# Module-wide constants shared by the resources below.
locals {
  module_name = "hu-agent"
  # Everything after the last ":" in var.container_image (the first capture group is
  # greedy), i.e. the tag of a "repo:tag" reference. regex() raises an error when the
  # value contains no ":" at all.
  # NOTE(review): for a digest-pinned reference (repo@sha256:<hex>) this yields the hex
  # digest rather than a tag; confirm that is acceptable wherever local.version is used.
  version     = regex("(.*:)(.*)", var.container_image)[1]
}

# Account and region of the credentials Terraform runs with. The account ID is
# interpolated into the IAM policy resources, and account ID plus region name into
# the SSM parameter ARNs built further down.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# On-demand DynamoDB table keyed by a single string partition key ("pk"); no sort key.
# Its name is passed to the service as DYNAMODB_TABLE_NAME and its ARN is the only
# resource in the role's DynamoDBAccess statement.
# NOTE(review): no point_in_time_recovery, server_side_encryption or
# deletion_protection_enabled is declared, so the provider defaults apply. Confirm
# those defaults match the recovery and key-management requirements for this data.
resource "aws_dynamodb_table" "daily_report" {
  name         = "${local.module_name}-daily-report"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "pk"

  attribute {
    name = "pk"
    type = "S"
  }

  tags = {
    Service     = local.module_name
    Environment = var.env
  }
}

# IAM role for the hu-agent ECS service, built by the local ../modules/iam_role module
# (not shown here). One inline policy document is attached via extra_policies.
# NOTE(review): assume_role_services presumably becomes the trust policy's service
# principals; confirm in the module.
module "iam_role" {
  source        = "../modules/iam_role"
  iam_role_name = local.module_name
  assume_role_services = [
    "ecs-tasks.amazonaws.com",
  ]

  extra_policies = [
    {
      name        = "${local.module_name}-task-permissions"
      description = "SSM, Secrets Manager and CodeArtifact access"
      policy = {
        Version = "2012-10-17"
        Statement = [
          {
            # Read access to SSM parameters.
            # NOTE(review): the resource matches every parameter in this account in every
            # region, while the env vars in this file only reference parameters under
            # /hu-agent/ in the current region. Consider scoping to
            # parameter/hu-agent/* (plus any paths passed through var.env_vars) so the
            # role cannot read other services' parameters.
            Sid    = "ReadParameters"
            Effect = "Allow"
            Action = [
              "ssm:GetParameter",
              "ssm:GetParameters",
              "ssm:GetParametersByPath"
            ]
            Resource  = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter/*"]
            # NOTE(review): the empty Condition is presumably there so every statement has
            # the same object shape; confirm the module tolerates or strips it.
            Condition = {}
          },
          {
            # Read access to Secrets Manager secret values.
            # NOTE(review): this allows reading every secret in the account, in every
            # region. Nothing visible in this file references a Secrets Manager ARN (all
            # "secret::" values are SSM parameters); confirm the statement is needed and,
            # if so, restrict it to the secrets this service owns.
            Sid    = "ReadSecrets"
            Effect = "Allow"
            Action = [
              "secretsmanager:GetSecretValue"
            ]
            Resource  = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"]
            Condition = {}
          },
          {
            # Item-level read/write on the daily-report table only; no Query, Scan,
            # UpdateItem or DeleteItem is granted.
            Sid    = "DynamoDBAccess"
            Effect = "Allow"
            Action = [
              "dynamodb:GetItem",
              "dynamodb:PutItem"
            ]
            Resource  = [aws_dynamodb_table.daily_report.arn]
            Condition = {}
          },
          {
            # Read-only CodeArtifact access to the "humand" domain and its repositories.
            # NOTE(review): account ID and region are hard-coded rather than taken from
            # the data sources above, so this may be a cross-account grant; if it is,
            # the CodeArtifact domain/repository policies must also allow this role.
            Sid    = "CodeArtifactToken"
            Effect = "Allow"
            Action = [
              "codeartifact:GetAuthorizationToken",
              "codeartifact:GetRepositoryEndpoint",
              "codeartifact:ReadFromRepository"
            ]
            Resource = [
              "arn:aws:codeartifact:us-east-1:518514628507:domain/humand",
              "arn:aws:codeartifact:us-east-1:518514628507:repository/humand/*"
            ]
            Condition = {}
          },
          {
            # Bearer-token issuance for CodeArtifact. Resource is "*", but the condition
            # limits the token to the codeartifact.amazonaws.com service.
            Sid      = "CodeArtifactSTS"
            Effect   = "Allow"
            Action   = ["sts:GetServiceBearerToken"]
            Resource = ["*"]
            Condition = {
              StringEquals = {
                "sts:AWSServiceName" = "codeartifact.amazonaws.com"
              }
            }
          }
        ]
      }
    }
  ]
}

# Container environment for the service.
# Convention used below: a value prefixed with "secret::" is an SSM parameter ARN and is
# routed to the service module's `secrets` input; every other value is routed to
# `env_vars` as a plain string.
# NOTE(review): plain values end up verbatim in this configuration and in whatever the
# service module renders from env_vars, so credentials must always use the "secret::"
# form, including anything supplied through var.env_vars.
locals {
  env_vars = {
    # Datadog tracing/tagging settings.
    DD_TRACE_ENABLED                = "true"
    DD_TRACE_SAMPLE_RATE            = "0.1"
    DD_PROFILING_ENABLED            = "false"
    DD_REMOTE_CONFIGURATION_ENABLED = "false"
    DD_SERVICE                      = local.module_name
    DD_VERSION                      = local.version
    DD_ENV                          = var.env

    # Application runtime settings and feature flags (non-secret).
    NODE_ENV                      = "production"
    NODE_OPTIONS                  = "--max-old-space-size=8192"
    PORT                          = tostring(var.container_port)
    LOG_LEVEL                     = "info"
    WORKDIR_PATH                  = "/app/workdir"
    JIRA_POLL_ENABLED             = "true"
    JIRA_TICKET_REVIEW_ENABLED    = "true"
    VIDEO_ATTACHMENTS_ENABLED     = "true"
    ATTEND_FEEDBACK_IN_PR_ENABLED = "true"
    DAILY_REPORT_ENABLED          = "true"
    DAILY_REPORT_HOURS            = "9,17"
    DAILY_REPORT_TIMEZONE         = "America/Argentina/Buenos_Aires"
    SQUAD_SCOPE                   = "*"
    CURSOR_MODEL                  = "claude-opus-4-7-thinking-high"
    GITHUB_BOT_USER               = "hu-agent[bot]"
    IGNORED_COMMENT_LOGINS        = "cursor[bot],hu-reviewer[bot],github-actions[bot]"
    # GitHub App identifiers; the matching private key is injected as a secret below.
    GITHUB_APP_ID                 = "2940076"
    GITHUB_APP_INSTALLATION_ID    = "112194326"
    DYNAMODB_TABLE_NAME           = aws_dynamodb_table.daily_report.name
    SLACK_MENTIONS_ENABLED        = "true"
    PR_MENTION_ENABLED            = "true"
    # Member ID from Slack app settings — also defaulted in src/core/constants.ts
    SLACK_BOT_USER_ID = "U0AJU6F4RPV"
    # Channel routing — defaults mirror src/utils/config.ts
    SLACK_DAILY_REPORT_CHANNEL_ID = "C0ALG71FCHY"
    SLACK_ALERT_CHANNEL_ID        = "C0ALL925DJ8"
    SLACK_PR_COMMENT_CHANNEL_ID   = "C0ATP60H09E"

    # Secrets: each value is "secret::" + the ARN of an SSM parameter under /hu-agent/ in
    # the current account and region. Only the ARN appears here, never the value.
    JIRA_EMAIL             = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/jira-email"
    JIRA_API_TOKEN         = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/jira-api-token"
    JIRA_DOMAIN            = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/jira-domain"
    # NOTE(review): the variable is a GitHub App private key but the parameter is named
    # "github-token"; confirm the parameter really holds the App key.
    GITHUB_APP_PRIVATE_KEY = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/github-token"
    CURSOR_API_KEY         = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/cursor-api-key"
    # Present in both envs (param exists in dev + prd). Only enforced by config when AGENT_PROVIDER=claude.
    ANTHROPIC_API_KEY = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/anthropic-api-key"

    SLACK_BOT_TOKEN  = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/slack-bot-token"
    SLACK_CHANNEL_ID = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/slack-channel-id"

    NPM_TOKEN_GOOGLE_SIGN_IN = "secret::arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/hu-agent/npm-token-google-sign-in"
  }

  # var.env_vars is merged last, so a caller-supplied key replaces the default above.
  # NOTE(review): an override can therefore swap a "secret::" entry for a plain string
  # (or the reverse); consider validating var.env_vars for the secret-bearing keys.
  all_env_vars     = merge(local.env_vars, var.env_vars)
  # "secret::" is 8 characters, so substr(v, 8, -1) keeps only the ARN after the prefix.
  secrets          = { for k, v in local.all_env_vars : k => substr(v, 8, -1) if startswith(v, "secret::") }
  # Everything without the prefix is passed through unchanged as a plain variable.
  regular_env_vars = { for k, v in local.all_env_vars : k => v if !startswith(v, "secret::") }
}

# ECS service for hu-agent, built by the local ../modules/service module (not shown
# here). Sizing, cluster and target group come from var.service; the image, port and
# health-check path come from their own variables.
module "service" {
  source = "../modules/service"

  service_name       = local.module_name
  target_cluster_arn = var.service.target_cluster_arn
  # NOTE(review): whether the module uses this ARN as the task role, the execution role,
  # or both is not visible here. If it is both, the running container holds every
  # permission in the role's policy, not just the ones needed to fetch secrets at
  # start-up; confirm in the module and split the roles if so.
  service_role_arn   = module.iam_role.role.arn
  container_image    = var.container_image
  dd_source          = "nodejs"

  cpu                   = var.service.resources.cpu
  memory                = var.service.resources.memory
  fargate_spot_weight   = var.service.resources.fargate_spot_weight
  fargate_weight        = var.service.resources.fargate_weight
  ephemeral_storage_gib = var.service.resources.ephemeral_storage_gib

  # Plain values and secret ARNs are passed separately (split by the "secret::" prefix
  # in the locals block above this module).
  env_vars = local.regular_env_vars
  secrets  = local.secrets

  vpc_id = var.vpc_id
  env    = var.env

  # Fixed at a single task.
  desired_count = 1

  container_port    = var.container_port
  target_group_arn  = var.service.target_group_arn
  health_check_path = var.health_check_path
  # presumably the container stop timeout in seconds; confirm against the module.
  stop_timeout      = 120
}
