Setting up Braintrust in your AWS Account
This guide walks through the process of setting up Braintrust in your AWS account using Terraform. This is the recommended way to self-host Braintrust on AWS.
Setting up the Data Plane
Configure the Terraform module
First, you'll need to instantiate the Braintrust Terraform module in your own repository. The module contains all the necessary resources for a self-hosted Braintrust data plane. We recommend created a dedicated AWS account for your Braintrust deployment, but it is not required.
We provide an example configuration in the terraform-braintrust-data-plane repository. Copy the entire contents of the examples/braintrust-data-plane
directory into your own repository.
You'll need to modify several files:
provider.tf
: Configure your AWS account and regionterraform.tf
: Set up your remote backend (typically S3 and DynamoDB)main.tf
: Customize the Braintrust deployment settings
The default settings in main.tf
are suitable for a small development deployment. Adjust them based on your needs.
Initialize AWS account
If you're using a new AWS account, you'll need to create service-linked roles first:
This script ensures all necessary IAM service-linked roles are created for the deployment.
Configure Brainstore license
You'll need a Brainstore license key to complete the deployment. You can find this in the Braintrust UI under Settings > Data Plane.
Do not commit the license key to your git repository. Instead, use one of these methods:
- Set
TF_VAR_brainstore_license_key=your-key
in your environment - Pass it via command line:
terraform apply -var 'brainstore_license_key=your-key'
- Add it to an uncommitted
terraform.tfvars
or.auto.tfvars
file - Store it in AWS Secrets Manager and load it at runtime using the
aws_secretsmanager_secret_version_source
data source
Deploy the module
Initialize and apply the Terraform configuration:
This will create all necessary AWS resources including:
- VPC with public & private subnets
- Lambda functions for the Braintrust API
- Public Cloudfront endpoint and API Gateway
- EC2 Auto-scaling group for Brainstore
- Postgres database, Redis cache, and S3 buckets
- KMS key for encryption
Get your API URL
After the deployment completes, get your API URL from the Terraform outputs:
You should see output similar to:
Save this URL - you'll need it to configure your Braintrust organization.
Configure your organization
Point your organization to your data plane
- Go to the Braintrust UI
- Click your user icon in the top right
- Navigate to Settings > Data Plane
- Click "Edit"
If you're testing, we highly recommend creating a new Braintrust Organization for testing your data plane. Changing your live organization's API URL might break existing users.
Configure the API URL
- Paste your API URL into the text field
- Leave the Proxy and Realtime URL fields blank
- Click "Save"
Verify the connection
The UI will automatically test the connection to your new data plane. Verify that the ping to each endpoint is successful.
Maintaining your installation
Updating the deployment
If you are pointing at the latest root module, you can update the deployment by simply re-running terraform apply
. This will apply any changes to the infrastructure while preserving your data.
It is always recommended to carefully review the output of terraform plan
before applying any changes to your deployment. If you see something unexpected, like deletion of a database or S3 bucket, please reach out to the Braintrust team for help.
If you prefer to point at a specific version of the root module, you can do so by adding a ?ref=<version>
to the module source:
We publish regular releases of the root module which you can find in the GitHub Releases page.
Debugging issues
If you encounter issues, you can use the provided dump-logs.sh
script to collect logs:
For example, to dump 60 minutes of logs for the bt-sandbox
deployment, run:
This will save logs for all services to a logs-<deployment_name>
directory, which you can share with the Braintrust team for debugging.
Advanced configurations
Customizing the deployment
While we recommend using the root module for easier support and upgrades, you can customize the deployment by using individual submodules. The main module serves as a reference for how to configure these submodules.
For example, if you want to use an existing VPC:
- Remove the
module.main_vpc
block - Pass your existing VPC's ID, subnets, and security group IDs to the
services
,database
, andredis
modules
VPC connectivity
If you need to connect Braintrust's VPC to other internal resources (like an LLM gateway), you can do one of the following:
- Create a VPC Endpoint Service for your internal resource. Then create a VPC Interface Endpoint inside of the Braintrust "Quarantine" VPC
- Setup VPC peering with the Braintrust "Quarantine" VPC
CloudFormation (Deprecated)
We used to support a CloudFormation template for setting up the Braintrust data plane. This method is deprecated for new deployments.
If you have an existing deployment and need to migrate to Terraform, please reach out to the Braintrust team for help.
The docs for the deprecated CloudFormation template can be found here.