Infisical is a secrets and config manager. It has an open source version that could fit many of your use cases.
Besides, among the available open source solutions, Infisical has a beautiful interface and more features, and the Open Source version doesn't limit you, which I think is amazing.
With this Terraform module you can set up an Infisical vault in AWS using the ECS + Postgres setup.
ECS + Aurora Postgres Serverless
```hcl
module "infisical" {
  source = "git@github.com:lays147/terraform-infisical.git?ref=main"
  tags   = {}
  networking = {
    vpc_id                          = ""
    subnets_ids                     = ""
    load_balancer_arn               = ""
    load_balancer_security_group_id = ""
  }
  dns = {
    route_53_zone_id = ""
  }
  ecs = {
    cluster_arn = ""
    infisical = {
      image = ""
    }
  }
}
```

When setting up this module for the first time, the variable `run_infisical_migrations` must be `true`, otherwise Infisical will not start. After the migrations have run, you can set this variable to `false` and the server will be able to start.
- Clone/Fork this repository
- Install pre-commit
- Write your changes
- Open a PR =)
- The Postgres configuration is hard coded to use the "13.12" Aurora Serverless version. If you plan to have heavy use of Infisical, it's recommended to migrate the database to RDS. Feel free to contribute to this module to support RDS and Serverless.
- The Redis instance runs as a sidecar together with the main container in the same task definition. The memory and CPU of the ECS service are shared between the Redis and Infisical containers.
- The Redis instance does not have a password configured.
- The Postgres connection uses the admin user and password. It's not the best scenario, but this module can be edited to accept a user and password as an input. You can check this series of blog posts to see how you can use Terraform + Ansible to manage an RDS instance.
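The last three caveats are worth verifying in the rendered task definition before exposing the service. The audit below is an added example, not part of this module: the task definition and connection URI it inspects are constructed samples, and the `REDIS_PASSWORD` environment variable and `--requirepass` flag are assumptions about how a Redis sidecar could be given a password.

```python
from urllib.parse import urlsplit

# Constructed sample shaped like an ECS task definition with a Redis sidecar;
# it is not the task definition this module actually renders.
SAMPLE_TASK_DEFINITION = {
    "family": "infisical",
    "cpu": "1024",
    "memory": "2048",
    "containerDefinitions": [
        {"name": "infisical", "image": "infisical/infisical:latest",
         "secrets": [{"name": "DB_CONNECTION_URI",
                      "valueFrom": "/infisical/postgres"}]},
        {"name": "redis", "image": "redis:7", "command": ["redis-server"]},
    ],
}
# Constructed value standing in for the connection string kept in SSM.
SAMPLE_DB_URI = "postgres://postgres:s3cret@aurora.example.internal:5432/infisical"

# Usernames that indicate the application runs as the database administrator.
ADMIN_USERS = {"postgres", "root", "admin", "master"}


def redis_has_password(container):
    """Treat the sidecar as protected if it is started with --requirepass
    or receives a password through the (assumed) REDIS_PASSWORD variable."""
    command = " ".join(container.get("command", []))
    env_names = {e["name"] for e in container.get("environment", [])}
    return "--requirepass" in command or "REDIS_PASSWORD" in env_names


def audit(task_definition, db_uri):
    """Return one finding per caveat that still applies to this deployment."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        name, image = container.get("name", "?"), container.get("image", "")
        if "redis" not in image:
            continue
        if not redis_has_password(container):
            findings.append(f"redis sidecar '{name}' runs without a password")
        if "memoryReservation" not in container:
            findings.append(f"redis sidecar '{name}' has no memory reservation and "
                            "competes with Infisical for the task's memory")
    user = urlsplit(db_uri).username or ""
    if user.lower() in ADMIN_USERS:
        findings.append(f"postgres connection uses the admin user '{user}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TASK_DEFINITION, SAMPLE_DB_URI):
        print("WARN:", finding)
```

On the constructed sample the audit reports all three caveats; a sidecar with a password and a memory reservation, together with a dedicated database user, yields no findings.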
| Name | Version |
|---|---|
| terraform | ~> 1.6 |
| aws | >= 5.0 |
| random | 3.5.1 |

| Name | Version |
|---|---|
| aws | 5.40.0 |
| random | 3.5.1 |

| Name | Source | Version |
|---|---|---|
| aurora_postgresql_v2 | terraform-aws-modules/rds-aurora/aws | ~>v9.2.1 |
| ecs_service | terraform-aws-modules/ecs/aws//modules/service | v5.10.0 |

| Name | Type |
|---|---|
| aws_ecr_pull_through_cache_rule.this | resource |
| aws_ecr_repository.this | resource |
| aws_lb_listener_rule.this | resource |
| aws_lb_target_group.this | resource |
| aws_route53_record.this | resource |
| aws_security_group_rule.elb-egress | resource |
| aws_ssm_parameter.auth_secret | resource |
| aws_ssm_parameter.encryption_key | resource |
| aws_ssm_parameter.postgres | resource |
| random_id.auth_secret | resource |
| random_id.encryption_key | resource |
| random_password.this | resource |
| aws_lb.this | data source |
| aws_lb_listener.selected443 | data source |
| aws_rds_engine_version.postgresql | data source |
| aws_route53_zone.this | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| dns | DNS Configuration | object({ ... }) | n/a | yes |
| ecr_use_pull_through_cache | Cache Infisical image to ECR from Docker Hub | object({ ... }) | { ... } | no |
| ecs | ECS Configuration | object({ ... }) | n/a | yes |
| networking | Network configuration | object({ ... }) | n/a | yes |
| postgres | Postgres Configuration | object({ ... }) | { ... } | no |
| run_infisical_migrations | Run database migrations | bool | false | no |
| tags | Tags to use | map(string) | {} | no |

| Name | Description |
|---|---|
| infisical_dns | Infisical DNS |