Vintner
Job Execution

Worker & Utility Jobs

DEPLOY_WORKER, UPDATE_WORKER, DESTROY_WORKER, and CONNECTION_TEST jobs.

Worker & Utility Jobs

These job types manage Tendril infrastructure and validate cloud connections.

DEPLOY_WORKER

Provisions a new cloud-hosted Tendril in ECS Fargate.

Use platform credentials

Worker jobs use the platform's own AWS credentials (not the user's cloud identity).

Generate Terraform config

Creates ECS task definition, IAM roles (execution + task), CloudWatch log group, security groups from the Tendril templates.

terraform apply

Provisions the infrastructure in the specified region.

Register with Trellis

Calls POST /api/tendrils/register to create a worker record. Returns the worker ID and token, which are injected as environment variables into the ECS task.

Report results

Job status → SUCCESS. The new Tendril boots, registers its heartbeat, and appears as ONLINE in the Tendrils page.

UPDATE_WORKER

Updates an existing Tendril to the latest release.

  1. Updates the ECS task definition with the latest Docker image tag
  2. Forces a new ECS Fargate deployment (--force-new-deployment)
  3. The old task drains gracefully, the new task starts with the updated image

DESTROY_WORKER

Tears down a Tendril's infrastructure.

  1. Runs terraform destroy on the Tendril's ECS resources
  2. Removes the worker registration from Trellis
  3. Any jobs assigned to this Tendril are requeued to other available Tendrils

CONNECTION_TEST

Validates cloud provider credentials and discovers existing resources.

Assume cloud credentials

Uses the specified cloud identity.

Verify identity

  • AWS: sts:GetCallerIdentity — confirms the assumed role
  • GCP: Token exchange validation
  • Azure: Resource Manager authentication check

Discover resources

Queries the cloud account for existing resources:

VPCs, subnets, hosted zones, IAM users, security groups

VPC networks, subnets, DNS managed zones

VNets, subnets, DNS zones

Cache results

Discovered resources are stored in cloud_identities.credentials (JSONB) for use in the Plant a Vine form (e.g., "Use existing VPC" dropdown).

FETCH_RESOURCES

Same as CONNECTION_TEST but without the initial identity verification. Used for refreshing the cached resource list (e.g., when the user clicks "Refresh" in the Provider Ribbon).

Destroy Jobs

How Tendril executes DESTROY jobs — terraform destroy with state cleanup.

Cloud Credential Management

How Tendril assumes temporary credentials per job for AWS, GCP, and Azure.

On this page

Worker & Utility JobsDEPLOY_WORKERUse platform credentialsGenerate Terraform configterraform applyRegister with TrellisReport resultsUPDATE_WORKERDESTROY_WORKERCONNECTION_TESTAssume cloud credentialsVerify identityDiscover resourcesCache resultsFETCH_RESOURCES