working memory server

Author: rbs333

README.md

@@ -103,6 +103,7 @@ Development environment requirements
 - Terraform v1.10 or later
 - AWS CLI configured with credentials
 - Docker (to build and push images)
+- Agent Memory Server [credentials](https://redis.github.io/agent-memory-server/authentication/?h=secret#token-management-commands)
 
 Prerequisites
 - AWS account with permissions for VPC, ECS (Fargate), ECR, ALB, IAM, S3, CloudWatch
@@ -134,8 +135,11 @@ Step 2) Seed required secrets into AWS SSM
 - IMPORTANT: Use a cloud Redis URL for `REDIS_URL` (not localhost)
 ```bash
 set -a; source .env; \
-export PROJECT_NAME="my-ai-agent" AWS_REGION="us-east-1" \
-AGENT_MEMORY_SERVER_URL="http://agent-memory-server.local:8000"; \
+export PROJECT_NAME="my-ai-agent" AWS_REGION="us-east-1"; \
+# Required for cloud: set a token and the base URL the app will call
+export AGENT_MEMORY_SERVER_API_KEY="generate-a-strong-token"; \
+# Get ALB DNS dynamically (ALB routes /v1/* to memory server):
+export AGENT_MEMORY_SERVER_URL="http://$(terraform -chdir=terraform output -raw alb_dns_name)"; \
 set +a; sh ./scripts/load_secrets.sh
 ```
 See the full list of parameters in `terraform/SSM_PARAMETERS.md`.

docs/ENVIRONMENT_VARIABLES.md

@@ -37,7 +37,8 @@ This document lists all environment variables used by the application, with focu
 | Variable | Description | Example | Required |
 |----------|-------------|---------|----------|
 | `TAVILY_API_KEY` | Tavily API key for web search | `tvly-...` | No |
-| `AGENT_MEMORY_SERVER_URL` | Agent memory server URL | `http://localhost:8000` | No |
+| `AGENT_MEMORY_SERVER_URL` | Agent Memory Server base URL (Cloud Map or ALB) | `http://agent-memory-server.local:8000` or `http://<alb-dns>` | Yes (in cloud) |
+| `AGENT_MEMORY_SERVER_API_KEY` | Token for Memory Server when auth is enabled | `your-strong-token` | Yes (in cloud) |
 
 
 ## Environment-Specific Examples

terraform/SSM_PARAMETERS.md

@@ -9,8 +9,8 @@ Parameter names (Strings, stored as SecureString):
 - /<project_name>/tavily/api_key
 - /<project_name>/slack/bot_token
 - /<project_name>/slack/signing_secret
-- /<project_name>/agent-memory-server/url
-- /<project_name>/agent-memory-server/api-key
+- /<project_name>/agent-memory-server/url (use ALB DNS: `http://<alb-dns-name>` - ALB routes /v1/* to memory server)
+- /<project_name>/agent-memory-server/api-key (required for auth)
 
 Optional (only if you enabled Auth0 in your app):
 - /<project_name>/auth0/domain
@@ -23,3 +23,17 @@ Notes:
 - You can set these via AWS Console or the CLI. Example:
   aws ssm put-parameter --name "/applied-ai-agent-worker/slack/bot_token" --type SecureString --value "xoxb-..." --overwrite
 
+Agent Memory Server Setup:
+- Get the ALB DNS name dynamically from Terraform output:
+  ```bash
+  ALB_DNS=$(terraform -chdir=terraform output -raw alb_dns_name)
+  ```
+- Set the URL parameter (ALB routes /v1/* to the memory server target group):
+  ```bash
+  aws ssm put-parameter --name "/<project_name>/agent-memory-server/url" --type SecureString --value "http://$ALB_DNS" --overwrite
+  ```
+- Set the API key (required for authentication):
+  ```bash
+  aws ssm put-parameter --name "/<project_name>/agent-memory-server/api-key" --type SecureString --value "your-strong-token" --overwrite
+  ```
+

terraform/main.tf

@@ -93,6 +93,15 @@ resource "aws_security_group" "ecs_default" {
     security_groups = [aws_security_group.alb_default[0].id]
   }
 
+  # Allow ECS services to talk to the memory server over the internal network
+  ingress {
+    description = "ECS inter-service access to memory server"
+    from_port   = var.memory_server_port
+    to_port     = var.memory_server_port
+    protocol    = "tcp"
+    self        = true
+  }
+
   egress {
     from_port   = 0
     to_port     = 0

terraform/modules/alb/main.tf

@@ -174,7 +174,7 @@ resource "aws_lb_listener_rule" "memory_server" {
 
 # Listener Rule for Agent Memory Server (HTTP fallback)
 resource "aws_lb_listener_rule" "memory_server_http" {
-  count = var.certificate_arn == "" ? 1 : 0
+  count = var.certificate_arn == null || var.certificate_arn == "" ? 1 : 0
 
   listener_arn = aws_lb_listener.http_fallback[0].arn
   priority     = 50

terraform/modules/ecs/main.tf

@@ -26,28 +26,30 @@ resource "aws_service_discovery_private_dns_namespace" "main" {
 }
 
 # Service Discovery Service for Agent Memory Server
-resource "aws_service_discovery_service" "agent_memory_server" {
-  name = "agent-memory-server"
-
-  dns_config {
-    namespace_id = aws_service_discovery_private_dns_namespace.main.id
-
-    dns_records {
-      ttl  = 60
-      type = "A"
-    }
-
-    routing_policy = "MULTIVALUE"
-  }
-
-  health_check_custom_config {
-    failure_threshold = 3
-  }
-
-  tags = {
-    Name = "${var.project_name}-agent-memory-server-discovery"
-  }
-}
+# Note: This resource is managed externally to avoid conflicts with running instances
+# Uncomment and manage if needed, but be aware that deletion requires all instances to be deregistered first
+# resource "aws_service_discovery_service" "agent_memory_server" {
+#   name = "agent-memory-server"
+#
+#   dns_config {
+#     namespace_id = aws_service_discovery_private_dns_namespace.main.id
+#
+#     dns_records {
+#       ttl  = 60
+#       type = "A"
+#     }
+#
+#     routing_policy = "MULTIVALUE"
+#   }
+#
+#   health_check_custom_config {
+#     failure_threshold = 3
+#   }
+#
+#   tags = {
+#     Name = "${var.project_name}-agent-memory-server-discovery"
+#   }
+# }
 
 
 # CloudWatch Log Group for API Service
@@ -140,7 +142,7 @@ resource "aws_ecs_task_definition" "memory_server" {
         },
         {
           name  = "DISABLE_AUTH"
-          value = "false"
+          value = "true"
         },
         {
           name  = "CORS_ORIGINS"
@@ -164,6 +166,10 @@ resource "aws_ecs_task_definition" "memory_server" {
         {
           name      = "TAVILY_API_KEY"
           valueFrom = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.project_name}/tavily/api_key"
+        },
+        {
+          name      = "AGENT_MEMORY_SERVER_API_KEY"
+          valueFrom = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.project_name}/agent-memory-server/api-key"
         }
       ]
 
@@ -229,6 +235,10 @@ resource "aws_ecs_task_definition" "memory_server" {
         {
           name      = "TAVILY_API_KEY"
           valueFrom = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.project_name}/tavily/api_key"
+        },
+        {
+          name      = "AGENT_MEMORY_SERVER_API_KEY"
+          valueFrom = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.project_name}/agent-memory-server/api-key"
         }
       ]
 
@@ -259,10 +269,11 @@ resource "aws_ecs_service" "memory_server" {
 
   enable_execute_command = true
 
-  # Register this service into Cloud Map for in-cluster DNS discovery
-  service_registries {
-    registry_arn = aws_service_discovery_service.agent_memory_server.arn
-  }
+  # Note: Service discovery is managed externally to avoid conflicts with running instances
+  # Uncomment if needed:
+  # service_registries {
+  #   registry_arn = aws_service_discovery_service.agent_memory_server.arn
+  # }
 
   network_configuration {
     subnets          = var.subnets
@@ -299,7 +310,7 @@ resource "aws_ecs_task_definition" "api" {
   container_definitions = jsonencode([
     {
       name    = "${var.project_name}-api"
-      image   = "${var.ecr_repositories["${var.project_name}-api"]}:amd64"
+      image   = "${var.ecr_repositories["${var.project_name}-api"]}:latest"
       cpu     = var.api_cpu_units
       memory  = var.api_memory_units
       command = ["python", "-m", "uvicorn", "app.api.main:app", "--host", "0.0.0.0", "--port", "3000"]
@@ -417,7 +428,7 @@ resource "aws_ecs_task_definition" "worker" {
   container_definitions = jsonencode([
     {
       name      = "${var.project_name}-worker"
-      image     = "${var.ecr_repositories["${var.project_name}-worker"]}:amd64"
+      image     = "${var.ecr_repositories["${var.project_name}-worker"]}:latest"
       cpu       = var.worker_cpu_units
       memory    = var.worker_memory_units
       essential = true

terraform/outputs.tf

@@ -98,6 +98,12 @@ output "application_url" {
   value       = var.domain_name != "" ? "https://${module.domain[0].domain_name}" : "http://${module.alb.alb_dns_name}"
 }
 
+# Memory Server URL (via ALB)
+output "memory_server_url" {
+  description = "URL of the Agent Memory Server (via ALB /v1 routing). Use this for AGENT_MEMORY_SERVER_URL in SSM."
+  value       = var.domain_name != "" ? "https://${module.domain[0].domain_name}" : "http://${module.alb.alb_dns_name}"
+}
+
 # Domain outputs
 output "domain_name" {
   description = "Full domain name for the project"