# AWS Deployment
Deploy the IDEViewer portal to AWS using ECS Fargate, RDS PostgreSQL, and Application Load Balancer via Terraform.
## Architecture

```text
Internet
   |
   v
[Application Load Balancer]  <- HTTPS (custom domain) or HTTP (ALB DNS)
   |
   v
[ECS Fargate Service]        <- 1-4 tasks, auto-scaling on CPU
   |              |
   v              v
[RDS PostgreSQL]   [AWS Secrets Manager]
   (private)         SECRET_KEY
                     DATABASE_URL
                     Google OAuth (optional)
```
The same Terraform apply also provisions an ElastiCache Redis cluster (default cache.t4g.micro, configurable via redis_node_type) and a dedicated portal-worker ECS service that runs the RQ worker for asynchronous vulnerability scans. The worker starts at worker_min_tasks (default 1) with CPU and memory controlled by worker_cpu and worker_memory. The portal connects to Redis via the REDIS_URL env var injected from Terraform outputs.
## Prerequisites
- AWS CLI v2 configured with appropriate credentials
- Terraform >= 1.5
- Docker
- An AWS account with permissions for: ECS, ECR, RDS, ALB, VPC, Secrets Manager, CloudWatch, IAM
## Quick Start

1. Configure

   ```bash
   cd deploy/terraform
   cp terraform.tfvars.example terraform.tfvars
   # Edit terraform.tfvars with your preferences
   ```

2. Deploy

   ```bash
   ./start.sh --aws
   ```

   The wizard verifies AWS credentials, reviews your Terraform configuration, shows cost estimates, and confirms before creating resources. Alternatively:

   ```bash
   cd deploy
   ./deploy.sh init
   ```

3. Access

   The deployment script prints the portal URL. Default credentials:

   | Username | Password |
   |---|---|
   | admin | ideviewer |

   Change the admin password after the first login: the portal is reachable from the internet through the ALB.
## Terraform Variables

### Required

| Variable | Description | Default |
|---|---|---|
| aws_region | AWS region | us-east-1 |
| project_name | Resource name prefix (must be unique in your account) | ideviewer |

### Optional

| Variable | Description | Default |
|---|---|---|
| custom_domain | Custom domain (e.g., portal.example.com) | "" (uses ALB DNS) |
| route53_zone_id | Route53 zone ID for custom domain | "" |
| google_client_id | Google OAuth Client ID | "" |
| google_client_secret | Google OAuth Client Secret | "" |
| ecs_cpu | ECS task CPU (1024 = 1 vCPU) | 1024 |
| ecs_memory | ECS task memory (MB) | 2048 |
| ecs_min_tasks | Minimum ECS tasks | 1 |
| ecs_max_tasks | Maximum ECS tasks | 4 |
| rds_instance_class | RDS instance type | db.t3.micro |
| redis_node_type | ElastiCache Redis node type | cache.t4g.micro |
| worker_cpu | RQ worker task CPU (1024 = 1 vCPU) | 512 |
| worker_memory | RQ worker task memory (MB) | 1024 |
| worker_min_tasks | Minimum worker tasks | 1 |
## Container Environment Variables

These are set on the ECS task definition (or via Secrets Manager) and read by the portal container at runtime.

| Variable | Required | Default | Description |
|---|---|---|---|
| SECRET_KEY | Yes | – | Flask secret key for session signing |
| DATABASE_URL | Yes | – | PostgreSQL connection string |
| FLASK_CONFIG | No | production | development, production, or testing |
| PORTAL_URL | No | ALB URL | Public URL (used for OAuth redirects) |
| GOOGLE_CLIENT_ID | No | – | Google OAuth client ID |
| GOOGLE_CLIENT_SECRET | No | – | Google OAuth client secret |
| GUNICORN_WORKERS | No | 4 | Number of gunicorn worker processes |
| GUNICORN_THREADS | No | 2 | Threads per gunicorn worker |
| GUNICORN_TIMEOUT | No | 120 | Gunicorn worker timeout in seconds |
| DB_POOL_SIZE | No | 5 | SQLAlchemy connection pool size (prod only) |
| DB_MAX_OVERFLOW | No | 5 | SQLAlchemy pool overflow (prod only) |
| DB_POOL_RECYCLE | No | 1800 | Connection recycle interval, seconds |
| REDIS_URL | No | – | Redis connection URL (e.g. redis://localhost:6379/0). When set, vulnerability scans run async via RQ; when unset, they run inline. |
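As an added example (not the portal's own code), a loader that applies the table above at container start: it refuses to boot without the two required secrets, fills in the documented defaults, requires the Google OAuth pair to be set together, and derives the scan mode from `REDIS_URL`. The `PORTAL_URL` default (the ALB URL) is only known to Terraform, so it is not resolved here.

```python
import os
from urllib.parse import urlparse
REQUIRED = ("SECRET_KEY", "DATABASE_URL")
DEFAULTS = {                      # documented defaults for the optional settings
    "FLASK_CONFIG": "production",
    "GUNICORN_WORKERS": 4,
    "GUNICORN_THREADS": 2,
    "GUNICORN_TIMEOUT": 120,
    "DB_POOL_SIZE": 5,
    "DB_MAX_OVERFLOW": 5,
    "DB_POOL_RECYCLE": 1800,
}
VALID_FLASK_CONFIGS = {"development", "production", "testing"}
class ConfigError(ValueError):
    """Raised when the container would otherwise boot with a broken or unsafe config."""

def load_portal_config(env=None):
    """Resolve the effective configuration from env (os.environ by default)."""
    env = os.environ if env is None else env
    cfg = {}
    # Required secrets: fail fast instead of signing sessions with an empty key.
    for name in REQUIRED:
        value = (env.get(name) or "").strip()
        if not value:
            raise ConfigError(f"{name} must be set (inject it from Secrets Manager)")
        cfg[name] = value
    # Optional settings fall back to the defaults; numeric ones must be integers.
    for name, default in DEFAULTS.items():
        raw = env.get(name)
        if raw is None:
            cfg[name] = default
        elif isinstance(default, int):
            if not raw.strip().isdigit():
                raise ConfigError(f"{name} must be a non-negative integer, got {raw!r}")
            cfg[name] = int(raw)
        else:
            cfg[name] = raw
    if cfg["FLASK_CONFIG"] not in VALID_FLASK_CONFIGS:
        raise ConfigError("FLASK_CONFIG must be development, production or testing")
    db = urlparse(cfg["DATABASE_URL"])
    if db.scheme.split("+")[0] not in ("postgresql", "postgres") or not db.hostname:
        raise ConfigError("DATABASE_URL must be a postgresql:// URL with a host")
    # Google OAuth is optional, but the client id and secret only work as a pair.
    if bool(env.get("GOOGLE_CLIENT_ID")) != bool(env.get("GOOGLE_CLIENT_SECRET")):
        raise ConfigError("GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set together")
    cfg["GOOGLE_OAUTH_ENABLED"] = bool(env.get("GOOGLE_CLIENT_ID"))
    # REDIS_URL decides whether scans are queued through RQ or run inline.
    cfg["SCAN_MODE"] = "rq" if env.get("REDIS_URL") else "inline"
    return cfg
```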
## Custom Domain Setup

- Create a Route53 hosted zone for your domain
- Set the variables in `terraform.tfvars`:

  ```hcl
  custom_domain   = "portal.securient.com"
  route53_zone_id = "Z1234567890ABC"
  ```

- Run `./deploy.sh init`. Terraform creates the ACM certificate and DNS records automatically
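The variable tables and the custom-domain steps above leave a few ways to produce a tfvars file that only fails at apply time (a domain without its zone ID, half of the OAuth pair, a min/max task inversion, or a Fargate CPU/memory pairing AWS rejects). Here is an added example, not part of the project's deploy tooling, that parses the flat `key = value` form of `terraform.tfvars` and checks those dependencies before `terraform apply`; the Fargate pairings it checks are AWS's published Linux combinations up to 4 vCPU.

```python
import re
# Defaults from the variable tables above; keys absent from the file take these.
DEFAULTS = {
    "aws_region": "us-east-1", "project_name": "ideviewer",
    "custom_domain": "", "route53_zone_id": "",
    "google_client_id": "", "google_client_secret": "",
    "ecs_cpu": 1024, "ecs_memory": 2048, "ecs_min_tasks": 1, "ecs_max_tasks": 4,
    "worker_cpu": 512, "worker_memory": 1024, "worker_min_tasks": 1,
}
# Fargate (Linux) CPU units -> allowed task memory in MB, up to 4 vCPU.
FARGATE_MEMORY = {
    256: (512, 1024, 2048),
    512: range(1024, 4097, 1024),
    1024: range(2048, 8193, 1024),
    2048: range(4096, 16385, 1024),
    4096: range(8192, 30721, 1024),
}
# key = "string"  |  key = 123, each with an optional trailing comment.
LINE = re.compile(r'^\s*([a-z0-9_]+)\s*=\s*("([^"]*)"|\d+)\s*(#.*)?$')

def parse_tfvars(text):
    """Parse the flat key = value lines used in terraform.tfvars (strings and ints)."""
    values = dict(DEFAULTS)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, literal, string = m.group(1), m.group(2), m.group(3)
        values[key] = string if string is not None else int(literal)
    return values

def fargate_ok(cpu, memory):
    return memory in FARGATE_MEMORY.get(cpu, ())

def validate_tfvars(text):
    """Return a list of problems; an empty list means the file is consistent."""
    v = parse_tfvars(text)
    problems = []
    if v["custom_domain"] and not v["route53_zone_id"]:
        problems.append("custom_domain requires route53_zone_id (ACM validation and DNS records)")
    if bool(v["google_client_id"]) != bool(v["google_client_secret"]):
        problems.append("google_client_id and google_client_secret must be set together")
    if not 1 <= v["ecs_min_tasks"] <= v["ecs_max_tasks"]:
        problems.append("ecs_min_tasks must be between 1 and ecs_max_tasks")
    for svc in ("ecs", "worker"):
        if not fargate_ok(v[f"{svc}_cpu"], v[f"{svc}_memory"]):
            problems.append(f"{svc}_cpu/{svc}_memory is not a valid Fargate combination")
    return problems
```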
## Cost Estimates

Approximate monthly costs (us-east-1, minimal configuration):

| Resource | Spec | Est. Cost |
|---|---|---|
| ECS Fargate | 1 task, 1 vCPU, 2GB | ~$30/mo |
| NAT Gateway | 1 gateway | ~$32/mo |
| RDS PostgreSQL | db.t3.micro, 20GB | ~$15/mo |
| ALB | 1 ALB + LCUs | ~$20/mo |
| Secrets Manager | 4 secrets | ~$2/mo |
| CloudWatch + ECR | Logs + image storage | ~$2/mo |
| Total | | ~$100/mo |

To reduce costs:

- Use `db.t3.micro` with single-AZ (already the default)
- Replace the NAT Gateway with a NAT instance (~$4/mo)
- Use reserved pricing for Fargate and RDS for long-term savings
## Operations

```bash
# Update portal (after code changes)
./deploy.sh build    # Build + push new Docker image
./deploy.sh deploy   # Rolling update on ECS

# View logs
./deploy.sh logs     # Tail CloudWatch logs

# Check status
./deploy.sh status   # ECS service status, URLs, endpoints

# Scale manually
aws ecs update-service \
  --cluster ideviewer-cluster \
  --service ideviewer-oss-portal \
  --desired-count 3
```
## Connect Daemons

After deployment, register daemons using the portal URL:

```bash
ideviewer register \
  --customer-key YOUR-KEY \
  --portal-url https://portal.securient.com
```
## Tear Down

```bash
./deploy.sh destroy
```

This removes ALL resources, including the database. Export any data before destroying.