docs/documentation/platform/gateways/relay-deployment/terraform.mdx
This guide walks you through deploying an Infisical Relay server using Terraform. Select a provider below for specific instructions.
<Tabs> <Tab title="AWS EC2"> The provided configuration automates the creation of the EC2 instance, sets up the necessary security group rules, and uses a startup script to install and configure the Infisical Relay service. Before you start, make sure you have the following: AWS credentials that Terraform can use, an existing VPC and subnet from which the instance can reach the internet (the startup script downloads the Infisical CLI), and an Infisical Machine Identity token for the relay.
Here is the complete Terraform configuration to deploy the Infisical Relay.
# Provider requirements. The relay deployment is pinned to the AWS provider
# 5.x line; bump the constraint deliberately when upgrading.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
# AWS provider configuration. Credentials come from the usual provider chain
# (environment, shared config, instance role); only the region is set here.
provider "aws" {
  region = "us-west-2" # Change to your desired AWS region
}
# Security Group for the Infisical Relay instance
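resource "aws_security_group" "infisical_relay_sg" {
  name        = "infisical-relay-sg"
  description = "Allows inbound traffic for Infisical Relay and SSH"
  vpc_id      = "vpc-0c71f9c5709d88d18" # Change to your VPC ID

  # Inbound 8443/tcp: the Infisical platform connects to the Relay on this port.
  # It is world-open here because the platform's source addresses are not fixed
  # in this example; narrow it to the platform's egress ranges if you know them.
  ingress {
    description = "Infisical platform -> Relay"
    from_port   = 8443
    to_port     = 8443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound 2222/tcp: Infisical Gateways reach the Relay on this port. Gateways
  # run inside your own networks, so restrict this to their egress addresses
  # where they are known.
  ingress {
    description = "Infisical Gateway -> Relay"
    from_port   = 2222
    to_port     = 2222
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound 22/tcp: administrative SSH. This rule is NOT open to 0.0.0.0/0.
  # The placeholder is an RFC 5737 documentation address and must be replaced
  # with your admin IP or bastion CIDR before apply; if you do not need SSH at
  # all, delete this rule entirely.
  ingress {
    description = "Admin SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.10/32"] # Change to your admin IP/CIDR
  }

  # Outbound: the relay must reach the Infisical platform (--domain) and, at
  # first boot, the CLI download host and apt mirrors. Left fully open because
  # those destinations have no fixed addresses in this example; tighten to
  # 443/tcp (and 80/tcp for apt) if your environment allows it.
  egress {
    description = "Relay -> Infisical platform and package sources"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "infisical-relay-sg"
  }
}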
# Elastic IP for a static public IP address
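# Static public address for the relay. The address is referenced by the
# instance's startup script (--host), so it is allocated before the instance.
# `domain = "vpc"` is stated explicitly rather than relying on the provider
# default; EC2-Classic addresses are not usable here.
resource "aws_eip" "infisical_relay_eip" {
  domain = "vpc"

  tags = {
    Name = "infisical-relay-eip"
  }
}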
# EC2 instance to run Infisical Relay
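# EC2 instance that runs the Infisical Relay.
#
# Two things a practitioner should know about this block:
#   * Everything in user_data is stored in Terraform state, is returned by
#     `ec2:DescribeInstanceAttribute`, and is readable from inside the instance
#     via the metadata service. A Machine Identity token placed here inherits
#     all of those exposure paths; treat the state file as a secret and prefer
#     fetching the token from AWS Parameter Store / Secrets Manager via an
#     instance profile in production.
#   * The Elastic IP is attached by aws_eip_association *after* the instance is
#     created, while user_data runs on first boot. With
#     associate_public_ip_address = false the instance may have no public
#     route yet when the script starts, so the script waits for outbound
#     connectivity before downloading anything. Subnets that route through a
#     NAT gateway are unaffected.
module "infisical_relay_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 5.6"

  name          = "infisical-relay-example"
  ami           = "ami-065778886ef8ec7c8" # Change to your desired AMI ID
  instance_type = "t3.micro"
  subnet_id     = "subnet-0fd2337a1c604a494" # Change to your Subnet ID

  vpc_security_group_ids      = [aws_security_group.infisical_relay_sg.id]
  associate_public_ip_address = false # We are using an Elastic IP instead

  # Require IMDSv2. user_data (and any instance-role credentials) are served by
  # the metadata service; session tokens block the classic SSRF read of it.
  metadata_options = {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  user_data = <<-EOT
    #!/bin/bash
    # Runs once as root on first boot (cloud-init), so no sudo is needed below.
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive

    # Wait for outbound connectivity: the Elastic IP is associated after the
    # instance exists, which can be later than this script starts. Probe the
    # exact file we are about to download; give up after ~5 minutes so a
    # misrouted subnet fails loudly instead of hanging.
    attempts=0
    until curl -fsS --max-time 10 -o /dev/null 'https://artifacts-cli.infisical.com/setup.deb.sh'; do
      attempts=$((attempts + 1))
      if [ "$attempts" -ge 30 ]; then
        echo "infisical-relay: no outbound connectivity after 5 minutes, aborting" >&2
        exit 1
      fi
      sleep 10
    done

    # Install the Infisical CLI.
    # This pipes a vendor-hosted script into bash; it is the vendor's documented
    # install path, but it is a supply-chain trust decision. Mirror the package
    # internally if your policy forbids remote scripts.
    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash
    apt-get update && apt-get install -y infisical

    # Install the relay as a systemd service.
    # Authentication uses a Machine Identity token read from INFISICAL_TOKEN.
    # The literal below is a placeholder; see the note on this module about
    # where user_data ends up before putting a real token here. For production,
    # fetch the token from AWS Parameter Store or AWS Secrets Manager instead.
    export INFISICAL_TOKEN="your-machine-identity-token"
    infisical relay systemd install \
      --name "my-relay-example" \
      --domain "https://app.infisical.com" \
      --host "${aws_eip.infisical_relay_eip.public_ip}"

    # Start the service now and on every boot.
    systemctl enable --now infisical-relay
  EOT
}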
# Associate the Elastic IP with the EC2 instance
# Bind the pre-allocated Elastic IP to the relay instance. This runs after the
# instance resource exists, i.e. after its first boot has already started.
resource "aws_eip_association" "eip_assoc" {
  allocation_id = aws_eip.infisical_relay_eip.id
  instance_id   = module.infisical_relay_instance.id
}
Update `main.tf` to match your AWS environment and Infisical credentials. You'll need to replace:

- `region` in the `provider` block.
- `vpc_id` in the `aws_security_group` resource.
- `ami` and `subnet_id` in the `infisical_relay_instance` module.
- The `INFISICAL_TOKEN` environment variable in the `user_data` script (e.g., `export INFISICAL_TOKEN="your-machine-identity-token"`). Anything placed in `user_data` is stored in the Terraform state, returned by the EC2 API, and readable from the instance metadata service, so treat the state file as a secret and prefer fetching the token from a secrets store in production.
- `--domain` in the `user_data` script if you are self-hosting Infisical.

Then initialize and apply the configuration:

```bash
terraform init
terraform plan
terraform apply
```