Webapp Infrastructure for Formbricks

This Terraform module provisions the AWS infrastructure to host Formbricks webapp containers as an ECS Fargate workload.

Resources Created

  • ECS Service:
    • Maintains a consistent running state of two tasks.
    • Task execution IAM roles facilitate secure access to Secrets Manager.
    • CloudMap registration for service discovery via DNS.
  • ECS Tasks:
    • Deployed within private subnets for enhanced security.
  • Application Load Balancer (ALB):
  • Task Security Group:
    • Enables container access (port 3000) from the ALB security group with full egress permissions.

Sharing Secrets with ECS Task Containers

The Formbricks Docker container requires sensitive configuration details, which it reads from environment variables. These are the essential ones:

  • DATABASE_URL: Connection details for your database.
  • NEXTAUTH_SECRET: Used for secure authentication processes.
  • ENCRYPTION_KEY: A key used for data encryption.

Formbricks documentation provides further details: https://formbricks.com/docs/self-hosting/external-auth-providers

Methods for Sharing Secrets with ECS Tasks (Containers):

1. Environment Variables in Task Definition (Ideal for Quick Setup and Non-Production Workloads)

2. Using AWS Secrets Manager (Recommended for Production Environments)

  • Disable the use of environment variables in the container task definition, so that sensitive information isn't passed directly through environment variables.
  • Set up Secrets Manager.
  • Store values for the following secrets: DATABASE_URL, NEXTAUTH_SECRET and ENCRYPTION_KEY. After storing the secret, it would look something like this.
  • Modify the Terraform Code:
    • Update the Terraform variables file (variables.tf) to accept the ARNs (Amazon Resource Names) of the secrets as input.
    • Configure the ecs_module Terraform code (main.tf) with the following:
      • Grant the IAM role the necessary permissions to read the specified secrets from Secrets Manager.
      • Pass the secrets' ARNs as input to the container task definition.
    • Create a new tfvars file called secrets_manager_data.tfvars similar to sample_secrets_manager_data.tfvars. Update the ARN for your secrets in the file.
    • During Terraform apply phase, pass the secrets information as follows:
      terraform apply -var-file=secrets_manager_data.tfvars
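
A minimal Terraform sketch of the two main.tf changes listed above, added here as an illustration and not taken from this module's code. All resource names, the `secret_arns` and `container_image` variables, and the CPU and memory sizes are assumptions.

```hcl
# Hypothetical names throughout; the module's real variables.tf and main.tf may differ.
variable "secret_arns" {
  type        = map(string) # keys: DATABASE_URL, NEXTAUTH_SECRET, ENCRYPTION_KEY
  description = "Secrets Manager ARNs keyed by the env var name the container expects"
}
variable "container_image" { type = string } # image reference is not given on this page

# Task execution role: ECS assumes it to fetch the secrets before the container starts.
resource "aws_iam_role" "execution" {
  name = "formbricks-task-execution" # constructed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

# Least privilege: read access to exactly the listed secrets, never "*".
resource "aws_iam_role_policy" "read_secrets" {
  name = "read-formbricks-secrets" # constructed name
  role = aws_iam_role.execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = values(var.secret_arns)
    }]
  })
}

resource "aws_ecs_task_definition" "webapp" {
  family                   = "formbricks-webapp" # constructed name
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "512"
  memory                   = "1024"
  execution_role_arn       = aws_iam_role.execution.arn
  container_definitions = jsonencode([{
    name         = "formbricks"
    image        = var.container_image
    portMappings = [{ containerPort = 3000 }]
    # "secrets" instead of "environment": the task definition stores only ARNs.
    secrets = [for name, arn in var.secret_arns : { name = name, valueFrom = arn }]
  }])
}
```

A real execution role usually also needs the permissions for pulling the image and writing logs, which this sketch omits. If the secrets are encrypted with a customer managed KMS key, the role needs `kms:Decrypt` on that key as well.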

Deployment

  1. Prerequisites

    • Terraform installed on your system.
    • Valid AWS credentials configured (via env variables, profile, etc.).
    • Deployed core-infra for Formbricks.
    • Change directory to terraform/webapp-formbricks
  2. Set AWS Credentials

    export AWS_ACCESS_KEY_ID=your_access_key
    export AWS_SECRET_ACCESS_KEY=your_secret_key
  3. Initialize Terraform

    terraform init
  4. Generate Security Keys

    Use the following command to generate values for NEXTAUTH_SECRET and ENCRYPTION_KEY.

    openssl rand -hex 32

    Note: Use different values for NEXTAUTH_SECRET and ENCRYPTION_KEY.

  5. Review and Apply Changes (choose either environment variables or Secrets Manager)
    Using Environment Variables:

    terraform apply -var "DATABASE_URL=your_db_connection_string" \
                    -var "NEXTAUTH_SECRET=your_nextauth_secret" \
                    -var "ENCRYPTION_KEY=your_encryption_key"

    Using Secrets Manager:

    terraform apply -var-file=secrets_manager_data.tfvars
  6. Output

    On successful deployment, Terraform outputs the application URL, which you can use to interact with your Formbricks application.

Cleanup

To destroy the AWS resources created by this module, use:

terraform destroy