This stack is meant for production use.
TRACECAT__AUTH_TYPES=google_oauth,saml is the default configuration.
You’ll need to configure Google OAuth or SAML SSO to log in.
Prerequisites
The open source Terraform stack deploys Tracecat into AWS with a public-facing application load balancer (ALB) and public hosted zone.
Internal services (e.g. API, worker, databases) are segregated via private security groups.
If your security model requires an internal facing ALB and private hosted zone,
please reach out to founders@tracecat.com for help!
- Terraform
- curl, openssl, docker to create cryptographic keys used in the Tracecat app
- AWS credentials. View AWS Provider docs for details.
- A public Route53 hosted zone (save the hosted zone’s domain name and ID)
- To create secrets in Secrets Manager, either:
  - AWS CLI. View installation docs.
  - Access to the AWS Management Console.
Instructions
1
Download Terraform stack
Download Terraform modules from GitHub: https://github.com/TracecatHQ/terraform-fargate
2
Create encryption secrets for Tracecat
Tracecat relies on three symmetric encryption keys (TRACECAT__DB_ENCRYPTION_KEY, TRACECAT__SERVICE_KEY, TRACECAT__SIGNING_SECRET) to sign and encrypt secrets within the application.
The service key and signing secret are random 32-byte hexadecimal strings generated by the openssl CLI tool.
The database encryption key is created using the cryptography Python library, which is run in Docker.
Download and execute the secrets creation bash script.
View create-aws-secrets.sh file on GitHub for details if you want to run this step manually.
3
Retrieve secret ARNs
Store the ARNs of the three created secrets in a secure place.
You will need these ARNs to pass into the Terraform stack as variables.
You can find the ARNs in the web console.
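Steps 2 and 3 done by hand for the two openssl-generated keys, as an added example that is not Tracecat's create-aws-secrets.sh: it checks that each key is 32 bytes of hex, stores it in Secrets Manager without putting the value on a command line, and prints the ARN. The script name, the secret name prefix, the names under it and the DB_KEY variable are assumptions.

```bash
# Added example, not Tracecat's create-aws-secrets.sh.
set -eu

# 32 random bytes from openssl, printed as 64 hex characters.
gen_hex_key() {
  openssl rand -hex 32
}

# Succeeds only for exactly 64 hex characters (a 32-byte key).
is_hex32() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Create secret $1 with value $2 and print only its ARN. The value is passed
# through a private temp file (file://), so it never appears in the process
# list; the subshell's EXIT trap removes the file even if the CLI call fails.
store_secret() (
  umask 077
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  printf '%s' "$2" > "$tmp"
  aws secretsmanager create-secret --name "$1" \
    --secret-string "file://$tmp" --query ARN --output text
)

# Usage (hypothetical script name): sh make-secrets.sh --create <name-prefix>
# The prefix and the secret names below are hypothetical; use your own scheme.
if [ "${1:-}" = "--create" ]; then
  prefix="${2:?secret name prefix required}"
  for name in service-key signing-secret; do
    key="$(gen_hex_key)"
    is_hex32 "$key" || { echo "unexpected key format for $name" >&2; exit 1; }
    arn="$(store_secret "$prefix/$name" "$key")"
    echo "$name: $arn"
  done
  # The database encryption key comes from the cryptography library (step 2).
  # DB_KEY is a hypothetical variable holding that already-generated value.
  if [ -n "${DB_KEY:-}" ]; then
    arn="$(store_secret "$prefix/db-encryption-key" "$DB_KEY")"
    echo "db-encryption-key: $arn"
  fi
fi
```

Only the ARNs are printed; the key values themselves never reach the terminal or shell history.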

4
Configure Google OAuth or SAML SSO
The Terraform stack has two Google OAuth variables or four SAML SSO variables that need to be configured to set up Google OAuth or SAML SSO.
The variables are:
- oauth_client_id_arn
- oauth_client_secret_arn
- saml_idp_metadata_url_arn
5
Deploy stack
Initialize Terraform and deploy the stack by running the following commands:
Wait for the Terraform stack to deploy.
This can take up to 10 minutes as spinning up new RDS databases can be slow.
You can configure the Tracecat Fargate deployment via Terraform variables.
View available configs in the variables.tf file on GitHub.
6
Access Tracecat UI
Access the Tracecat UI via https://<your-hosted-zone-domain-name>.
You can also view Tracecat’s API docs via https://<your-hosted-zone-domain-name>/api/docs.
Login
The first user that logs in via Google OAuth or SAML SSO will be created with default admin privileges.
Next Steps
- Log into Tracecat and build your first playbook. View quickstart.
- Read variables.tf and ecs/locals.tf files to better understand Tracecat’s configurations.