feat: add support of TLS/DB encryption/custom SG rules

Author: leroyguillaume

modules/aws_ec2_standalone/main.tf

@@ -13,14 +13,14 @@ provider "aws" {
 
 data "aws_ami" "this" {
   most_recent = true # get the latest version
-   filter {
-      name   = "name"
-      values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
   }
 
   filter {
-      name   = "virtualization-type"
-      values = ["hvm"]
+    name   = "virtualization-type"
+    values = ["hvm"]
   }
 
   owners = [

modules/aws_ecs/ecs.tf

@@ -23,7 +23,7 @@ resource "aws_ecs_cluster_capacity_providers" "this" {
 # Required setup for EC2 instances (if not using Fargate)
 data "aws_ami" "this" {
   most_recent = true # get the latest version
-  name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
+  name_regex  = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
 
   filter {
     name = "virtualization-type"
@@ -67,7 +67,7 @@ resource "aws_launch_configuration" "this" {
 
   # Allow the EC2 instances to access AWS resources on your behalf, using this instance profile and the permissions defined there
   iam_instance_profile = aws_iam_instance_profile.ec2[0].arn
-  
+
   lifecycle {
     create_before_destroy = true
   }

modules/aws_ecs/loadbalancers.tf

@@ -1,24 +1,57 @@
 resource "aws_lb" "this" {
   name         = "${var.deployment_name}-alb"
   idle_timeout = var.alb_idle_timeout
+  internal     = var.alb_internal
 
   security_groups = [aws_security_group.alb.id]
-  subnets         = var.subnet_ids
+  subnets         = var.alb_subnet_ids != null ? var.alb_subnet_ids : var.subnet_ids
 }
 
-resource "aws_lb_listener" "this" {
+resource "aws_lb_listener" "http" {
   load_balancer_arn = aws_lb.this.arn
   port              = 80
   protocol          = "HTTP"
 
+  dynamic "default_action" {
+    for_each = var.alb_certificate_arn == null ? [1] : []
+
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.this.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = var.alb_certificate_arn != null ? [1] : []
+
+    content {
+      type = "redirect"
+
+      redirect {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+}
+
+resource "aws_lb_listener" "https" {
+  count             = var.alb_certificate_arn != null ? 1 : 0
+  certificate_arn   = var.alb_certificate_arn
+  load_balancer_arn = aws_lb.this.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
   default_action {
-    type             = "forward"
     target_group_arn = aws_lb_target_group.this.arn
+    type             = "forward"
   }
 }
 
 resource "aws_lb_listener_rule" "this" {
-  listener_arn = aws_lb_listener.this.arn
+  listener_arn = var.alb_certificate_arn != null ? aws_lb_listener.https[0].arn : aws_lb_listener.http.arn
   priority     = 1
 
   action {
@@ -49,4 +82,4 @@ resource "aws_lb_target_group" "this" {
     healthy_threshold   = 3
     unhealthy_threshold = 2
   }
-}
+}

modules/aws_ecs/locals.tf

@@ -49,40 +49,40 @@ locals {
       },
       # Workflows-specific
       {
-        "name": "WORKFLOW_BACKEND_HOST",
-        "value": "http://workflow-backend.retoolsvc:3000"
+        "name" : "WORKFLOW_BACKEND_HOST",
+        "value" : "http://workflow-backend.retoolsvc:3000"
       },
       {
-        "name": "WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE",
-        "value": var.temporal_cluster_config.namespace
+        "name" : "WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE",
+        "value" : var.temporal_cluster_config.namespace
       },
       {
-        "name": "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST",
-        "value": var.temporal_cluster_config.host
+        "name" : "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST",
+        "value" : var.temporal_cluster_config.host
       },
       {
-        "name": "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT",
-        "value": var.temporal_cluster_config.port
+        "name" : "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT",
+        "value" : var.temporal_cluster_config.port
       },
       {
-        "name": "WORKFLOW_TEMPORAL_TLS_ENABLED",
-        "value": tostring(var.temporal_cluster_config.tls_enabled)
+        "name" : "WORKFLOW_TEMPORAL_TLS_ENABLED",
+        "value" : tostring(var.temporal_cluster_config.tls_enabled)
       }
     ]
   )
 
   temporal_mtls_config = (
-    var.temporal_cluster_config.tls_enabled && var.temporal_cluster_config.tls_crt != null && var.temporal_cluster_config.tls_key != null ? 
-      [
-        {
-          "name": "WORKFLOW_TEMPORAL_TLS_CRT",
-          "value": var.temporal_cluster_config.tls_crt
-        },
-        {
-          "name": "WORKFLOW_TEMPORAL_TLS_KEY",
-          "value": var.temporal_cluster_config.tls_key
-        } 
-      ] : 
-      []
+    var.temporal_cluster_config.tls_enabled && var.temporal_cluster_config.tls_crt != null && var.temporal_cluster_config.tls_key != null ?
+    [
+      {
+        "name" : "WORKFLOW_TEMPORAL_TLS_CRT",
+        "value" : var.temporal_cluster_config.tls_crt
+      },
+      {
+        "name" : "WORKFLOW_TEMPORAL_TLS_KEY",
+        "value" : var.temporal_cluster_config.tls_key
+      }
+    ] :
+    []
   )
 }

modules/aws_ecs/main.tf

@@ -17,12 +17,12 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 
 resource "aws_db_subnet_group" "this" {
-  name = "${var.deployment_name}-retool"
+  name       = "${var.deployment_name}-retool"
   subnet_ids = var.subnet_ids
 }
 
 resource "aws_db_instance" "this" {
-  identifier                    = "${var.deployment_name}-rds-instance"
+  identifier                   = "${var.deployment_name}-rds-instance"
   allocated_storage            = 80
   instance_class               = var.rds_instance_class
   engine                       = "postgres"
@@ -35,9 +35,17 @@ resource "aws_db_instance" "this" {
   vpc_security_group_ids       = [aws_security_group.rds.id]
   db_subnet_group_name         = aws_db_subnet_group.this.id
   performance_insights_enabled = var.rds_performance_insights_enabled
-  
-  skip_final_snapshot          = true
-  apply_immediately           = true
+  kms_key_id                   = var.rds_kms_key_id
+  storage_encrypted            = var.rds_kms_key_id != null
+  backup_window                = var.rds_backup_window
+  backup_retention_period      = var.rds_backup_retention_in_days
+
+  skip_final_snapshot = true
+  apply_immediately   = true
+
+  lifecycle {
+    ignore_changes = [engine_version]
+  }
 }
 
 resource "aws_ecs_service" "retool" {
@@ -65,7 +73,7 @@ resource "aws_ecs_service" "retool" {
   dynamic "network_configuration" {
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -92,7 +100,7 @@ resource "aws_ecs_service" "jobs_runner" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -108,7 +116,7 @@ resource "aws_ecs_service" "workflows_backend" {
   cluster         = aws_ecs_cluster.this.id
   desired_count   = 1
   task_definition = aws_ecs_task_definition.retool_workflows_backend[0].arn
-  
+
   # Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
   capacity_provider_strategy {
     base              = 1
@@ -123,7 +131,7 @@ resource "aws_ecs_service" "workflows_backend" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -150,7 +158,7 @@ resource "aws_ecs_service" "workflows_worker" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -161,13 +169,13 @@ resource "aws_ecs_service" "workflows_worker" {
 }
 
 resource "aws_ecs_task_definition" "retool_jobs_runner" {
-  family        = "retool-jobs-runner"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  family                   = "retool-jobs-runner"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -211,13 +219,13 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
   )
 }
 resource "aws_ecs_task_definition" "retool" {
-  family        = "retool"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  family                   = "retool"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -266,14 +274,14 @@ resource "aws_ecs_task_definition" "retool" {
 }
 
 resource "aws_ecs_task_definition" "retool_workflows_backend" {
-  count         = var.workflows_enabled ? 1 : 0
-  family        = "retool-workflows-backend"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-  requires_compatibilities = var.launch_type == "FARGATE" ?  ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
+  count                    = var.workflows_enabled ? 1 : 0
+  family                   = "retool-workflows-backend"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -321,14 +329,14 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
   )
 }
 resource "aws_ecs_task_definition" "retool_workflows_worker" {
-  count         = var.workflows_enabled ? 1 : 0
-  family        = "retool-workflows-worker"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-  requires_compatibilities = var.launch_type == "FARGATE" ?  ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
+  count                    = var.workflows_enabled ? 1 : 0
+  family                   = "retool-workflows-worker"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -381,13 +389,13 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
 }
 
 resource "aws_service_discovery_private_dns_namespace" "retoolsvc" {
-  count         = var.workflows_enabled ? 1 : 0
+  count       = var.workflows_enabled ? 1 : 0
   name        = "retoolsvc"
   description = "Service Discovery namespace for Retool deployment"
   vpc         = var.vpc_id
 }
 
-resource "aws_service_discovery_service" "retool_workflow_backend_service" { 
+resource "aws_service_discovery_service" "retool_workflow_backend_service" {
   count = var.workflows_enabled ? 1 : 0
   name  = "workflow-backend"
 
@@ -408,17 +416,20 @@ resource "aws_service_discovery_service" "retool_workflow_backend_service" {
 }
 
 module "temporal" {
-  count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
+  count  = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
   source = "./temporal"
-  
-  deployment_name   = "${var.deployment_name}-temporal"
-  vpc_id = var.vpc_id
-  subnet_ids = var.subnet_ids
-  private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
-  aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
-  aws_region = var.aws_region
-  aws_ecs_cluster_id = aws_ecs_cluster.this.id
-  launch_type = var.launch_type
-  container_sg_id = aws_security_group.containers.id
+
+  deployment_name                = "${var.deployment_name}-temporal"
+  vpc_id                         = var.vpc_id
+  subnet_ids                     = var.subnet_ids
+  private_dns_namespace_id       = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
+  aws_cloudwatch_log_group_id    = aws_cloudwatch_log_group.this.id
+  aws_region                     = var.aws_region
+  aws_ecs_cluster_id             = aws_ecs_cluster.this.id
+  launch_type                    = var.launch_type
+  container_sg_id                = aws_security_group.containers.id
   aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
+  kms_key_id                     = var.temporal_aurora_kms_key_id
+  backup_window                  = var.temporal_aurora_backup_window
+  backup_retention_in_days       = var.temporal_aurora_backup_retention_in_days
 }

modules/aws_ecs/outputs.tf

@@ -42,3 +42,7 @@ output "rds_instance_name" {
   value       = aws_db_instance.this.db_name
   description = "Name of RDS instance"
 }
+
+output "sg_containers_id" {
+  value = aws_security_group.containers.id
+}