
AWS ECS Environment and Secrets Map

Purpose

This document captures the current production environment values that need to move into ECS task definitions, AWS Secrets Manager, or AWS Systems Manager Parameter Store.

The values below were provided from the production runtime configuration. They are not all frontend-only settings. In practice, this map applies to the application runtime that serves the frontend and API stack.

Classification

Store in Secrets Manager

These values are sensitive and should not be stored in plain ECS environment variables:

  • POSTGRES_PASSWORD
  • SECRET_KEY
  • REDIS_PASSWORD

Store in Parameter Store or Plain ECS Environment Variables

These values are configuration, not secrets:

  • POSTGRES_SERVER
  • POSTGRES_USER
  • POSTGRES_DB
  • POSTGRES_PORT
  • POSTGRES_READ_PORT
  • ALGORITHM
  • ACCESS_TOKEN_EXPIRE_MINUTES
  • API_V1_STR
  • API_URL
  • PROJECT_NAME
  • REDIS_HOST
  • REDIS_PORT
  • REDIS_USERNAME
  • REDIS_CLUSTER_MODE
  • REDIS_CACHE_TTL
  • REDIS_TLS_ENABLED
  • REDIS_TLS_CERT_REQS
  • REDIS_TLS_CA_CERTS_FILE
  • REDIS_TLS_CERTFILE
  • REDIS_TLS_KEYFILE

Current Production Values

| Variable | Current Value | Classification | ECS Target |
| --- | --- | --- | --- |
| POSTGRES_SERVER | production-haproxy.timescale.glimpse.internal | Config | ECS env or Parameter Store |
| POSTGRES_USER | tracker | Config | ECS env or Parameter Store |
| POSTGRES_PASSWORD | blank in the provided export | Secret | Secrets Manager |
| POSTGRES_DB | tracker | Config | ECS env or Parameter Store |
| POSTGRES_PORT | 5432 | Config | ECS env or Parameter Store |
| POSTGRES_READ_PORT | 5433 | Config | ECS env or Parameter Store |
| SECRET_KEY | blank in the provided export | Secret | Secrets Manager |
| ALGORITHM | HS256 | Config | ECS env or Parameter Store |
| ACCESS_TOKEN_EXPIRE_MINUTES | 30 | Config | ECS env or Parameter Store |
| API_V1_STR | https://tracker.glimpse.technology/api/v1 | Config | ECS env or Parameter Store |
| API_URL | https://tracker.glimpse.technology | Config | ECS env or Parameter Store |
| PROJECT_NAME | Tracker API | Config | ECS env or Parameter Store |
| REDIS_HOST | clustercfg.tracker.gpaazd.memorydb.eu-west-2.amazonaws.com | Config | ECS env or Parameter Store |
| REDIS_PORT | 6379 | Config | ECS env or Parameter Store |
| REDIS_USERNAME | tracker | Config | ECS env or Parameter Store |
| REDIS_PASSWORD | blank in the provided export | Secret | Secrets Manager |
| REDIS_CLUSTER_MODE | true | Config | ECS env or Parameter Store |
| REDIS_CACHE_TTL | 3600 | Config | ECS env or Parameter Store |
| REDIS_TLS_ENABLED | true | Config | ECS env or Parameter Store |
| REDIS_TLS_CERT_REQS | none | Config | ECS env or Parameter Store |
| REDIS_TLS_CA_CERTS_FILE | blank in the provided export | Config | ECS env or Parameter Store |
| REDIS_TLS_CERTFILE | blank in the provided export | Config | ECS env or Parameter Store |
| REDIS_TLS_KEYFILE | blank in the provided export | Config | ECS env or Parameter Store |

Migration Notes

Production Redis Platform

The production cache/queue layer is an AWS MemoryDB Valkey cluster.

Observed production ARN:

  • arn:aws:memorydb:eu-west-2:951665295205:cluster/tracker

Application Scope

These variables should be attached to the ECS task definition for the application runtime, not baked into the container image.

Use a naming pattern that keeps staging and production separate, for example:

  • tracker/prod/secret-key
  • tracker/prod/postgres-password
  • tracker/prod/redis-password
  • tracker/staging/secret-key
  • tracker/staging/postgres-password
  • tracker/staging/redis-password

Keep these outside Secrets Manager unless they later become sensitive:

  • API base URLs
  • database hostnames and ports
  • Redis hostnames and ports
  • token lifetime settings
  • JWT algorithm
  • cluster mode flags

Notes on Blank Values

The blank values in the production export should be treated as placeholders, not as safe defaults. They still need to be sourced from the appropriate secret store in ECS.
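
One way to turn the classification and naming pattern above into the `environment` and `secrets` lists of an ECS container definition, as an added example (not code from this project). The helper names, the sample values and the ARN prefix are constructed assumptions; a real Secrets Manager ARN ends in a random suffix, so take the final `valueFrom` from the secret once it is created.

```python
import json

# Classification taken from the page: only these three go to Secrets Manager.
SECRET_VARS = {"POSTGRES_PASSWORD", "SECRET_KEY", "REDIS_PASSWORD"}

# Constructed sample export (hypothetical values; blanks kept as '').
SAMPLE = {
    "POSTGRES_SERVER": "db.example.internal", "POSTGRES_PASSWORD": "",
    "SECRET_KEY": "", "REDIS_PASSWORD": "", "ALGORITHM": "HS256",
    "REDIS_TLS_CA_CERTS_FILE": "",
}


def secret_name(app, env, var):
    """Name in the page's pattern, e.g. tracker/prod/secret-key."""
    return f"{app}/{env}/{var.lower().replace('_', '-')}"


def build_container_env(values, env, arn_prefix, app="tracker"):
    """Return (environment, secrets, unresolved) for a container definition.

    arn_prefix is an assumed placeholder such as
    'arn:aws:secretsmanager:<region>:<account-id>:secret:'.
    """
    environment, secrets, unresolved = [], [], []
    for name in sorted(values):
        if name in SECRET_VARS:
            # Reference the secret by ARN; the value itself is never copied.
            secrets.append({"name": name,
                            "valueFrom": arn_prefix + secret_name(app, env, name)})
        elif values[name] == "":
            # A blank config value is a placeholder, not a default: report it.
            unresolved.append(name)
        else:
            environment.append({"name": name, "value": values[name]})
    return environment, secrets, unresolved


def leaked_secrets(container_def):
    """Secret variable names that appear in the plain `environment` list."""
    return sorted(e["name"] for e in container_def.get("environment", [])
                  if e["name"] in SECRET_VARS)


if __name__ == "__main__":
    prefix = "arn:aws:secretsmanager:eu-west-2:123456789012:secret:"  # constructed
    env, sec, todo = build_container_env(SAMPLE, "prod", prefix)
    print(json.dumps({"environment": env, "secrets": sec}, indent=2))
    print("unresolved:", todo, "leaked:", leaked_secrets({"environment": env}))
```

`leaked_secrets` can also be run over an existing task definition's container entries to catch a secret that was placed in plain environment variables.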