I recently reviewed the Healthcare application development best practices for HIPAA post, and understand that Retool does not enter into BAA's but that customers can use the self-hosted option for using Retool in HIPAA-compliant environments.
I was then was then reviewing the documentation titled Deploy Self-hosted Retool on AWS Fargate and ECS with Terraform, but got a little confused about the role that plays for Temporal plays in the self-hosted setup.
- I see three options listed in the docs, "Retool-managed cluster", "Self-managed cluster", and "Local cluster". My understanding is that "Local cluster" is the only option that would self-host the Temporal cluster and keep all of our infrastructure within AWS so that it falls under AWS's HIPAA BAA, is that right? Is it accurate to say that the other two options would make use of Temporal's services, which would otherwise require a BAA with Temporal? (I'm not even sure if that's an option to enter into a BAA with Temporal or suggesting that, I'm just looking to understand the moving pieces better!)
- Are there any limitations that come with selecting the "Local cluster" option? For example, in the docs listed above, it looks like using the local cluster option requires setting
workflows_enabled = false in the Terraform configuration. What does disabling workflows do?
Are there any other considerations that are required for a HIPAA-compliant self-hosted setup? For example, I thought I read a forum post somewhere that a custom PostgreSQL cluster is needed for HIPAA-compliant self-hosted Retool, but didn't see that mentioned in the docs I linked to above. Is that handled transparently by the Terraform module, or is there another step needed for that?
Hi @edahlseng I'm unable to provide any specific guidance concerning HIPPA compliance beyond what Tess has shared in the separate post. But I can answer the parts of your questions specific to the Retool templates that don't concern HIPPA compliance!
My understanding is that "Local cluster" is the only option that would self-host the Temporal cluster
Right! The Local Cluster is the available option to host a Temporal Cluster alongside your other Retool services on your infrastructure.
Are there any limitations that come with selecting the "Local cluster" option?
Hosting the Temporal cluster does come with the added administrative overhead and cost of configuring and hosting additional infrastructure. The Retool-managed cluster option is available to lessen this burden in the cases where it's a viable option. And the Self-managed cluster option is available for customers who already have a separately deployed Temporal Cluster or Temporal Cloud namespace.
For example, in the docs listed above, it looks like using the local cluster option requires setting workflows_enabled = false in the Terraform configuration. What does disabling workflows do?
In order to deploy the services necessary for the Workflows feature, you need to set workflows_enabled = true - terraform-retool-modules/modules/aws_ecs/variables.tf at main · tryretool/terraform-retool-modules · GitHub. If you don't need to use Workflows, then you don't need to deploy the Workflow related services, and you can simply set this to false!
The documentation you linked is a bit confusing concerning workflows_enabled. I've put in a request to update that page to clarify that workflows_enabled must be true if you wish to use Workflows on your deployed Retool instance!
Hi @everett_smith, thank you very much for your response, it's incredibly helpful! Your clarification about the workflows_enabled field, in particular, helps clarify the documentation.
I think I understand almost all of the moving pieces. I have just one last clarification: If we use the Terraform module to self-host Retool on AWS Fargate and ECS, and we specify the "Local cluster" option, will there be any other pieces of infrastructure hosted outside of our AWS account (any other settings in the Terraform module to look out for?), or will that ensure that everything is hosted within our AWS infrastructure?
Glad to hear that was helpful!
I have just one last clarification: If we use the Terraform module to self-host Retool on AWS Fargate and ECS, and we specify the "Local cluster" option, will there be any other pieces of infrastructure hosted outside of our AWS account (any other settings in the Terraform module to look out for?), or will that ensure that everything is hosted within our AWS infrastructure?
Your Retool self-hosted instance must allow network connectivity to several services hosted by Retool for license checks, for usage reporting, and (optionally) to send email invites.
Aside from those networking requirements, with the Local Temporal option it is possible for you to host your Retool services within your infrastructure!
1 Like