Self-hosted Depot builders
Work continues on self-hosted Depot builders. As we revealed last month, we are developing the ability for organizations to connect an AWS account to their Depot organization, after which project builds run inside the connected account instead of inside Depot's infrastructure providers. This allows organizations with special requirements to use Depot while keeping their project data entirely inside their own account.
As we near a beta release of self-hosted builders, we have settled on the following architecture:
- Organizations create a cloud connection in their Depot organization, providing their AWS account ID
- Organizations launch a set of AWS resources (VPC, launch templates, etc.) inside their account — we will provide an open-source Terraform module to make this easy
- An open-source `cloud-agent` process runs inside the organization's AWS account — it is responsible for launching and managing the instances needed for project builds, with minimal IAM permissions
- Inside the launched instances, an open-source `machine-agent` is responsible for communicating with the Depot API and running any software needed for the build
We've chosen this architecture primarily to minimize blast radius and security footprint. All software running inside organization cloud accounts is open-source and auditable, and we do not share AWS account credentials or cross-account roles with the hosted Depot service.
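To make the "minimal IAM permissions" point concrete, the following is an added illustration of what a least-privilege policy for an instance-launching agent can look like. It is not Depot's Terraform module or the actual policy the cloud-agent ships with; the region, account ID, launch template ID, and the `managed-by` tag name are placeholders chosen for this example. The policy confines the agent to launching instances from one specific launch template, requires it to tag every instance it creates, and lets it stop, start, or terminate only instances carrying that tag, so a compromised agent cannot touch other workloads in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyFromApprovedTemplate",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:launch-template/lt-PLACEHOLDER",
        "arn:aws:ec2:REGION:ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:REGION::image/ami-*"
      ]
    },
    {
      "Sid": "LaunchedInstancesMustBeTagged",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/managed-by": "build-agent" }
      }
    },
    {
      "Sid": "TagOnlyAtLaunchTime",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:*/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    },
    {
      "Sid": "ManageOnlyInstancesItLaunched",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/managed-by": "build-agent" }
      }
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*"
    }
  ]
}
```

The `Describe*` actions use `"Resource": "*"` because EC2 does not support resource-level permissions for them; every mutating action is scoped by ARN and tag condition. Pairing the `aws:RequestTag` condition on `RunInstances` with the `ec2:CreateAction` condition on `CreateTags` is what prevents the agent from retagging an existing instance to bring it under its own control. Reviewing a policy like this, together with the open-source agent code, is the audit an organization would perform before trusting an agent inside its account.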
We expect to have support for self-hosted builders completed for AWS by the end of August, and expect to expand to other cloud providers in the future.