Terraform module for OpenClaw AI agent gateway on AWS with ALB, Cognito authentication, EFS persistence, and multi-provider LLM support (Bedrock, Anthropic, OpenAI, Ollama).
Replaces curl-pipe-sh defaults with Cognito MFA and proper AWS security patterns.
DevOps engineers deploying AI gateways
terraform-aws-modules · Pulumi AI templates
So I built a Terraform module that replaces the defaults with what I'd consider production-grade:
* Cognito + ALB instead of a shared gateway token (per-user identity, MFA) * GPG-verified APT packages instead of curl|bash * systemd with ProtectHome=tmpfs and BindPaths sandboxing * Secrets Manager + KMS instead of plaintext API keys * EFS for persistence across instance replacement * CloudWatch logging with 365-day retention Bedrock is the default LLM provider so it works without any API keys. One terraform apply. Full security writeup: https://infrahouse.com/blog/2026-03-09-deploying-openclaw-on...
I'm sure I've missed things. What would you add or do differently for running an autonomous agent with shell access on a shared server?
Two lines in your flake flip OpenClaw from alarmingly exposed to locked-down: gateway auth, localhost binding, Caddy auto-TLS, strict systemd directives, tool allowlists, and fail2ban are all wired in. It's a pragmatic, opinionated safety wrapper that saves you from the default footguns — just expect it to be useful only if you already live in the NixOS/OpenClaw world.
Lambda reconciliation loop scales NAT to zero, saving costs versus NAT Gateway for sporadic workloads.
Terraform-native ISO controls are table stakes; unclear if reports actually satisfy auditors.
Turns docker-compose into real Terraform modules you actually own and can edit.
Malicious OpenClaw skill scanner, but the market for hardening OpenClaw specifically is tiny.
Hardened Rust alternative to OpenClaw, but early (v0.1 preview, still rough edges).
