mirror of
https://github.com/open-webui/open-webui.git
synced 2025-12-12 20:35:19 +00:00
78 lines
2.2 KiB
HCL
78 lines
2.2 KiB
HCL
# Generate shared secret for JWT signing
|
|
resource "random_password" "webui_secret_key" {
|
|
length = 32
|
|
special = false # Avoid special characters that might cause issues
|
|
}
|
|
|
|
# Shared secret for consistent JWT tokens across instances
|
|
resource "aws_secretsmanager_secret" "webui_shared_secret" {
|
|
name = "openwebui-shared-secret"
|
|
description = "Shared secret for OpenWebUI JWT signing across instances"
|
|
recovery_window_in_days = 0 # Force immediate deletion to avoid naming conflicts
|
|
force_overwrite_replica_secret = true
|
|
|
|
tags = {
|
|
Name = "OpenWebUI Shared Secret"
|
|
}
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "webui_shared_secret" {
|
|
secret_id = aws_secretsmanager_secret.webui_shared_secret.id
|
|
secret_string = random_password.webui_secret_key.result
|
|
}
|
|
|
|
# Dedicated ECS task execution role for OpenWebUI scaled service
|
|
resource "aws_iam_role" "openwebui_execution_role" {
|
|
name = "openwebui-scaled-execution-role"
|
|
|
|
assume_role_policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = "sts:AssumeRole"
|
|
Effect = "Allow"
|
|
Principal = {
|
|
Service = "ecs-tasks.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
})
|
|
|
|
tags = {
|
|
Name = "OpenWebUI Scaled Execution Role"
|
|
}
|
|
}
|
|
|
|
# Attach AWS managed ECS execution policy
|
|
resource "aws_iam_role_policy_attachment" "openwebui_execution_role_policy" {
|
|
role = aws_iam_role.openwebui_execution_role.name
|
|
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
|
|
}
|
|
|
|
# Service-specific secrets access via inline policy
|
|
resource "aws_iam_role_policy" "openwebui_secrets_policy" {
|
|
name = "openwebui-scaled-secrets-access"
|
|
role = aws_iam_role.openwebui_execution_role.id
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Effect = "Allow"
|
|
Action = ["secretsmanager:GetSecretValue"]
|
|
Resource = [
|
|
aws_secretsmanager_secret.webui_shared_secret.arn,
|
|
aws_secretsmanager_secret.redis_connection.arn,
|
|
var.existing_database_secret_arn
|
|
]
|
|
},
|
|
{
|
|
Effect = "Allow"
|
|
Action = [
|
|
"kms:Decrypt"
|
|
]
|
|
Resource = "*"
|
|
}
|
|
]
|
|
})
|
|
}
|