Skip to main content
This guide walks you through deploying an Infisical Relay server using Terraform. Select a provider below for specific instructions.
The provided configuration automates the creation of the EC2 instance, sets up the necessary security group rules, and uses a startup script to install and configure the Infisical Relay service.

Prerequisites

Before you start, make sure you have the following:
  • An AWS account with permissions to create EC2 instances, Security Groups, and Elastic IPs.
  • An existing VPC and Subnet ID in your desired AWS region.
  • The AMI ID for your chosen OS (this guide uses an Ubuntu 22.04 LTS AMI).
  • Credentials for the Infisical Relay to authenticate with your Infisical instance. This guide uses a Machine Identity token, but other methods are available. You can find a full list of authentication options here.

Terraform Configuration

Here is the complete Terraform configuration to deploy the Infisical Relay.
The provided security group rules are open to the internet (0.0.0.0/0) for simplicity. In a production environment, you should restrict the cidr_blocks to known IP addresses for enhanced security, especially for the SSH port (22).

How to Deploy

  1. Save the configuration: Save the code above to a file named main.tf.
  2. Customize values: Update the placeholder values in main.tf to match your AWS environment and Infisical credentials. You’ll need to replace:
    • region in the provider block.
    • vpc_id in the aws_security_group resource.
    • ami and subnet_id in the infisical_relay_instance module.
    • The --token in the user_data script with the enrollment token from the relay detail page.
    • The --domain in the user_data script if you are self-hosting Infisical.
  3. Apply the configuration: Run the following Terraform commands in your terminal: