Deploy to AWS

For production workloads — multiple users, customer-facing test runs, compliance requirements — running QAID on AWS gives you the durability and isolation a serious deployment needs. The Terraform module provisions everything for you.

For a simpler single-VM deployment, see Install with Docker.

Sizing guidance

RAM is the binding constraint — each concurrent browser instance for test execution needs roughly 200–500 MB.

Total monthly AWS cost for the default sizing: roughly $130–180/month depending on traffic and data transfer.

Prerequisites

• AWS account with admin or equivalent permissions
• Domain name with DNS pointed at AWS Route 53 (or willingness to delegate)
• Terraform v1.5+ installed locally
• AWS CLI v2 configured with credentials
• A QAID license from your administrator

Deploy

The full Terraform module ships with QAID under infra/. The deployment is a two-step process:

1. Provision infrastructure

cd infra/

# Initialize Terraform
terraform init

# Review what will be created
terraform plan -var-file=environments/production.tfvars

# Apply (creates VPC, ALB, EC2, RDS, Route 53 records, ACM cert)
terraform apply -var-file=environments/production.tfvars

Provisioning takes about 10–15 minutes — most of that is the RDS instance and ACM certificate validation.

2. Configure and deploy QAID

After Terraform finishes, it outputs the EC2 instance ID and an SSH command. Connect via SSM Session Manager (no public IP needed):

aws ssm start-session --target <instance-id>

Once on the instance:

cd /opt/qaid

# .env was pre-populated by Terraform with the RDS connection string,
# license server URL, and generated secrets. Verify it looks right.
cat .env

# Start QAID
docker compose up -d

Visit https://your-domain.com and complete First-Run Setup.

DNS and TLS

The Terraform module assumes your domain's hosted zone is in Route 53 in the same AWS account. It creates:

• An A-record alias from your domain to the ALB
• An ACM wildcard certificate (*.your-domain.com) for TLS
• DNS validation records for the cert

If your domain is registered elsewhere, point the nameservers at the Route 53 hosted zone before running terraform apply.

Outbound network requirements

The QAID EC2 instance needs outbound HTTPS access to:

The default VPC routes outbound traffic through a NAT Gateway in the public subnet.

Cost optimization

The biggest cost driver is the NAT Gateway (~$32/month + data transfer). A few optimizations:

• VPC endpoints for AWS services — keeps internal AWS traffic off NAT Gateway. Already configured in the Terraform module.
• NAT instance instead of NAT Gateway — at low scale, a t3.nano NAT instance costs ~$4/month vs. $32 for the managed NAT Gateway. Trade off is reliability + manual maintenance. Suitable for non-production.
• Single AZ — the default spans 2 AZs for HA. For evaluation, you can run single-AZ to halve the data transfer cost.

Backups

RDS automated backups are configured by default:

• Daily snapshots, retained 7 days
• Point-in-time recovery for the last 24 hours
• Final snapshot on instance termination

For QAID's runtime data (screenshots, snapshots) stored on the EC2 instance, the Terraform module configures an EBS snapshot policy (daily, 7-day retention).

Upgrades

Updating QAID on AWS is the same docker compose pull && docker compose up -d flow as the Docker install. See Upgrading for details.

Infrastructure changes (EC2 instance type, RDS class, etc.) go through terraform apply — usually a rolling update with brief downtime.

Next steps

• Configuration Reference — full list of environment variables
• First-Run Setup — admin account, license activation, Anthropic API key
• Upgrading — how to safely move to a new version