-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsubstrate.yaml.example
More file actions
134 lines (121 loc) · 4.83 KB
/
Copy pathsubstrate.yaml.example
File metadata and controls
134 lines (121 loc) · 4.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# substrate.yaml.example — copy to substrate.yaml and adjust as needed.
#
# All fields can also be set via environment variables prefixed with SUBSTRATE_.
# Example: SUBSTRATE_SERVER_ADDRESS=":4566"
server:
# TCP address to listen on. Use 0.0.0.0:4566 to bind all interfaces.
address: ":4566"
read_timeout: "30s"
write_timeout: "30s"
shutdown_timeout: "10s"
# HTTP path for the liveness health endpoint (always returns 200).
health_path: "/health"
# HTTP path for the readiness endpoint (lists registered plugins).
ready_path: "/ready"
event_store:
# Set to false to disable the event log (not recommended for testing use cases).
enabled: true
# Storage backend: "memory" (default), "sqlite" (persistent), or "file" (NDJSON).
backend: "memory"
# Path used by the sqlite and file backends (directory for file, prefix for sqlite).
# persist_path: "/var/lib/substrate"
# SQLite data source name (relative to persist_path when set). Default: substrate.db
# dsn: "substrate.db"
# Maximum NDJSON file size in MB before rotation (0 = no rotation, file backend only).
# max_file_size_mb: 100
log:
# Log level: debug | info | warn | error
level: "info"
# Log format: text (human-readable) | json (structured, for log aggregation)
format: "text"
# Quota enforcement — token-bucket rate limits per service / operation.
# Operation-specific rules (e.g. "iam/CreateUser") take precedence over
# service-level rules (e.g. "iam"). Omitting rules uses built-in AWS defaults.
quotas:
enabled: true
# rules:
# iam: { rate: 100, burst: 100 }
# iam/CreateUser: { rate: 20, burst: 20 }
# sts: { rate: 100, burst: 100 }
# sts/AssumeRole: { rate: 50, burst: 50 }
# Eventual-consistency simulation.
# When enabled, reads to a recently mutated resource within propagation_delay
# return HTTP 409 InconsistentStateException. Disabled by default to preserve
# backward compatibility with tests that do write → immediate read.
consistency:
enabled: false
propagation_delay: "2s"
affected_services:
- "iam"
# Credential registry for multi-account isolation and SigV4 signature verification.
# When enabled, every incoming request must carry a valid AWS4-HMAC-SHA256 Authorization
# header signed with a key registered here. Omitting this section disables both credential
# resolution and signature verification (all requests are accepted, backward-compatible default).
credentials:
# Set to true to enable SigV4 signature verification.
# enabled: true
# Static credentials. Production deployments can load these from Secrets Manager or env vars.
# entries:
# - access_key_id: "AKIAEXAMPLE00000001"
# secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# account_id: "111122223333"
# Cross-service IAM authorization.
# When enabled, every request whose caller principal has been resolved via the credential
# registry is checked against that principal's attached managed policies, inline policies,
# and permission boundary before the request reaches the plugin layer.
auth:
# Set to true to enable cross-service IAM enforcement.
# enabled: true
# Per-request cost estimation.
# Built-in table: IAM/STS=$0, s3/PutObject=$0.000005, s3/GetObject=$0.0000004,
# dynamodb/GetItem=$0.00000025, lambda/Invoke=$0.0000002. Add overrides below.
costs:
enabled: true
# overrides:
# "s3/PutObject": 0.000006
# Prometheus metrics endpoint.
# Exposes substrate_requests_total, substrate_cost_usd_total, and other
# operational counters in Prometheus text-format v0.0.4.
metrics:
enabled: false
# path: "/metrics"
# Cost forecasting and anomaly detection.
# Uses linear regression on historical daily costs to project future spend.
forecast:
enabled: false
# window_days: 30
# horizon_days: 7
# anomaly_threshold_sigma: 2.0
# alert_thresholds:
# s3: 10.00
# lambda: 5.00
# OpenTelemetry distributed tracing.
# Emits spans for every AWS API request through the Substrate pipeline.
tracing:
enabled: false
# exporter: "noop" # choices: noop | stdout | otlp_http
# otlp_endpoint: "http://localhost:4318"
# service_name: "substrate"
# Fault injection — inject errors or latency into the request pipeline.
# Rules are evaluated in order; the first matching rule fires. Disabled by default.
fault:
enabled: false
# rules:
# - service: "s3"
# operation: "PutObject"
# fault_type: "error"
# error_code: "InternalError"
# http_status: 500
# probability: 0.05 # fire on 5% of matching requests
# - service: "dynamodb"
# fault_type: "latency"
# latency_ms: 200
# probability: 0.10
# Multi-region routing and resource isolation.
# When allowed is non-empty, requests targeting regions not in the list are
# rejected with 400 InvalidClientTokenId.
region:
default: "us-east-1"
# allowed:
# - "us-east-1"
# - "us-west-2"