docusign · vasyl-shliakhtychenko · Apr 17, 2026
diff --git a/terraform/README.md b/terraform/README.md
@@ -133,7 +133,7 @@ The directory structure is organized to support deploying the extension app to d
 - `README.md`: The main documentation file.
 - `aws/`: Contains Terraform configuration files for deploying to Amazon Web Services.
     - `README.md`: Documentation specific to AWS deployment.
-    - `apprunner.tf`, `ecr.tf`, `image.tf`, `main.tf`, `outputs.tf`, `providers.tf`, `terraform.tf`, `variables.tf`: Various Terraform configuration files for AWS resources.
+    - `ecr.tf`, `image.tf`, `lightsail.tf`, `main.tf`, `outputs.tf`, `providers.tf`, `terraform.tf`, `variables.tf`: Various Terraform configuration files for AWS resources.
 - `azure/`: Contains Terraform configuration files for deploying to Microsoft Azure.
     - `README.md`: Documentation specific to Azure deployment.
     - `acr.tf`, `image.tf`, `main.tf`, `outputs.tf`, `providers.tf`, `resource_group.tf`, `terraform.tf`, `variables.tf`, `webapp.tf`: Various Terraform configuration files for Azure resources.
@@ -156,9 +156,9 @@ The directory structure is organized to support deploying the extension app to d
 ├── README.md
 ├── aws
 │   ├── README.md
-│   ├── apprunner.tf
 │   ├── ecr.tf
 │   ├── image.tf
+│   ├── lightsail.tf
 │   ├── main.tf
 │   ├── outputs.tf
 │   ├── providers.tf

diff --git a/terraform/aws/.terraform.lock.hcl b/terraform/aws/.terraform.lock.hcl
diff --git a/terraform/aws/README.md b/terraform/aws/README.md
@@ -40,7 +40,6 @@ Now that you’ve set up your AWS environment, continue with the [Terraform depl
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
-| <a name="provider_time"></a> [time](#provider\_time) | ~> 0.12 |
 
 ## Modules
 
@@ -57,17 +56,12 @@ Now that you’ve set up your AWS environment, continue with the [Terraform depl
 
 | Name | Type |
 |------|------|
-| [aws_apprunner_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_service) | resource |
 | [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [aws_ecr_repository_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
-| [aws_iam_role.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.apprunner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [time_sleep.access_iam_role_propagation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [aws_lightsail_container_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_container_service) | resource |
+| [aws_lightsail_container_service_deployment_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_container_service_deployment_version) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ecr_authorization_token.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
-| [aws_iam_policy_document.app_role_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.apprunner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -82,8 +76,8 @@ Now that you’ve set up your AWS environment, continue with the [Terraform depl
 | <a name="input_application_build_labels"></a> [application\_build\_labels](#input\_application\_build\_labels) | The labels to apply to the application build image | `map(string)` | <pre>{<br/>  "org.opencontainers.image.authors": "DocuSign Inc.",<br/>  "org.opencontainers.image.description": "This reference implementation models the implementation of connected fields functionalities in an extension app.",<br/>  "org.opencontainers.image.licenses": "MIT",<br/>  "org.opencontainers.image.source": "https://github.com/docusign/extension-app-connected-fields-reference-implementation",<br/>  "org.opencontainers.image.title": "Connected Fields Extension App Reference Implementation",<br/>  "org.opencontainers.image.vendor": "DocuSign Inc."<br/>}</pre> | no |
 | <a name="input_application_build_paths"></a> [application\_build\_paths](#input\_application\_build\_paths) | Paths of files relative to the build context, changes to which lead to a rebuild of the image. Supported pattern matches are the same as for the `fileset` Terraform function (https://developer.hashicorp.com/terraform/language/functions/fileset). | `list(string)` | <pre>[<br/>  "public/**",<br/>  "src/**",<br/>  "views/**",<br/>  "package.json",<br/>  "tsconfig.json",<br/>  "Dockerfile",<br/>  ".dockerignore"<br/>]</pre> | no |
 | <a name="input_application_environment_mode"></a> [application\_environment\_mode](#input\_application\_environment\_mode) | The environment mode for the application | `string` | `"production"` | no |
-| <a name="input_application_instance_cpu"></a> [application\_instance\_cpu](#input\_application\_instance\_cpu) | The number of CPU units to allocate to the application instance | `string` | `"256"` | no |
-| <a name="input_application_instance_memory"></a> [application\_instance\_memory](#input\_application\_instance\_memory) | The amount of memory to allocate to the application instance | `string` | `"512"` | no |
+| <a name="input_application_instance_power"></a> [application\_instance\_power](#input\_application\_instance\_power) | The power specification for the Lightsail container service instance | `string` | `"nano"` | no |
+| <a name="input_application_instance_scale"></a> [application\_instance\_scale](#input\_application\_instance\_scale) | The number of Lightsail container service instances to run | `number` | `1` | no |
 | <a name="input_application_jwt_secret_key"></a> [application\_jwt\_secret\_key](#input\_application\_jwt\_secret\_key) | The secret key to use for signing JWT tokens. If empty, a random key will be generated. | `string` | `""` | no |
 | <a name="input_application_name"></a> [application\_name](#input\_application\_name) | The name of the application | `string` | `"extension-app-connected-fields"` | no |
 | <a name="input_application_oauth_client_id"></a> [application\_oauth\_client\_id](#input\_application\_oauth\_client\_id) | The OAuth client ID for the application. If empty, a random client ID will be generated. | `string` | `""` | no |

diff --git a/terraform/aws/apprunner.tf b/terraform/aws/apprunner.tf
diff --git a/terraform/aws/ecr.tf b/terraform/aws/ecr.tf
@@ -42,6 +42,20 @@ data "aws_iam_policy_document" "ecr" {
       ]
     }
   }
+
+  statement {
+    actions = [
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        aws_lightsail_container_service.this.private_registry_access[0].ecr_image_puller_role[0].principal_arn,
+      ]
+    }
+  }
 }
 
 resource "aws_ecr_repository_policy" "this" {

diff --git a/terraform/aws/lightsail.tf b/terraform/aws/lightsail.tf
@@ -0,0 +1,47 @@
+locals {
+  application_service_url = trimsuffix(aws_lightsail_container_service.this.url, "/")
+}
+
+resource "aws_lightsail_container_service" "this" {
+  name  = var.application_name
+  power = var.application_instance_power
+  scale = var.application_instance_scale
+
+  private_registry_access {
+    ecr_image_puller_role {
+      is_active = true
+    }
+  }
+
+  tags = local.tags
+}
+
+resource "aws_lightsail_container_service_deployment_version" "this" {
+  container {
+    container_name = var.application_name
+    image          = module.image.app_image_name
+
+    environment = {
+      JWT_SECRET_KEY      = local.application_jwt_secret_key
+      OAUTH_CLIENT_ID     = local.application_oauth_client_id
+      OAUTH_CLIENT_SECRET = local.application_oauth_client_secret
+      AUTHORIZATION_CODE  = local.application_authorization_code
+    }
+
+    ports = {
+      (var.application_port) = "HTTP"
+    }
+  }
+
+  public_endpoint {
+    container_name = var.application_name
+    container_port = var.application_port
+
+    health_check {
+      path          = "/"
+      success_codes = "200-499"
+    }
+  }
+
+  service_name = aws_lightsail_container_service.this.name
+}
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -103,59 +103,27 @@ variable "application_build_labels" {
   }
 }
 
-variable "application_instance_cpu" {
-  description = "The number of CPU units to allocate to the application instance"
+variable "application_instance_power" {
+  description = "The power specification for the Lightsail container service instance"
   type        = string
   nullable    = false
-  default     = "256"
+  default     = "nano"
 
   validation {
-    condition = contains(
-      [
-        "256",
-        "512",
-        "1024",
-        "2048",
-        "4096",
-        "0.25 vCPU",
-        "0.5 vCPU",
-        "1 vCPU",
-        "2 vCPU",
-        "4 vCPU",
-    ], var.application_instance_cpu)
-    error_message = "The number of CPU units must be one of '256', '512', '1024', '2048', '4096', '0.25 vCPU', '0.5 vCPU', '1 vCPU', '2 vCPU', or '4 vCPU'"
+    condition     = contains(["nano", "micro", "small", "medium", "large", "xlarge"], var.application_instance_power)
+    error_message = "The instance power must be one of 'nano', 'micro', 'small', 'medium', 'large', or 'xlarge'"
   }
 }
 
-variable "application_instance_memory" {
-  description = "The amount of memory to allocate to the application instance"
-  type        = string
+variable "application_instance_scale" {
+  description = "The number of Lightsail container service instances to run"
+  type        = number
   nullable    = false
-  default     = "512"
+  default     = 1
 
   validation {
-    condition = contains(
-      [
-        "512",
-        "1024",
-        "2048",
-        "3072",
-        "4096",
-        "6144",
-        "8192",
-        "10240",
-        "12288",
-        "0.5 GB",
-        "1 GB",
-        "2 GB",
-        "3 GB",
-        "4 GB",
-        "6 GB",
-        "8 GB",
-        "10 GB",
-        "12 GB",
-    ], var.application_instance_memory)
-    error_message = "The amount of memory must be one of '512', '1024', '2048', '3072', '4096', '6144', '8192', '10240', '12288', '0.5 GB', '1 GB', '2 GB', '3 GB', '4 GB', '6 GB', '8 GB', '10 GB', or '12 GB'"
+    condition     = var.application_instance_scale >= 1 && var.application_instance_scale <= 20
+    error_message = "The instance scale must be between 1 and 20"
   }
 }