admin/bodyshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7dab60e3bcbb39954c1b1c011895dde444efb03f
bodyshop/documenso/terraform/README.md
Patrick Fic 7dab60e3bc Initial terraform for Documenso.
2026-03-26 09:15:00 -07:00

3.1 KiB
Raw Blame History

Documenso on AWS

This Terraform stack deploys Documenso to AWS in ca-central-1 using:

  • ECS Fargate for the application tier
  • RDS PostgreSQL for the database tier
  • S3 for document uploads and signed PDFs
  • Application Load Balancer with ACM-managed TLS
  • Route53 DNS for esignature.imex.online
  • SES domain identity and DKIM records for outbound email
  • Secrets Manager for generated application secrets, SMTP credentials, and the optional Documenso signing certificate
  • AWS WAF with a basic managed rule set and rate limiting
  • CloudWatch alarms for ALB, ECS, and RDS health indicators

Why this shape

This is the most practical fit for your Docker Compose workload if you want a balance of cost efficiency, managed operations, and scaling:

  • Fargate gives you horizontal scaling without managing EC2 hosts.
  • RDS PostgreSQL is simpler and cheaper than Aurora for a single Documenso workload.
  • S3-backed uploads are better for production scale and keep document growth out of PostgreSQL.
  • The database stays private; the ALB is public.
  • The ECS tasks run in public subnets to avoid a NAT gateway charge. Inbound access is still restricted to the ALB security group.
  • HTTPS is terminated by the ALB using ACM. The Documenso self-signed .p12 certificate is separate and is used for document signing, not browser TLS.

Files

  • main.tf: core infrastructure
  • variables.tf: configurable inputs
  • outputs.tf: useful deployment outputs
  • terraform.tfvars.example: example input values

Assumptions built into this stack

  1. Your DNS for imex.online is hosted in Route53.
  2. You want Multi-AZ RDS enabled from the start for database availability.
  3. You are comfortable starting with documenso/documenso:latest. For repeatable deployments, pin a version or digest after your first rollout.
  4. You will provide SES SMTP credentials. Terraform verifies the SES domain, but it does not derive SMTP passwords for you.
  5. You will provide a base64-encoded PKCS#12 signing certificate and passphrase if you want document signing enabled immediately. This stack injects those values through Secrets Manager instead of mounting a host file.
  6. You are comfortable with Terraform creating a dedicated IAM user and access key for Documenso S3 uploads because Documenso documents explicit S3 credentials for the upload backend.
  7. You want Terraform destroy protection enabled for both the database and the uploads bucket.

Deploy

  1. Copy terraform.tfvars.example to terraform.tfvars and fill in the SMTP values.
  2. If you want Documenso signing enabled, add signing_certificate_base64 and signing_certificate_passphrase.
  3. Optionally set upload_bucket_name if you want a specific S3 bucket name.
  4. Run terraform init.
  5. Run terraform plan.
  6. Run terraform apply.

Recommended first production adjustments

  1. Pin the Documenso image to a tested version or digest.
  2. Wire alarm_actions to an SNS topic, PagerDuty bridge, or your on-call system so alarms notify someone.
  3. Expand the WAF rule set if you need more aggressive filtering later.
  4. Add CloudWatch alarms on ECS 5xx errors, ALB target health, and RDS CPU/storage.
Reference in New Issue View Git Blame Copy Permalink