feat(coprocessor): auth coprocessor poc [WIP] #1026

Open
wants to merge 14 commits into
base: main

kschelonka
Contributor

@kschelonka kschelonka commented Jan 13, 2025

Proof of concept which bypasses the web repo for auth, removing the need to proxy the graphql request for token injection

@kschelonka kschelonka requested a review from a team as a code owner January 13, 2025 22:18
@kschelonka kschelonka requested review from marcin-kozinski and removed request for a team January 13, 2025 22:18

github-actions bot commented Jan 13, 2025

Plan Result (@infrastructure/client-api-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 4 to add, 1 to change, 1 to destroy.
  • Create
    • aws_cloudwatch_log_group.coprocessor-log-group
    • aws_ecr_lifecycle_policy.application_ecs_service_ecr-coprocessor_ecr-repo-lifecyclepolicy_102419E1
    • aws_ecr_repository.application_ecs_service_ecr-coprocessor_ecr-repo_FDA037E9
  • Update
    • aws_codedeploy_deployment_group.application_ecs_service_ecs_codedeploy_ecs_codedeploy_deployment_group_48384247
  • Replace
    • aws_ecs_task_definition.application_ecs_service_ecs-task_461CC9D4
Change Result (Click me)
  # aws_cloudwatch_log_group.coprocessor-log-group will be created
  + resource "aws_cloudwatch_log_group" "coprocessor-log-group" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/Backend/ClientAPI-Prod/ecs/coprocessor"
      + name_prefix       = (known after apply)
      + retention_in_days = 90
      + skip_destroy      = true
      + tags              = {
          + "app_code"       = "pocket-content-shared"
          + "component_code" = "pocket-content-shared-clientapi"
          + "costCenter"     = "Shared"
          + "env_code"       = "prod"
          + "environment"    = "Prod"
          + "owner"          = "Pocket"
          + "service"        = "ClientAPI"
        }
      + tags_all          = {
          + "app_code"       = "pocket-content-shared"
          + "component_code" = "pocket-content-shared-clientapi"
          + "costCenter"     = "Shared"
          + "env_code"       = "prod"
          + "environment"    = "Prod"
          + "owner"          = "Pocket"
          + "service"        = "ClientAPI"
        }
    }

  # aws_codedeploy_deployment_group.application_ecs_service_ecs_codedeploy_ecs_codedeploy_deployment_group_48384247 will be updated in-place
  ~ resource "aws_codedeploy_deployment_group" "application_ecs_service_ecs_codedeploy_ecs_codedeploy_deployment_group_48384247" {
      ~ deployment_config_name      = "CodeDeployDefault.ECSAllAtOnce" -> "CodeDeployDefault.ECSCanary10Percent5Minutes"
        id                          = "2d1e8022-60f3-44d0-97ec-ba83a381e314"
        tags                        = {
            "app_code"       = "pocket-content-shared"
            "component_code" = "pocket-content-shared-clientapi"
            "costCenter"     = "Shared"
            "env_code"       = "prod"
            "environment"    = "Prod"
            "owner"          = "Pocket"
            "service"        = "ClientAPI"
        }
        # (10 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # aws_ecr_lifecycle_policy.application_ecs_service_ecr-coprocessor_ecr-repo-lifecyclepolicy_102419E1 will be created
  + resource "aws_ecr_lifecycle_policy" "application_ecs_service_ecr-coprocessor_ecr-repo-lifecyclepolicy_102419E1" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "expire old images"
                      + rulePriority = 1
                      + selection    = {
                          + countNumber = 800
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "clientapi-prod-coprocessor"
    }

  # aws_ecr_repository.application_ecs_service_ecr-coprocessor_ecr-repo_FDA037E9 will be created
  + resource "aws_ecr_repository" "application_ecs_service_ecr-coprocessor_ecr-repo_FDA037E9" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "MUTABLE"
      + name                 = "clientapi-prod-coprocessor"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags                 = {
          + "app_code"       = "pocket-content-shared"
          + "component_code" = "pocket-content-shared-clientapi"
          + "costCenter"     = "Shared"
          + "env_code"       = "prod"
          + "environment"    = "Prod"
          + "owner"          = "Pocket"
          + "service"        = "ClientAPI"
        }
      + tags_all             = {
          + "app_code"       = "pocket-content-shared"
          + "component_code" = "pocket-content-shared-clientapi"
          + "costCenter"     = "Shared"
          + "env_code"       = "prod"
          + "environment"    = "Prod"
          + "owner"          = "Pocket"
          + "service"        = "ClientAPI"
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }
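
Review bot: `image_tag_mutability = "MUTABLE"` on the new `clientapi-prod-coprocessor` repository allows an existing tag to be repointed at a different image after it has been pushed and scanned. Since this repository holds the auth coprocessor image, consider setting it to `IMMUTABLE` and having the task definition reference an immutable tag or digest; `scan_on_push = true` only covers the image as it was at push time.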

  # aws_ecs_task_definition.application_ecs_service_ecs-task_461CC9D4 must be replaced
-/+ resource "aws_ecs_task_definition" "application_ecs_service_ecs-task_461CC9D4" {
      ~ arn                      = "arn:aws:ecs:us-east-1:996905175585:task-definition/ClientAPI-Prod:530" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:996905175585:task-definition/ClientAPI-Prod" -> (known after apply)
      ~ container_definitions    = jsonencode(
            [
              - {
                  - environment            = [
                      - {
                          - name  = "APOLLO_GRAPH_REF"
                          - value = "pocket-client-api@current"
                        },
                      - {
                          - name  = "APP_ENVIRONMENT"
                          - value = "production"
                        },
                      - {
                          - name  = "OTLP_COLLECTOR_URL"
                          - value = "https://otel-collector.readitlater.com:443"
                        },
                      - {
                          - name  = "PORT"
                          - value = "4001"
                        },
                      - {
                          - name  = "REDIS_ENDPOINT"
                          - value = "clientapi-prod-serverless-zcx42u.serverless.use1.cache.amazonaws.com"
                        },
                    ]
                  - essential              = true
                  - healthCheck            = {
                      - command     = [
                          - "CMD-SHELL",
                          - "curl -f http://localhost:4001/.well-known/apollo/server-health || exit 1",
                        ]
                      - interval    = 15
                      - retries     = 3
                      - startPeriod = 0
                      - timeout     = 5
                    }
                  - image                  = "996905175585.dkr.ecr.us-east-1.amazonaws.com/clientapi-prod-app:latest"
                  - logConfiguration       = {
                      - logDriver     = "awslogs"
                      - options       = {
                          - awslogs-group             = "/Backend/ClientAPI-Prod/ecs/app"
                          - awslogs-multiline-pattern = "^\\S.+"
                          - awslogs-region            = "us-east-1"
                          - awslogs-stream-prefix     = "ecs"
                        }
                      - secretOptions = []
                    }
                  - mountPoints            = []
                  - name                   = "app"
                  - portMappings           = [
                      - {
                          - containerPort = 4001
                          - hostPort      = 4001
                          - protocol      = "tcp"
                        },
                    ]
                  - readonlyRootFilesystem = false
                  - secrets                = [
                      - {
                          - name      = "APOLLO_KEY"
                          - valueFrom = "arn:aws:ssm:us-east-1:996905175585:parameter/ClientAPI/Prod/APOLLO_KEY"
                        },
                      - {
                          - name      = "SENTRY_DSN"
                          - valueFrom = "arn:aws:ssm:us-east-1:996905175585:parameter/ClientAPI/Prod/SENTRY_DSN"
                        },
                    ]
                  - systemControls         = []
                  - volumesFrom            = []
                },
            ] # forces replacement
        ) -> (known after apply) # forces replacement
      ~ id                       = "ClientAPI-Prod" -> (known after apply)
      ~ revision                 = 530 -> (known after apply)
        tags                     = {
            "app_code"       = "pocket-content-shared"
            "component_code" = "pocket-content-shared-clientapi"
            "costCenter"     = "Shared"
            "env_code"       = "prod"
            "environment"    = "Prod"
            "owner"          = "Pocket"
            "service"        = "ClientAPI"
        }
        # (12 unchanged attributes hidden)
    }
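
Review bot: In `container_definitions`, the plan shows only the removed `app` container and the new value is `(known after apply)`, so the coprocessor container's image, environment, secrets and port mappings cannot be reviewed from this output. Please attach the rendered container definitions, or make them resolvable at plan time, before this is applied to ClientAPI-Prod, and confirm that `APOLLO_KEY` and `SENTRY_DSN` are still sourced from SSM via `secrets` rather than moved into `environment`.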

Plan: 4 to add, 1 to change, 1 to destroy.

Changes to Outputs:
  ~ ecs-task-arn           = "arn:aws:ecs:us-east-1:996905175585:task-definition/ClientAPI-Prod:530" -> (known after apply)


github-actions bot commented Jan 13, 2025

Plan Result (@infrastructure/parser-graphql-wrapper-production)

CI link

No changes. Your infrastructure matches the configuration.

@github-actions github-actions bot deployed to @server/otel-collector-dev January 13, 2025 22:52 Active
@github-actions github-actions bot deployed to @server/braze-content-proxy-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/shared-snowplow-consumer-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/shares-api-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/image-api-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/v3-proxy-api-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/annotations-api-dev January 13, 2025 22:53 Active
@github-actions github-actions bot deployed to @server/shareable-lists-api-dev January 13, 2025 22:54 Active
@github-actions github-actions bot deployed to @server/parser-graphql-wrapper-dev January 13, 2025 22:54 Active
@github-actions github-actions bot deployed to @server/list-api-dev January 13, 2025 22:54 Active
@github-actions github-actions bot deployed to @server/account-data-deleter-dev January 13, 2025 22:54 Active
@github-actions github-actions bot deployed to @server/user-api-dev January 13, 2025 22:54 Active
@github-actions github-actions bot deployed to @server/feature-flags-dev January 13, 2025 22:54 Active
@kschelonka kschelonka force-pushed the feat/auth-coprocessor branch from b303e9c to d4fc450 Compare January 14, 2025 22:29