tryretool · esanchezxev · Mar 25, 2025 · Mar 25, 2025 · Mar 25, 2025 · Mar 25, 2025
diff --git a/modules/aws_ec2_standalone/main.tf b/modules/aws_ec2_standalone/main.tf
@@ -13,14 +13,14 @@ provider "aws" {
 
 data "aws_ami" "this" {
   most_recent = true # get the latest version
-   filter {
-      name   = "name"
-      values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
   }
 
   filter {
-      name   = "virtualization-type"
-      values = ["hvm"]
+    name   = "virtualization-type"
+    values = ["hvm"]
   }
 
   owners = [

diff --git a/modules/aws_ecs/ecs.tf b/modules/aws_ecs/ecs.tf
@@ -5,6 +5,8 @@ resource "aws_ecs_cluster" "this" {
     name  = "containerInsights"
     value = var.ecs_insights_enabled
   }
+
+  tags = var.tags
 }
 
 # Fargate capacity provider
@@ -46,15 +48,15 @@ resource "aws_launch_configuration" "this" {
   enable_monitoring           = true
   associate_public_ip_address = true
 
-  # This user data represents a collection of “scripts” that will be executed the first time the machine starts.
+  # This user data represents a collection of "scripts" that will be executed the first time the machine starts.
   # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier
   # and marks the instance as purchased through the Spot pricing
   user_data = <<-EOF
   #!/bin/bash
   echo ECS_CLUSTER=${var.deployment_name}-ecs >> /etc/ecs/ecs.config
   EOF
 
-  # We’ll see security groups later
+  # We'll see security groups later
   security_groups = [
     aws_security_group.containers.id
   ]
@@ -89,22 +91,18 @@ resource "aws_autoscaling_group" "this" {
     "OldestInstance"
   ]
 
-  tag {
-    key                 = "AmazonECSManaged"
-    value               = ""
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "Cluster"
-    value               = "${var.deployment_name}-ecs"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "Name"
-    value               = "${var.deployment_name}-ec2-instance"
-    propagate_at_launch = true
+  dynamic "tag" {
+    for_each = merge({
+      AmazonECSManaged = "",
+      Cluster          = "${var.deployment_name}-ecs",
+      Name             = "${var.deployment_name}-ec2-instance"
+    }, var.tags)
+
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = true
+    }
   }
 
   lifecycle {

diff --git a/modules/aws_ecs/loadbalancers.tf b/modules/aws_ecs/loadbalancers.tf
@@ -1,9 +1,11 @@
 resource "aws_lb" "this" {
-  name         = "${var.deployment_name}-alb"
-  idle_timeout = var.alb_idle_timeout
-
-  security_groups = [aws_security_group.alb.id]
-  subnets         = var.public_subnet_ids
+  name               = "${var.deployment_name}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = var.public_subnet_ids
+  idle_timeout       = var.alb_idle_timeout
+  tags               = var.tags
 }
 
 resource "aws_lb_listener" "this" {
@@ -68,4 +70,6 @@ resource "aws_lb_target_group" "this" {
     healthy_threshold   = 3
     unhealthy_threshold = 2
   }
+
+  tags = var.tags
 }
diff --git a/modules/aws_ecs/locals.tf b/modules/aws_ecs/locals.tf
@@ -123,7 +123,7 @@ locals {
         auto_create_group = "true"
         log_stream_prefix = "SERVICE_RETOOL/"
       }
-    } : {
+      } : {
       logDriver = "awslogs"
       options = {
         awslogs-group         = aws_cloudwatch_log_group.this.id
@@ -143,7 +143,7 @@ locals {
         memory    = var.launch_type == "EC2" ? var.ecs_task_resource_map["fluentbit"]["memory"] : null
 
         firelensConfiguration = {
-          type    = "fluentbit"
+          type = "fluentbit"
           options = {
             config-file-type  = "file"
             config-file-value = "/extra.conf"
@@ -152,7 +152,7 @@ locals {
 
         logConfiguration = {
           logDriver = "awslogs"
-          options   = {
+          options = {
             awslogs-group         = aws_cloudwatch_log_group.this.id
             awslogs-region        = var.aws_region
             awslogs-stream-prefix = "SERVICE_RETOOL"

diff --git a/modules/aws_ecs/main.tf b/modules/aws_ecs/main.tf
@@ -14,11 +14,13 @@ data "aws_vpc" "selected" {
 resource "aws_cloudwatch_log_group" "this" {
   name              = "${var.deployment_name}-ecs-log-group"
   retention_in_days = var.log_retention_in_days
+  tags              = var.tags
 }
 
 resource "aws_db_subnet_group" "this" {
   name       = "${var.deployment_name}-retool"
   subnet_ids = var.private_subnet_ids
+  tags       = var.tags
 }
 
 resource "aws_db_instance" "this" {
@@ -42,6 +44,7 @@ resource "aws_db_instance" "this" {
   storage_throughput           = var.rds_storage_throughput
   iops                         = var.rds_iops
   multi_az                     = var.rds_multi_az
+  tags                         = var.tags
 
   skip_final_snapshot = true
   apply_immediately   = true
@@ -454,12 +457,12 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
     local.common_containers,
     [
       {
-        name       = "retool-code-executor"
-        essential  = true
-        image      = local.ecs_code_executor_image
-        cpu        = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
-        memory     = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
-        user       = var.launch_type == "EC2" ? null : "1001:1001"
+        name      = "retool-code-executor"
+        essential = true
+        image     = local.ecs_code_executor_image
+        cpu       = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
+        memory    = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
+        user      = var.launch_type == "EC2" ? null : "1001:1001"
         # required to use nsjail sandboxing, which is required for custom libraries for JS and Python
         # Learn more here: https://docs.retool.com/self-hosted/concepts/architecture#code-executor
         # If not using nsjail sandboxing, update this to be false and use user = "1001:1001"
@@ -486,7 +489,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
           local.base_environment_variables,
           [
             {
-              name = "NODE_OPTIONS",
+              name  = "NODE_OPTIONS",
               value = "--max_old_space_size=1024"
             }
           ],
@@ -591,11 +594,13 @@ resource "aws_service_discovery_private_dns_namespace" "retool_namespace" {
   name        = local.service_discovery_namespace
   description = "Service Discovery namespace for Retool deployment"
   vpc         = var.vpc_id
+  tags        = var.tags
 }
 
 resource "aws_service_discovery_service" "retool_workflow_backend_service" {
   count = var.workflows_enabled ? 1 : 0
   name  = "workflow-backend"
+  tags  = var.tags
 
   dns_config {
     namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id
@@ -635,7 +640,7 @@ resource "aws_service_discovery_service" "retool_code_executor_service" {
 
 resource "aws_service_discovery_service" "retool_telemetry_service" {
   count = var.telemetry_enabled ? 1 : 0
-  name = "telemetry"
+  name  = "telemetry"
 
   dns_config {
     namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id
@@ -701,4 +706,5 @@ module "temporal" {
   aws_ecs_capacity_provider_name               = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
   task_propagate_tags                          = var.task_propagate_tags
   service_discovery_namespace                  = local.service_discovery_namespace
+  tags                                         = var.tags
 }
diff --git a/modules/aws_ecs/roles.tf b/modules/aws_ecs/roles.tf
@@ -25,6 +25,7 @@ resource "aws_iam_role" "task_role" {
   name               = "${var.deployment_name}-task-role"
   assume_role_policy = data.aws_iam_policy_document.task_role_assume_policy.json
   path               = "/"
+  tags               = var.tags
 
   inline_policy {
     name   = "${var.deployment_name}-task-policy"
@@ -62,6 +63,7 @@ resource "aws_iam_role" "service_role" {
   name               = "${var.deployment_name}-service-role"
   assume_role_policy = data.aws_iam_policy_document.service_role_assume_policy.json
   path               = "/"
+  tags               = var.tags
 
   inline_policy {
     name   = "${var.deployment_name}-service-policy"
@@ -85,6 +87,7 @@ resource "aws_iam_role" "execution_role" {
   count              = var.launch_type == "FARGATE" ? 1 : 0
   name               = "${var.deployment_name}-execution-role"
   assume_role_policy = data.aws_iam_policy_document.execution_role_assume_policy.json
+  tags               = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "execution_role" {
@@ -105,6 +108,7 @@ resource "aws_iam_role" "ec2" {
   name               = "${var.deployment_name}-ec2-iam-role"
   assume_role_policy = data.aws_iam_policy_document.ec2_assume_policy.json
   path               = "/"
+  tags               = var.tags
 
   inline_policy {
     name   = "${var.deployment_name}-ec2-policy"

diff --git a/modules/aws_ecs/temporal/locals.tf b/modules/aws_ecs/temporal/locals.tf
@@ -3,48 +3,48 @@ locals {
     var.additional_env_vars, # add additional environment variables
     [
       {
-        "name": "LOG_LEVEL",
-        "value": "debug,info"
+        "name" : "LOG_LEVEL",
+        "value" : "debug,info"
       },
       {
-        "name": "NUM_HISTORY_SHARDS",
-        "value": "128"
+        "name" : "NUM_HISTORY_SHARDS",
+        "value" : "128"
       },
       {
-        "name": "DB",
-        "value": "postgresql"
+        "name" : "DB",
+        "value" : "postgresql"
       },
       {
-        "name": "POSTGRES_HOST",
-        "value": module.temporal_aurora_rds.cluster_endpoint
+        "name" : "POSTGRES_HOST",
+        "value" : module.temporal_aurora_rds.cluster_endpoint
       },
       {
-        "name": "POSTGRES_PORT",
-        "value": tostring(module.temporal_aurora_rds.cluster_port)
+        "name" : "POSTGRES_PORT",
+        "value" : tostring(module.temporal_aurora_rds.cluster_port)
       },
       {
-        "name": "POSTGRES_USER",
-        "value": var.temporal_aurora_username
+        "name" : "POSTGRES_USER",
+        "value" : var.temporal_aurora_username
       },
       {
-        "name": "POSTGRES_PASSWORD",
-        "value": random_string.temporal_aurora_password.result
+        "name" : "POSTGRES_PASSWORD",
+        "value" : random_string.temporal_aurora_password.result
       },
       {
-        "name": "DBNAME",
-        "value": "temporal"
+        "name" : "DBNAME",
+        "value" : "temporal"
       },
       {
-        "name": "DBNAME_VISIBILITY",
-        "value": "temporal_visibility"
+        "name" : "DBNAME_VISIBILITY",
+        "value" : "temporal_visibility"
       },
       {
-        "name": "DYNAMIC_CONFIG_FILE_PATH",
-        "value": "/etc/temporal/ecs/dynamic_config/dynamicconfig-sql.yaml"
+        "name" : "DYNAMIC_CONFIG_FILE_PATH",
+        "value" : "/etc/temporal/ecs/dynamic_config/dynamicconfig-sql.yaml"
       },
       {
-        "name": "ECS_DEPLOYED",
-        "value": "true"
+        "name" : "ECS_DEPLOYED",
+        "value" : "true"
       }
     ]
   )

diff --git a/modules/aws_ecs/temporal/main.tf b/modules/aws_ecs/temporal/main.tf
@@ -40,10 +40,12 @@ module "temporal_aurora_rds" {
 
   backup_retention_period = var.temporal_aurora_backup_retention_period
   preferred_backup_window = var.temporal_aurora_preferred_backup_window
+  tags                    = var.tags
 }
 
 resource "aws_service_discovery_service" "temporal_frontend_service" {
   name = "temporal"
+  tags = var.tags
 
   dns_config {
     namespace_id = var.private_dns_namespace_id
@@ -70,6 +72,7 @@ resource "aws_ecs_service" "retool_temporal" {
   desired_count   = 1
   task_definition = aws_ecs_task_definition.retool_temporal[each.key].arn
   propagate_tags  = var.task_propagate_tags
+  tags            = var.tags
 
   # Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
   capacity_provider_strategy {
@@ -109,6 +112,7 @@ resource "aws_ecs_task_definition" "retool_temporal" {
   network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
   cpu                      = var.launch_type == "FARGATE" ? each.value["cpu"] : null
   memory                   = var.launch_type == "FARGATE" ? each.value["memory"] : null
+  tags                     = var.tags
   container_definitions = jsonencode(
     [
       {

diff --git a/modules/aws_ecs/temporal/roles.tf b/modules/aws_ecs/temporal/roles.tf
@@ -13,6 +13,7 @@ resource "aws_iam_role" "task_role" {
   name               = "${var.deployment_name}-task-role"
   assume_role_policy = data.aws_iam_policy_document.task_role_assume_policy.json
   path               = "/"
+  tags               = var.tags
 }
 
 data "aws_iam_policy_document" "service_role_assume_policy" {
@@ -45,6 +46,7 @@ resource "aws_iam_role" "service_role" {
   name               = "${var.deployment_name}-service-role"
   assume_role_policy = data.aws_iam_policy_document.service_role_assume_policy.json
   path               = "/"
+  tags               = var.tags
 
   inline_policy {
     name   = "${var.deployment_name}-service-policy"
@@ -68,6 +70,7 @@ resource "aws_iam_role" "execution_role" {
   count              = var.launch_type == "FARGATE" ? 1 : 0
   name               = "${var.deployment_name}-execution-role"
   assume_role_policy = data.aws_iam_policy_document.execution_role_assume_policy.json
+  tags               = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "execution_role" {

diff --git a/modules/aws_ecs/temporal/secrets.tf b/modules/aws_ecs/temporal/secrets.tf
@@ -1,13 +1,13 @@
-
 resource "random_string" "temporal_aurora_password" {
   length  = var.secret_length
   special = false
 }
 
 resource "aws_secretsmanager_secret" "temporal_aurora_password" {
-  name        = "${var.deployment_name}-temporal-rds-password"
-  description = "This is the password for the Retool Temporal RDS instance"
+  name                    = "${var.deployment_name}-temporal-rds-password"
+  description             = "This is the password for the Retool Temporal RDS instance"
   recovery_window_in_days = 0
+  tags                    = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "temporal_aurora_password" {
@@ -16,9 +16,10 @@ resource "aws_secretsmanager_secret_version" "temporal_aurora_password" {
 }
 
 resource "aws_secretsmanager_secret" "temporal_aurora_username" {
-  name        = "${var.deployment_name}-temporal-rds-username"
-  description = "This is the username for the Retool Temporal RDS instance"
+  name                    = "${var.deployment_name}-temporal-rds-username"
+  description             = "This is the username for the Retool Temporal RDS instance"
   recovery_window_in_days = 0
+  tags                    = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "temporal_aurora_username" {