Terraform module for deploying a cheap yet stable vaultwarden (formerly bitwarden_rs) to AWS.

• Prerequisites
• Features
• How it works
• Usage
  • Secrets
  • Terraform
• TODO
• Contributions
• Requirements
• Providers
• Modules
• Resources
• Inputs
• Outputs

• Route53 hosted zone
• SMTP credentials
• EC2 key pair
• KMS key

• HTTPS using LetsEncrypt
• Backups to S3 (daily by default)
• fail2ban and logrotate
• Auto healing using an auto scaling group
• Saving cost using a spot instance
• By default, it uses t2.micro and t2.small as instances, and it launches the cheapest one
• Fixed source IP address by reattaching ENI
• Encrypted secrets using mozilla/sops

This module provisions the following resources:

• Auto Scaling Group with mixed instances policy
• Launch Template
• Elastic IP
• Elastic Network Interface
• Security Group
• IAM Role for ENI and EBS attachment and S3 for file operations

By default, an instance of the latest Amazon Linux 2 is launched. The instance will run init.sh to:

1. Attach the ENI to eth1
2. Attach the EBS volume as /dev/xvdf and mount it
3. Install and configure docker, docker-compose, sops, fail2ban
4. Start Bitwarden
5. Switch the default route to eth1

The secrets are encrypted and stored in the env.enc file. The file format is:

acme_email=[email protected]
signups_allowed=false
domain=bitwarden.example.com
smtp_host=smtp.gmail.com
smtp_port=587
smtp_ssl=true
smtp_username=[email protected]
smtp_password="V3ryStr0ngPa$sw0rd!"
enable_admin_page=true
admin_token=0YakKKYV01Qyz2Y3ynrJVYhw4fy1HtH+oCyVK8k3LhvnpawvkmUT/LZAibYJp3Eq
bucket=bitwarden-bucket
db_user=bitwarden
db_user_password=ChangeThisVeryStrongPassword
db_root_password=ReplaceThisEvenStrongerPassword

NOTE: I strongly advise NOT to enable the Admin Page, hence to remove the lines containing enable_admin_page and admin_token. If you still want to enable it, you should at least generate a 48 char long password.

$ openssl rand -base64 48

Once the env.enc file is populated with the correct secrets it must be encrypted. This file should never be left unencrypted.

$ SOPS_KMS_ARN="KMS_KEY_ARN" sops -e -i data/env.enc

replace KMS_KEY_ARN with the ARN of the KMS you want to use

provider "aws" {
  region = "eu-west-1"
}

data "local_file" "this" {
  filename = "${path.module}/env.enc"
}

data "aws_kms_key" "this" {
  key_id = "alias/bitwarden-sops-encryption-key-prod"
}

module "bitwarden" {
  source         = "../"
  name           = "bitwarden"
  domain         = "bitwarden.example.org"
  environment    = "prod"
  route53_zone   = "example.org."
  ssh_cidr       = ["212.178.73.60/32"]
  env_file       = data.local_file.this.content
  instance_types = ["t2.micro", "t2.small", "t2.medium", "t2.large"]
}

1. Add a restore script
2. Manage dependencies with renovate-bot
3. Implement a retry mechanism when attaching ENI and EBS
4. Detect if the EBS volume has been formatted or not
5. Add logrotate for Traefik logs
6. Catch the spot instance termination event and trigger a backup
7. Verify that the application has properly launched by logging in as a dummy user

This is an open source software. Feel free to open issues and pull requests.

No modules.

[
  "t2.micro",
  "t2.small"
]