelineSigningKMSKeySpec
(String)
pipeline_signing_kms_key_spec
(string)
Key specification for pipeline signing KMS key. Set to 'none' to disable pipeline signing, or 'ECC_NIST_P256' to enable with automatic key creation.
Allowed Values:
  • ECC_NIST_P256
  • none

Default Value: none
PipelineSigningKMSAccess
(String)
pipeline_signing_kms_access
(string)
Access permissions for pipeline signing. 'sign-and-verify' allows both operations, 'verify' restricts to verification only.
Allowed Values:
  • sign-and-verify
  • verify

Default Value: sign-and-verify
PipelineSigningVerificationFailureBehavior
(String)
pipeline_signing_verification_failure_behavior
(string)
The behavior when a job is received without a valid verifiable signature (without a signature, with an invalid signature, or with a signature that fails verification).
Allowed Values:
  • block
  • warn

Default Value: block
BuildkiteAgentSigningKeySSMParameter
(String)
pipeline_signing_jwks_parameter_store_path
(string)
Existing SSM Parameter Store path to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
Allowed Pattern: ^$|^/[a-zA-Z0-9_.\-/]+$
BuildkiteAgentSigningKeyID
(String)
pipeline_signing_jwks_key_id
(string)
The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
BuildkiteAgentVerificationKeySSMParameter
(String)
pipeline_verification_jwks_parameter_store_path
(string)
Existing SSM Parameter Store path to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
Allowed Pattern: ^$|^/[a-zA-Z0-9_.\-/]+$

Advanced Configuration

CloudFormation parameter Terraform variable Description
BuildkiteAgentRelease
(String)
buildkite_agent_release
(string)
Buildkite agent release channel to install. 'stable' = production-ready (recommended), 'beta' = pre-release with latest features, 'edge' = bleeding-edge development builds. Use 'stable' unless specific new features are required.
Allowed Values:
  • stable
  • beta
  • edge

Default Value: stable
BuildkiteAgentTags
(String)
buildkite_agent_tags
(string)
Additional tags to help target specific Buildkite agents in pipeline steps (comma-separated). Example: 'environment=production,docker=enabled,size=large'. Use these tags in pipeline steps with 'agents: { environment: production }'.
BuildkiteAgentTimestampLines
(String)
buildkite_agent_timestamp_lines
(bool)
Set to true to prepend timestamps to every line of output.
Allowed Values:
  • true
  • false

Default Value: false
BuildkiteAgentExperiments
(String)
buildkite_agent_experiments
(string)
Optional - Agent experiments to enable, comma delimited. See https://github.com/buildkite/agent/blob/-/EXPERIMENTS.md.
BuildkiteAgentEnableGitMirrors
(String)
buildkite_agent_enable_git_mirrors
(bool)
Enables Git mirrors in the agent.
Allowed Values:
  • true
  • false

Default Value: false
BuildkiteAgentTracingBackend
(String)
buildkite_agent_tracing_backend
(string)
Optional - The tracing backend to use for CI tracing. See https://buildkite.com/docs/agent/v3/tracing.
Allowed Values:
  • datadog
  • opentelemetry
BuildkiteAgentCancelGracePeriod
(Number)
buildkite_agent_cancel_grace_period
(number)
The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
Default Value: 60
Minimum Value: 1
BuildkiteAgentSignalGracePeriod
(Number)
buildkite_agent_signal_grace_period
(number)
The number of seconds given to a subprocess to handle being sent `cancel-signal`. After this period has elapsed, SIGKILL will be sent.
Default Value: -1
Minimum Value: -1
BuildkiteTerminateInstanceAfterJob
(String)
buildkite_terminate_instance_after_job
(bool)
Set to 'true' to terminate the instance after a job has completed.
Allowed Values:
  • true
  • false

Default Value: false
BuildkitePurgeBuildsOnDiskFull
(String)
buildkite_purge_builds_on_disk_full
(bool)
Set to 'true' to purge build directories as a last resort when disk space is critically low.
Allowed Values:
  • true
  • false

Default Value: false
BuildkiteAdditionalSudoPermissions
(String)
buildkite_additional_sudo_permissions
(string)
Optional - Comma-separated list of specific commands (full paths) that build jobs can run with sudo privileges. Include only commands essential for builds. Leave blank unless builds require specific system-level operations.
BuildkiteWindowsAdministrator
(String)
buildkite_windows_administrator
(bool)
Add buildkite-agent user to Windows Administrators group. This provides full system access for build jobs. Set to 'false' if builds don't require administrator privileges for additional security isolation.
Allowed Values:
  • true
  • false

Default Value: true
BuildkiteAgentScalerServerlessARN
(String)
buildkite_agent_scaler_serverless_arn
(string)
ARN of the Serverless Application Repository that hosts the buildkite-agent-scaler Lambda function. The scaler automatically manages Buildkite agent instances based on job queue demand. Repository must be public or shared with your AWS account. See https://aws.amazon.com/serverless/serverlessrepo/.
Default Value: arn:aws:serverlessrepo:us-east-1:172840064832:applications/buildkite-agent-scaler
BuildkiteAgentScalerVersion
(String)
buildkite_agent_scaler_version
(string)
Version of the buildkite-agent-scaler to use.
Default Value: 1.9.5
Allowed Pattern: ^(?:(?:[2-9]|[1-9]\d+)\.\d+\.\d+|1\.(?:[1-9]\d+\.\d+|9\.(?:[5-9]|[1-9]\d+)))$
EnableEC2LogRetentionPolicy
(String)
enable_ec2_log_retention_policy
(bool)
Enable automatic deletion of old EC2 logs to reduce CloudWatch storage costs. Disabled by default to preserve all logs. When enabled, EC2 logs older than EC2LogRetentionDays will be automatically deleted. This only affects EC2 instance logs (agents, system logs), not Lambda logs. WARNING: Enabling this on existing stacks will delete historical logs older than the retention period - this cannot be undone.
Allowed Values:
  • true
  • false

Default Value: false
EC2LogRetentionDays
(Number)
ec2_log_retention_days
(number)
The number of days to retain CloudWatch Logs for EC2 instances managed by the CloudWatch agent (Buildkite agents, system logs, etc).
Allowed Values:
  • 1
  • 3
  • 5
  • 7
  • 14
  • 30
  • 60
  • 90
  • 120
  • 150
  • 180
  • 365
  • 400
  • 545
  • 731
  • 1827
  • 3653

Default Value: 7
LogRetentionDays
(Number)
ec2_log_retention_days
(number)
The number of days to retain CloudWatch Logs for Lambda functions in the stack.
Allowed Values:
  • 1
  • 3
  • 5
  • 7
  • 14
  • 30
  • 60
  • 90
  • 120
  • 150
  • 180
  • 365
  • 400
  • 545
  • 731
  • 1827
  • 3653

Default Value: 1
BuildkiteAgentEnableGracefulShutdown
(String)
buildkite_agent_enable_graceful_shutdown
(bool)
Set to true to enable graceful shutdown of Buildkite agents when the ASG is updated with replacement. This allows ASGs to be removed in a timely manner during an in-place update of the Elastic CI Stack for AWS, and allows remaining Buildkite agents to finish jobs without interruptions.
Allowed Values:
  • true
  • false

Default Value: false
LambdaArchitecture
(String)
lambda_architecture
(string)
CPU architecture for Lambda functions (x86_64 or arm64). arm64 provides better price-performance but requires compatible dependencies.
Allowed Values:
  • x86_64
  • arm64

Default Value: x86_64

Network Configuration

CloudFormation parameter Terraform variable Description
VpcId
(String)
vpc_id
(string)
Optional - ID of an existing VPC to launch instances into. Leave blank to have a new VPC created.
Subnets
(CommaDelimitedList)
subnets
(list(string))
Optional - Comma-separated list of two existing VPC subnet IDs where EC2 instances will run. Required if setting VpcId.
AvailabilityZones
(CommaDelimitedList)
availability_zones
(string)
Optional - Comma separated list of AZs that subnets are created in (if Subnets parameter is not specified).
SecurityGroupIds
(String)
security_group_ids
(list(string))
Optional - Comma-separated list of security group IDs to assign to instances.
AssociatePublicIpAddress
(String)
associate_public_ip_address
(bool)
Give instances public IP addresses for direct internet access. Set to 'false' for a more isolated environment if the VPC has alternative outbound internet access configured.
Allowed Values:
  • true
  • false

Default Value: true

Instance Configuration

CloudFormation parameter Terraform variable Description
ImageId
(String)
image_id
(string)
Optional - Custom AMI to use for instances (must be based on the stack's AMI).
ImageIdParameter
(String)
image_id_parameter
(string)
Optional - Custom AMI SSM Parameter to use for instances (must be based on the stack's AMI).
InstanceOperatingSystem
(String)
instance_operating_system
(string)
The operating system to run on the instances.
Allowed Values:
  • linux
  • windows

Default Value: linux
InstanceTypes
(String)
instance_types
(string)
EC2 instance types to use (comma-separated, up to 25). The first type listed is preferred for OnDemand instances. Additional types improve Spot instance availability but make costs less predictable. Examples: 't3.large' for light workloads, 'm5.xlarge,m5a.xlarge' for CPU-intensive builds, 'c5.2xlarge,c5.4xlarge' for compute-heavy tasks.
Default Value: t3.large
Allowed Pattern: ^[\w-\.]+(,[\w-\.]*){0,24}$
Minimum Length: 1
CpuCredits
(String)
cpu_credits
(string)
Credit option for CPU usage of burstable instances. Sets the CreditSpecification.CpuCredits property in the LaunchTemplate for T-class instance types (t2, t3, t3a, t4g).
Allowed Values:
  • standard
  • unlimited

Default Value: unlimited
EnableInstanceStorage
(String)
enable_instance_storage
(bool)
Mount available NVMe Instance Storage at /mnt/ephemeral, and use it to store docker images and containers, and the build working directory. You must ensure that the instance types have instance storage available for this to have any effect. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-volumes.html
Allowed Values:
  • true
  • false

Default Value: false
MountTmpfsAtTmp
(String)
mount_tmpfs_at_tmp
(bool)
Controls the filesystem mounted at /tmp. By default, /tmp is a tmpfs (memory-backed filesystem). Disabling this causes /tmp to be stored in the root filesystem.
Allowed Values:
  • true
  • false

Default Value: true
AgentsPerInstance
(Number)
agents_per_instance
(number)
Number of Buildkite agents to start on each EC2 instance. NOTE: If an agent crashes or is terminated, it won't be automatically restarted, leaving fewer active agents on that instance. The ScaleInIdlePeriod parameter controls when the entire instance terminates (when all agents are idle), not individual agent restarts. Consider enabling ScalerEnableExperimentalElasticCIMode for better agent management, or use fewer agents per instance with more instances for high availability.
Default Value: 1
Minimum Value: 1
KeyName
(String)
key_name
(string)
Optional - SSH keypair used to access the Buildkite instances via ec2-user. Setting this will enable SSH ingress.
SecretsBucket
(String)
secrets_bucket
(string)
Optional - Name of an existing S3 bucket containing pipeline secrets (Created if left blank).
SecretsBucketRegion
(String)
secrets_bucket_region
(string)
Optional - Region for the SecretsBucket. If blank the bucket's region is dynamically discovered.
SecretsBucketEncryption
(String)
secrets_bucket_encryption
(bool)
Indicates whether the SecretsBucket should enforce encryption at rest and in transit.
Allowed Values:
  • true
  • false

Default Value: false
ArtifactsBucket
(String)
artifacts_bucket
(string)
Optional - Name of an existing S3 bucket for build artifact storage.
ArtifactsBucketRegion
(String)
artifacts_bucket_region
(string)
Optional - Region for the ArtifactsBucket. If blank the bucket's region is dynamically discovered.
ArtifactsS3ACL
(String)
artifacts_s3_acl
(string)
Optional - ACL to use for S3 artifact uploads.
Allowed Values:
  • private
  • public-read
  • public-read-write
  • authenticated-read
  • aws-exec-read
  • bucket-owner-read
  • bucket-owner-full-control

Default Value: private
AuthorizedUsersUrl
(String)
authorized_users_url
(string)
Optional - HTTPS or S3 URL to periodically download SSH authorized_keys from. Setting this will enable SSH ingress. The authorized_keys are applied to ec2-user.
BootstrapScriptUrl
(String)
bootstrap_script_url
(string)
Optional - URI for a script to run on each instance during boot. Supported URI schemes: S3 object URI (s3://bucket/key), HTTPS URL (https://example.com/script.sh), or local file path (file:///path/to/script).
AgentEnvFileUrl
(String)
agent_env_file_url
(string)
Optional - URI containing environment variables for the Buildkite agent process itself (not for builds). Supported URI schemes: S3 object URI (s3://bucket/key), SSM parameter path (ssm:/path/to/param), HTTPS URL (https://example.com/script.sh), or local file path (file:///path/to/script). These variables configure agent behavior like proxy settings or debugging options. For build environment variables, use pipeline 'env' configuration instead.
RootVolumeSize
(Number)
root_volume_size
(number)
Size of each instance's root EBS volume (in GB).
Default Value: 250
Minimum Value: 10
RootVolumeName
(String)
root_volume_name
(string)
Optional - Name of the root block device for the AMI.
RootVolumeType
(String)
root_volume_type
(string)
Type of root volume to use. If specifying `io1` or `io2`, specify `RootVolumeIOPS` as well for optimal performance. See https://docs.aws.amazon.com/ebs/latest/userguide/provisioned-iops.html for more details.
Default Value: gp3
RootVolumeEncrypted
(String)
root_volume_encrypted
(bool)
Indicates whether the EBS volume is encrypted.
Allowed Values:
  • true
  • false

Default Value: false
ManagedPolicyARNs
(CommaDelimitedList)
managed_policy_arns
(list(string))
Optional - Comma separated list of managed IAM policy ARNs to attach to the instance role.
InstanceRoleName
(String)
instance_role_name
(string)
Optional - A name for the IAM Role attached to the Instance Profile.
InstanceRolePermissionsBoundaryARN
(String)
instance_role_permissions_boundary_arn
(string)
Optional - The ARN of the policy used to set the permissions boundary for the role.
InstanceRoleTags
(String)
instance_role_tags
(string)
Optional - Comma-separated key=value pairs for instance IAM role tags (up to 5 tags). Example: 'Environment=production,Team=platform,Purpose=ci'. Note: Keys and values cannot contain '=' characters.
Allowed Pattern: ^$|^[\w\s_.\:/+\-@]+=[\w\s_.\:/+\-@]*(,[\w\s_.\:/+\-@]+=[\w\s_.\:/+\-@]*){0,4}$
IMDSv2Tokens
(String)
imdsv2_tokens
(string)
Security setting for EC2 instance metadata access. 'required' enforces secure token-based access (recommended for security), 'optional' allows both secure and legacy access methods. Use 'required' unless legacy applications require the older metadata service.
Allowed Values:
  • optional
  • required

Default Value: optional
EnableDetailedMonitoring
(String)
enable_detailed_monitoring
(bool)
Enable detailed EC2 monitoring.
Allowed Values:
  • true
  • false

Default Value: false
InstanceName
(String)
instance_name
(string)
Optional - Customize the EC2 instance Name tag.
ExperimentalEnableResourceLimits
(String)
experimental_enable_resource_limits
(bool)
Experimental - If true, enables systemd resource limits for the Buildkite agent. This helps prevent resource exhaustion by limiting CPU, memory, and I/O usage. Useful for shared instances running multiple agents or resource-intensive builds.
Allowed Values:
  • true
  • false

Default Value: false
ResourceLimitsMemoryHigh
(String)
resource_limits_memory_high
(string)
Experimental - Sets the MemoryHigh limit for the Buildkite agent slice. The value can be a percentage (e.g., '90%') or an absolute value (e.g., '4G').
Default Value: 90%
Allowed Pattern: ^(\d+([KkMmGgTt])?|(?:[1-9][0-9]?|100)%|infinity)$
ResourceLimitsMemoryMax
(String)
resource_limits_memory_max
(string)
Experimental - Sets the MemoryMax limit for the Buildkite agent slice. The value can be a percentage (e.g., '90%') or an absolute value (e.g., '4G').
Default Value: 90%
Allowed Pattern: ^(\d+([KkMmGgTt])?|(?:[1-9][0-9]?|100)%|infinity)$
ResourceLimitsMemorySwapMax
(String)
resource_limits_memory_swap_max
(string)
Experimental - Sets the MemorySwapMax limit for the Buildkite agent slice. The value can be a percentage (e.g., '90%') or an absolute value (e.g., '4G').
Default Value: 90%
Allowed Pattern: ^(\d+([KkMmGgTt])?|(?:[1-9][0-9]?|100)%|infinity)$
ResourceLimitsCPUWeight
(Number)
resource_limits_cpu_weight
(number)
Experimental - Sets the CPU weight for the Buildkite agent slice (1-10000, default 100). Higher values give more CPU time to the agent.
Default Value: 100
Minimum Value: 1
Maximum Value: 10000
ResourceLimitsCPUQuota
(String)
resource_limits_cpu_quota
(string)
Experimental - Sets the CPU quota for the Buildkite agent slice. Takes a percentage value, suffixed with "%".
Default Value: 90%
Allowed Pattern: ^\d+%$
ResourceLimitsIOWeight
(Number)
resource_limits_io_weight
(number)
Experimental - Sets the I/O weight for the Buildkite agent slice (1-10000, default 80). Higher values give more I/O bandwidth to the agent.
Default Value: 80
Minimum Value: 1
Maximum Value: 10000

Auto-scaling Configuration

CloudFormation parameter Terraform variable Description
MinSize
(Number)
min_size
(number)
Minimum number of instances. Ensures baseline capacity for immediate job execution.
Default Value: 0
Minimum Value: 0
MaxSize
(Number)
max_size
(number)
Maximum number of instances. Controls cost ceiling and prevents runaway scaling.
Default Value: 10
Minimum Value: 0
InstanceBuffer
(Number)
instance_buffer
(number)
Number of idle instances to keep running. Lower values save costs, higher values reduce wait times for new jobs.
Default Value: 0
OnDemandBaseCapacity
(Number)
on_demand_base_capacity
(number)
Specify how much On-Demand capacity the Auto Scaling group should have for its base portion before scaling by percentages. The maximum group size will be increased (but not decreased) to this value.
Default Value: 0
Minimum Value: 0
OnDemandPercentage
(Number)
on_demand_percentage
(number)
Percentage of instances to launch as OnDemand vs Spot instances. OnDemand instances provide guaranteed availability at higher cost. Spot instances offer 60-90% cost savings but may be interrupted by AWS. Use 100% for critical workloads, lower values when jobs can handle unexpected instance interruptions.
Default Value: 100
Minimum Value: 0
Maximum Value: 100
SpotAllocationStrategy
(String)
spot_allocation_strategy
(string)
Strategy for selecting Spot instance types to minimize interruptions and costs. 'capacity-optimized' (recommended) chooses types with the most available capacity. 'price-capacity-optimized' balances low prices with availability. 'lowest-price' prioritizes cost savings. 'capacity-optimized-prioritized' follows InstanceTypes order while optimizing for capacity.
Allowed Values:
  • price-capacity-optimized
  • capacity-optimized
  • lowest-price
  • capacity-optimized-prioritized

Default Value: capacity-optimized
ScaleOutFactor
(Number)
scale_out_factor
(number)
Multiplier for scale-out speed. Values higher than 1.0 create instances more aggressively, values lower than 1.0 more conservatively. Use higher values for time-sensitive workloads, lower values to control costs.
Default Value: 1.0
ScaleInIdlePeriod
(Number)
scale_in_idle_period
(number)
Number of seconds ALL agents on an instance must be idle before the instance is terminated. When all AgentsPerInstance agents are idle for this duration, the entire instance is terminated, not individual agents. This parameter controls instance-level scaling behavior.
Default Value: 600
ScaleOutForWaitingJobs
(String)
scale_out_for_waiting_jobs
(bool)
Scale up instances for pipeline steps queued behind manual approval or wait steps. When enabled, the scaler will provision instances even when jobs can't start immediately due to pipeline waits. Ensure ScaleInIdlePeriod is long enough to keep instances running during wait periods.
Allowed Values:
  • true
  • false

Default Value: false
InstanceCreationTimeout
(String)
instance_creation_timeout
(string)
Optional - Timeout period for Auto Scaling Group Creation Policy.
ScalerEventSchedulePeriod
(String)
scaler_event_schedule_period
(string)
How often the Event Schedule for buildkite-agent-scaler is triggered. Should be an expression with units. Example: '30 seconds', '1 minute', '5 minutes'.
Default Value: 1 minute
ScalerMinPollInterval
(String)
scaler_min_poll_interval
(string)
Minimum time between auto-scaler checks for new build jobs (e.g., '30s', '1m').
Default Value: 10s
ScalerEnableExperimentalElasticCIMode
(String)
scaler_enable_elastic_ci_mode
(bool)
Experimental - Enable the Elastic CI Mode with enhanced features like graceful termination and dangling instance detection. Available since BuildkiteAgentScalerVersion 1.9.3.
Allowed Values:
  • true
  • false

Default Value: false
EnableScheduledScaling
(String)
enable_scheduled_scaling
(bool)
Enable scheduled scaling to automatically adjust MinSize based on time-based schedules.
Allowed Values:
  • true
  • false

Default Value: false
ScheduleTimezone
(String)
schedule_timezone
(string)
Timezone for scheduled scaling actions (only used when EnableScheduledScaling is true). See AWS documentation for supported formats: https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html#scheduled-scaling-timezone. Examples: America/New_York, UTC, Europe/London.
Default Value: UTC
ScaleUpSchedule
(String)
scale_up_schedule
(string)
Cron expression for when to scale up (only used when EnableScheduledScaling is true). See AWS documentation for format details: https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html#scheduled-scaling-cron. Example: "0 8 * * MON-FRI" for 8 AM weekdays.
Default Value: 0 8 * * MON-FRI
Allowed Pattern: ^[0-9*,-/]+ [0-9*,-/]+ [0-9*,-/]+ [0-9*,-/]+ [0-9A-Za-z*,-/]+$
ScaleUpMinSize
(Number)
scale_up_min_size
(number)
MinSize to set when the ScaleUpSchedule is triggered (applied at the time specified in ScaleUpSchedule, only used when EnableScheduledScaling is true). Cannot exceed MaxSize.
Default Value: 1
Minimum Value: 0
ScaleDownSchedule
(String)
scale_down_schedule
(string)
Cron expression for when to scale down (only used when EnableScheduledScaling is true). See AWS documentation for format details: https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html#scheduled-scaling-cron. Example: "0 18 * * MON-FRI" for 6 PM weekdays.
Default Value: 0 18 * * MON-FRI
Allowed Pattern: ^[0-9*,-/]+ [0-9*,-/]+ [0-9*,-/]+ [0-9*,-/]+ [0-9A-Za-z*,-/]+$
ScaleDownMinSize
(Number)
scale_down_min_size
(number)
MinSize to set when the ScaleDownSchedule is triggered (applied at the time specified in ScaleDownSchedule, only used when EnableScheduledScaling is true).
Default Value: 0
Minimum Value: 0

Cost Allocation Configuration

CloudFormation parameter Terraform variable Description
EnableCostAllocationTags
(String)
enable_cost_allocation_tags
(bool)
Enables AWS Cost Allocation tags for all resources in the stack. See https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html.
Allowed Values:
  • true
  • false

Default Value: false
CostAllocationTagName
(String)
cost_allocation_tag_name
(string)
The name of the Cost Allocation Tag used for billing purposes.
Default Value: CreatedBy
CostAllocationTagValue
(String)
cost_allocation_tag_value
(string)
The value of the Cost Allocation Tag used for billing purposes.
Default Value: buildkite-elastic-ci-stack-for-aws

Docker Daemon Configuration

CloudFormation parameter Terraform variable Description
EnableDockerUserNamespaceRemap
(String)
enable_docker_user_namespace_remap
(bool)
Enables Docker user namespace remapping so docker runs as buildkite-agent.
Allowed Values:
  • true
  • false

Default Value: true
EnableDockerExperimental
(String)
enable_docker_experimental
(bool)
Enables Docker experimental features.
Allowed Values:
  • true
  • false

Default Value: false

Docker Networking Configuration

CloudFormation parameter Terraform variable Description
DockerNetworkingProtocol
(String)
docker_networking_protocol
(string)
Which IP version to enable for docker containers and building docker images. Only applies to Linux instances, not Windows.
Allowed Values:
  • ipv4
  • dualstack

Default Value: ipv4
DockerIPv4AddressPool1
(String)
docker_ipv4_address_pool_1
(string)
Primary IPv4 CIDR block for Docker default address pools. Must not conflict with host network or VPC CIDR. Only applies to Linux instances, not Windows.
Default Value: 172.17.0.0/12
Allowed Pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(?:[0-9]|[12][0-9]|3[0-2])$
DockerIPv4AddressPool2
(String)
docker_ipv4_address_pool_2
(string)
Secondary IPv4 CIDR block for Docker default address pools. Only applies to Linux instances, not Windows.
Default Value: 192.168.0.0/16
Allowed Pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(?:[0-9]|[12][0-9]|3[0-2])$
DockerIPv6AddressPool
(String)
docker_ipv6_address_pool
(string)
IPv6 CIDR block for Docker default address pools in dualstack mode. Only applies to Linux instances, not Windows.
Default Value: 2001:db8:2::/104
Allowed Pattern: ^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:))\/(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$
DockerFixedCidrV4
(String)
docker_fixed_cidr_v4
(string)
Optional IPv4 CIDR block for Docker's fixed-cidr option. Restricts the IP range Docker uses for container networking on the default bridge. Must be a subset of the first pool in DockerIPv4AddressPool1 (Docker allocates docker0 from the first pool). Leave empty to disable. Useful to prevent conflicts with external services like databases. Only applies to Linux instances, not Windows.
Allowed Pattern: ^$|^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(?:[0-9]|[12][0-9]|3[0-2])$
DockerFixedCidrV6
(String)
docker_fixed_cidr_v6
(string)
IPv6 CIDR block for Docker's fixed-cidr-v6 option in dualstack mode. Restricts the IP range Docker uses for IPv6 container networking. Only applies to Linux instances in dualstack mode, not Windows.
Default Value: 2001:db8:1::/64
Allowed Pattern: ^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:))\/(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$

Docker Registry Configuration

CloudFormation parameter Terraform variable Description
ECRAccessPolicy
(String)
ecr_access_policy
(string)
Docker image registry permissions for agents. 'none' = no access, 'readonly' = pull images only, 'poweruser' = pull/push images, 'full' = complete ECR access. The '-pullthrough' variants (e.g., 'readonly-pullthrough') add permissions to enable automatic caching of public Docker images, reducing pull times and bandwidth costs.
Allowed Values:
  • none
  • readonly
  • readonly-pullthrough
  • poweruser
  • poweruser-pullthrough
  • full

Default Value: none

Plugin Configuration

CloudFormation parameter Terraform variable Description
EnableSecretsPlugin
(String)
enable_secrets_plugin
(bool)
Enables S3 Secrets plugin for all pipelines.
Allowed Values:
  • true
  • false

Default Value: true
EnableECRPlugin
(String)
enable_ecr_plugin
(bool)
Enables ECR plugin for all pipelines.
Allowed Values:
  • true
  • false

Default Value: true
EnableECRCredentialHelper
(String)
enable_ecr_credential_helper
(bool)
Enable Amazon ECR Credential Helper in ECR plugin for Docker authentication.
Allowed Values:
  • true
  • false

Default Value: false
EnableDockerLoginPlugin
(String)
enable_docker_login_plugin
(bool)
Enables docker-login plugin for all pipelines.
Allowed Values:
  • true
  • false

Default Value: true
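
Auditing a parameter set

Several defaults in the tables above trade isolation for convenience (IMDSv2Tokens, AssociatePublicIpAddress, RootVolumeEncrypted, SecretsBucketEncryption, pipeline signing). The following is an added example, not part of the Elastic CI Stack or its documentation: a Python check that reads a CloudFormation parameters file (a JSON list of ParameterKey/ParameterValue entries), fills in the defaults listed on this page, and reports the security-relevant settings. The function names, rule wording and sample values are assumptions made for illustration.

```python
import json
import re

# Defaults copied from the tables on this page. Parameters the page lists
# without a default are assumed (assumption) to be blank when omitted.
DEFAULTS = {
    "BuildkiteAgentToken": "",
    "BuildkiteAgentTokenParameterStorePath": "",
    "PipelineSigningKMSKeyId": "",
    "PipelineSigningKMSKeySpec": "none",
    "PipelineSigningVerificationFailureBehavior": "block",
    "BuildkiteAgentSigningKeySSMParameter": "",
    "BuildkiteAgentVerificationKeySSMParameter": "",
    "InstanceOperatingSystem": "linux",
    "BuildkiteWindowsAdministrator": "true",
    "AssociatePublicIpAddress": "true",
    "IMDSv2Tokens": "optional",
    "RootVolumeEncrypted": "false",
    "SecretsBucketEncryption": "false",
    "ArtifactsS3ACL": "private",
    "KeyName": "",
    "AuthorizedUsersUrl": "",
}

# Allowed Pattern for BuildkiteAgentTokenParameterStorePath, as given on this page.
TOKEN_PATH_RE = re.compile(
    r"^$|^/$|^/[a-zA-Z0-9_.\-/]+$"
    r"|^arn:aws:ssm:[a-z0-9-]+:[0-9]{12}:parameter/[a-zA-Z0-9_.\-/]+$"
)


def signing_configured(p):
    """True if any of the signing-related parameters on this page is set."""
    return bool(
        p["PipelineSigningKMSKeySpec"] != "none"
        or p["PipelineSigningKMSKeyId"]
        or p["BuildkiteAgentSigningKeySSMParameter"]
        or p["BuildkiteAgentVerificationKeySSMParameter"]
    )


# Each rule: (parameter, predicate over the merged parameters, finding text).
RULES = [
    ("BuildkiteAgentTokenParameterStorePath",
     lambda p: not TOKEN_PATH_RE.match(p["BuildkiteAgentTokenParameterStorePath"]),
     "value does not match the Allowed Pattern"),
    ("BuildkiteAgentToken", lambda p: p["BuildkiteAgentToken"] != "",
     "token is hardcoded in the parameters; use BuildkiteAgentTokenParameterStorePath"),
    ("PipelineSigningKMSKeySpec", lambda p: not signing_configured(p),
     "pipeline signing is not configured"),
    ("PipelineSigningVerificationFailureBehavior",
     lambda p: signing_configured(p)
     and p["PipelineSigningVerificationFailureBehavior"] == "warn",
     "jobs that fail signature verification are not blocked"),
    ("IMDSv2Tokens", lambda p: p["IMDSv2Tokens"] != "required",
     "legacy (tokenless) instance metadata access is still allowed"),
    ("BuildkiteWindowsAdministrator",
     lambda p: p["InstanceOperatingSystem"] == "windows"
     and p["BuildkiteWindowsAdministrator"] == "true",
     "build jobs run with full administrator access"),
    ("AssociatePublicIpAddress", lambda p: p["AssociatePublicIpAddress"] == "true",
     "instances receive public IP addresses"),
    ("RootVolumeEncrypted", lambda p: p["RootVolumeEncrypted"] != "true",
     "root EBS volume is not encrypted"),
    ("SecretsBucketEncryption", lambda p: p["SecretsBucketEncryption"] != "true",
     "secrets bucket does not enforce encryption at rest and in transit"),
    ("ArtifactsS3ACL",
     lambda p: p["ArtifactsS3ACL"] in {"public-read", "public-read-write"},
     "artifact uploads are publicly accessible"),
    ("KeyName", lambda p: p["KeyName"] != "", "setting this enables SSH ingress"),
    ("AuthorizedUsersUrl", lambda p: p["AuthorizedUsersUrl"] != "",
     "setting this enables SSH ingress"),
]


def load_parameters(json_text):
    """Parse a CloudFormation parameters file into {key: value}, applying defaults."""
    params = dict(DEFAULTS)
    for entry in json.loads(json_text):
        params[entry["ParameterKey"]] = str(entry["ParameterValue"])
    return params


def audit(params):
    """Return (parameter, finding) tuples for every rule that fires."""
    return [(name, text) for name, fires, text in RULES if fires(params)]


# Constructed sample inputs (not real tokens, paths or accounts).
SAMPLE_DEFAULT_STACK = json.dumps([
    {"ParameterKey": "BuildkiteAgentToken", "ParameterValue": "EXAMPLE-NOT-A-REAL-TOKEN"},
])
SAMPLE_HARDENED_STACK = json.dumps([
    {"ParameterKey": "BuildkiteAgentTokenParameterStorePath",
     "ParameterValue": "/buildkite/agent-token"},
    {"ParameterKey": "PipelineSigningKMSKeySpec", "ParameterValue": "ECC_NIST_P256"},
    {"ParameterKey": "IMDSv2Tokens", "ParameterValue": "required"},
    {"ParameterKey": "AssociatePublicIpAddress", "ParameterValue": "false"},
    {"ParameterKey": "RootVolumeEncrypted", "ParameterValue": "true"},
    {"ParameterKey": "SecretsBucketEncryption", "ParameterValue": "true"},
])

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT_STACK), ("hardened", SAMPLE_HARDENED_STACK)):
        for name, text in audit(load_parameters(sample)):
            print(f"[{label}] {name}: {text}")
```

Setting AssociatePublicIpAddress to false assumes the VPC has alternative outbound internet access configured, as the parameter description notes.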