AWS ECS Environment and Secrets Map
Purpose
This document captures the current production environment values that need to move into ECS task definitions, AWS Secrets Manager, or AWS Systems Manager Parameter Store.
The values below were provided from the production runtime configuration. They are not all frontend-only settings. In practice, this map applies to the application runtime that serves the frontend and API stack.
Classification
Store in Secrets Manager
These values are sensitive and should not be stored in plain ECS environment variables:
- POSTGRES_PASSWORD
- SECRET_KEY
- REDIS_PASSWORD
Store in Parameter Store or Plain ECS Environment Variables
These values are configuration, not secrets:
- POSTGRES_SERVER
- POSTGRES_USER
- POSTGRES_DB
- POSTGRES_PORT
- POSTGRES_READ_PORT
- ALGORITHM
- ACCESS_TOKEN_EXPIRE_MINUTES
- API_V1_STR
- API_URL
- PROJECT_NAME
- REDIS_HOST
- REDIS_PORT
- REDIS_USERNAME
- REDIS_CLUSTER_MODE
- REDIS_CACHE_TTL
- REDIS_TLS_ENABLED
- REDIS_TLS_CERT_REQS
- REDIS_TLS_CA_CERTS_FILE
- REDIS_TLS_CERTFILE
- REDIS_TLS_KEYFILE
Current Production Values
| Variable | Current Value | Classification | ECS Target |
|---|---|---|---|
| POSTGRES_SERVER | production-haproxy.timescale.glimpse.internal | Config | ECS env or Parameter Store |
| POSTGRES_USER | tracker | Config | ECS env or Parameter Store |
| POSTGRES_PASSWORD | blank in the provided export | Secret | Secrets Manager |
| POSTGRES_DB | tracker | Config | ECS env or Parameter Store |
| POSTGRES_PORT | 5432 | Config | ECS env or Parameter Store |
| POSTGRES_READ_PORT | 5433 | Config | ECS env or Parameter Store |
| SECRET_KEY | blank in the provided export | Secret | Secrets Manager |
| ALGORITHM | HS256 | Config | ECS env or Parameter Store |
| ACCESS_TOKEN_EXPIRE_MINUTES | 30 | Config | ECS env or Parameter Store |
| API_V1_STR | https://tracker.glimpse.technology/api/v1 | Config | ECS env or Parameter Store |
| API_URL | https://tracker.glimpse.technology | Config | ECS env or Parameter Store |
| PROJECT_NAME | Tracker API | Config | ECS env or Parameter Store |
| REDIS_HOST | clustercfg.tracker.gpaazd.memorydb.eu-west-2.amazonaws.com | Config | ECS env or Parameter Store |
| REDIS_PORT | 6379 | Config | ECS env or Parameter Store |
| REDIS_USERNAME | tracker | Config | ECS env or Parameter Store |
| REDIS_PASSWORD | blank in the provided export | Secret | Secrets Manager |
| REDIS_CLUSTER_MODE | true | Config | ECS env or Parameter Store |
| REDIS_CACHE_TTL | 3600 | Config | ECS env or Parameter Store |
| REDIS_TLS_ENABLED | true | Config | ECS env or Parameter Store |
| REDIS_TLS_CERT_REQS | none | Config | ECS env or Parameter Store |
| REDIS_TLS_CA_CERTS_FILE | blank in the provided export | Config | ECS env or Parameter Store |
| REDIS_TLS_CERTFILE | blank in the provided export | Config | ECS env or Parameter Store |
| REDIS_TLS_KEYFILE | blank in the provided export | Config | ECS env or Parameter Store |
Migration Notes
Production Redis Platform
The production cache/queue layer is an AWS MemoryDB Valkey cluster.
Observed production ARN:
arn:aws:memorydb:eu-west-2:951665295205:cluster/tracker
Application Scope
These variables should be attached to the ECS task definition for the application runtime, not baked into the container image.
Recommended Secret Names
Use a naming pattern that keeps staging and production separate, for example:
- tracker/prod/secret-key
- tracker/prod/postgres-password
- tracker/prod/redis-password
- tracker/staging/secret-key
- tracker/staging/postgres-password
- tracker/staging/redis-password
Recommended Config Split
Keep these outside Secrets Manager unless they later become sensitive:
- API base URLs
- database hostnames and ports
- Redis hostnames and ports
- token lifetime settings
- JWT algorithm
- cluster mode flags
Notes on Blank Values
The blank values in the production export should be treated as placeholders, not as safe defaults. They still need to be sourced from the appropriate secret store in ECS.
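
The classification, the recommended secret names and the blank-value rule above can be checked mechanically against an ECS container definition before it is registered. The following is an added example, not part of the original document or the project's code; the function names, account ID, ARN suffixes and container name are constructed for illustration, and it assumes the three secrets are referenced by full Secrets Manager ARN in the container definition's secrets list.

```python
import re

# Variables this page classifies as secrets; the rest of its table is config.
SECRET_VARS = {"POSTGRES_PASSWORD", "SECRET_KEY", "REDIS_PASSWORD"}
ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:(?P<name>.+)$")

def expected_secret_name(var: str, env: str) -> str:
    """Page's naming pattern: SECRET_KEY in prod -> tracker/prod/secret-key."""
    return f"tracker/{env}/{var.lower().replace('_', '-')}"

def lint_container(container: dict, env: str) -> list:
    """Findings for one containerDefinitions entry; env is 'prod' or 'staging'."""
    plain = {e["name"]: e.get("value", "") for e in container.get("environment", [])}
    refs = {s["name"]: s.get("valueFrom", "") for s in container.get("secrets", [])}
    findings = []
    for var in sorted(SECRET_VARS):
        if var in plain:
            findings.append(f"{var}: secret placed in plain 'environment'")
        m = ARN_RE.match(refs.get(var, ""))
        if m is None:
            findings.append(f"{var}: no Secrets Manager ARN under 'secrets'")
            continue
        # Secrets Manager appends "-" plus six random characters to the name.
        actual, wanted = m["name"][:-7], expected_secret_name(var, env)
        if actual != wanted:
            findings.append(f"{var}: points at {actual}, expected {wanted}")
    for var, value in sorted(plain.items()):
        if var not in SECRET_VARS and not value.strip():
            findings.append(f"{var}: blank placeholder, not a safe default")
    return findings

# Constructed sample: account ID, ARN suffixes and container name are made up.
ARN = "arn:aws:secretsmanager:eu-west-2:111122223333:secret:"
SAMPLE = {
    "name": "tracker-api",
    "environment": [
        {"name": "POSTGRES_PORT", "value": "5432"},
        {"name": "POSTGRES_PASSWORD", "value": ""},        # secret in plain env
        {"name": "REDIS_TLS_CA_CERTS_FILE", "value": ""},  # blank from the export
    ],
    "secrets": [
        {"name": "SECRET_KEY", "valueFrom": ARN + "tracker/prod/secret-key-AbCdEf"},
        {"name": "REDIS_PASSWORD", "valueFrom": ARN + "tracker/staging/redis-password-AbCdEf"},
    ],
}

if __name__ == "__main__":
    print("\n".join(lint_container(SAMPLE, "prod")))
```

Run against the constructed sample, it reports the password left in the plain environment list, the production task pointing at a staging secret, and the blank TLS CA file entry.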