add logs to modules#34

Merged
flybayer merged 1 commit into main from bb-logs, Jun 23, 2026

@flybayer flybayer commented Jun 23, 2026


Greptile Summary

This PR adds a logs UI section to five module definitions (ECS Web, ECS Worker, RDS, Route 53, VPC), wiring each module to its corresponding CloudWatch log group so users get a Logs tab in the Flightcontrol UI. It also includes an unrelated change to the shared ECS deploy partial.

  • ECS Web & Worker: static log entries reference stack.output.log_group_name and log_stream_prefix; straightforward and consistent with how metrics are already wired.
  • RDS, Route 53, VPC: dynamic/conditional log entries are guarded by the relevant enable flags and stack outputs (e.g. flow_log_cloudwatch_log_group_name is null for S3-destination VPC flow logs, correctly suppressing the tab). Route 53 correctly hardcodes us-east-1 for query logs.
  • partials/deploy/ecs-service-deploy-common.yml: renames ecs_service_arns (YAML list) to ecs_service_arn (scalar) — a schema contract change that only the ECS Worker consumes from this partial (the ECS Web overrides infrastructure in its own merge), and needs platform-side confirmation before merging.

Confidence Score: 4/5

Safe to merge once the deploy schema change in the ECS partial is confirmed against the platform's expected field name for ECS service ARNs.

All five log wiring additions are correct — conditional guards, region handling, and output references all look right. The one concern is in ecs-service-deploy-common.yml: renaming ecs_service_arns (array) to ecs_service_arn (scalar) is a schema contract change that the ECS Worker module depends on directly. If the platform deploy runner still reads the old key, worker deploys will silently fail to locate the service. Confirming that the platform has already moved to ecs_service_arn removes this risk entirely.

partials/deploy/ecs-service-deploy-common.yml — the deploy schema key rename needs platform-side verification.

Important Files Changed

| Filename | Overview |
|---|---|
| compute/ecs_service/rvn-ecs-web-definition.yml | Adds a static CloudWatch logs entry to the UI using stack outputs log_group_name and log_stream_prefix; version bumped to 0.7.0. Logic is straightforward and correct. |
| compute/ecs_service/rvn-ecs-worker-definition.yml | Adds a static CloudWatch logs entry to the worker's UI section; version bumped to 0.2.0. Uses the same pattern as the web definition. |
| database/rds/rvn-rds-definition.yml | Adds a dynamic logs section using a map expression over enabled_cloudwatch_logs_exports; version bumped to 0.4.0. The nil and empty-array guard is correct. |
| networking/route53/rvn-route53-definition.yml | Adds a conditional logs entry for Route 53 query logs; region is correctly hardcoded to us-east-1 because Route 53 query logging always writes to CloudWatch in that region. Version bumped to 0.2.0. |
| networking/vpc/rvn-aws-network-definition.yml | Adds a conditional logs entry guarded by both flow_logs_enabled and the stack output flow_log_cloudwatch_log_group_name, which is null when the destination is S3 — correctly prevents the tab from appearing for S3-destination configs. Version bumped to 0.2.0. |
| partials/deploy/ecs-service-deploy-common.yml | Renames ecs_service_arns (YAML list) to ecs_service_arn (scalar string) in the shared deploy partial. The ECS web definition overrides infrastructure in its own merge, so only the ECS worker was consuming this field from the partial — this is a schema contract change that needs platform-side confirmation. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Module Definition] --> B{Log source type}
    B --> C[ECS Web / Worker]
    B --> D[RDS]
    B --> E[VPC]
    B --> F[Route 53]

    C --> C1[Static entry\nlog_group_name + log_stream_prefix\nAlways shown]
    C1 --> OUT[CloudWatch Logs UI Tab]

    D --> D1{enabled_cloudwatch_logs_exports\nnot nil and not empty?}
    D1 -->|Yes| D2[One entry per export type\n/aws/rds/instance/id/type]
    D1 -->|No| NONE[No tab shown]
    D2 --> OUT

    E --> E1{flow_logs_enabled AND\nflow_log_cloudwatch_log_group_name set?}
    E1 -->|Yes CloudWatch dest| E2[VPC flow logs entry]
    E1 -->|No or S3 dest| NONE
    E2 --> OUT

    F --> F1{query_logging_enabled AND\nquery_log_group_name set?}
    F1 -->|Yes| F2[Route 53 query logs\nregion hardcoded us-east-1]
    F1 -->|No| NONE
    F2 --> OUT
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
partials/deploy/ecs-service-deploy-common.yml:7
**Deploy schema key renamed from array to scalar**

The field was changed from `ecs_service_arns` (a YAML list containing one item) to `ecs_service_arn` (a scalar string). The ECS web definition overrides the `infrastructure` block in its own merge, so it was never consuming this field from the partial — but the ECS worker definition does not override `infrastructure` and was relying on `ecs_service_arns` from this partial. If the platform's deploy runner still expects `ecs_service_arns` for existing worker stacks (or if any other consumer reads that key), those deployments will silently receive a missing field. Worth confirming the platform schema has been updated to `ecs_service_arn` (singular) before merging.

Reviews (1): Last reviewed commit: "add logs to modules"

Greptile also left 1 inline comment on this PR.

@github-actions


Ravion Module Publish Plan

Dry run only. No Ravion API mutations were made.

| Module | Current Version | New Version | Description |
|---|---|---|---|
| rvn-aws-network | 0.1.1 | 0.2.0 | Add Logs tab for CloudWatch. |
| rvn-ecs-web | 0.6.1 | 0.7.0 | Add Logs tab for CloudWatch. |
| rvn-ecs-worker | 0.1.0 | 0.2.0 | Add Logs tab for CloudWatch. |
| rvn-rds | 0.3.3 | 0.4.0 | Add Logs tab for CloudWatch. |
| rvn-route53 | 0.1.2 | 0.2.0 | Add Logs tab for CloudWatch. |

Diffs

rvn-aws-network 0.1.1 -> 0.2.0

--- remote
+++ compiled
   - **VPC Flow Logs** for network traffic monitoring and SOC 2 compliance
   - **VPC Peering** to connect with existing VPCs across accounts or regions
 
-   Terraform source: [flightcontrolhq/modules/networking/vpc](https://github.com/flightcontrolhq/modules/tree/rvn-aws-network@0.1.1/networking/vpc)
+   Terraform source: [flightcontrolhq/modules/networking/vpc](https://github.com/flightcontrolhq/modules/tree/rvn-aws-network@0.2.0/networking/vpc)
 
   ## Use cases
 
@@
         base_path: networking/vpc
         branch: main
         execution_environment_id: << module.input.execution_environment_id >>
-        ref: rvn-aws-network@0.1.1
+        ref: rvn-aws-network@0.2.0
         repo: https://github.com/flightcontrolhq/modules
         stack_id: <<stack.id>>
         terraform_variables:
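
Review bot: `ref: rvn-aws-network@0.2.0` pins the pipeline source to a tag in `https://github.com/flightcontrolhq/modules`, and `branch: main` sits right next to it, so this hunk does not show which of the two the runner resolves. A tag can be moved after publish; if the platform supports it, set `ref` to the commit SHA the tag was cut from, or have the runner verify that the tag resolves to the expected commit, so the Terraform executed for a published module version cannot change underneath it. The same applies to the `ref` bumps in the other four modules.
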
@@
       pipeline_id: << defaults.destroy_pipeline_id >>
   ravion_state_backend_workspace: << module.input.ravion_state_backend_workspace || project.given_id + "-" + environment.given_id + "-" + module.given_id + "-" + stack.id>>
   type: opentofu
+ui:
+  logs: |-
+    <<
+    module.input.flow_logs_enabled && stack.output.flow_log_cloudwatch_log_group_name ? [{
+      "id":"vpc_flow_logs",
+      "name":"VPC flow logs",
+      "source":{
+        "type":"cloudwatch",
+        "aws_account_id":module.input.aws_account_id,
+        "region":stack.output.region,
+        "log_group":stack.output.flow_log_cloudwatch_log_group_name
+      }
+    }] : []
+    >>
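
Review bot: The guard on the new `ui.logs` expression tests `stack.output.flow_log_cloudwatch_log_group_name` for truthiness, whereas the RDS entry in this same PR compares explicitly against `nil` and `[]`. Consider an explicit `!= nil` plus a non-empty check here, so the result does not depend on how the expression language coerces a null or empty-string output and the two modules read the same way. Also worth confirming: `"aws_account_id"` comes from `module.input` while `"region"` and `"log_group"` come from `stack.output`; if the account the stack was applied in is available as an output, using it would keep all three fields tied to the deployed state.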

rvn-ecs-web 0.6.1 -> 0.7.0

--- remote
+++ compiled
 
   The module is intentionally focused on web services behind an Application Load Balancer. It uses the selected ECS cluster to inherit AWS account, region, VPC, subnets, capacity providers, load balancer listeners, and load balancer security groups.
 
-  Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-web@0.6.1/compute/ecs_service)
+  Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-web@0.7.0/compute/ecs_service)
 
   ## Use cases
 
@@
         base_path: compute/ecs_service
         branch: main
         execution_environment_id: << module.input.execution_environment_id >>
-        ref: rvn-ecs-web@0.6.1
+        ref: rvn-ecs-web@0.7.0
         repo: https://github.com/flightcontrolhq/modules
         stack_id: <<stack.id>>
         terraform_variables:
@@
   ravion_state_backend_workspace: << module.input.ravion_state_backend_workspace || project.given_id + "-" + environment.given_id + "-" + module.given_id + "-" + stack.id>>
   type: opentofu
 ui:
+  logs:
+    - id: ecs_service_logs
+      name: ECS service logs
+      source:
+        aws_account_id: << module.input.aws_account_id >>
+        log_group: << stack.output.log_group_name >>
+        log_stream_prefix: << stack.output.log_stream_prefix >>
+        region: << stack.output.region >>
+        type: cloudwatch
   metrics:
     - id: cpu_utilization
       name: CPU utilization
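
Review bot: The new `ecs_service_logs` entry under `ui.logs` is unconditional, unlike the VPC, RDS and Route 53 entries in this PR, so it is emitted even if `stack.output.log_group_name` or `stack.output.log_stream_prefix` has no value yet. If the platform does not already hide an entry whose `log_group` is empty, guard this entry on `stack.output.log_group_name` the way the other modules guard theirs. The `ecs_worker_logs` entry in `rvn-ecs-worker` has the same shape.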

rvn-ecs-worker 0.1.0 -> 0.2.0

--- remote
+++ compiled
     queue_size: 1
   infrastructure:
     ecs_cluster_arn: <<stack.output.service_cluster>>
-    ecs_service_arns:
-      - <<stack.output.service_arn>>
+    ecs_service_arn: <<stack.output.service_arn>>
   inputs:
     - description: Pass the image tag or digest to deploy. For Nixpacks or Dockerfile builds, this is resolved in the Ravion-created ECR repository. For Prebuilt image from registry mode, this is resolved in the repository configured on the module. Do not pass a full image URI.
       id: image_ref
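
Review bot: Replacing the list `ecs_service_arns` with the scalar `ecs_service_arn` under `infrastructure` changes the deploy contract, yet the publish plan describes 0.2.0 only as "Add Logs tab for CloudWatch." Confirm that the deploy runner reads `ecs_service_arn` before publishing, and either mention the key change in the version description or ship it as its own release, so that a worker deploy regression can be traced and rolled back independently of the logs change.
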
@@
 
   The ECS Worker module creates an ECS service for background jobs, queue consumers, event processors, and other private workloads in an existing Ravion ECS cluster. It uses the same ECS service Terraform module as ECS Web Server, but does not create or attach a load balancer target group and does not expose a primary container port.
 
-  Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-worker@0.1.0/compute/ecs_service)
+  Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-worker@0.2.0/compute/ecs_service)
 
   ## Use cases
 
@@
         base_path: compute/ecs_service
         branch: main
         execution_environment_id: << module.input.execution_environment_id >>
-        ref: rvn-ecs-worker@0.1.0
+        ref: rvn-ecs-worker@0.2.0
         repo: https://github.com/flightcontrolhq/modules
         stack_id: <<stack.id>>
         terraform_variables:
@@
   ravion_state_backend_workspace: << module.input.ravion_state_backend_workspace || project.given_id + "-" + environment.given_id + "-" + module.given_id + "-" + stack.id>>
   type: opentofu
 ui:
+  logs:
+    - id: ecs_worker_logs
+      name: ECS worker logs
+      source:
+        aws_account_id: << module.input.aws_account_id >>
+        log_group: << stack.output.log_group_name >>
+        log_stream_prefix: << stack.output.log_stream_prefix >>
+        region: << stack.output.region >>
+        type: cloudwatch
   metrics:
     - id: cpu_utilization
       name: CPU utilization

rvn-rds 0.3.3 -> 0.4.0

--- remote
+++ compiled
   - [RDS DB instance classes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html)
   - [RDS security](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html)
   - [RDS monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html)
-  - [Terraform source](https://github.com/flightcontrolhq/modules/tree/rvn-rds@0.3.3/database/rds)
+  - [Terraform source](https://github.com/flightcontrolhq/modules/tree/rvn-rds@0.4.0/database/rds)
 stack:
   pipelines:
     change:
@@
         base_path: database/rds
         branch: main
         execution_environment_id: << module.input.execution_environment_id >>
-        ref: rvn-rds@0.3.3
+        ref: rvn-rds@0.4.0
         repo: https://github.com/flightcontrolhq/modules
         stack_id: <<stack.id>>
         terraform_variables:
@@
   ravion_state_backend_workspace: << module.input.ravion_state_backend_workspace || project.given_id + "-" + environment.given_id + "-" + module.given_id + "-" + stack.id>>
   type: opentofu
 ui:
+  logs: |-
+    <<
+    module.input.enabled_cloudwatch_logs_exports != nil && module.input.enabled_cloudwatch_logs_exports != [] ? map(module.input.enabled_cloudwatch_logs_exports, {
+      "id":"rds_" + # + "_logs",
+      "name":"RDS " + # + " logs",
+      "source":{
+        "type":"cloudwatch",
+        "aws_account_id":module.input.aws_account_id,
+        "region":stack.output.region,
+        "log_group":"/aws/rds/instance/" + stack.output.db_instance_identifier + "/" + #
+      }
+    }) : []
+    >>
   metrics:
     - id: cpu_utilization
       name: CPU utilization
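
Review bot: In the `map(...)` body, each element `#` of `module.input.enabled_cloudwatch_logs_exports` is concatenated unvalidated into `"id"`, `"name"` and the `"log_group"` path `"/aws/rds/instance/" + stack.output.db_instance_identifier + "/" + #`. Because the log group name is built from input by naming convention rather than read from a stack output, a value that does not match an export actually enabled on the instance produces a tab pointing at a log group that does not exist or was not intended. Restrict the input to the known export types in the module's input schema, or expose the created log group names as a stack output and map over that instead.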

rvn-route53 0.1.2 -> 0.2.0

--- remote
+++ compiled
   - [Route 53 hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html)
   - [Route 53 resource record sets](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html)
   - [Route 53 DNSSEC signing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html)
-  - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-route53@0.1.2/networking/route53)
+  - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-route53@0.2.0/networking/route53)
 stack:
   pipelines:
     change:
@@
         base_path: networking/route53
         branch: main
         execution_environment_id: << module.input.execution_environment_id >>
-        ref: rvn-route53@0.1.2
+        ref: rvn-route53@0.2.0
         repo: https://github.com/flightcontrolhq/modules
         stack_id: <<stack.id>>
         terraform_variables:
@@
       pipeline_id: << defaults.destroy_pipeline_id >>
   ravion_state_backend_workspace: << module.input.ravion_state_backend_workspace || project.given_id + "-" + environment.given_id + "-" + module.given_id + "-" + stack.id>>
   type: opentofu
+ui:
+  logs: |-
+    <<
+    module.input.query_logging_enabled && stack.output.query_log_group_name ? [{
+      "id":"route53_query_logs",
+      "name":"Route 53 query logs",
+      "source":{
+        "type":"cloudwatch",
+        "aws_account_id":module.input.aws_account_id,
+        "region":"us-east-1",
+        "log_group":stack.output.query_log_group_name
+      }
+    }] : []
+    >>
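
Review bot: `"region":"us-east-1"` is a hardcoded literal where the other modules in this PR use `stack.output.region`, and nothing in the hunk says why. Add a YAML comment above `logs:` stating the reason (the PR summary attributes it to Route 53 query logs being written to CloudWatch in us-east-1) so a later edit does not replace it with `stack.output.region`.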

Comment thread partials/deploy/ecs-service-deploy-common.yml
@flybayer flybayer merged commit 0b214c9 into main Jun 23, 2026
6 checks passed