npellegrin/jitsi-aws-fargate

Jitsi on AWS Fargate

A full Terraform demo stack deploying Jitsi in AWS Fargate.

Required ecosystem

An AWS Route53 Hosted Zone with the domain you want for your Jitsi instance is required.

Required parameters

Parameter Description
allowed_account_ids    Your AWS account identifier, as a list of strings
domain_name            The domain name you want for the Jitsi instance
hosted_zone_id         The Route53 Hosted Zone identifier where the records for the Jitsi domain will be written

How to deploy this software

Create a terraform.tfvars file with the required parameters and replace with your own values:

allowed_account_ids = []   # your AWS account ID, as a list of strings
domain_name         = ""   # public DNS name the Jitsi instance will be served from
hosted_zone_id      = ""   # Route53 hosted zone that owns domain_name

On an AWS account you own, run:

terraform apply

Networking and associated costs

This project is intended to be as close as possible to a "real" deployment. Consequently, when the deploy_in_private_subnets parameter is true, the Jitsi services are deployed in private subnets without a NAT gateway. In this configuration, additional VPC endpoints are deployed across two Availability Zones each. This incurs additional costs estimated at 60 USD per month (4 interface VPC endpoints x 2 ENIs per endpoint x 730 hours in a month x 0.01 USD = 58.40 USD). The four billed endpoints are the interface endpoints for the ECR API, ECR Docker, CloudWatch Logs and SSM; the S3 endpoint is a gateway endpoint, which has no hourly charge. Interface endpoints also bill per GB of data processed, which comes on top of the hourly rate.

If you just want to try Jitsi without the additional networking costs, keep the deploy_in_private_subnets parameter at false (it is the default).

Regardless of the deploy_in_private_subnets setting, you pay for the AWS Fargate tasks while they are running. Do not let this infrastructure run without actually using it, or it will impact your AWS bill.

Limitation

This is a demo Terraform stack. Consequently, it has the following limitations:

  • There is no security hardening
  • There is no scaling configuration
  • There is no customization of the installation

Docker Hub mirror

This project creates ECR repositories that can serve as Docker Hub mirrors inside AWS. Using them is optional. If you do use the private ECR repositories, you must first seed them with the images pulled from Docker Hub, as below.

# Placeholders: set your own account ID; the region matches the project default (eu-west-1)
AWS_ACCOUNT_ID=...
AWS_REGION=eu-west-1
AWS_REGISTRY=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/jitsi-meet-mirror

# Authenticate docker to the private ECR registry before pushing (the token is valid for 12 hours)
aws ecr get-login-password --region "${AWS_REGION}" \
  | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"

# Pull each pinned upstream tag, retag it under the mirror path and push it
docker pull jitsi/jicofo:jicofo-1.0-1118-1
docker tag jitsi/jicofo:jicofo-1.0-1118-1 ${AWS_REGISTRY}/jitsi/jicofo:jicofo-1.0-1118-1
docker push ${AWS_REGISTRY}/jitsi/jicofo:jicofo-1.0-1118-1

docker pull jitsi/jvb:jvb-2.3-187-gc7ef8e66-1
docker tag jitsi/jvb:jvb-2.3-187-gc7ef8e66-1 ${AWS_REGISTRY}/jitsi/jvb:jvb-2.3-187-gc7ef8e66-1
docker push ${AWS_REGISTRY}/jitsi/jvb:jvb-2.3-187-gc7ef8e66-1

docker pull jitsi/prosody:prosody-0.12.4
docker tag jitsi/prosody:prosody-0.12.4 ${AWS_REGISTRY}/jitsi/prosody:prosody-0.12.4
docker push ${AWS_REGISTRY}/jitsi/prosody:prosody-0.12.4

docker pull jitsi/web:web-1.0.8310-1
docker tag jitsi/web:web-1.0.8310-1 ${AWS_REGISTRY}/jitsi/web:web-1.0.8310-1
docker push ${AWS_REGISTRY}/jitsi/web:web-1.0.8310-1

Note that using these repositories is required if you have chosen to flip deploy_in_private_subnets to true, because the project deploys no NAT gateway and the tasks therefore cannot reach Docker Hub. You may adapt this project and deploy a NAT gateway if relevant. I chose not to do so by default to keep default costs low.
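A misconfiguration this section invites is a private deployment whose jitsi_images still point at Docker Hub: with no NAT gateway the tasks simply never pull. The script below is an added example, not part of the jitsi-aws-fargate project, that checks a terraform.tfvars before you run terraform apply: it emits a jitsi_images object pointing at the in-account mirror and fails if deploy_in_private_subnets is true while any image entry is missing or not hosted in the account's ECR. It assumes the tfvars layout shown above, the mirror path jitsi-meet-mirror/ and region eu-west-1; the account ID 123456789012, meet.example.com and the zone ID are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not project code): pre-apply sanity check for terraform.tfvars.
# Assumptions: tfvars layout from this README, mirror path jitsi-meet-mirror/, region
# eu-west-1; the account ID, domain and hosted zone ID used below are placeholders.

# Registry prefix every mirrored image must carry: <account>.dkr.ecr.<region>.amazonaws.com/jitsi-meet-mirror/
mirror_prefix() {
  printf '%s.dkr.ecr.%s.amazonaws.com/jitsi-meet-mirror/' "$1" "$2"
}

# Emit a jitsi_images object pointing the four components at the mirror. Values stay
# untagged repository paths, the same shape as the variable's defaults ("jitsi/jicofo", ...).
mirror_jitsi_images() {
  prefix=$(mirror_prefix "$1" "$2")
  printf 'jitsi_images = {\n'
  for component in jicofo jvb prosody web; do
    printf '  %-7s = "%sjitsi/%s"\n' "$component" "$prefix" "$component"
  done
  printf '}\n'
}

# Constructed sample terraform.tfvars for a private deployment, written to $1 for account $2.
write_sample_tfvars() {
  {
    printf 'allowed_account_ids       = ["%s"]\n' "$2"
    printf 'domain_name               = "meet.example.com"\n'
    printf 'hosted_zone_id            = "Z0123456789EXAMPLE"\n'
    printf 'deploy_in_private_subnets = true\n'
    mirror_jitsi_images "$2" eu-west-1
  } > "$1"
}

# check_private_images FILE ACCOUNT_ID
# Returns 0 when FILE is consistent, 1 when deploy_in_private_subnets is true but
# jitsi_images is missing (Docker Hub defaults) or any entry is not in this account's ECR.
check_private_images() {
  file=$1
  host="$2.dkr.ecr."
  private=$(sed -n 's/^[[:space:]]*deploy_in_private_subnets[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$file")
  # The variable defaults to false, so a missing line means public subnets: nothing to check.
  [ "${private:-false}" = "true" ] || return 0
  bad=$(awk -v host="$host" '
    /^[[:space:]]*jitsi_images[[:space:]]*=/ { inblock = 1; found = 1 }
    inblock {
      s = $0
      while (match(s, /"[^"]*"/)) {            # every quoted value on the line
        v = substr(s, RSTART + 1, RLENGTH - 2)
        if (index(v, host) != 1) print v       # not prefixed by <account>.dkr.ecr.
        s = substr(s, RSTART + RLENGTH)
      }
      if ($0 ~ /}/) inblock = 0
    }
    END { if (!found) print "(jitsi_images not set: defaults pull from Docker Hub)" }
  ' "$file")
  if [ -n "$bad" ]; then
    printf 'deploy_in_private_subnets = true but these images are not in the account ECR mirror:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo with placeholder account 123456789012.
sample=$(mktemp)
write_sample_tfvars "$sample" 123456789012
cat "$sample"
check_private_images "$sample" 123456789012 && echo "OK: private deployment with all images mirrored"
rm -f "$sample"
```

Run it as `sh check_tfvars.sh` after seeding the mirror and before `terraform apply`; paste the emitted jitsi_images block into your terraform.tfvars when deploy_in_private_subnets is true. The check deliberately treats an absent jitsi_images as a failure in private mode, since the defaults pull from Docker Hub.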

Terraform docs

Requirements

Name Version
terraform >= 1.5
aws ~> 5.81.0
random ~> 3.6.3

Providers

Name Version
aws 5.81.0
random 3.6.3

Modules

Name Source Version
vpc terraform-aws-modules/vpc/aws n/a

Resources

Name Type
aws_acm_certificate.jitsi_public resource
aws_acm_certificate_validation.jitsi_public resource
aws_cloudwatch_log_group.cluster resource
aws_cloudwatch_log_group.jitsi_jicofo resource
aws_cloudwatch_log_group.jitsi_jvb resource
aws_cloudwatch_log_group.jitsi_prosody resource
aws_cloudwatch_log_group.jitsi_web resource
aws_ecr_repository.jitsi_jicofo resource
aws_ecr_repository.jitsi_jvb resource
aws_ecr_repository.jitsi_prosody resource
aws_ecr_repository.jitsi_web resource
aws_ecs_cluster.main resource
aws_ecs_cluster_capacity_providers.main resource
aws_ecs_service.jitsi_jicofo resource
aws_ecs_service.jitsi_jvb resource
aws_ecs_service.jitsi_prosody resource
aws_ecs_service.jitsi_web resource
aws_ecs_task_definition.jitsi_jicofo resource
aws_ecs_task_definition.jitsi_jvb resource
aws_ecs_task_definition.jitsi_prosody resource
aws_ecs_task_definition.jitsi_web resource
aws_iam_policy.jitsi_jicofo resource
aws_iam_policy.jitsi_jvb resource
aws_iam_policy.jitsi_prosody resource
aws_iam_policy.jitsi_web resource
aws_iam_policy.task_exe resource
aws_iam_role.jitsi_jicofo resource
aws_iam_role.jitsi_jvb resource
aws_iam_role.jitsi_prosody resource
aws_iam_role.jitsi_web resource
aws_iam_role.task_exe resource
aws_iam_role_policy_attachment.jitsi_jicofo resource
aws_iam_role_policy_attachment.jitsi_jvb resource
aws_iam_role_policy_attachment.jitsi_prosody resource
aws_iam_role_policy_attachment.jitsi_web resource
aws_iam_role_policy_attachment.task_exe resource
aws_kms_alias.cluster resource
aws_kms_alias.registry resource
aws_kms_key.cluster resource
aws_kms_key.registry resource
aws_lb.jitsi_public resource
aws_lb_listener.jitsi_jvb resource
aws_lb_listener.jitsi_jvb_fallback resource
aws_lb_listener.jitsi_web resource
aws_lb_target_group.jitsi_jvb resource
aws_lb_target_group.jitsi_jvb_fallback resource
aws_lb_target_group.jitsi_web resource
aws_route53_record.jitsi resource
aws_route53_record.jitsi_auth resource
aws_route53_record.jitsi_guest resource
aws_route53_record.jitsi_internal_muc resource
aws_route53_record.jitsi_muc resource
aws_route53_record.jitsi_public resource
aws_route53_record.jitsi_public_certificate_validation resource
aws_route53_record.jitsi_xmpp resource
aws_route53_zone.jitsi resource
aws_security_group.endpoints resource
aws_security_group.jitsi_jicofo resource
aws_security_group.jitsi_jvb resource
aws_security_group.jitsi_prosody resource
aws_security_group.jitsi_web resource
aws_security_group_rule.egress_jitsi_jicofo resource
aws_security_group_rule.egress_jitsi_jvb resource
aws_security_group_rule.egress_jitsi_prosody resource
aws_security_group_rule.egress_jitsi_web resource
aws_security_group_rule.endpoints_egress resource
aws_security_group_rule.endpoints_ingress resource
aws_security_group_rule.ingress_health_check_to_jitsi_jvb resource
aws_security_group_rule.ingress_jitsi_jicofo_to_jitsi_prosody_5222 resource
aws_security_group_rule.ingress_jitsi_jvb_to_jitsi_prosody_5222 resource
aws_security_group_rule.ingress_jitsi_prosody_to_jitsi_jicofo resource
aws_security_group_rule.ingress_jitsi_prosody_to_jitsi_jvb resource
aws_security_group_rule.ingress_jitsi_web_to_jitsi_prosody_5222 resource
aws_security_group_rule.ingress_jitsi_web_to_jitsi_prosody_5280 resource
aws_security_group_rule.ingress_jitsi_web_to_jitsi_prosody_5347 resource
aws_security_group_rule.ingress_lb_to_jitsi_jvb resource
aws_security_group_rule.ingress_lb_to_jitsi_jvb_fallback resource
aws_security_group_rule.ingress_lb_to_jitsi_web resource
aws_service_discovery_private_dns_namespace.jitsi resource
aws_service_discovery_service.jitsi_prosody resource
aws_ssm_parameter.jitsi_passwords resource
aws_vpc_endpoint.ecr_api resource
aws_vpc_endpoint.ecr_dkr resource
aws_vpc_endpoint.logs resource
aws_vpc_endpoint.s3 resource
aws_vpc_endpoint.ssm resource
aws_vpc_endpoint_subnet_association.ecr_api resource
aws_vpc_endpoint_subnet_association.ecr_dkr resource
aws_vpc_endpoint_subnet_association.logs resource
aws_vpc_endpoint_subnet_association.ssm resource
random_password.jitsi_passwords resource
aws_caller_identity.current data source
aws_region.current data source

Inputs

Name | Description | Type | Default | Required
allowed_account_ids | Allowed AWS accounts | list(string) | n/a | yes
aws_availability_zones | AWS Availability Zones to use | list(string) | ["eu-west-1a", "eu-west-1b"] | no
aws_region | AWS region to use | string | "eu-west-1" | no
deploy_in_private_subnets | When true, deploys the Jitsi services in private subnets without public IPs. Additional VPC endpoint costs are expected with a private network setup. | bool | false | no
domain_name | Public DNS name of the Jitsi instance | string | n/a | yes
hosted_zone_id | Route53 Hosted Zone ID of the Jitsi public domain | string | n/a | yes
jitsi_images | References to the Jitsi component Docker images. If you use the private registries deployed in this demo, each image must be prefixed by AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/jitsi-meet-mirror/ | object({ jicofo = string, jvb = string, prosody = string, web = string }) | { jicofo = "jitsi/jicofo", jvb = "jitsi/jvb", prosody = "jitsi/prosody", web = "jitsi/web" } | no
vpc_cidr | CIDR block of the VPC | string | "10.0.0.0/16" | no
vpc_private_subnets | CIDR blocks of the VPC private subnets | list | ["10.0.1.0/24", "10.0.2.0/24"] | no
vpc_public_subnets | CIDR blocks of the VPC public subnets | list | ["10.0.101.0/24", "10.0.102.0/24"] | no

Outputs

Name Description
jitsi_meet_endpoint n/a
