Update to support secrets

Everett Smith · Everett Smith · commit 9b884180ce8f · 2025-07-24T12:26:59.000-07:00
diff --git a/modules/aws_ecs/locals.tf b/modules/aws_ecs/locals.tf
@@ -65,18 +65,6 @@ locals {
         "name"  = "POSTGRES_USER",
         "value" = var.rds_username
       },
-      {
-        "name"  = "POSTGRES_PASSWORD",
-        "value" = random_string.rds_password.result
-      },
-      {
-        "name" : "JWT_SECRET",
-        "value" : random_string.jwt_secret.result
-      },
-      {
-        "name" : "ENCRYPTION_KEY",
-        "value" : random_string.encryption_key.result
-      },
       {
         "name" : "LICENSE_KEY",
         "value" : var.retool_license_key
@@ -116,6 +104,24 @@ locals {
     ]
   )
 
+  secrets = concat(
+    var.additional_secrets,
+    [
+      {
+        name = "POSTGRES_PASSWORD",
+        valueFrom = aws_secretsmanager_secret.rds_password.arn
+      },
+      {
+        name      = "JWT_SECRET",
+        valueFrom = aws_secretsmanager_secret.jwt_secret.arn
+      },
+      {
+        name    = "ENCRYPTION_KEY",
+        valueFrom   = aws_secretsmanager_secret.encryption_key.arn
+      }
+    ]
+  )
+
   task_log_configuration = (
     var.telemetry_enabled ? {
       # Send logs to CloudWatch in addition to telemetry service:
diff --git a/modules/aws_ecs/main.tf b/modules/aws_ecs/main.tf
@@ -211,7 +211,7 @@ resource "aws_ecs_service" "telemetry" {
 resource "aws_ecs_task_definition" "retool_jobs_runner" {
   family                   = "retool-jobs-runner"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["jobs_runner"]["cpu"] : null
@@ -249,6 +249,8 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
             }
           ]
         )
+
+        secrets = local.secrets
       }
     ]
   ))
@@ -257,7 +259,7 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
 resource "aws_ecs_task_definition" "retool" {
   family                   = "retool"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["main"]["cpu"] : null
@@ -300,6 +302,8 @@ resource "aws_ecs_task_definition" "retool" {
             }
           ]
         )
+
+        secrets = local.secrets
       }
     ]
   ))
@@ -309,7 +313,7 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
   count                    = var.workflows_enabled ? 1 : 0
   family                   = "retool-workflows-backend"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["workflows_backend"]["cpu"] : null
@@ -352,6 +356,8 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
             }
           ]
         )
+
+        secrets = local.secrets
       }
     ]
   ))
@@ -361,7 +367,7 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
   count                    = var.workflows_enabled ? 1 : 0
   family                   = "retool-workflows-worker"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["code_executor"]["cpu"] : null
@@ -408,6 +414,8 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
             }
           ]
         )
+
+        secrets = local.secrets
       }
     ]
   ))
@@ -417,7 +425,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
   count                    = var.code_executor_enabled ? 1 : 0
   family                   = "retool-code-executor"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["telemetry"]["cpu"] : null
@@ -472,6 +480,8 @@ resource "aws_ecs_task_definition" "retool_code_executor" {
             }
           ] : []
         )
+
+        secrets = local.secrets
       }
     ]
   ))
@@ -481,7 +491,7 @@ resource "aws_ecs_task_definition" "retool_telemetry" {
   count                    = var.telemetry_enabled ? 1 : 0
   family                   = "retool-telemetry"
   task_role_arn            = aws_iam_role.task_role.arn
-  execution_role_arn       = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
+  execution_role_arn       = aws_iam_role.execution_role[0].arn
   requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]
   network_mode             = "awsvpc"
   cpu                      = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["telemetry"]["cpu"] : null
diff --git a/modules/aws_ecs/roles.tf b/modules/aws_ecs/roles.tf
@@ -69,7 +69,6 @@ resource "aws_iam_role" "service_role" {
   }
 }
 
-# Execution Role for Fargate
 data "aws_iam_policy_document" "execution_role_assume_policy" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -82,17 +81,42 @@ data "aws_iam_policy_document" "execution_role_assume_policy" {
 }
 
 resource "aws_iam_role" "execution_role" {
-  count              = var.launch_type == "FARGATE" ? 1 : 0
   name               = "${var.deployment_name}-execution-role"
   assume_role_policy = data.aws_iam_policy_document.execution_role_assume_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "execution_role" {
-  count      = var.launch_type == "FARGATE" ? 1 : 0
   role       = aws_iam_role.execution_role[0].name
   policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+data "aws_iam_policy_document" "execution_role_read_secrets" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      aws_secretsmanager_secret.rds_password.arn,
+      aws_secretsmanager_secret.encryption_key.arn,
+      aws_secretsmanager_secret.jwt_secret.arn
+    ]
+  }
+}
+
+resource aws_iam_policy "execution_role_read_secrets" {
+  name        = "ExecutionRoleReadSecrets"
+  description = "Allows ECS or EC2 instance execution to read secrets block values from AWS Secret Manager"
+  policy      = data.aws_iam_policy_document.execution_role_read_secrets.json
+}
+
+resource "aws_iam_role_policy_attachment" "execution_role_read_secrets" {
+  role       = aws_iam_role.execution_role[0].name
+  policy_arn = aws_iam_policy.execution_role_read_secrets.arn
+}
+
 # IAM Role for EC2 instances
 resource "aws_iam_instance_profile" "ec2" {
   count = var.launch_type == "EC2" ? 1 : 0
diff --git a/modules/aws_ecs/variables.tf b/modules/aws_ecs/variables.tf
@@ -514,6 +514,12 @@ variable "additional_env_vars" {
   description = "Additional environment variables (e.g. BASE_DOMAIN)"
 }
 
+variable "additional_secrets" {
+  type        = list(map(string))
+  default     = []
+  description = "Optional additional environment variables set from pre-existing AWS Secrets Manager Secrets."
+}
+
 variable "additional_temporal_env_vars" {
   type        = list(map(string))
   default     = []

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ resource "aws_ecs_service" "telemetry" {`
`211`	`211`	`resource "aws_ecs_task_definition" "retool_jobs_runner" {`
`212`	`212`	`family = "retool-jobs-runner"`
`213`	`213`	`task_role_arn = aws_iam_role.task_role.arn`
`214`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`214`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`215`	`215`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`216`	`216`	`network_mode = "awsvpc"`
`217`	`217`	`cpu = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["jobs_runner"]["cpu"] : null`
`@@ -249,6 +249,8 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {`
`249`	`249`	`}`
`250`	`250`	`]`
`251`	`251`	`)`
	`252`	`+`
	`253`	`+ secrets = local.secrets`
`252`	`254`	`}`
`253`	`255`	`]`
`254`	`256`	`))`
`@@ -257,7 +259,7 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {`
`257`	`259`	`resource "aws_ecs_task_definition" "retool" {`
`258`	`260`	`family = "retool"`
`259`	`261`	`task_role_arn = aws_iam_role.task_role.arn`
`260`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`262`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`261`	`263`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`262`	`264`	`network_mode = "awsvpc"`
`263`	`265`	`cpu = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["main"]["cpu"] : null`
`@@ -300,6 +302,8 @@ resource "aws_ecs_task_definition" "retool" {`
`300`	`302`	`}`
`301`	`303`	`]`
`302`	`304`	`)`
	`305`	`+`
	`306`	`+ secrets = local.secrets`
`303`	`307`	`}`
`304`	`308`	`]`
`305`	`309`	`))`
`@@ -309,7 +313,7 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {`
`309`	`313`	`count = var.workflows_enabled ? 1 : 0`
`310`	`314`	`family = "retool-workflows-backend"`
`311`	`315`	`task_role_arn = aws_iam_role.task_role.arn`
`312`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`316`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`313`	`317`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`314`	`318`	`network_mode = "awsvpc"`
`315`	`319`	`cpu = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["workflows_backend"]["cpu"] : null`
`@@ -352,6 +356,8 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {`
`352`	`356`	`}`
`353`	`357`	`]`
`354`	`358`	`)`
	`359`	`+`
	`360`	`+ secrets = local.secrets`
`355`	`361`	`}`
`356`	`362`	`]`
`357`	`363`	`))`
`@@ -361,7 +367,7 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {`
`361`	`367`	`count = var.workflows_enabled ? 1 : 0`
`362`	`368`	`family = "retool-workflows-worker"`
`363`	`369`	`task_role_arn = aws_iam_role.task_role.arn`
`364`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`370`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`365`	`371`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`366`	`372`	`network_mode = "awsvpc"`
`367`	`373`	`cpu = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["code_executor"]["cpu"] : null`
`@@ -408,6 +414,8 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {`
`408`	`414`	`}`
`409`	`415`	`]`
`410`	`416`	`)`
	`417`	`+`
	`418`	`+ secrets = local.secrets`
`411`	`419`	`}`
`412`	`420`	`]`
`413`	`421`	`))`
`@@ -417,7 +425,7 @@ resource "aws_ecs_task_definition" "retool_code_executor" {`
`417`	`425`	`count = var.code_executor_enabled ? 1 : 0`
`418`	`426`	`family = "retool-code-executor"`
`419`	`427`	`task_role_arn = aws_iam_role.task_role.arn`
`420`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`428`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`421`	`429`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`422`	`430`	`network_mode = "awsvpc"`
`423`	`431`	`cpu = var.launch_type == "FARGATE" ? var.fargate_task_resource_map["telemetry"]["cpu"] : null`
`@@ -472,6 +480,8 @@ resource "aws_ecs_task_definition" "retool_code_executor" {`
`472`	`480`	`}`
`473`	`481`	`] : []`
`474`	`482`	`)`
	`483`	`+`
	`484`	`+ secrets = local.secrets`
`475`	`485`	`}`
`476`	`486`	`]`
`477`	`487`	`))`
`@@ -481,7 +491,7 @@ resource "aws_ecs_task_definition" "retool_telemetry" {`
`481`	`491`	`count = var.telemetry_enabled ? 1 : 0`
`482`	`492`	`family = "retool-telemetry"`
`483`	`493`	`task_role_arn = aws_iam_role.task_role.arn`
`484`		`- execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null`
	`494`	`+ execution_role_arn = aws_iam_role.execution_role[0].arn`
`485`	`495`	`requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : ["EC2"]`
`486`	`496`	`network_mode = "awsvpc"`
`487`	`497`	`cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["telemetry"]["cpu"] : null`