Deployment Guide
Infracast can be deployed as SaaS (zero ops), Docker (self-hosted), or Terraform on AWS. Choose the model that fits your requirements.
Option 1: SaaS (Recommended)
The fastest way to get started — no infrastructure required.
- Sign up at app.infracast.io
- Create your organization and first tenant
- Add credentials for your cloud accounts or on-prem infrastructure
- Run your first discovery job
SaaS includes:
- Automatic upgrades (zero downtime)
- Managed PostgreSQL with daily backups
- 99.9% uptime SLA
- SOC 2 Type II compliant infrastructure
Option 2: Docker (Self-Hosted)
Best for evaluation, air-gapped environments, or small teams.
Prerequisites
- Docker 20.10+ and Docker Compose v2
- 4 GB RAM minimum (8 GB recommended)
- 10 GB disk
Quick Start
```bash
git clone https://github.com/azgardtek/vulcan.git
cd vulcan
cp .env.example .env
# Edit .env with your settings
docker compose up -d
```
Environment Variables (.env)
.env
```bash
# Database
POSTGRES_USER=vulcan
POSTGRES_PASSWORD=change-me-in-production
POSTGRES_DB=vulcan

# API
API_SECRET_KEY=generate-a-32-byte-random-string
JWT_SECRET=another-32-byte-random-string

# License (optional — Free tier works without)
# INFRACAST_LICENSE_FILE=/etc/infracast/license.json
# INFRACAST_LICENSE_JSON={"..."}

# NVD CVE database (optional but recommended for CVE correlation)
# NVD_API_KEY=your-nvd-api-key

# Content CDN (optional — defaults to infracast CDN)
# CONTENT_CDN_URL=https://<your-cdn>.cloudfront.net

# Admin bootstrap
ADMIN_USERNAME=admin
ADMIN_PASSWORD=change-me-immediately
```
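A pre-flight check for the `.env` above, added here as an example and not part of the vulcan repository: it flags the sample values from this guide, a `JWT_SECRET` shorter than the 32 bytes the reference table asks for, an unset or wildcard `ALLOWED_ORIGINS`, and a file readable by group or others. The function names and the `FAIL:` output format are assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the vulcan repository: lint .env before `docker compose up -d`.
# Assumes plain KEY=value lines without surrounding quotes.

# Sample values from the guide's .env that must never reach a running deployment.
PLACEHOLDERS="change-me-in-production change-me-immediately
generate-a-32-byte-random-string another-32-byte-random-string"

# env_get FILE KEY: print the value of the last uncommented KEY= line.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# fail MESSAGE: report one finding and count it.
fail() {
  echo "FAIL: $1"
  findings=$((findings + 1))
}

# check_env FILE: print findings; the return status is the number of findings.
check_env() {
  file=$1
  findings=0
  for key in POSTGRES_PASSWORD API_SECRET_KEY JWT_SECRET ADMIN_PASSWORD; do
    val=$(env_get "$file" "$key")
    [ -n "$val" ] || { fail "$key is not set"; continue; }
    for p in $PLACEHOLDERS; do
      [ "$val" != "$p" ] || fail "$key still holds the sample value"
    done
  done
  # The reference table asks for 32+ bytes in JWT_SECRET; count bytes, not characters.
  jwt_len=$(( $(env_get "$file" JWT_SECRET | tr -d '\n' | wc -c) ))
  [ "$jwt_len" -ge 32 ] || fail "JWT_SECRET is $jwt_len bytes, need 32 or more"
  # ALLOWED_ORIGINS defaults to * when unset, so an explicit list is required.
  origins=$(env_get "$file" ALLOWED_ORIGINS)
  case "$origins" in
    ''|*'*'*) fail "ALLOWED_ORIGINS is unset or contains *" ;;
  esac
  # Secrets in a group- or world-readable file are exposed to other local users.
  if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
    fail "$file is readable by group or others (chmod 600)"
  fi
  return "$findings"
}

# Stand-alone use: sh check_env.sh .env
[ $# -eq 0 ] || check_env "$1"
```

Replacement secrets can be generated with `openssl rand -base64 32`, which encodes 32 random bytes as a 44-character string.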
Verify Installation
```bash
# Check all containers are running
docker compose ps

# Verify API health
curl http://localhost:8080/healthz
# Expected: {"status":"ok","db_connected":true}

# UI available at
open http://localhost:3000
```
Bootstrap First Admin
```bash
docker compose exec vulcan-api ./vulcan bootstrap \
  --username admin \
  --password 'YourSecurePassword!'
```
Production Considerations for Docker
Not Production-Ready Out of the Box
The default Docker Compose setup uses single-node PostgreSQL with no backups. For production Docker deployments:
- Point `DATABASE_URL` to a managed PostgreSQL (RDS, Cloud SQL, Supabase)
- Add TLS termination via nginx or Traefik reverse proxy
- Use Docker Secrets or a vault for credentials (not plain `.env` files)
- Set up log aggregation (CloudWatch, Datadog, etc.)
Recommended Production Docker Setup
docker-compose.prod.yml
```yaml
services:
  vulcan-api:
    image: ghcr.io/azgardtek/vulcan:latest
    restart: always
    ports:
      - "8080:8080"
    environment:
      # ${...} values are interpolated by Compose from the shell environment or an .env file
      DATABASE_URL: "postgres://vulcan:${DB_PASSWORD}@your-rds-host:5432/vulcan?sslmode=require"
      JWT_SECRET: "${JWT_SECRET}"
      API_SECRET_KEY: "${API_SECRET_KEY}"
      NVD_API_KEY: "${NVD_API_KEY}"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3

  # TLS termination; the config and certificates are mounted read-only
  nginx:
    image: nginx:alpine
    restart: always
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
```
Option 3: Terraform on AWS
Best for enterprise self-hosted, MSSP, or FedRAMP requirements.
See Getting Started: Terraform for the full walkthrough.
High-Level Steps
```bash
git clone https://github.com/azgardtek/vulcan.git
cd vulcan/deploy/terraform/aws
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars
terraform init
terraform plan
terraform apply
```
Terraform creates: VPC, ALB, ECS cluster, RDS PostgreSQL, S3 buckets, CloudFront, IAM roles, and CloudWatch log groups.
Terraform Variables Reference
| Variable | Required | Default | Description |
|---|---|---|---|
| `environment` | Yes | — | `dev` or `prod` |
| `aws_region` | Yes | — | AWS region (e.g., `us-east-1`) |
| `domain_name` | Yes | — | Domain for the deployment |
| `certificate_arn` | Yes | — | ACM certificate ARN |
| `vpc_cidr` | No | `10.0.0.0/16` | VPC CIDR block |
| `db_instance_class` | No | `db.t3.medium` | RDS instance type |
| `db_multi_az` | No | `false` | Enable Multi-AZ for RDS |
| `db_storage_gb` | No | `20` | Initial RDS storage in GB |
| `ecs_cpu` | No | `512` | ECS task CPU units |
| `ecs_memory` | No | `1024` | ECS task memory in MB |
| `ecs_desired_count` | No | `1` | Number of ECS tasks |
| `ecs_min_count` | No | `1` | Auto-scaling minimum |
| `ecs_max_count` | No | `3` | Auto-scaling maximum |
| `tags` | No | `{}` | Additional resource tags |
Environment Variables Reference
Full list of API server environment variables:
| Variable | Required | Description |
|---|---|---|
| `DATABASE_URL` | Yes | PostgreSQL connection string |
| `JWT_SECRET` | Yes | Secret for signing JWTs (32+ bytes) |
| `API_PORT` | No | HTTP listen port (default: `8080`) |
| `PLUGIN_DIR` | No | Directory of plugin binaries (default: `/usr/local/lib/infracast/plugins`) |
| `INFRACAST_LICENSE_FILE` | No | Path to license JSON file |
| `INFRACAST_LICENSE_JSON` | No | License JSON as environment variable |
| `NVD_API_KEY` | No | NIST NVD API key for faster CVE sync |
| `CONTENT_CDN_URL` | No | Content pack CDN URL |
| `CONTENT_CACHE_DIR` | No | Local cache for content packs |
| `CONTENT_PUBLIC_KEY` | No | Ed25519 public key for content verification (base64) |
| `ALLOWED_ORIGINS` | No | CORS origins (comma-separated, default `*`) |
| `LOG_LEVEL` | No | Log verbosity: `debug`, `info`, `warn`, `error` |
| `LOG_FORMAT` | No | `json` or `text` (default: `json`) |
Post-Deployment Steps
After any deployment method:
- Log in to the UI and change the default admin password
- Create a tenant for your organization
- Add credentials for your infrastructure providers
- Create your first discovery job and verify assets appear in the graph
- Configure alerting for critical findings (see Monitoring)
- Set up backups if self-hosted (see Backup & Restore)