
Commit 54a6c54

feat: add support of TLS/DB encryption/custom SG rules
1 parent 664d281 commit 54a6c54


7 files changed

+396
-189
lines changed

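--- a/modules/aws_ecs/loadbalancers.tf
+++ b/modules/aws_ecs/loadbalancers.tf
@@ -3,22 +3,54 @@ resource "aws_lb" "this" {
 idle_timeout = var.alb_idle_timeout
 
 security_groups = [aws_security_group.alb.id]
-subnets = var.subnet_ids
+subnets = var.alb_subnet_ids != null ? var.alb_subnet_ids : var.subnet_ids
 }
 
-resource "aws_lb_listener" "this" {
+resource "aws_lb_listener" "http" {
 load_balancer_arn = aws_lb.this.arn
 port = 80
 protocol = "HTTP"
 
+dynamic "default_action" {
+for_each = var.alb_certificate_arn == null ? [1] : []
+
+content {
+type = "forward"
+target_group_arn = aws_lb_target_group.this.arn
+}
+}
+
+dynamic "default_action" {
+for_each = var.alb_certificate_arn != null ? [1] : []
+
+content {
+type = "redirect"
+
+redirect {
+port = "443"
+protocol = "HTTPS"
+status_code = "HTTP_301"
+}
+}
+}
+}
+
+resource "aws_lb_listener" "https" {
+count = var.alb_certificate_arn != null ? 1 : 0
+certificate_arn = var.alb_certificate_arn
+load_balancer_arn = aws_lb.this.arn
+port = "443"
+protocol = "HTTPS"
+ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
 default_action {
-type = "forward"
 target_group_arn = aws_lb_target_group.this.arn
+type = "forward"
 }
 }
 
 resource "aws_lb_listener_rule" "this" {
-listener_arn = aws_lb_listener.this.arn
+listener_arn = var.alb_certificate_arn != null ? aws_lb_listener.https[0].arn : aws_lb_listener.http.arn
 priority = 1
 
 action {
@@ -49,4 +81,4 @@ resource "aws_lb_target_group" "this" {
 healthy_threshold = 3
 unhealthy_threshold = 2
 }
-}
+}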
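Review bot: The new https listener hard-codes `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"`, an older TLS 1.2 policy whose cipher list still includes CBC suites, and callers of the module have no way to change it; since the commit already makes the certificate a variable, the policy should be one as well, e.g. `ssl_policy = var.alb_ssl_policy` with a default such as `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, so operators can follow AWS's current recommendation without editing the module. When `alb_certificate_arn` is null the http listener still forwards plaintext on port 80 and the listener rule is attached to it; that fallback is presumably intentional, but it deserves a comment on the first `dynamic "default_action"` block, e.g. `# No certificate supplied: the ALB serves plaintext HTTP on 80 and must not be internet-facing`. Because the https listener is gated by `count`, the ALB security group also needs a matching 443 ingress rule, which is outside this file and should be checked. The health-check lines in the second hunk belong to `aws_lb_target_group.this`, whose start lies outside the visible hunk.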

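--- a/modules/aws_ecs/main.tf
+++ b/modules/aws_ecs/main.tf
@@ -17,12 +17,12 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 
 resource "aws_db_subnet_group" "this" {
-name = "${var.deployment_name}-retool"
+name = "${var.deployment_name}-retool"
 subnet_ids = var.subnet_ids
 }
 
 resource "aws_db_instance" "this" {
-identifier = "${var.deployment_name}-rds-instance"
+identifier = "${var.deployment_name}-rds-instance"
 allocated_storage = 80
 instance_class = var.rds_instance_class
 engine = "postgres"
@@ -35,9 +35,11 @@ resource "aws_db_instance" "this" {
 vpc_security_group_ids = [aws_security_group.rds.id]
 db_subnet_group_name = aws_db_subnet_group.this.id
 performance_insights_enabled = var.rds_performance_insights_enabled
-
-skip_final_snapshot = true
-apply_immediately = true
+kms_key_id = var.rds_kms_key_id
+storage_encrypted = var.rds_kms_key_id != null
+
+skip_final_snapshot = true
+apply_immediately = true
 }
 
 resource "aws_ecs_service" "retool" {
@@ -65,7 +67,7 @@ resource "aws_ecs_service" "retool" {
 dynamic "network_configuration" {
 for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-content {
+content {
 subnets = var.subnet_ids
 security_groups = [
 aws_security_group.containers.id
@@ -92,7 +94,7 @@ resource "aws_ecs_service" "jobs_runner" {
 
 for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-content {
+content {
 subnets = var.subnet_ids
 security_groups = [
 aws_security_group.containers.id
@@ -108,7 +110,7 @@ resource "aws_ecs_service" "workflows_backend" {
 cluster = aws_ecs_cluster.this.id
 desired_count = 1
 task_definition = aws_ecs_task_definition.retool_workflows_backend[0].arn
-
+
 # Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
 capacity_provider_strategy {
 base = 1
@@ -123,7 +125,7 @@ resource "aws_ecs_service" "workflows_backend" {
 
 for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-content {
+content {
 subnets = var.subnet_ids
 security_groups = [
 aws_security_group.containers.id
@@ -150,7 +152,7 @@ resource "aws_ecs_service" "workflows_worker" {
 
 for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-content {
+content {
 subnets = var.subnet_ids
 security_groups = [
 aws_security_group.containers.id
@@ -161,13 +163,13 @@ resource "aws_ecs_service" "workflows_worker" {
 }
 
 resource "aws_ecs_task_definition" "retool_jobs_runner" {
-family = "retool-jobs-runner"
-task_role_arn = aws_iam_role.task_role.arn
-execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+family = "retool-jobs-runner"
+task_role_arn = aws_iam_role.task_role.arn
+execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
 requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
-memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
+network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
+memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
 container_definitions = jsonencode(
 [
 {
@@ -211,13 +213,13 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
 )
 }
 resource "aws_ecs_task_definition" "retool" {
-family = "retool"
-task_role_arn = aws_iam_role.task_role.arn
-execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+family = "retool"
+task_role_arn = aws_iam_role.task_role.arn
+execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
 requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
-memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
+network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
+memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
 container_definitions = jsonencode(
 [
 {
@@ -266,14 +268,14 @@ resource "aws_ecs_task_definition" "retool" {
 }
 
 resource "aws_ecs_task_definition" "retool_workflows_backend" {
-count = var.workflows_enabled ? 1 : 0
-family = "retool-workflows-backend"
-task_role_arn = aws_iam_role.task_role.arn
-execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
-memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
+count = var.workflows_enabled ? 1 : 0
+family = "retool-workflows-backend"
+task_role_arn = aws_iam_role.task_role.arn
+execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
+memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
 container_definitions = jsonencode(
 [
 {
@@ -321,14 +323,14 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
 )
 }
 resource "aws_ecs_task_definition" "retool_workflows_worker" {
-count = var.workflows_enabled ? 1 : 0
-family = "retool-workflows-worker"
-task_role_arn = aws_iam_role.task_role.arn
-execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
-memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
+count = var.workflows_enabled ? 1 : 0
+family = "retool-workflows-worker"
+task_role_arn = aws_iam_role.task_role.arn
+execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
+memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
 container_definitions = jsonencode(
 [
 {
@@ -381,13 +383,13 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
 }
 
 resource "aws_service_discovery_private_dns_namespace" "retoolsvc" {
-count = var.workflows_enabled ? 1 : 0
+count = var.workflows_enabled ? 1 : 0
 name = "retoolsvc"
 description = "Service Discovery namespace for Retool deployment"
 vpc = var.vpc_id
 }
 
-resource "aws_service_discovery_service" "retool_workflow_backend_service" {
+resource "aws_service_discovery_service" "retool_workflow_backend_service" {
 count = var.workflows_enabled ? 1 : 0
 name = "workflow-backend"
 
@@ -408,17 +410,18 @@ resource "aws_service_discovery_service" "retool_workflow_backend_service" {
 }
 
 module "temporal" {
-count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
+count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
 source = "./temporal"
-
-deployment_name = "${var.deployment_name}-temporal"
-vpc_id = var.vpc_id
-subnet_ids = var.subnet_ids
-private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
-aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
-aws_region = var.aws_region
-aws_ecs_cluster_id = aws_ecs_cluster.this.id
-launch_type = var.launch_type
-container_sg_id = aws_security_group.containers.id
+
+deployment_name = "${var.deployment_name}-temporal"
+vpc_id = var.vpc_id
+subnet_ids = var.subnet_ids
+private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
+aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
+aws_region = var.aws_region
+aws_ecs_cluster_id = aws_ecs_cluster.this.id
+launch_type = var.launch_type
+container_sg_id = aws_security_group.containers.id
 aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
+kms_key_id = var.temporal_aurora_kms_key_id
 }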
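Review bot: `storage_encrypted = var.rds_kms_key_id != null` in the `aws_db_instance` hunk leaves the database unencrypted at rest on the default path, because nothing requires callers to pass a customer-managed key; RDS encryption does not need a CMK, so the safer form is `storage_encrypted = true` next to `kms_key_id = var.rds_kms_key_id`, where a null key falls back to the AWS-managed `aws/rds` key. Either way, turning on `storage_encrypted` for an instance that already exists forces replacement, and with `skip_final_snapshot = true` (also visible in the hunk) that replacement discards the data, so the variable description or a comment above the attribute should warn existing deployments to snapshot first, e.g. `# Changing storage_encrypted replaces the instance; take a manual snapshot before applying`. The `kms_key_id = var.temporal_aurora_kms_key_id` passed to the temporal module presumably has the same null-means-unencrypted semantics inside `./temporal`, which is not visible here and should be checked. The remaining hunks only realign attribute whitespace.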

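--- a/modules/aws_ecs/outputs.tf
+++ b/modules/aws_ecs/outputs.tf
@@ -42,3 +42,7 @@ output "rds_instance_name" {
 value = aws_db_instance.this.db_name
 description = "Name of RDS instance"
 }
+
+output "sg_containers_id" {
+value = aws_security_group.containers.id
+}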
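Review bot: The new `sg_containers_id` output has no `description`, unlike the neighbouring `rds_instance_name` output that the hunk shows with one; add `description = "ID of the security group attached to the Retool ECS tasks"` so the module's generated docs stay consistent. Judging by the commit title, the id is presumably exported so callers can attach their own ingress rules to it; if so, the description should say that is the intended use, since an exported security group id invites rules that widen access to the containers.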
