    Engineering · June 10, 2026

    Multi-Tenant SaaS on AWS ECS + Terraform

    Multi-tenant SaaS on AWS ECS Fargate with Terraform isolates tenants while sharing infrastructure — reducing per-tenant cost while maintaining security boundaries. This is the pattern Shahriar Labs uses for production SaaS builds, refined across multiple client projects.

    Isolation Model Selection

    The right isolation model depends on compliance requirements and tenant size distribution. For most B2B SaaS: shared ECS cluster with per-tenant task definitions, row-level security (RLS) in PostgreSQL with tenant_id on every table, and separate S3 prefixes per tenant. This covers 80% of tenants at minimal infrastructure cost.

    Enterprise tenants with compliance requirements (HIPAA, SOC 2 Type II, financial sector) need stronger isolation: separate RDS instances or schemas, separate VPCs or at minimum separate security groups, and separate AWS accounts for the largest contracts. Design your tenant module to support both — parameterize the isolation level rather than implementing two separate stacks.

    The Terraform Tenant Module

    The core Terraform structure:

    module "tenant" {
      source    = "./modules/tenant"
      tenant_id = "acme-corp"
      tier      = "enterprise"  # "starter" | "growth" | "enterprise"
      region    = "ap-southeast-1"
    }

    The module provisions an RDS schema (or a dedicated instance for enterprise tenants), an IAM role with a tenant-scoped S3 policy, an ECS task definition with tenant environment variables injected from Secrets Manager, and a Route53 subdomain (acme-corp.yourapp.com). Adding a tenant is a single module call.

    Zero-Downtime Tenant Migrations

    Schema migrations across hundreds of tenant schemas require a migration runner that iterates over the tenant list from the database, applies migrations tenant by tenant with rollback on failure, skips already-migrated tenants (idempotent), and publishes migration status to a monitoring dashboard. Never run a raw ALTER TABLE across all tenants in a single transaction — a lock on one tenant's table blocks all the others.
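    The runner described above, as an added example that is not part of the original post or of Shahriar Labs' tooling. It is written in Python and uses SQLite in-memory databases as stand-ins for per-tenant PostgreSQL schemas (an assumption made so it runs offline); the migration set and the tenant names other than acme-corp are constructed for the demo.

```python
"""Per-tenant schema migration runner (hypothetical example).

SQLite in-memory databases stand in for per-tenant PostgreSQL schemas so the
runner can be exercised offline. Migrations and tenants other than "acme-corp"
are constructed for the demo.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Migration:
    version: int
    statements: tuple  # DDL statements applied together, all-or-nothing


# Constructed migration set; version 3 has two statements so that a failure in
# the second one exercises the rollback of the first.
MIGRATIONS = (
    Migration(1, ("CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, total REAL)",)),
    Migration(2, ("ALTER TABLE orders ADD COLUMN currency TEXT NOT NULL DEFAULT 'USD'",)),
    Migration(3, (
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, order_id INTEGER)",
        "CREATE INDEX idx_invoices_tenant ON invoices(tenant_id)",
    )),
)


def connect():
    # isolation_level=None puts sqlite3 in autocommit mode, so the runner, not
    # the driver, decides where each transaction begins and ends.
    return sqlite3.connect(":memory:", isolation_level=None)


def list_tenants(control_db):
    """The tenant list comes from the control-plane database, not a static file."""
    return [row[0] for row in control_db.execute("SELECT tenant_id FROM tenants ORDER BY tenant_id")]


def applied_versions(conn):
    """Versions already recorded for this tenant; this table is what makes reruns idempotent."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS schema_migrations ("
        "version INTEGER PRIMARY KEY, applied_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
    )
    return {row[0] for row in conn.execute("SELECT version FROM schema_migrations")}


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def migrate_tenant(conn, migrations):
    """Apply pending migrations to one tenant, one transaction per migration.

    Locks are held on this tenant's tables only, and only for the duration of
    one migration, so a slow or failing tenant never blocks the others.
    """
    done = applied_versions(conn)
    applied = []
    for mig in sorted(migrations, key=lambda x: x.version):
        if mig.version in done:
            continue  # idempotent: already applied on an earlier run
        try:
            conn.execute("BEGIN")
            for stmt in mig.statements:
                conn.execute(stmt)
            conn.execute("INSERT INTO schema_migrations (version) VALUES (?)", (mig.version,))
            conn.execute("COMMIT")
            applied.append(mig.version)
        except sqlite3.Error as exc:
            conn.execute("ROLLBACK")  # undoes every statement of this migration
            return {"status": "failed", "applied": applied, "failed_version": mig.version, "error": str(exc)}
    return {"status": "ok", "applied": applied, "failed_version": None, "error": None}


def run_migrations(control_db, tenant_dbs, migrations, publish=print):
    """Iterate tenants, migrate each one, and publish one status line per tenant."""
    report = {}
    for tenant_id in list_tenants(control_db):
        result = migrate_tenant(tenant_dbs[tenant_id], migrations)
        report[tenant_id] = result
        publish(f"[migrations] tenant={tenant_id} status={result['status']} "
                f"applied={result['applied']} error={result['error']}")
    return report


def build_fixture():
    """Constructed demo data: a control DB with three tenants and one DB per tenant.

    "legacy-co" already owns an index named idx_invoices_tenant, so migration 3
    fails on its second statement and must be rolled back for that tenant only.
    """
    control = connect()
    control.execute("CREATE TABLE tenants (tenant_id TEXT PRIMARY KEY, tier TEXT NOT NULL)")
    control.executemany("INSERT INTO tenants VALUES (?, ?)",
                        [("acme-corp", "enterprise"), ("globex", "growth"), ("legacy-co", "starter")])
    tenant_dbs = {tid: connect() for tid in list_tenants(control)}
    legacy = tenant_dbs["legacy-co"]
    legacy.execute("CREATE TABLE legacy_invoices (id INTEGER PRIMARY KEY, tenant_id TEXT)")
    legacy.execute("CREATE INDEX idx_invoices_tenant ON legacy_invoices(tenant_id)")
    return control, tenant_dbs


if __name__ == "__main__":
    control_db, dbs = build_fixture()
    run_migrations(control_db, dbs, MIGRATIONS)  # first run: acme-corp and globex get 1-3, legacy-co stops at 3
    run_migrations(control_db, dbs, MIGRATIONS)  # second run: recorded versions skipped, legacy-co retries 3
```

    Each migration runs in its own transaction on its own tenant, so the index-name clash on legacy-co rolls back only that migration for that tenant (the half-created invoices table disappears with it), the other tenants finish, and the next run skips the recorded versions and retries the failed one. Swapping the SQLite connections for per-schema PostgreSQL connections keeps the control flow unchanged.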

    For the workflow orchestration layer, see our post on using Temporal for reliable GenAI pipelines. For always-on agent infrastructure on AWS, see hermes-agent-aws.

    Frequently Asked Questions

    What is multi-tenant SaaS architecture?
    Multiple customers served from shared infrastructure with data isolation per tenant.
    How do you isolate tenants on ECS Fargate?
    Shared cluster + separate task definitions (default), or separate services + ALB routing. Separate accounts for enterprise.
    How does Terraform help?
    Parameterized tenant modules let you provision identical infrastructure stacks per tenant with a single variable change.
    How do you handle tenant database isolation?
    Row-level security (default), separate schemas (mid-tier), separate RDS instances (enterprise).

    Written by Shihab Shahriar Antor — AI Engineer & Founder of Shahriar Labs. Building LetX, QuantumSketch, and open-source AI agent skills.