A successful Seqera Platform deployment requires making decisions about networking, security posture, container orchestration, permissions, etc. which can sometimes be overwhelming to a client administrator who just wants to get their users onboarded and using the features offered by the Platform.
The Seqera CX team has developed a field tool to simplify deployment in two ways:
-
Reduce the infrastructure and configuration burden, so that a first-time deployment of Seqera Platform Enterprise requires less than 1 hour of work and only a few minutes for subsequent redeployments.
-
Provide an Infrastructure-As-Code (IaC) solution so activities are repeatable and artifacts can be checked into source-control.
- Disclaimer
- Supported Versions & Components
- Appropriateness Criteria
- Prerequisites
- Configuration Steps (Mandatory)
- Configuration Steps (Optional)
- Execution Steps
- Warnings
- Multiple Deployment Consideration
This is an unofficial field tool. Use at your own discretion!!
The solution is delivered on a best-effort basis, but provides no guarantees of appropriateness for your specific scenario. Please conduct your due diligence prior to execution within your environment.
For further information on how the project is managed, please see:
-
Terraform Assets
Project resources (generated by terraform-docs). -
Design Decisions
Information about project structure, design decisions, and assumptions made. -
Security Scanning
How we scan for / mitigate security vulnerabilities found within the solution. -
Deficiencies & Gotchas
Information on existing deficiencies and gotchas. -
Software License Warning Ensure you are compliant with software licenses.
This section calls out the version floors and component-lifecycle notices that affect what you can expect from this installer.
-
Seqera Platform v25 or later. Earlier versions are no longer maintained here. If you need to deploy a pre-v25 version of Seqera Platform — for example, to reproduce an existing customer environment — check out the
legacy-final-pre-v25tag (created May 6/26), which marks the final commit that supported the legacy version range:git checkout legacy-final-pre-v25
New features and fixes are not backported to that tag.
-
Seqerakit components are deprecated (as of Release 1.8, circa 2026-06-17). The existing
seqerakit_*tfvars, the post-deployment seqerakit step, and the generatedseqerakit.ymltemplate remain in the repo to avoid breaking in-flight deployments, but they are no longer actively maintained and are not guaranteed to work out of the box. This functionality will be replaced in future with the seqera Terraform provider.
You must meet the following criteria to use this solution successfully.
- You are a client of Seqera Labs.
- You will run Seqera Platform in AWS.
- Your corporate policies allow you to store secrets in AWS Systems Manager Parameter Store (SSM).
- You have access to a local Linux-based terminal (Mac supported, with caveats).
- You can use Terraform to provision infrastructure.
- You use OpenSSH and can maintain a
~/.ssh/configfile. - (New as of May 21, 2025) You have access to a local container runtime (e.g. Docker).
- (New as of 2026-05-06) You are deploying Seqera Platform v25 or later. For pre-v25 deployments, see Supported Versions & Components.
See Tool Dependencies for tooling requirements.
See Permissions for the required AWS IAM permissions.
See Configuration Files for file details.
-
Download a copy of the repository to your local workstation:
git clone <path_to_offical_repo> && cd <name_of_local_directory>
-
Select a name for your Seqera Platform application (default:
tower-template).This is a namespace isolator which prevents concurrent instances (e.g.,
devandprod) from accidentally sharing configurations.
-
Follow the instructions in Prepare Secrets and then return here.
-
Follow the instructions in Prepare SSM Secrets and then return here.
Remember your application name and SSM prefixes, as these are required for later configuration steps.
- Follow the instructions in Prepare TFvars.
- Follow the instructions in Prepare AWS IAM Permissions.
- Follow the instructions in Prepare OpenSSH.
The following configuration actions are encouraged but not mandatory.
- Follow the instructions in Review Terraform State Strategy.
- Follow the instructions in Fusion Binary Vendoring.
- Follow the instructions in Update Githooks Settings.
- Follow the instructions in Crypto Secret Rotation.
- Follow the instructions in Private Certificates
- Follow the instructions in Using AWS EC2 Instance Role
- Follow the instructions in Data Lineage.
-
Via terminal, navigate to the project root and initialize the project:
$ terraform init
-
Create and review an execution plan:
# Recommended approach. # Execute the Seqera-supplied Python script to check your `terraform.tfvars` file for known configuration conflicts prior to terraform binary invocation. $ make plan # Alternative approach. # Execute plan without Python script verification execution. $ terraform plan
-
Execute the actions reviewed in the Terraform plan:
# Recommended approach. # Execute the Seqera-supplied Python script to check your `terraform.tfvars` file for known configuration conflicts prior to terraform binary invocation. $ make apply # Alternative approach. # Execute plan without Python script verification execution. # Note: You can append `--auto-approve` to the end of the command to avoid the need to type 'yes' to approve the deployment. $ terraform apply
- To destroy the deployed infrastructure:
$ terraform destroy
Please see Upgrade Steps for instructions on how to upgrade an existing installation to a new Release.
-
If a database (regardless if container or RDS) was created as part of the deployment, teardown will destroy it and all data within.
Prior to deletion, consider backing up your database if the data may be needed in future. -
Terraform is not aware of actions executed within the Seqera Platform (i.e., invocation of Tower Forge to create compute environments by users / automation tools like Seqerakit). Executing
terraform destroywithout first conducting a purge of objects within Seqera Platform will result in orphaned assets in your AWS Account.
Given client environment variability, Seqera offers no official guidance re: how best to run multiple concurrent implementations (e.g. entirely separate repositories, different branches in a monorepo, Terraform workspaces, git submodules, etc). Each site must decide what is best for them and implement accordingly.
With that said, for design purposes, this tool assumes that multiple project instances will live in the same filesystem (each within its own exclusive namespace). Each project's ssh_config file uses an alias matching the unique app_name from your tfvars file, making it possible to add multiple non-conflicting Include statements in your ~/.ssh/config.