From eaa6a8d34618630ee3a8a25b85e74cb7ad4b2117 Mon Sep 17 00:00:00 2001 From: Joseph Schadlick Date: Tue, 3 Jun 2025 16:08:32 -0700 Subject: [PATCH 1/3] Add associate_public_ip_address variable to aws_ecs and aws_ecs_ec2 modules --- modules/aws_ecs/ecs.tf | 2 +- modules/aws_ecs/variables.tf | 6 ++++++ modules/aws_ecs_ec2/main.tf | 2 +- modules/aws_ecs_ec2/variables.tf | 6 ++++++ 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/modules/aws_ecs/ecs.tf b/modules/aws_ecs/ecs.tf index 4e16958..8cca01c 100644 --- a/modules/aws_ecs/ecs.tf +++ b/modules/aws_ecs/ecs.tf @@ -44,7 +44,7 @@ resource "aws_launch_configuration" "this" { instance_type = var.instance_type # e.g. t2.medium enable_monitoring = true - associate_public_ip_address = true + associate_public_ip_address = var.associate_public_ip_address # This user data represents a collection of “scripts” that will be executed the first time the machine starts. # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf index b6e127a..73319a4 100644 --- a/modules/aws_ecs/variables.tf +++ b/modules/aws_ecs/variables.tf @@ -49,6 +49,12 @@ variable "min_instance_count" { default = 3 } +variable "associate_public_ip_address" { + type = bool + description = "Whether to associate a public IP address with an EC2 instance in a VPC. Defaults to true." + default = true +} + variable "deployment_name" { type = string description = "Name prefix for created resources. Defaults to `retool`." diff --git a/modules/aws_ecs_ec2/main.tf b/modules/aws_ecs_ec2/main.tf index 72f55ab..1894a75 100644 --- a/modules/aws_ecs_ec2/main.tf +++ b/modules/aws_ecs_ec2/main.tf 
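Review bot: The new `associate_public_ip_address` variable in modules/aws_ecs/variables.tf keeps the old behaviour by default, but its description says nothing about what a `false` value requires from the network. The ecs.tf hunk shows the launch configuration's user data joining each instance to the ECS cluster on first boot; without a public IP those instances presumably need some other egress path (a NAT gateway or VPC endpoints) to reach the ECS control plane and the container registry, and otherwise they will never appear in the cluster. Suggest `description = "Whether to associate a public IP address with the ECS container instances. Defaults to true. When false, the instance subnets must provide another route to the ECS control plane and container registry (NAT gateway or VPC endpoints)."`. The identical variable is added in modules/aws_ecs_ec2/variables.tf and should carry the same text.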
@@ -42,7 +42,7 @@ resource "aws_launch_configuration" "this" { instance_type = var.instance_type # e.g. t2.medium enable_monitoring = true - associate_public_ip_address = true + associate_public_ip_address = var.associate_public_ip_address # This user data represents a collection of “scripts” that will be executed the first time the machine starts. # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier diff --git a/modules/aws_ecs_ec2/variables.tf b/modules/aws_ecs_ec2/variables.tf index d0a43e0..f1143fe 100644 --- a/modules/aws_ecs_ec2/variables.tf +++ b/modules/aws_ecs_ec2/variables.tf @@ -43,6 +43,12 @@ variable "min_instance_count" { default = 3 } +variable "associate_public_ip_address" { + type = bool + description = "Whether to associate a public IP address with an EC2 instance in a VPC. Defaults to true." + default = true +} + variable "deployment_name" { type = string description = "Name prefix for created resources. Defaults to `retool`." From 9ead242510bd4cf57db09f9b5d16707f8931c08e Mon Sep 17 00:00:00 2001 From: Joseph Schadlick Date: Tue, 3 Jun 2025 16:18:54 -0700 Subject: [PATCH 2/3] Add assign_public_ip variable to aws_ecs module --- modules/aws_ecs/locals.tf | 6 +++--- modules/aws_ecs/main.tf | 29 ++++++++++++++------------- modules/aws_ecs/temporal/main.tf | 2 +- modules/aws_ecs/temporal/variables.tf | 6 ++++++ modules/aws_ecs/variables.tf | 6 ++++++ 5 files changed, 31 insertions(+), 18 deletions(-) diff --git a/modules/aws_ecs/locals.tf b/modules/aws_ecs/locals.tf index a58c2bb..7349ee6 100644 --- a/modules/aws_ecs/locals.tf +++ b/modules/aws_ecs/locals.tf @@ -123,7 +123,7 @@ locals { auto_create_group = "true" log_stream_prefix = "SERVICE_RETOOL/" } - } : { + } : { logDriver = "awslogs" options = { awslogs-group = aws_cloudwatch_log_group.this.id 
@@ -143,7 +143,7 @@ locals { memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["fluentbit"]["memory"] : null firelensConfiguration = { - type = "fluentbit" + type = "fluentbit" options = { config-file-type = "file" config-file-value = "/extra.conf" @@ -152,7 +152,7 @@ locals { logConfiguration = { logDriver = "awslogs" - options = { + options = { awslogs-group = aws_cloudwatch_log_group.this.id awslogs-region = var.aws_region awslogs-stream-prefix = "SERVICE_RETOOL" diff --git a/modules/aws_ecs/main.tf b/modules/aws_ecs/main.tf index 9750935..c795850 100644 --- a/modules/aws_ecs/main.tf +++ b/modules/aws_ecs/main.tf @@ -79,7 +79,7 @@ resource "aws_ecs_service" "retool" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } @@ -107,7 +107,7 @@ resource "aws_ecs_service" "jobs_runner" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } @@ -140,7 +140,7 @@ resource "aws_ecs_service" "workflows_backend" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } @@ -169,7 +169,7 @@ resource "aws_ecs_service" "workflows_worker" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } @@ -201,7 +201,7 @@ resource "aws_ecs_service" "code_executor" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } @@ -234,7 +234,7 @@ resource "aws_ecs_service" "telemetry" { security_groups = [ aws_security_group.containers.id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } 
@@ -454,12 +454,12 @@ resource "aws_ecs_task_definition" "retool_code_executor" { local.common_containers, [ { - name = "retool-code-executor" - essential = true - image = local.ecs_code_executor_image - cpu = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null - memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null - user = var.launch_type == "EC2" ? null : "1001:1001" + name = "retool-code-executor" + essential = true + image = local.ecs_code_executor_image + cpu = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null + memory = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null + user = var.launch_type == "EC2" ? null : "1001:1001" # required to use nsjail sandboxing, which is required for custom libraries for JS and Python # Learn more here: https://docs.retool.com/self-hosted/concepts/architecture#code-executor # If not using nsjail sandboxing, update this to be false and use user = "1001:1001" @@ -486,7 +486,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" { local.base_environment_variables, [ { - name = "NODE_OPTIONS", + name = "NODE_OPTIONS", value = "--max_old_space_size=1024" } ], @@ -635,7 +635,7 @@ resource "aws_service_discovery_service" "retool_code_executor_service" { resource "aws_service_discovery_service" "retool_telemetry_service" { count = var.telemetry_enabled ? 1 : 0 - name = "telemetry" + name = "telemetry" dns_config { namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id @@ -701,4 +701,5 @@ module "temporal" { aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null task_propagate_tags = var.task_propagate_tags service_discovery_namespace = local.service_discovery_namespace + assign_public_ip = var.assign_public_ip } 
diff --git a/modules/aws_ecs/temporal/main.tf b/modules/aws_ecs/temporal/main.tf index 9d9ef7d..1e9204a 100644 --- a/modules/aws_ecs/temporal/main.tf +++ b/modules/aws_ecs/temporal/main.tf @@ -93,7 +93,7 @@ resource "aws_ecs_service" "retool_temporal" { security_groups = [ var.container_sg_id ] - assign_public_ip = true + assign_public_ip = var.assign_public_ip } } } diff --git a/modules/aws_ecs/temporal/variables.tf b/modules/aws_ecs/temporal/variables.tf index 4f0390e..462b2a8 100644 --- a/modules/aws_ecs/temporal/variables.tf +++ b/modules/aws_ecs/temporal/variables.tf @@ -74,6 +74,12 @@ variable "launch_type" { } } +variable "assign_public_ip" { + type = bool + description = "Whether to assign a public IP address to Temporal Fargate tasks. Defaults to false." + default = true +} + variable "temporal_aurora_username" { type = string default = "retool" diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf index 73319a4..1e5d408 100644 --- a/modules/aws_ecs/variables.tf +++ b/modules/aws_ecs/variables.tf @@ -55,6 +55,12 @@ variable "associate_public_ip_address" { default = true } +variable "assign_public_ip" { + type = bool + description = "Whether to assign a public IP address to Fargate tasks. Defaults to false." + default = true +} + variable "deployment_name" { type = string description = "Name prefix for created resources. Defaults to `retool`." From 3a69f8490a58781565d49d95d8c2a51bb236f051 Mon Sep 17 00:00:00 2001 From: Joseph Schadlick Date: Fri, 6 Jun 2025 11:52:12 -0700 Subject: [PATCH 3/3] Add alb_internal var to toggle internal load balancer creation --- modules/aws_ecs/loadbalancers.tf | 1 + modules/aws_ecs/variables.tf | 6 ++++++ modules/aws_ecs_ec2/loadbalancers.tf | 1 + modules/aws_ecs_ec2/variables.tf | 6 ++++++ 4 files changed, 14 insertions(+) diff --git a/modules/aws_ecs/loadbalancers.tf b/modules/aws_ecs/loadbalancers.tf index 1d0d2ca..3ac2231 100644 --- a/modules/aws_ecs/loadbalancers.tf 
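Review bot: The description of the new `assign_public_ip` variable contradicts its default in both modules/aws_ecs/temporal/variables.tf and modules/aws_ecs/variables.tf: the text reads "Defaults to false." while the block sets `default = true`. Every service in main.tf previously hard-coded `assign_public_ip = true`, so `true` is the behaviour-preserving default and the description is what should change, e.g. `description = "Whether to assign a public IP address to Fargate tasks. Defaults to true. Set to false only when the task subnets have another egress path (NAT gateway or VPC endpoints) for image pulls and the awslogs driver."`. If `false` was actually the intended default, the next apply would strip public IPs from every service of an existing deployment, which should be a deliberate and documented change rather than a side effect of this variable.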
+++ b/modules/aws_ecs/loadbalancers.tf @@ -1,6 +1,7 @@ resource "aws_lb" "this" { name = "${var.deployment_name}-alb" idle_timeout = var.alb_idle_timeout + internal = var.alb_internal security_groups = [aws_security_group.alb.id] subnets = var.public_subnet_ids diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf index 1e5d408..8d5cbc2 100644 --- a/modules/aws_ecs/variables.tf +++ b/modules/aws_ecs/variables.tf @@ -433,6 +433,12 @@ variable "alb_http_redirect" { description = "Boolean for if http should redirect to https" } +variable "alb_internal" { + type = bool + default = false + description = "Whether to create an internal load balancer. Defaults to false." +} + variable "cookie_insecure" { type = bool default = true diff --git a/modules/aws_ecs_ec2/loadbalancers.tf b/modules/aws_ecs_ec2/loadbalancers.tf index a3eee4f..80c5c52 100644 --- a/modules/aws_ecs_ec2/loadbalancers.tf +++ b/modules/aws_ecs_ec2/loadbalancers.tf @@ -1,6 +1,7 @@ resource "aws_lb" "this" { name = "${var.deployment_name}-alb" idle_timeout = var.alb_idle_timeout + internal = var.alb_internal security_groups = [aws_security_group.alb.id] subnets = var.subnet_ids diff --git a/modules/aws_ecs_ec2/variables.tf b/modules/aws_ecs_ec2/variables.tf index f1143fe..08cc619 100644 --- a/modules/aws_ecs_ec2/variables.tf +++ b/modules/aws_ecs_ec2/variables.tf @@ -145,6 +145,12 @@ variable "cookie_insecure" { description = "Whether to allow insecure cookies. Should be turned off when serving on HTTPS. Defaults to true." } +variable "alb_internal" { + type = bool + default = false + description = "Whether to create an internal load balancer. Defaults to false." +} + variable "maximum_percent" { type = number default = 250
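Review bot: `internal = var.alb_internal` is added to aws_lb.this, but the following context lines still place the load balancer in `var.public_subnet_ids` (and `var.subnet_ids` in the modules/aws_ecs_ec2/loadbalancers.tf hunk), and `aws_security_group.alb` is not touched by the change. An internal ALB in public subnets only receives private addresses, so the toggle does work, but an operator enabling it for a private deployment still ends up with the ALB and its existing ingress rules attached to the public tier. Consider letting the subnets follow the toggle, for example an `alb_subnet_ids` list variable defaulting to `null` with `subnets = var.alb_subnet_ids != null ? var.alb_subnet_ids : var.public_subnet_ids`, and state in the variable description that the ALB security group ingress is not narrowed automatically.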
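Review bot: The `alb_internal` description in modules/aws_ecs/variables.tf should warn that changing the value replaces the load balancer: `internal` is a force-new argument on aws_lb, so flipping the variable on an existing deployment destroys and recreates the ALB, including its DNS name. Suggest `description = "Whether to create an internal load balancer. Defaults to false. Changing this on an existing deployment recreates the ALB (new DNS name)."`. The same variable block is added in modules/aws_ecs_ec2/variables.tf and should get the same wording.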