Prerequisites

  • Terraform
  • AWS credentials. View AWS Provider docs for details.
  • A public Route53 hosted zone (save the hosted zone’s domain name and ID)
  • To create secrets in Secrets Manager, either:

The open source Terraform stack deploys Tracecat into AWS with a public-facing application load balancer (ALB) and public hosted zone.

Internal services (e.g. API, worker, databases) are segregated via private security groups. If your security model requires an internal-facing ALB and private hosted zone, please reach out to founders@tracecat.com for help!

Instructions

1. Download Terraform stack

Download installation files from the Tracecat GitHub repo: https://github.com/TracecatHQ/tracecat/tree/main/deployments/aws/fargate

2. Create encryption secrets for Tracecat

Tracecat relies on three symmetric encryption keys (TRACECAT__DB_ENCRYPTION_KEY, TRACECAT__SERVICE_KEY, TRACECAT__SIGNING_SECRET) to sign and encrypt secrets within the application.

Download and execute the secrets creation bash script.

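# Download the raw script (the /blob/ URL returns GitHub's HTML page, not the script)
curl -fsSL -o create-aws-secrets.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/main/deployments/aws/fargate/scripts/create-aws-secrets.sh
chmod +x create-aws-secrets.sh && ./create-aws-secrets.sh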

View create-aws-secrets.sh file on GitHub.

3. Retrieve secret ARNs

Get and store the ARNs of the three created secrets in a secure place. You will need these ARNs to pass into the Terraform stack as variables.

You can find the ARNs in the web console.

4. Deploy stack

Initialize Terraform and deploy the stack by running the following commands:

# Initialize Terraform directory
terraform init

# (Optional) Set Terraform variables via env vars
export TF_VAR_domain_name=<your-hosted-zone-domain-name>
export TF_VAR_hosted_zone_id=<your-hosted-zone-id>
export TF_VAR_tracecat_db_encryption_key_arn=<secret-arn>
export TF_VAR_tracecat_service_key_arn=<secret-arn>
export TF_VAR_tracecat_signing_secret_arn=<secret-arn>

# Create Terraform stack
terraform apply

Wait for the Terraform stack to deploy. This can take up to 10 minutes as spinning up new RDS databases can be slow.

You can configure the Tracecat Fargate deployment via Terraform variables. View available configs in the variables.tf file on GitHub.
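
A preflight check for the variables exported above, as an added example (not part of the Tracecat repo): it confirms the domain and hosted zone variables are set and that the three secret variables hold distinct, well-formed Secrets Manager ARNs before terraform apply runs. The ARN pattern, the distinctness rule, and the function names is_secret_arn and preflight are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the TF_VAR_* inputs of the deploy step.

# Assumed ARN shape: arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>
ARN_RE='^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9/_+=.@-]+$'

# is_secret_arn VALUE: exit status 0 if VALUE looks like a Secrets Manager ARN
is_secret_arn() {
  printf '%s\n' "$1" | grep -Eq "$ARN_RE"
}

# preflight: prints one line per problem to stderr, returns the number of problems
preflight() {
  problems=0
  seen=""
  for v in TF_VAR_domain_name TF_VAR_hosted_zone_id; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      problems=$((problems + 1))
    fi
  done
  for v in TF_VAR_tracecat_db_encryption_key_arn \
           TF_VAR_tracecat_service_key_arn \
           TF_VAR_tracecat_signing_secret_arn; do
    eval "val=\${$v:-}"
    if ! is_secret_arn "$val"; then
      # Catches unset values and placeholders such as <secret-arn> left in place
      echo "not a Secrets Manager ARN: $v" >&2
      problems=$((problems + 1))
    else
      # Assumption: each key has its own secret, so a repeated ARN is a paste error
      case " $seen " in
        *" $val "*) echo "ARN already used by another variable: $v" >&2
                    problems=$((problems + 1)) ;;
      esac
      seen="$seen $val"
    fi
  done
  return "$problems"
}
```

Source the file in the shell where the variables are exported and run `preflight && terraform apply`.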

5. Access Tracecat UI

Access the Tracecat UI via https://<your-hosted-zone-domain-name>. You can also view Tracecat’s API docs via https://<your-hosted-zone-domain-name>/api/docs.

Next Steps

  • Log into Tracecat and build your first playbook. View quickstart.
  • Tracecat comes with basic (email + password) authentication. Find out how to configure other authentication methods. View docs.
  • Read the variables.tf and locals.tf files to better understand Tracecat’s configurations.
  • (Optional) Configure external-facing webhooks. View docs.