diff --git a/modules/aws_ec2_standalone/main.tf b/modules/aws_ec2_standalone/main.tf
index 0cd4334..9d4ac2a 100644
--- a/modules/aws_ec2_standalone/main.tf
+++ b/modules/aws_ec2_standalone/main.tf
@@ -13,14 +13,14 @@ provider "aws" {
 data "aws_ami" "this" {
 most_recent = true # get the latest version
- filter {
- name = "name"
- values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
 }
 filter {
- name = "virtualization-type"
- values = ["hvm"]
+ name = "virtualization-type"
+ values = ["hvm"]
 }
 owners = [
diff --git a/modules/aws_ecs/ecs.tf b/modules/aws_ecs/ecs.tf
index 4e16958..0ee5e0a 100644
--- a/modules/aws_ecs/ecs.tf
+++ b/modules/aws_ecs/ecs.tf
@@ -5,6 +5,8 @@ resource "aws_ecs_cluster" "this" {
 name = "containerInsights"
 value = var.ecs_insights_enabled
 }
+
+ tags = var.tags
 }
 # Fargate capacity provider
@@ -46,7 +48,7 @@ resource "aws_launch_configuration" "this" {
 enable_monitoring = true
 associate_public_ip_address = true
- # This user data represents a collection of “scripts” that will be executed the first time the machine starts.
+ # This user data represents a collection of "scripts" that will be executed the first time the machine starts.
 # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier
 # and marks the instance as purchased through the Spot pricing
 user_data = <<-EOF
@@ -54,7 +56,7 @@ resource "aws_launch_configuration" "this" {
 echo ECS_CLUSTER=${var.deployment_name}-ecs >> /etc/ecs/ecs.config
 EOF
- # We’ll see security groups later
+ # We'll see security groups later
 security_groups = [
 aws_security_group.containers.id
 ]
@@ -89,22 +91,18 @@ resource "aws_autoscaling_group" "this" {
 "OldestInstance"
 ]
- tag {
- key = "AmazonECSManaged"
- value = ""
- propagate_at_launch = true
- }
-
- tag {
- key = "Cluster"
- value = "${var.deployment_name}-ecs"
- propagate_at_launch = true
- }
-
- tag {
- key = "Name"
- value = "${var.deployment_name}-ec2-instance"
- propagate_at_launch = true
+ dynamic "tag" {
+ for_each = merge({
+ AmazonECSManaged = "",
+ Cluster = "${var.deployment_name}-ecs",
+ Name = "${var.deployment_name}-ec2-instance"
+ }, var.tags)
+
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
 }
 lifecycle {
diff --git a/modules/aws_ecs/loadbalancers.tf b/modules/aws_ecs/loadbalancers.tf
index 1d0d2ca..b207142 100644
--- a/modules/aws_ecs/loadbalancers.tf
+++ b/modules/aws_ecs/loadbalancers.tf
@@ -1,9 +1,11 @@
 resource "aws_lb" "this" {
- name = "${var.deployment_name}-alb"
- idle_timeout = var.alb_idle_timeout
-
- security_groups = [aws_security_group.alb.id]
- subnets = var.public_subnet_ids
+ name = "${var.deployment_name}-alb"
+ internal = false
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.alb.id]
+ subnets = var.public_subnet_ids
+ idle_timeout = var.alb_idle_timeout
+ tags = var.tags
 }
 resource "aws_lb_listener" "this" {
@@ -68,4 +70,6 @@ resource "aws_lb_target_group" "this" {
 healthy_threshold = 3
 unhealthy_threshold = 2
 }
+
+ tags = var.tags
 }
diff --git a/modules/aws_ecs/locals.tf b/modules/aws_ecs/locals.tf
index a58c2bb..7349ee6 100644
--- a/modules/aws_ecs/locals.tf
+++ b/modules/aws_ecs/locals.tf
@@ -123,7 +123,7 @@ locals {
 auto_create_group = "true"
 log_stream_prefix = "SERVICE_RETOOL/"
 }
- } : {
+ } : {
 logDriver = "awslogs"
 options = {
 awslogs-group = aws_cloudwatch_log_group.this.id
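Review bot: In the new `dynamic "tag"` block, `merge({...}, var.tags)` lets a caller-supplied tag override the module's own keys, because later arguments to `merge` win: a `var.tags` entry named `Name`, `Cluster` or `AmazonECSManaged` silently replaces the value set here. `AmazonECSManaged` is the tag ECS managed scaling looks for on the ASG, so it is the one most worth protecting from an accidental override. If module-managed tags are meant to take precedence, reverse the argument order: `for_each = merge(var.tags, {` … `})`, and say so in a one-line comment such as `# module-managed keys win over var.tags`. The enclosing `aws_autoscaling_group` resource starts and ends outside the hunk.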
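Review bot: The rewritten `aws_lb` body now spells out `internal = false` and `load_balancer_type = "application"`, which documents that this is an internet-facing ALB, but it still carries no hardening attributes; consider adding `drop_invalid_header_fields = true` so malformed headers are rejected at the edge, and an `access_logs` block if a log bucket is available, so requests reaching the listener are auditable. Both of the newly added attributes are provider defaults, so they change nothing at apply time; a comment such as `# internet-facing ALB; internal/type made explicit for readers` would make that clear. The `aws_lb_target_group` hunk further down in this file only adds tags and needs no change.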
@@ -143,7 +143,7 @@ locals {
 memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["fluentbit"]["memory"] : null
 firelensConfiguration = {
- type = "fluentbit"
+ type = "fluentbit"
 options = {
 config-file-type = "file"
 config-file-value = "/extra.conf"
@@ -152,7 +152,7 @@ locals {
 logConfiguration = {
 logDriver = "awslogs"
- options = {
+ options = {
 awslogs-group = aws_cloudwatch_log_group.this.id
 awslogs-region = var.aws_region
 awslogs-stream-prefix = "SERVICE_RETOOL"
diff --git a/modules/aws_ecs/main.tf b/modules/aws_ecs/main.tf
index 9750935..d3d363e 100644
--- a/modules/aws_ecs/main.tf
+++ b/modules/aws_ecs/main.tf
@@ -14,11 +14,13 @@ data "aws_vpc" "selected" {
 resource "aws_cloudwatch_log_group" "this" {
 name = "${var.deployment_name}-ecs-log-group"
 retention_in_days = var.log_retention_in_days
+ tags = var.tags
 }
 resource "aws_db_subnet_group" "this" {
 name = "${var.deployment_name}-retool"
 subnet_ids = var.private_subnet_ids
+ tags = var.tags
 }
 resource "aws_db_instance" "this" {
@@ -42,6 +44,7 @@ resource "aws_db_instance" "this" {
 storage_throughput = var.rds_storage_throughput
 iops = var.rds_iops
 multi_az = var.rds_multi_az
+ tags = var.tags
 skip_final_snapshot = true
 apply_immediately = true
@@ -454,12 +457,12 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
 local.common_containers,
 [
 {
- name = "retool-code-executor"
- essential = true
- image = local.ecs_code_executor_image
- cpu = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
- memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
- user = var.launch_type == "EC2" ? null : "1001:1001"
+ name = "retool-code-executor"
+ essential = true
+ image = local.ecs_code_executor_image
+ cpu = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
+ memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
+ user = var.launch_type == "EC2" ? null : "1001:1001"
 # required to use nsjail sandboxing, which is required for custom libraries for JS and Python
 # Learn more here: https://docs.retool.com/self-hosted/concepts/architecture#code-executor
 # If not using nsjail sandboxing, update this to be false and use user = "1001:1001"
@@ -486,7 +489,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
 local.base_environment_variables,
 [
 {
- name = "NODE_OPTIONS",
+ name = "NODE_OPTIONS",
 value = "--max_old_space_size=1024"
 }
 ],
@@ -591,11 +594,13 @@ resource "aws_service_discovery_private_dns_namespace" "retool_namespace" {
 name = local.service_discovery_namespace
 description = "Service Discovery namespace for Retool deployment"
 vpc = var.vpc_id
+ tags = var.tags
 }
 resource "aws_service_discovery_service" "retool_workflow_backend_service" {
 count = var.workflows_enabled ? 1 : 0
 name = "workflow-backend"
+ tags = var.tags
 dns_config {
 namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id
@@ -635,7 +640,7 @@ resource "aws_service_discovery_service" "retool_code_executor_service" {
 resource "aws_service_discovery_service" "retool_telemetry_service" {
 count = var.telemetry_enabled ? 1 : 0
- name = "telemetry"
+ name = "telemetry"
 dns_config {
 namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id
@@ -701,4 +706,5 @@ module "temporal" {
 aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
 task_propagate_tags = var.task_propagate_tags
 service_discovery_namespace = local.service_discovery_namespace
+ tags = var.tags
 }
diff --git a/modules/aws_ecs/roles.tf b/modules/aws_ecs/roles.tf
index 7657656..0968b7e 100644
--- a/modules/aws_ecs/roles.tf
+++ b/modules/aws_ecs/roles.tf
@@ -25,6 +25,7 @@ resource "aws_iam_role" "task_role" {
 name = "${var.deployment_name}-task-role"
 assume_role_policy = data.aws_iam_policy_document.task_role_assume_policy.json
 path = "/"
+ tags = var.tags
 inline_policy {
 name = "${var.deployment_name}-task-policy"
@@ -62,6 +63,7 @@ resource "aws_iam_role" "service_role" {
 name = "${var.deployment_name}-service-role"
 assume_role_policy = data.aws_iam_policy_document.service_role_assume_policy.json
 path = "/"
+ tags = var.tags
 inline_policy {
 name = "${var.deployment_name}-service-policy"
@@ -85,6 +87,7 @@ resource "aws_iam_role" "execution_role" {
 count = var.launch_type == "FARGATE" ? 1 : 0
 name = "${var.deployment_name}-execution-role"
 assume_role_policy = data.aws_iam_policy_document.execution_role_assume_policy.json
+ tags = var.tags
 }
 resource "aws_iam_role_policy_attachment" "execution_role" {
@@ -105,6 +108,7 @@ resource "aws_iam_role" "ec2" {
 name = "${var.deployment_name}-ec2-iam-role"
 assume_role_policy = data.aws_iam_policy_document.ec2_assume_policy.json
 path = "/"
+ tags = var.tags
 inline_policy {
 name = "${var.deployment_name}-ec2-policy"
diff --git a/modules/aws_ecs/temporal/locals.tf b/modules/aws_ecs/temporal/locals.tf
index e4ef558..94ba970 100644
--- a/modules/aws_ecs/temporal/locals.tf
+++ b/modules/aws_ecs/temporal/locals.tf
@@ -3,48 +3,48 @@ locals {
 var.additional_env_vars, # add additional environment variables
 [
 {
- "name": "LOG_LEVEL",
- "value": "debug,info"
+ "name" : "LOG_LEVEL",
+ "value" : "debug,info"
 },
 {
- "name": "NUM_HISTORY_SHARDS",
- "value": "128"
+ "name" : "NUM_HISTORY_SHARDS",
+ "value" : "128"
 },
 {
- "name": "DB",
- "value": "postgresql"
+ "name" : "DB",
+ "value" : "postgresql"
 },
 {
- "name": "POSTGRES_HOST",
- "value": module.temporal_aurora_rds.cluster_endpoint
+ "name" : "POSTGRES_HOST",
+ "value" : module.temporal_aurora_rds.cluster_endpoint
 },
 {
- "name": "POSTGRES_PORT",
- "value": tostring(module.temporal_aurora_rds.cluster_port)
+ "name" : "POSTGRES_PORT",
+ "value" : tostring(module.temporal_aurora_rds.cluster_port)
 },
 {
- "name": "POSTGRES_USER",
- "value": var.temporal_aurora_username
+ "name" : "POSTGRES_USER",
+ "value" : var.temporal_aurora_username
 },
 {
- "name": "POSTGRES_PASSWORD",
- "value": random_string.temporal_aurora_password.result
+ "name" : "POSTGRES_PASSWORD",
+ "value" : random_string.temporal_aurora_password.result
 },
 {
- "name": "DBNAME",
- "value": "temporal"
+ "name" : "DBNAME",
+ "value" : "temporal"
 },
 {
- "name": "DBNAME_VISIBILITY",
- "value": "temporal_visibility"
+ "name" : "DBNAME_VISIBILITY",
+ "value" : "temporal_visibility"
 },
 {
- "name": "DYNAMIC_CONFIG_FILE_PATH",
- "value": "/etc/temporal/ecs/dynamic_config/dynamicconfig-sql.yaml"
+ "name" : "DYNAMIC_CONFIG_FILE_PATH",
+ "value" : "/etc/temporal/ecs/dynamic_config/dynamicconfig-sql.yaml"
 },
 {
- "name": "ECS_DEPLOYED",
- "value": "true"
+ "name" : "ECS_DEPLOYED",
+ "value" : "true"
 }
 ]
 )
diff --git a/modules/aws_ecs/temporal/main.tf b/modules/aws_ecs/temporal/main.tf
index 9d9ef7d..f9bf3e2 100644
--- a/modules/aws_ecs/temporal/main.tf
+++ b/modules/aws_ecs/temporal/main.tf
@@ -40,10 +40,12 @@ module "temporal_aurora_rds" {
 backup_retention_period = var.temporal_aurora_backup_retention_period
 preferred_backup_window = var.temporal_aurora_preferred_backup_window
+ tags = var.tags
 }
 resource "aws_service_discovery_service" "temporal_frontend_service" {
 name = "temporal"
+ tags = var.tags
 dns_config {
 namespace_id = var.private_dns_namespace_id
@@ -70,6 +72,7 @@ resource "aws_ecs_service" "retool_temporal" {
 desired_count = 1
 task_definition = aws_ecs_task_definition.retool_temporal[each.key].arn
 propagate_tags = var.task_propagate_tags
+ tags = var.tags
 # Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
 capacity_provider_strategy {
@@ -109,6 +112,7 @@ resource "aws_ecs_task_definition" "retool_temporal" {
 network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
 cpu = var.launch_type == "FARGATE" ? each.value["cpu"] : null
 memory = var.launch_type == "FARGATE" ? each.value["memory"] : null
+ tags = var.tags
 container_definitions = jsonencode(
 [
 {
diff --git a/modules/aws_ecs/temporal/roles.tf b/modules/aws_ecs/temporal/roles.tf
index 2e4ecd1..044b85d 100644
--- a/modules/aws_ecs/temporal/roles.tf
+++ b/modules/aws_ecs/temporal/roles.tf
@@ -13,6 +13,7 @@ resource "aws_iam_role" "task_role" {
 name = "${var.deployment_name}-task-role"
 assume_role_policy = data.aws_iam_policy_document.task_role_assume_policy.json
 path = "/"
+ tags = var.tags
 }
 data "aws_iam_policy_document" "service_role_assume_policy" {
@@ -45,6 +46,7 @@ resource "aws_iam_role" "service_role" {
 name = "${var.deployment_name}-service-role"
 assume_role_policy = data.aws_iam_policy_document.service_role_assume_policy.json
 path = "/"
+ tags = var.tags
 inline_policy {
 name = "${var.deployment_name}-service-policy"
@@ -68,6 +70,7 @@ resource "aws_iam_role" "execution_role" {
 count = var.launch_type == "FARGATE" ? 1 : 0
 name = "${var.deployment_name}-execution-role"
 assume_role_policy = data.aws_iam_policy_document.execution_role_assume_policy.json
+ tags = var.tags
 }
 resource "aws_iam_role_policy_attachment" "execution_role" {
diff --git a/modules/aws_ecs/temporal/secrets.tf b/modules/aws_ecs/temporal/secrets.tf
index d249f98..f007f30 100644
--- a/modules/aws_ecs/temporal/secrets.tf
+++ b/modules/aws_ecs/temporal/secrets.tf
@@ -1,13 +1,13 @@
-
 resource "random_string" "temporal_aurora_password" {
 length = var.secret_length
 special = false
 }
 resource "aws_secretsmanager_secret" "temporal_aurora_password" {
- name = "${var.deployment_name}-temporal-rds-password"
- description = "This is the password for the Retool Temporal RDS instance"
+ name = "${var.deployment_name}-temporal-rds-password"
+ description = "This is the password for the Retool Temporal RDS instance"
 recovery_window_in_days = 0
+ tags = var.tags
 }
 resource "aws_secretsmanager_secret_version" "temporal_aurora_password" {
@@ -16,9 +16,10 @@ resource "aws_secretsmanager_secret_version" "temporal_aurora_password" {
 }
 resource "aws_secretsmanager_secret" "temporal_aurora_username" {
- name = "${var.deployment_name}-temporal-rds-username"
- description = "This is the username for the Retool Temporal RDS instance"
+ name = "${var.deployment_name}-temporal-rds-username"
+ description = "This is the username for the Retool Temporal RDS instance"
 recovery_window_in_days = 0
+ tags = var.tags
 }
 resource "aws_secretsmanager_secret_version" "temporal_aurora_username" {
diff --git a/modules/aws_ecs/temporal/variables.tf b/modules/aws_ecs/temporal/variables.tf
index 4f0390e..a17c478 100644
--- a/modules/aws_ecs/temporal/variables.tf
+++ b/modules/aws_ecs/temporal/variables.tf
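Review bot: The `temporal/secrets.tf` hunk keeps `random_string` as the generator for `temporal_aurora_password`; `random_string` does not mark its `result` as sensitive, so the password is shown in plan and apply output, whereas `random_password` takes the same `length`/`special` arguments and redacts the value (state holds it in plaintext either way, and changing the resource type forces a new value, so coordinate it with the Aurora cluster). The same value is also injected as a plain `POSTGRES_PASSWORD` environment variable in the `temporal/locals.tf` hunk, so it lands in the task definition as well as in Secrets Manager; wiring the container to the secret instead would keep one copy. The `modules/aws_ecs_ec2/secrets.tf` hunk headers show the same `random_string` pattern for `rds_password`, `jwt_secret` and `encryption_key`, which this commit only re-aligns. `recovery_window_in_days = 0` also makes deletion of the secret immediate and unrecoverable; if that is deliberate, a comment such as `# 0 = no recovery window; deleted immediately on destroy` would make the choice explicit.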
@@ -210,3 +210,9 @@ variable "service_discovery_namespace" {
 type = string
 description = "Service discovery namespace DNS name for Retool ECS cluster."
 }
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf
index b6e127a..7e6ad5a 100644
--- a/modules/aws_ecs/variables.tf
+++ b/modules/aws_ecs/variables.tf
@@ -596,3 +596,9 @@ variable "alb_egress_rules" {
 ]
 description = "Egress rules for load balancer"
 }
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/aws_ecs_ec2/locals.tf b/modules/aws_ecs_ec2/locals.tf
index 7a14150..7718ab1 100644
--- a/modules/aws_ecs_ec2/locals.tf
+++ b/modules/aws_ecs_ec2/locals.tf
@@ -47,8 +47,8 @@ locals {
 "value" : var.retool_license_key
 },
 {
- "name": "DEPLOYMENT_TEMPLATE_TYPE"
- "value": "aws-ecs-ec2-terraform-deprecated"
+ "name" : "DEPLOYMENT_TEMPLATE_TYPE"
+ "value" : "aws-ecs-ec2-terraform-deprecated"
 }
 ]
 )
diff --git a/modules/aws_ecs_ec2/main.tf b/modules/aws_ecs_ec2/main.tf
index 72f55ab..0b32376 100644
--- a/modules/aws_ecs_ec2/main.tf
+++ b/modules/aws_ecs_ec2/main.tf
@@ -22,7 +22,7 @@ resource "aws_ecs_cluster" "this" {
 data "aws_ami" "this" {
 most_recent = true # get the latest version
- name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
+ name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
 filter {
 name = "virtualization-type"
@@ -65,7 +65,7 @@ resource "aws_launch_configuration" "this" {
 # Allow the EC2 instances to access AWS resources on your behalf, using this instance profile and the permissions defined there
 iam_instance_profile = aws_iam_instance_profile.ec2.arn
-
+
 lifecycle {
 create_before_destroy = true
 }
@@ -144,7 +144,7 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 resource "aws_db_instance" "this" {
- identifier = "${var.deployment_name}-rds-instance"
+ identifier = "${var.deployment_name}-rds-instance"
 allocated_storage = 80
 instance_class = var.rds_instance_class
 engine = "postgres"
@@ -157,9 +157,9 @@ resource "aws_db_instance" "this" {
 vpc_security_group_ids = [aws_security_group.rds.id]
 performance_insights_enabled = var.rds_performance_insights_enabled
 multi_az = var.rds_multi_az
-
- skip_final_snapshot = true
- apply_immediately = true
+
+ skip_final_snapshot = true
+ apply_immediately = true
 }
 resource "aws_ecs_service" "retool" {
diff --git a/modules/aws_ecs_ec2/secrets.tf b/modules/aws_ecs_ec2/secrets.tf
index f47ca3a..8223abf 100644
--- a/modules/aws_ecs_ec2/secrets.tf
+++ b/modules/aws_ecs_ec2/secrets.tf
@@ -4,8 +4,8 @@ resource "random_string" "rds_password" {
 }
 resource "aws_secretsmanager_secret" "rds_password" {
- name = "${var.deployment_name}-rds-password"
- description = "This is the password for the Retool RDS instance"
+ name = "${var.deployment_name}-rds-password"
+ description = "This is the password for the Retool RDS instance"
 recovery_window_in_days = 0
 }
@@ -15,8 +15,8 @@ resource "aws_secretsmanager_secret_version" "rds_password" {
 }
 resource "aws_secretsmanager_secret" "rds_username" {
- name = "${var.deployment_name}-rds-username"
- description = "This is the username for the Retool RDS instance"
+ name = "${var.deployment_name}-rds-username"
+ description = "This is the username for the Retool RDS instance"
 recovery_window_in_days = 0
 }
@@ -31,8 +31,8 @@ resource "random_string" "jwt_secret" {
 }
 resource "aws_secretsmanager_secret" "jwt_secret" {
- name = "${var.deployment_name}-jwt-secret"
- description = "This is the secret for Retool JWTs"
+ name = "${var.deployment_name}-jwt-secret"
+ description = "This is the secret for Retool JWTs"
 recovery_window_in_days = 0
 }
@@ -48,8 +48,8 @@ resource "random_string" "encryption_key" {
 }
 resource "aws_secretsmanager_secret" "encryption_key" {
- name = "${var.deployment_name}-encryption-key"
- description = "This is the secret for encrypting credentials"
+ name = "${var.deployment_name}-encryption-key"
+ description = "This is the secret for encrypting credentials"
 recovery_window_in_days = 0
 }