Hi,

I am deploying retool service with temporal cluster using this repository. I successfully deployed Retool service to aws ecs fargate cluster ( main backend, jobs runner, workflows worker, workflows backend) from this docker image tryretool/backend:3.16.7 with aws postgresql database version 15.4. But i am facing the following error

Unable to start server. Error: could not build arguments for function "go.uber.org/fx".(*App).constructCustomLogger.func2 (/go/pkg/mod/go.uber.org/[email protected]/app.go:415): failed to build fxevent.Logger: could not build arguments for function "go.temporal.io/server/temporal".glob..func8 (/home/builder/temporal/temporal/fx.go:921): failed to build log.Logger: received non-nil error from function "go.temporal.io/server/temporal".ServerOptionsProvider (/home/builder/temporal/temporal/fx.go:163): sql schema version compatibility check failed: pq: no pg_hba.conf entry for host "172.20.21.107", user "db_admin", database "temporal", no encryption

when deploying Temporal cluster on aws ecs fargate services ( frontend, history, worker, matching) using this docker image tryretool/one-offs:retool-temporal-1.1.4 with aws postgresql 15.4 database.

More details can be found on this ticket

If you can help me to fix this error it would be much appreciated

I will be very happy to provide more details about the terraform code setup i am using

Thank you in advance

cc @roberto-retool

Hello everyone.

I have found out that having the auto_minor_version_upgrade attribute being omitted (which defaults to true) on this resource while also having this engine version causes AWS to automatically upgrade Postgres to a newer version (in my case 13.10) and Terraform Apply to fail since it's unable to downgrade the DB instance.

The documentation for this module at https://docs.retool.com/self-hosted/quickstarts/ecs-fargate/terraform provides a sample code block but it doesn't appear to be valid. For instance, subnet_ids is marked as a required field, and is listed in the documentation. But using this module, private_subnet_ids and public_subnet_ids are also marked required, but are not referred to in the documentation. I can take a guess at what private_subnet_ids and public_subnet_ids should be, but their presence makes the function of subnet_ids unclear.

Can you please provide a known-working config example here? Other settings like aws_ecs_capacity_provider_name are unclear because they're marked required but are not required fields in ECS itself, so it's not clear whether this module will only work with one made.

Right now, there is no way to override environment variables this module sets.

This is especially problematic given that ENCRYPTION_KEY is always the random string: https://github.com/tryretool/terraform-retool-modules/blob/main/modules/aws_ecs/locals.tf#L42-L45

I would like a way to customize the ENCRYPTION_KEY, but this does not seem possible with this module right now

👋 Terraform's AWS Provider was updated to 5.0 on May 25th, 2023 (See changelog), but only ~> 4.0 is supported by these modules (See modules/aws_ecs/main.tf as an example).

Given the AWS provider 5.0 update has a large number of breaking changes (and essential bug fixes) we unfortunately cannot downgrade our Terraform configuration and pin to the latest ~> 4.0 version.

Could these module's AWS providers be updated to ~> 5.0 to address?

│ Error: Error creating DB Instance: InvalidParameterCombination: Cannot find version 10.6 for postgres
│       status code: 400, request id: 0c9a89d8-63ea-4121-9f0f-f30cab6194b0
│ 
│   with module.retool.aws_db_instance.this,
│   on modules/retool_ecs_ec2/main.tf line 138, in resource "aws_db_instance" "this":
│  138: resource "aws_db_instance" "this" {
│ 

Side notes:

• I noticed in the docker-compose that Postgres is set to 11.X. I would suggest standardizing the Postgres versions across deployments
• The docs do not state which versions of Postgres are supported for Retool's onprem installation. Please update the docs to include a support matrix

The aws_security_group.temporal_aurora resource defined below is missing the vpc_id argument:

This results in Terraform being unable to create the resource because no VPC ID has been specified:

│ Error: creating Security Group (retool-prod-temporal-rds-security-group): VPCIdNotSpecified: No default VPC for this user
│       status code: 400, request id: c448adb9-ac28-4e14-84ed-5450130d1e6a
│ 
│   with module.retool.aws_security_group.temporal_aurora[0],
│   on .terraform/modules/retool/modules/aws_ecs/security.tf line 26, in resource "aws_security_group" "temporal_aurora":
│   26: resource "aws_security_group" "temporal_aurora" {

If you look at the aws_security_group resource immediately following this one, the vpc_id argument is present:

I believe you just need to add the following to the aws_security_group.temporal_aurora resource to resolve the problem:
vpc_id = var.vpc_id

Thank you.

The Retool Standalone EC2 Module output for ec2_id returns the arn which causes later resources to fail when needing the instance id.

e.g.:

Error registering targets with target group: ValidationError: Instance ID 'arn:aws:ec2:us-west-2:xxxxxxxxxxxx:instance/i-xxxxxxxxxxxxxxxxx' is not valid

The resource here:

https://github.com/tryretool/terraform-retool-modules/blob/main/modules/aws_ecs/main.tf#L390C11-L395

needs to be unique within an AWS account, so it is difficult to deploy two of this module as is.

Currently, as provided, one cannot do rolling deployments on the ECS-EC2 module.

This is due to the hostPort being configured (port 80) and not allowing AWS/Docker magic to occur.

The fix is simple. Update hostPort: 0 instead of hostPort: 80 on both task definitions.

Doing this one update allowed for a smooth rolling update to occur.
Verified by monitoring the ECS Cluster -> Services -> Event logs and checking which task definitions were active.

Example Error:

service [alpha-retool-main-service](https://us-east-1.console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/alpha-retool-ecs/services/alpha-retool-main-service) 
was unable to place a task because no container instance met all of its requirements. 
The closest matching container-instance is already using a port required by your task. For more information, see the [Troubleshooting section]
(http://docs.aws.amazon.com/AmazonECS/latest/developerguide/troubleshooting.html).

In the AWS ECS setup, the aws_ecs_service resource doesn't propagate tags to the tasks. This results in large amounts of fargate VCPU usage going untagged and potentially not visible in AWS Cost Explorer.

Could we get this added as per the AWS terraform documentation documentation on the service resource. There are two options, so perhaps defaulting to one and allowing a variable for the other would make sense.

module "retool" {
  source  = "[email protected]:tryretool/retool-terraform.git//modules/aws_ecs"
  deployment_name = var.app_name
  launch_type     = "EC2"

  ecs_cluster_name   = var.environment
  ecs_cluster_region = var.region

  workflows_enabled = false
}

TF Lint warning/error:

> TFLint in ./:
> 1 issue(s) found:
> 
> Warning: Module source "[email protected]:tryretool/retool-terraform.git//modules/aws_ecs" is not pinned (terraform_module_pinned_source)