Infisical is a secrets and config manager. It has an open source version that can cover a lot of your use cases.
Among the available open source solutions it also stands out with a beautiful interface and with more features that are not held back in the Open Source version, which I think is amazing.
With this Terraform module you can set up an Infisical instance in AWS using ECS + Aurora Postgres Serverless.
ECS + Aurora Postgres Serverless
```hcl
module "infisical" {
  # Pin `ref` to a release tag or commit SHA rather than a branch: `main` is a
  # mutable reference, so the module code you apply can change underneath you.
  source = "git@github.com:lays147/terraform-infisical.git?ref=main"

  tags = {}

  networking = {
    vpc_id                          = ""
    subnets_ids                     = ""
    load_balancer_arn               = "" # existing ALB; the module adds a rule to its 443 listener
    load_balancer_security_group_id = ""
  }

  dns = {
    route_53_zone_id = "" # hosted zone in which the Infisical record is created
  }

  ecs = {
    cluster_arn = ""
    infisical = {
      image = ""
    }
  }
}
```
When setting up this module for the first time, the variable `run_infisical_migrations` must be `true`,
otherwise Infisical will not start. Once the migrations have run, set the variable back to `false`
and apply again; the server will then start normally.
- Clone or fork this repository
- Install pre-commit
- Make your changes
- Open a PR =)
- The Postgres configuration is hard coded to the "13.12" Aurora Serverless version. If you plan to use Infisical heavily, it is recommended to migrate the database to a provisioned RDS instance. Feel free to contribute to this module to support both RDS and Serverless.
- The Redis instance runs as a sidecar together with the main container in the same task definition. The memory and CPU of the ECS service are shared between the Redis and the Infisical container.
- The Redis instance does not have a password configured. Because it is a sidecar, it is reachable through the task's network interface, so make sure the service security group does not allow inbound traffic on port 6379.
- The Postgres connection uses the admin user and password. This is not the best scenario, but the module can be edited to take a dedicated application user and password as inputs. You can check this series of blog posts to see how to manage an RDS instance with Terraform + Ansible.
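The caveats above are the things a reviewer would check in the task definition the module registers. The following audit script is an added example, not code from this module or from Infisical: it runs over a constructed task definition (the shape `aws ecs describe-task-definition` returns) and flags secret material passed as plaintext `environment` entries instead of `secrets` backed by SSM, a `REDIS_URL` without a password, and a Redis sidecar started without `--requirepass`. The variable names `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI` and `REDIS_URL` are assumed from Infisical's self-hosting documentation, and the ARNs and account id in the samples are placeholders.

```python
"""Audit an ECS task definition for plaintext secrets and an unauthenticated Redis sidecar."""
import json
import sys
from urllib.parse import urlparse

# Assumption: these are the environment variables Infisical reads its secret
# material from (per Infisical's self-hosting docs, not this module's README).
SENSITIVE_ENV = {"ENCRYPTION_KEY", "AUTH_SECRET", "DB_CONNECTION_URI"}
SECRET_STORE_PREFIXES = ("arn:aws:ssm:", "arn:aws:secretsmanager:")


def is_redis(container: dict) -> bool:
    """Treat any container whose image name contains 'redis' as the sidecar."""
    return "redis" in container.get("image", "").lower()


def audit_task_definition(task_def: dict) -> list[str]:
    """Return one finding per problem found; an empty list means the definition is clean."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        env = {e["name"]: e.get("value", "") for e in c.get("environment", [])}

        # 1. Secret material must arrive via `secrets` (valueFrom = SSM / Secrets Manager).
        #    Plaintext `environment` entries are visible to anyone who can describe the task.
        for var in sorted(set(env) & SENSITIVE_ENV):
            findings.append(f"{name}: {var} is a plaintext environment variable; "
                            "move it to `secrets` with valueFrom pointing at an SSM parameter")
        for s in c.get("secrets", []):
            if not s.get("valueFrom", "").startswith(SECRET_STORE_PREFIXES):
                findings.append(f"{name}: secret {s.get('name')} does not reference SSM or Secrets Manager")

        # 2. A REDIS_URL without credentials means the sidecar accepts any client that
        #    can reach it (in awsvpc mode: whatever the task security group lets in).
        if "REDIS_URL" in env and urlparse(env["REDIS_URL"]).password is None:
            findings.append(f"{name}: REDIS_URL carries no password")

        # 3. The Redis sidecar itself must demand AUTH. The flag may sit inside a
        #    `sh -c` string, so search each command element rather than the list.
        if is_redis(c):
            cmd = c.get("command") or []
            if not any("--requirepass" in part for part in cmd):
                findings.append(f"{name}: redis sidecar starts without --requirepass")
    return findings


def ssm(param: str) -> str:
    """Placeholder SSM parameter ARN for the constructed samples below."""
    return f"arn:aws:ssm:us-east-1:123456789012:parameter/infisical/{param}"


# Constructed sample: secrets mixed into `environment`, Redis open to anyone who can reach it.
INSECURE_TASK_DEF = {
    "containerDefinitions": [
        {
            "name": "infisical",
            "image": "infisical/infisical:latest",
            "environment": [
                {"name": "AUTH_SECRET", "value": "placeholder-auth-secret"},
                {"name": "REDIS_URL", "value": "redis://localhost:6379"},
            ],
            "secrets": [
                {"name": "ENCRYPTION_KEY", "valueFrom": ssm("encryption_key")},
                {"name": "DB_CONNECTION_URI", "valueFrom": ssm("postgres")},
            ],
        },
        {"name": "redis", "image": "redis:7", "command": ["redis-server"]},
    ]
}

# Constructed sample: every secret comes from SSM, Redis requires the same password
# that is embedded in the REDIS_URL parameter (redis://:<password>@localhost:6379).
HARDENED_TASK_DEF = {
    "containerDefinitions": [
        {
            "name": "infisical",
            "image": "infisical/infisical:latest",
            "environment": [],
            "secrets": [
                {"name": "ENCRYPTION_KEY", "valueFrom": ssm("encryption_key")},
                {"name": "AUTH_SECRET", "valueFrom": ssm("auth_secret")},
                {"name": "DB_CONNECTION_URI", "valueFrom": ssm("postgres")},
                {"name": "REDIS_URL", "valueFrom": ssm("redis_url")},
            ],
        },
        {
            "name": "redis",
            "image": "redis:7",
            "secrets": [{"name": "REDIS_PASSWORD", "valueFrom": ssm("redis_password")}],
            "command": ["sh", "-c", 'exec redis-server --requirepass "$REDIS_PASSWORD"'],
        },
    ]
}


if __name__ == "__main__":
    # Usage: aws ecs describe-task-definition --task-definition <family> > td.json; python audit.py td.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
        task_def = doc.get("taskDefinition", doc)
    else:
        task_def = INSECURE_TASK_DEF
    for finding in audit_task_definition(task_def) or ["no findings"]:
        print(finding)
```

Note that in `awsvpc` network mode the sidecar listens on the task's ENI whether or not port 6379 appears in `portMappings`, so the task definition alone cannot tell you whether Redis is reachable from the VPC; that part of the check belongs to the service security group.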
Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.6 |
| aws | >= 5.0 |
| random | 3.5.1 |
Providers

| Name | Version |
|---|---|
| aws | 5.40.0 |
| random | 3.5.1 |
Modules

| Name | Source | Version |
|---|---|---|
| aurora_postgresql_v2 | terraform-aws-modules/rds-aurora/aws | ~>v9.2.1 |
| ecs_service | terraform-aws-modules/ecs/aws//modules/service | v5.10.0 |
Resources

| Name | Type |
|---|---|
| aws_ecr_pull_through_cache_rule.this | resource |
| aws_ecr_repository.this | resource |
| aws_lb_listener_rule.this | resource |
| aws_lb_target_group.this | resource |
| aws_route53_record.this | resource |
| aws_security_group_rule.elb-egress | resource |
| aws_ssm_parameter.auth_secret | resource |
| aws_ssm_parameter.encryption_key | resource |
| aws_ssm_parameter.postgres | resource |
| random_id.auth_secret | resource |
| random_id.encryption_key | resource |
| random_password.this | resource |
| aws_lb.this | data source |
| aws_lb_listener.selected443 | data source |
| aws_rds_engine_version.postgresql | data source |
| aws_route53_zone.this | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| dns | DNS Configuration | object({...}) | n/a | yes |
| ecr_use_pull_through_cache | Cache Infisical image to ECR from Docker Hub | object({...}) | {...} | no |
| ecs | ECS Configuration | object({...}) | n/a | yes |
| networking | Network configuration | object({...}) | n/a | yes |
| postgres | Postgres Configuration | object({...}) | {...} | no |
| run_infisical_migrations | Run database migrations | bool | false | no |
| tags | Tags to use | map(string) | {} | no |
Outputs

| Name | Description |
|---|---|
| infisical_dns | Infisical DNS |