feat: hoist the refresh geodb outside of the Dockerfile (#464)

* feat: hoist the refresh geodb outside of the Dockerfile

* feat: change to run refresh every 4 hours

* chore: remove unused arg

* fix: update script to fetch the geodb data

.github/workflows/build_and_deploy.yml

@@ -35,6 +35,10 @@ jobs:
           role-session-name: SREBotGitHubActions
           aws-region: "ca-central-1"
 
+      - name: Download GeoDB from S3
+        run: |
+          aws s3 cp s3://${{ secrets.GEO_DB_BUCKET }}/GeoLite2-City.tar.gz ./app/geodb/GeoLite2-City.tar.gz
+
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
@@ -44,7 +48,6 @@ jobs:
         run: |
           docker build \
           --build-arg git_sha=$GITHUB_SHA \
-          --build-arg LICENSE_KEY=${{ secrets.MAXMIND_LICENSE }} \
           -t $REGISTRY/sre-bot:$GITHUB_SHA-`date '+%Y-%m-%d'` \
           -t $REGISTRY/sre-bot:latest .
 

.github/workflows/ci_container.yml

@@ -8,6 +8,10 @@ env:
   GITHUB_SHA: ${{ github.sha }}
   REGISTRY: 283582579564.dkr.ecr.ca-central-1.amazonaws.com/sre-bot
 
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -22,12 +26,22 @@ jobs:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
+      - name: Configure aws credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::283582579564:role/sre-bot-plan
+          role-session-name: SREBotGitHubActions
+          aws-region: "ca-central-1"
+
+      - name: Download GeoDB from S3
+        run: |
+          aws s3 cp s3://${{ secrets.GEO_DB_BUCKET }}/GeoLite2-City.tar.gz ./app/geodb/GeoLite2-City.tar.gz
+
       - name: Build container
         working-directory: ./
         run: |
           docker build \
           --build-arg git_sha=$GITHUB_SHA \
-          --build-arg LICENSE_KEY=${{ secrets.MAXMIND_LICENSE }} \
           -t sre-bot:latest \
           -t $REGISTRY/sre-bot:$GITHUB_SHA-`date '+%Y-%m-%d'` \
           -t $REGISTRY/sre-bot:latest .

.github/workflows/refresh_geodb.yml

@@ -0,0 +1,29 @@
+name: Refresh GeoDB
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 */4 * * *"
+
+jobs:
+  s3-backup:
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      with:
+        aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
+        aws-region: ca-central-1
+
+    - name: Download GeoDB and update to bucket
+      run: |
+        wget -O GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${{ secrets.MAXMIND_LICENSE }}&suffix=tar.gz"
+        aws s3 cp GeoLite2-City.tar.gz s3://${{ secrets.GEO_DB_BUCKET }}/GeoLite2-City.tar.gz
+
+    - name: Notify Slack channel if this job failed
+      if: ${{ failure() }}
+      run: |
+        json='{"text":"GeoDB Refresh failed in <https://github.com/${{ github.repository }}>!"}'
+        curl -X POST -H 'Content-type: application/json' --data "$json"  ${{ secrets.SLACK_NOTIFY_WEBHOOK }}

Dockerfile

@@ -23,15 +23,13 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY app/ .
 
-ARG LICENSE_KEY
+COPY app/geodb/GeoLite2-City.tar.gz /app/geodb/GeoLite2-City.tar.gz
 
-RUN mkdir -p /app/geodb
-RUN wget -O "/app/geodb/GeoLite2-City.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=$LICENSE_KEY&suffix=tar.gz"
 RUN tar -xzvf /app/geodb/GeoLite2-City.tar.gz -C /app/geodb
 RUN cp /app/geodb/GeoLite2-City_*/GeoLite2-City.mmdb /app/geodb/GeoLite2-City.mmdb
 RUN rm -rf /app/geodb/GeoLite2-City_*
 RUN rm /app/geodb/GeoLite2-City.tar.gz
 
 COPY app/bin/entry.sh /app/entry.sh
 
-ENTRYPOINT [ "/app/entry.sh" ]
+ENTRYPOINT [ "/app/entry.sh" ]