Merge pull request #16 from tryretool/roberto/workflows-ecs-module-v0

v0 workflows terraform modules

Author: roberto-retool

modules/aws_ecs/README.md

@@ -0,0 +1,117 @@
+# AWS ECS + EC2 Module
+
+This module deploys an ECS cluster with autoscaling group of EC2 instances.
+
+# Usage
+
+1. Directly use our module in your existing Terraform configuration and provide the required variables
+
+```
+module "retool" {
+    source = "[email protected]:tryretool/retool-terraform.git//modules/aws_ecs"
+
+    aws_region = "<your-aws-region>"
+    vpc_id = "<your-vpc-id>"
+    subnet_ids = [
+        "<your-subnet-1>",
+        "<your-subnet-2>"
+    ]
+    ssh_key_name = "<your-key-pair>"
+    ecs_retool_image = "<desired-retool-version>"
+    workflows_enabled = true
+
+    # Additional configuration
+    ...
+}
+```
+
+2. Run `terraform init` to install all requirements for the module.
+
+3. Replace `ecs_retool_image` with your desired [Retool Version](https://docs.retool.com/docs/updating-retool-on-premise#retool-release-versions). The format should be `tryretool/backend:X.Y.Z`, where `X.Y.Z` is your desired version number. Version 2.111 or greater is needed for Workflows (2.117 or later strongly recommended for performance improvements).
+
+4. Ensure that the default security settings in `security.tf` matches your specifications. If you need to tighten down access, pass in custom ingress and egress rules into `container_egress_rules`, `container_ingress_rules`, `alb_egress_rules`, and `alb_ingress_rules`.
+
+5. Check through `variables.tf` for any other input variables that may be required. Set `launch_type` to `EC2` if not using Fargate.
+
+6. Run `terraform plan` to view all planned changes to your account.
+
+7. Run `terraform apply` to apply the changes and deploy Retool.
+
+8. You should now find a Load Balancer in your AWS EC2 Console associated with the deployment. The instance address should now be running Retool.
+
+## Common Configuration
+
+### Instances
+
+**EC2 Instance Size**
+To configure the EC instance size, set the `instance_type` input variable (e.g. `t2.large`).
+
+**RDS Instance Class**
+To configure the RDS instance class, set the `instance_class` input variable (e.g. `db.m6g.large`).
+
+## Advanced Configuration
+**Bring your own Temporal Cluster**
+To configure your own Temporal cluster, set the `use_existing_temporal_cluster` to `true` and configure your Temporal Cluster's Frontend service endpoint (and TLS if needed) using `temporal_cluster_config`. If configuring mTLS, we expect the cert and key values to be base64-encoded strings.
+### Security Groups
+
+To customize the ingress and egress rules on the security groups, you can override specific input variable defaults.
+
+- `container_ingress_rules` controls the inbound rules for EC2 instances in autoscaling group or ECS services in Fargate
+- `container_egress_rules` controls the outbound rules for EC2 instances in autoscaling group or ECS services in Fargate
+- `alb_ingress_rules` controls the inbound rules for the Load Balancer
+- `alb_egress_rules` controls the outbound rules for the Load Balancer
+
+```
+container_ingress_rules = [
+    {
+      description      = "Global HTTP inbound"
+      from_port        = "80"
+      to_port          = "80"
+      protocol         = "tcp"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    },
+    {
+      description      = "Global HTTPS inbound"
+      from_port        = "443"
+      to_port          = "443"
+      protocol         = "tcp"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    },
+    {
+      description      = "SSH inbound"
+      from_port        = "22"
+      to_port          = "22"
+      protocol         = "tcp"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    }
+]
+
+container_egress_rules = [
+    {
+      description      = "Global outbound"
+      from_port        = "0"
+      to_port          = "0"
+      protocol         = "-1"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    }
+]
+```
+
+### Environment Variables
+
+To add additional [Retool environment variables](https://docs.retool.com/docs/environment-variables) to your deployment, populate the `additional_env_vars` input variable into the module.
+
+NOTE: The `additional_env_vars` will only work as type `map(string)`. Convert all booleans and numbers into strings, e.g.
+
+```
+additional_env_vars = [
+    {
+        name = "DISABLE_GIT_SYNCING"
+        value = "true"
+    }
+]
+```

modules/aws_ecs/ecs.tf

@@ -0,0 +1,144 @@
+resource "aws_ecs_cluster" "this" {
+  name = "${var.deployment_name}-ecs"
+
+  setting {
+    name  = "containerInsights"
+    value = var.ecs_insights_enabled
+  }
+}
+
+# Fargate capacity provider
+resource "aws_ecs_cluster_capacity_providers" "this" {
+  cluster_name = aws_ecs_cluster.this.name
+
+  capacity_providers = var.launch_type == "FARGATE" ? ["FARGATE"] : [aws_ecs_capacity_provider.this[0].name]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = var.launch_type == "FARGATE" ? "FARGATE" : aws_ecs_capacity_provider.this[0].name
+  }
+}
+
+# Required setup for EC2 instances (if not using Fargate)
+data "aws_ami" "this" {
+  most_recent = true # get the latest version
+  name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
+
+  filter {
+    name = "virtualization-type"
+    values = [
+      "hvm"
+    ]
+  }
+
+  owners = [
+    "amazon" # only official images
+  ]
+}
+
+resource "aws_launch_configuration" "this" {
+  count         = var.launch_type == "EC2" ? 1 : 0
+  name_prefix   = "${var.deployment_name}-ecs-launch-configuration-"
+  image_id      = data.aws_ami.this.id
+  instance_type = var.instance_type # e.g. t2.medium
+
+  enable_monitoring           = true
+  associate_public_ip_address = true
+
+  # This user data represents a collection of “scripts” that will be executed the first time the machine starts.
+  # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier
+  # and marks the instance as purchased through the Spot pricing
+  user_data = <<-EOF
+  #!/bin/bash
+  echo ECS_CLUSTER=${var.deployment_name}-ecs >> /etc/ecs/ecs.config
+  EOF
+
+  # We’ll see security groups later
+  security_groups = [
+    aws_security_group.containers.id
+  ]
+
+  # If you want to SSH into the instance and manage it directly:
+  # 1. Make sure this key exists in the AWS EC2 dashboard
+  # 2. Make sure your local SSH agent has it loaded
+  # 3. Make sure the EC2 instances are launched within a public subnet (are accessible from the internet)
+  key_name = var.ssh_key_name
+
+  # Allow the EC2 instances to access AWS resources on your behalf, using this instance profile and the permissions defined there
+  iam_instance_profile = aws_iam_instance_profile.ec2[0].arn
+  
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_group" "this" {
+  count                = var.launch_type == "EC2" ? 1 : 0
+  name                 = "${var.deployment_name}-autoscaling-group"
+  max_size             = var.max_instance_count
+  min_size             = var.min_instance_count
+  desired_capacity     = var.min_instance_count
+  vpc_zone_identifier  = var.subnet_ids
+  launch_configuration = aws_launch_configuration.this[0].name
+
+  default_cooldown          = 30
+  health_check_grace_period = 30
+
+  termination_policies = [
+    "OldestInstance"
+  ]
+
+  tag {
+    key                 = "AmazonECSManaged"
+    value               = ""
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "Cluster"
+    value               = "${var.deployment_name}-ecs"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "Name"
+    value               = "${var.deployment_name}-ec2-instance"
+    propagate_at_launch = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Attach an autoscaling policy to the spot cluster to target 70% MemoryReservation on the ECS cluster.
+resource "aws_autoscaling_policy" "this" {
+  count                  = var.launch_type == "EC2" ? 1 : 0
+  name                   = "${var.deployment_name}-ecs-scale-policy"
+  policy_type            = "TargetTrackingScaling"
+  adjustment_type        = "ChangeInCapacity"
+  autoscaling_group_name = aws_autoscaling_group.this[0].name
+
+  target_tracking_configuration {
+    customized_metric_specification {
+      metric_dimension {
+        name  = "ClusterName"
+        value = "${var.deployment_name}-ecs"
+      }
+      metric_name = "MemoryReservation"
+      namespace   = "AWS/ECS"
+      statistic   = "Average"
+    }
+    target_value = var.autoscaling_memory_reservation_target
+  }
+}
+
+resource "aws_ecs_capacity_provider" "this" {
+  count = var.launch_type == "EC2" ? 1 : 0
+  name  = "${var.deployment_name}-ecs-capacity-provider"
+
+  auto_scaling_group_provider {
+    auto_scaling_group_arn = aws_autoscaling_group.this[0].arn
+  }
+}

modules/aws_ecs/loadbalancers.tf

@@ -0,0 +1,52 @@
+resource "aws_lb" "this" {
+  name         = "${var.deployment_name}-alb"
+  idle_timeout = var.alb_idle_timeout
+
+  security_groups = [aws_security_group.alb.id]
+  subnets         = var.subnet_ids
+}
+
+resource "aws_lb_listener" "this" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+}
+
+resource "aws_lb_listener_rule" "this" {
+  listener_arn = aws_lb_listener.this.arn
+  priority     = 1
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/"]
+    }
+  }
+}
+
+resource "aws_lb_target_group" "this" {
+  name                 = "${var.deployment_name}-target"
+  vpc_id               = var.vpc_id
+  deregistration_delay = 30
+  port                 = 3000
+  protocol             = "HTTP"
+  target_type          = var.launch_type == "FARGATE" ? "ip" : "instance"
+
+  health_check {
+    interval            = 61
+    path                = "/api/checkHealth"
+    protocol            = "HTTP"
+    timeout             = 60
+    healthy_threshold   = 3
+    unhealthy_threshold = 2
+  }
+}