feat: add support of TLS/DB encryption/custom SG rules

Author: leroyguillaume

modules/aws_ecs/loadbalancers.tf

@@ -3,22 +3,54 @@ resource "aws_lb" "this" {
   idle_timeout = var.alb_idle_timeout
 
   security_groups = [aws_security_group.alb.id]
-  subnets         = var.subnet_ids
+  subnets         = var.alb_subnet_ids != null ? var.alb_subnet_ids : var.subnet_ids
 }
 
-resource "aws_lb_listener" "this" {
+resource "aws_lb_listener" "http" {
   load_balancer_arn = aws_lb.this.arn
   port              = 80
   protocol          = "HTTP"
 
+  dynamic "default_action" {
+    for_each = var.alb_certificate_arn == null ? [1] : []
+
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.this.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = var.alb_certificate_arn != null ? [1] : []
+
+    content {
+      type = "redirect"
+
+      redirect {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+}
+
+resource "aws_lb_listener" "https" {
+  count = var.alb_certificate_arn != null ? 1 : 0
+  certificate_arn   = var.alb_certificate_arn
+  load_balancer_arn = aws_lb.this.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
   default_action {
-    type             = "forward"
     target_group_arn = aws_lb_target_group.this.arn
+    type             = "forward"
   }
 }
 
 resource "aws_lb_listener_rule" "this" {
-  listener_arn = aws_lb_listener.this.arn
+  listener_arn = var.alb_certificate_arn != null ? aws_lb_listener.https[0].arn : aws_lb_listener.http.arn
   priority     = 1
 
   action {
@@ -49,4 +81,4 @@ resource "aws_lb_target_group" "this" {
     healthy_threshold   = 3
     unhealthy_threshold = 2
   }
-}
+}

modules/aws_ecs/main.tf

@@ -17,12 +17,12 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 
 resource "aws_db_subnet_group" "this" {
-  name = "${var.deployment_name}-retool"
+  name       = "${var.deployment_name}-retool"
   subnet_ids = var.subnet_ids
 }
 
 resource "aws_db_instance" "this" {
-  identifier                    = "${var.deployment_name}-rds-instance"
+  identifier                   = "${var.deployment_name}-rds-instance"
   allocated_storage            = 80
   instance_class               = var.rds_instance_class
   engine                       = "postgres"
@@ -35,9 +35,11 @@ resource "aws_db_instance" "this" {
   vpc_security_group_ids       = [aws_security_group.rds.id]
   db_subnet_group_name         = aws_db_subnet_group.this.id
   performance_insights_enabled = var.rds_performance_insights_enabled
-  
-  skip_final_snapshot          = true
-  apply_immediately           = true
+  kms_key_id                   = var.rds_kms_key_id
+  storage_encrypted = var.rds_kms_key_id != null
+
+  skip_final_snapshot = true
+  apply_immediately   = true
 }
 
 resource "aws_ecs_service" "retool" {
@@ -65,7 +67,7 @@ resource "aws_ecs_service" "retool" {
   dynamic "network_configuration" {
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -92,7 +94,7 @@ resource "aws_ecs_service" "jobs_runner" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -108,7 +110,7 @@ resource "aws_ecs_service" "workflows_backend" {
   cluster         = aws_ecs_cluster.this.id
   desired_count   = 1
   task_definition = aws_ecs_task_definition.retool_workflows_backend[0].arn
-  
+
   # Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
   capacity_provider_strategy {
     base              = 1
@@ -123,7 +125,7 @@ resource "aws_ecs_service" "workflows_backend" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -150,7 +152,7 @@ resource "aws_ecs_service" "workflows_worker" {
 
     for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])
 
-    content {    
+    content {
       subnets = var.subnet_ids
       security_groups = [
         aws_security_group.containers.id
@@ -161,13 +163,13 @@ resource "aws_ecs_service" "workflows_worker" {
 }
 
 resource "aws_ecs_task_definition" "retool_jobs_runner" {
-  family        = "retool-jobs-runner"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  family                   = "retool-jobs-runner"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -211,13 +213,13 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
   )
 }
 resource "aws_ecs_task_definition" "retool" {
-  family        = "retool"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  family                   = "retool"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -266,14 +268,14 @@ resource "aws_ecs_task_definition" "retool" {
 }
 
 resource "aws_ecs_task_definition" "retool_workflows_backend" {
-  count         = var.workflows_enabled ? 1 : 0
-  family        = "retool-workflows-backend"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-  requires_compatibilities = var.launch_type == "FARGATE" ?  ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
+  count                    = var.workflows_enabled ? 1 : 0
+  family                   = "retool-workflows-backend"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -321,14 +323,14 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
   )
 }
 resource "aws_ecs_task_definition" "retool_workflows_worker" {
-  count         = var.workflows_enabled ? 1 : 0
-  family        = "retool-workflows-worker"
-  task_role_arn = aws_iam_role.task_role.arn
-  execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
-  requires_compatibilities = var.launch_type == "FARGATE" ?  ["FARGATE"] : null
-  network_mode  = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
-  cpu       = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
-  memory    = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
+  count                    = var.workflows_enabled ? 1 : 0
+  family                   = "retool-workflows-worker"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
+  network_mode             = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
+  cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
+  memory                   = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
   container_definitions = jsonencode(
     [
       {
@@ -381,13 +383,13 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
 }
 
 resource "aws_service_discovery_private_dns_namespace" "retoolsvc" {
-  count         = var.workflows_enabled ? 1 : 0
+  count       = var.workflows_enabled ? 1 : 0
   name        = "retoolsvc"
   description = "Service Discovery namespace for Retool deployment"
   vpc         = var.vpc_id
 }
 
-resource "aws_service_discovery_service" "retool_workflow_backend_service" { 
+resource "aws_service_discovery_service" "retool_workflow_backend_service" {
   count = var.workflows_enabled ? 1 : 0
   name  = "workflow-backend"
 
@@ -408,17 +410,18 @@ resource "aws_service_discovery_service" "retool_workflow_backend_service" {
 }
 
 module "temporal" {
-  count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
+  count  = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
   source = "./temporal"
-  
-  deployment_name   = "${var.deployment_name}-temporal"
-  vpc_id = var.vpc_id
-  subnet_ids = var.subnet_ids
-  private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
-  aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
-  aws_region = var.aws_region
-  aws_ecs_cluster_id = aws_ecs_cluster.this.id
-  launch_type = var.launch_type
-  container_sg_id = aws_security_group.containers.id
+
+  deployment_name                = "${var.deployment_name}-temporal"
+  vpc_id                         = var.vpc_id
+  subnet_ids                     = var.subnet_ids
+  private_dns_namespace_id       = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
+  aws_cloudwatch_log_group_id    = aws_cloudwatch_log_group.this.id
+  aws_region                     = var.aws_region
+  aws_ecs_cluster_id             = aws_ecs_cluster.this.id
+  launch_type                    = var.launch_type
+  container_sg_id                = aws_security_group.containers.id
   aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
+  kms_key_id                     = var.temporal_aurora_kms_key_id
 }

modules/aws_ecs/outputs.tf

@@ -42,3 +42,7 @@ output "rds_instance_name" {
   value       = aws_db_instance.this.db_name
   description = "Name of RDS instance"
 }
+
+output "sg_containers_id" {
+  value = aws_security_group.containers.id
+}