Overview

Deploy OpenTaco Statesman on AWS App Runner for the fastest setup. App Runner provides a managed HTTPS URL automatically — no custom domain or ACM certificate required. Terraform example path: taco/examples/aws-apprunner-quickstart

Prerequisites

  • AWS CLI and Docker installed and logged in
  • Terraform >= 1.4
  • An existing S3 bucket and prefix for OpenTaco state
  • Optional: OIDC provider (e.g., Auth0)

1) Mirror image to ECR (copy/paste)

App Runner pulls images from ECR. Run these commands to mirror the public image (region: us-east-1, repo: opentaco-statesman):
aws ecr create-repository --repository-name opentaco-statesman --region us-east-1

aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin \
  $(aws sts get-caller-identity --query Account --output text).dkr.ecr.us-east-1.amazonaws.com

docker pull --platform linux/amd64 ghcr.io/diggerhq/digger/taco-statesman:latest

docker tag ghcr.io/diggerhq/digger/taco-statesman:latest \
  $(aws sts get-caller-identity --query Account --output text).dkr.ecr.us-east-1.amazonaws.com/opentaco-statesman:latest

docker push \
  $(aws sts get-caller-identity --query Account --output text).dkr.ecr.us-east-1.amazonaws.com/opentaco-statesman:latest

Notes:

  • Terraform defaults use ecr_repo_name = "opentaco-statesman" and image_tag = "latest", so no extra configuration is needed if you keep the commands as is.

2) Configure variables

Create terraform.tfvars:
aws_region    = "us-east-1"
bucket_name   = "your-s3-bucket"
bucket_prefix = "opentaco"
ecr_repo_name = "opentaco-statesman"
image_tag     = "latest"

# Start with auth disabled to get the service URL first
opentaco_auth_disable = true

3) Deploy and get URL

terraform init
terraform apply -auto-approve
terraform output service_url  # HTTPS URL from App Runner

Health check:

curl $(terraform output -raw service_url)/readyz

Expected:

{"service":"opentaco","status":"ok"}

4) Enable SSO

Follow the Configure SSO guide (./sso) for IdP setup details. Then update terraform.tfvars with your OIDC values, set opentaco_public_base_url to the service_url output, and apply again:
opentaco_public_base_url = "https://xxxxxxxx.awsapprunner.com"
opentaco_auth_disable    = false
opentaco_auth_issuer        = "https://your-tenant.auth0.com/"  # trailing slash required
opentaco_auth_client_id     = "your_client_id"
opentaco_auth_client_secret = "your_client_secret"
opentaco_auth_auth_url      = "https://your-tenant.auth0.com/authorize"
opentaco_auth_token_url     = "https://your-tenant.auth0.com/oauth/token"
Add the callback URL to your IdP:
[SERVICE_URL]/oauth/oidc-callback
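Two of the values above are easy to get wrong before the second apply: the issuer must keep its trailing slash, and opentaco_auth_disable must be flipped back to false once SSO is configured. The following added pre-apply check (example code, not part of the OpenTaco project) parses the flat key = value subset of HCL used by this terraform.tfvars, reports those problems, and derives the callback URL to register at the IdP; the sample file is constructed here with the issuer's slash deliberately missing.

```python
import re

# Constructed sample: the step-4 tfvars with the issuer's trailing slash missing.
SAMPLE_TFVARS = '''
opentaco_public_base_url = "https://xxxxxxxx.awsapprunner.com"
opentaco_auth_disable    = false
opentaco_auth_issuer        = "https://your-tenant.auth0.com"  # trailing slash required
opentaco_auth_client_id     = "your_client_id"
opentaco_auth_client_secret = "your_client_secret"
opentaco_auth_auth_url      = "https://your-tenant.auth0.com/authorize"
opentaco_auth_token_url     = "https://your-tenant.auth0.com/oauth/token"
'''

AUTH_KEYS = ("opentaco_auth_issuer", "opentaco_auth_client_id",
             "opentaco_auth_client_secret", "opentaco_auth_auth_url",
             "opentaco_auth_token_url")

# Matches `key = "string"` or `key = true|false`, with an optional trailing comment.
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(true|false))\s*(?:#.*)?$')


def parse_tfvars(text):
    """Parse the flat subset of HCL used by this tfvars file into a dict."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, string, boolean = m.groups()
            values[key] = string if string is not None else (boolean == "true")
    return values


def check_sso_tfvars(text):
    """Return a list of problems; an empty list means the file is ready to apply."""
    v = parse_tfvars(text)
    if v.get("opentaco_auth_disable", False) is True:
        # Leaving auth disabled exposes the service URL without any login.
        return ["opentaco_auth_disable is true: the service URL is reachable without login"]
    problems = [f"{k} is missing or empty" for k in AUTH_KEYS if not v.get(k)]
    issuer = v.get("opentaco_auth_issuer", "")
    if issuer and not issuer.endswith("/"):
        problems.append("opentaco_auth_issuer must end with a trailing slash")
    if not v.get("opentaco_public_base_url", "").startswith("https://"):
        problems.append("opentaco_public_base_url must be the HTTPS service_url")
    return problems


def callback_url(text):
    """Derive the redirect URL to register at the IdP from the public base URL."""
    base = parse_tfvars(text)["opentaco_public_base_url"].rstrip("/")
    return base + "/oauth/oidc-callback"


if __name__ == "__main__":
    print(check_sso_tfvars(SAMPLE_TFVARS))
    print(callback_url(SAMPLE_TFVARS))
```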

Notes

  • No custom domain or certificate needed; App Runner manages HTTPS for you.
  • The service uses an IAM instance role for S3 access, so no AWS access keys are required in the container.
  • You can later attach a custom domain to App Runner if desired (optional).

5) Install Taco CLI

Use the same install steps as in the main Quickstart.
First, visit the releases page (https://github.com/diggerhq/digger/releases) and check the latest taco/cli release. At the time of writing it is v0.1.7.

# For Linux AMD64 (most common)
curl -L https://github.com/diggerhq/digger/releases/download/taco/cli/v0.1.7/taco-linux-amd64 -o taco
chmod +x taco

# Move to a directory in your PATH
sudo mv taco /usr/local/bin

# Alternative: Install to user directory (no sudo required)
mkdir -p ~/.local/bin
mv taco ~/.local/bin
# Add to PATH in your shell profile if not already there
echo 'export PATH=$HOME/.local/bin:$PATH' >> ~/.bashrc
source ~/.bashrc

For other architectures:

# For Linux ARM64
curl -L https://github.com/diggerhq/digger/releases/download/taco/cli/v0.1.7/taco-linux-arm64 -o taco

# For Linux 386
curl -L https://github.com/diggerhq/digger/releases/download/taco/cli/v0.1.7/taco-linux-386 -o taco

Confirm Taco CLI is available with:

taco --help

6) Login with Taco

Set the server URL to the App Runner service_url and log in:
taco setup    # set the server URL to the service_url output
taco login    # runs the PKCE login flow