tryretool · josephschadlick · Jun 3, 2025 · Jun 3, 2025 · Jun 6, 2025 · Jun 16, 2025
diff --git a/modules/aws_ecs/ecs.tf b/modules/aws_ecs/ecs.tf
@@ -44,7 +44,7 @@ resource "aws_launch_configuration" "this" {
   instance_type = var.instance_type # e.g. t2.medium
 
   enable_monitoring           = true
-  associate_public_ip_address = true
+  associate_public_ip_address = var.associate_public_ip_address
 
   # This user data represents a collection of “scripts” that will be executed the first time the machine starts.
   # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier

diff --git a/modules/aws_ecs/loadbalancers.tf b/modules/aws_ecs/loadbalancers.tf
@@ -1,6 +1,7 @@
 resource "aws_lb" "this" {
   name         = "${var.deployment_name}-alb"
   idle_timeout = var.alb_idle_timeout
+  internal     = var.alb_internal
 
   security_groups = [aws_security_group.alb.id]
   subnets         = var.public_subnet_ids

diff --git a/modules/aws_ecs/locals.tf b/modules/aws_ecs/locals.tf
@@ -123,7 +123,7 @@ locals {
         auto_create_group = "true"
         log_stream_prefix = "SERVICE_RETOOL/"
       }
-    } : {
+      } : {
       logDriver = "awslogs"
       options = {
         awslogs-group         = aws_cloudwatch_log_group.this.id
@@ -143,7 +143,7 @@ locals {
         memory    = var.launch_type == "EC2" ? var.ecs_task_resource_map["fluentbit"]["memory"] : null
 
         firelensConfiguration = {
-          type    = "fluentbit"
+          type = "fluentbit"
           options = {
             config-file-type  = "file"
             config-file-value = "/extra.conf"
@@ -152,7 +152,7 @@ locals {
 
         logConfiguration = {
           logDriver = "awslogs"
-          options   = {
+          options = {
             awslogs-group         = aws_cloudwatch_log_group.this.id
             awslogs-region        = var.aws_region
             awslogs-stream-prefix = "SERVICE_RETOOL"

diff --git a/modules/aws_ecs/main.tf b/modules/aws_ecs/main.tf
@@ -79,7 +79,7 @@ resource "aws_ecs_service" "retool" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -107,7 +107,7 @@ resource "aws_ecs_service" "jobs_runner" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -140,7 +140,7 @@ resource "aws_ecs_service" "workflows_backend" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -169,7 +169,7 @@ resource "aws_ecs_service" "workflows_worker" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -201,7 +201,7 @@ resource "aws_ecs_service" "code_executor" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -234,7 +234,7 @@ resource "aws_ecs_service" "telemetry" {
       security_groups = [
         aws_security_group.containers.id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }
@@ -454,12 +454,12 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
     local.common_containers,
     [
       {
-        name       = "retool-code-executor"
-        essential  = true
-        image      = local.ecs_code_executor_image
-        cpu        = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
-        memory     = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
-        user       = var.launch_type == "EC2" ? null : "1001:1001"
+        name      = "retool-code-executor"
+        essential = true
+        image     = local.ecs_code_executor_image
+        cpu       = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["cpu"] : null
+        memory    = var.launch_type == "EC2" ? var.ecs_task_resource_map["code_executor"]["memory"] : null
+        user      = var.launch_type == "EC2" ? null : "1001:1001"
         # required to use nsjail sandboxing, which is required for custom libraries for JS and Python
         # Learn more here: https://docs.retool.com/self-hosted/concepts/architecture#code-executor
         # If not using nsjail sandboxing, update this to be false and use user = "1001:1001"
@@ -486,7 +486,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
           local.base_environment_variables,
           [
             {
-              name = "NODE_OPTIONS",
+              name  = "NODE_OPTIONS",
               value = "--max_old_space_size=1024"
             }
           ],
@@ -635,7 +635,7 @@ resource "aws_service_discovery_service" "retool_code_executor_service" {
 
 resource "aws_service_discovery_service" "retool_telemetry_service" {
   count = var.telemetry_enabled ? 1 : 0
-  name = "telemetry"
+  name  = "telemetry"
 
   dns_config {
     namespace_id = aws_service_discovery_private_dns_namespace.retool_namespace[0].id
@@ -701,5 +701,6 @@ module "temporal" {
   aws_ecs_capacity_provider_name               = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
   task_propagate_tags                          = var.task_propagate_tags
   service_discovery_namespace                  = local.service_discovery_namespace
+  assign_public_ip                             = var.assign_public_ip
   iam_partition                                = var.iam_partition
 }
diff --git a/modules/aws_ecs/temporal/main.tf b/modules/aws_ecs/temporal/main.tf
@@ -93,7 +93,7 @@ resource "aws_ecs_service" "retool_temporal" {
       security_groups = [
         var.container_sg_id
       ]
-      assign_public_ip = true
+      assign_public_ip = var.assign_public_ip
     }
   }
 }

diff --git a/modules/aws_ecs/temporal/variables.tf b/modules/aws_ecs/temporal/variables.tf
@@ -74,6 +74,12 @@ variable "launch_type" {
   }
 }
 
+variable "assign_public_ip" {
+  type        = bool
+  description = "Whether to assign a public IP address to Temporal Fargate tasks. Defaults to false."
+  default     = true
+}
+
 variable "temporal_aurora_username" {
   type        = string
   default     = "retool"

diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf
@@ -49,6 +49,18 @@ variable "min_instance_count" {
   default     = 3
 }
 
+variable "associate_public_ip_address" {
+  type        = bool
+  description = "Whether to associate a public IP address with an EC2 instance in a VPC. Defaults to true."
+  default     = true
+}
+
+variable "assign_public_ip" {
+  type        = bool
+  description = "Whether to assign a public IP address to Fargate tasks. Defaults to false."
+  default     = true
+}
+
 variable "deployment_name" {
   type        = string
   description = "Name prefix for created resources. Defaults to `retool`."
@@ -421,6 +433,12 @@ variable "alb_http_redirect" {
   description = "Boolean for if http should redirect to https"
 }
 
+variable "alb_internal" {
+  type        = bool
+  default     = false
+  description = "Whether to create an internal load balancer. Defaults to false."
+}
+
 variable "cookie_insecure" {
   type        = bool
   default     = true

diff --git a/modules/aws_ecs_ec2/loadbalancers.tf b/modules/aws_ecs_ec2/loadbalancers.tf
@@ -1,6 +1,7 @@
 resource "aws_lb" "this" {
   name         = "${var.deployment_name}-alb"
   idle_timeout = var.alb_idle_timeout
+  internal     = var.alb_internal
 
   security_groups = [aws_security_group.alb.id]
   subnets         = var.subnet_ids

diff --git a/modules/aws_ecs_ec2/main.tf b/modules/aws_ecs_ec2/main.tf
@@ -42,7 +42,7 @@ resource "aws_launch_configuration" "this" {
   instance_type = var.instance_type # e.g. t2.medium
 
   enable_monitoring           = true
-  associate_public_ip_address = true
+  associate_public_ip_address = var.associate_public_ip_address
 
   # This user data represents a collection of “scripts” that will be executed the first time the machine starts.
   # This specific example makes sure the EC2 instance is automatically attached to the ECS cluster that we create earlier

diff --git a/modules/aws_ecs_ec2/variables.tf b/modules/aws_ecs_ec2/variables.tf
@@ -43,6 +43,12 @@ variable "min_instance_count" {
   default     = 3
 }
 
+variable "associate_public_ip_address" {
+  type        = bool
+  description = "Whether to associate a public IP address with an EC2 instance in a VPC. Defaults to true."
+  default     = true
+}
+
 variable "deployment_name" {
   type        = string
   description = "Name prefix for created resources. Defaults to `retool`."
@@ -139,6 +145,12 @@ variable "cookie_insecure" {
   description = "Whether to allow insecure cookies. Should be turned off when serving on HTTPS. Defaults to true."
 }
 
+variable "alb_internal" {
+  type        = bool
+  default     = false
+  description = "Whether to create an internal load balancer. Defaults to false."
+}
+
 variable "maximum_percent" {
   type        = number
   default     = 250