This is a terraform module to create a Rancher server on AWS. It is designed to work with host instances placed in autoscaling groups (see my hosts module) and handles (via a sidekick app) automatically deregistering hosts from the server on scale down.
The server is placed behind an Nginx proxy which is responsible for SSL termination.
- Automatic SSL provided by Lets Encrypt
- Stateless server container through the use of an external database
- Includes a sidekick app for automatically removing hosts due to be terminated by an autoscaling group (via autoscaling lifecycle hooks)
- Mostly configurable with variables (happy to accept PRs for new vars)
Include the following in your Terraform config:
module "rancher_server" {
# Import the module from Github
# It's probably better to fork or clone this repo if you intend to use in production
# so any future changes dont mess up your existing infrastructure.
source = ""
# Set the details of the target VPC
# Tip: this uses my VPC module:
vpc_id = "${module.vpc.vpc_id}"
vpc_region = "${module.vpc.vpc_region}"
vpc_private_subnets = "${module.vpc.vpc_private_subnets}"
vpc_private_subnet_ids = "${module.vpc.vpc_private_subnet_ids}"
# Server config
server_name = "rancher-server"
server_hostname = "rancher-server.yourdomain.tld"
keypair_name = "your_keypair_name" # if needed, create an aws_key_pair. See example below.
server_subnet_id = "${element(split(",", module.vpc.vpc_public_subnet_ids), 0)}"
server_version = "v0.42.0"
ssl_email = "[email protected]"
# Database
database_address = "dbhost"
database_username = "dbuser"
database_password = "dbpass"
# S3 bucket
# Added to allow specifying your own S3 bucket name to get around errors like this:
# `Error creating S3 bucket: BucketAlreadyExists: The requested bucket name is not available.
# The bucket namespace is shared by all users of the system. Please select a different name and try again.`
s3_bucket_name = "rancher-server.yourdomain.tld-credentials"
- The rancher server takes a minute or so to start up and longer on initial bootstrap.. give it at least 10 mins after terraform has finished creating all the resources.
- On initial bootstrap, the server will be unprotected.. the first thing you should do is configure access control!
- The hostname should be routable to the server before creating hosts - the best way to do this is with Route53 and a terraform config (see example below).
- The rancher database should already be created (Rancher will bootstrap the tables but wont create the DB, see example below).
# Import the keypair
resource "aws_key_pair" "keypair" {
key_name = "${var.server_name}-key"
public_key = "${file("${var.server_key}")}"
lifecycle {
create_before_destroy = true
resource "aws_route53_record" "server_hostname" {
name = "rancher-server.yourdomain.tld"
type = "A"
ttl = "30"
records = [
lifecycle {
create_before_destroy = true
# Subnet groups
resource "aws_db_subnet_group" "default" {
name = "main"
description = "Database VPC private subnets"
subnet_ids = [
lifecycle {
create_before_destroy = true
# Security group
resource "aws_security_group" "db" {
name = "Rancher-Database-SG"
description = "Allow rancher server to access database server."
vpc_id = "${module.vpc.vpc_id}"
# Allow traffic from the rancher server security group
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [
lifecycle {
create_before_destroy = true
# Database instance
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.6.23"
identifier = "rancher-database"
instance_class = "db.t2.micro"
final_snapshot_identifier = "rancher-database-final"
publicly_accessible = false
db_subnet_group_name = "${}"
vpc_security_group_ids = [
# Database details
name = "rancherserverdb"
username = "root"
password = "password01"
lifecycle {
create_before_destroy = true