CFDB stack

.github/workflows/deploy-to-ecr.yml

@@ -6,21 +6,17 @@ on:
       - master
 
 jobs:
-  build:
+  build-and-deploy:
     if: github.repository == 'abdenlab/cfdb'
-    # Available versions:
-    # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idruns-on
     runs-on: ubuntu-24.04
     permissions:
         id-token: write
         contents: read
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        if: ${{ github.event_name == 'push' && github.ref  == 'refs/heads/master' }}
         uses: aws-actions/configure-aws-credentials@v3
         with:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
@@ -30,11 +26,24 @@ jobs:
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
 
-      - name: Push to ECR
+      - name: Build and push to ECR
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
           REPOSITORY: cfdb
-          IMAGE_TAG: latest
         run: |
-            docker build --file Dockerfile.api -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
-            docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+          SHA_TAG=${GITHUB_SHA::8}
+          docker build --file Dockerfile.api \
+            -t $REGISTRY/$REPOSITORY:latest \
+            -t $REGISTRY/$REPOSITORY:$SHA_TAG .
+          docker push $REGISTRY/$REPOSITORY:latest
+          docker push $REGISTRY/$REPOSITORY:$SHA_TAG
+
+      - name: Deploy to ECS
+        env:
+          ECS_CLUSTER: ${{ secrets.ECS_CLUSTER }}
+          ECS_SERVICE: ${{ secrets.ECS_SERVICE }}
+        run: |
+          aws ecs update-service \
+            --cluster $ECS_CLUSTER \
+            --service $ECS_SERVICE \
+            --force-new-deployment

Dockerfile.api

@@ -10,6 +10,12 @@ EXPOSE 8000
 ENV DATABASE_URL="mongodb://cvh-backend:27017"
 WORKDIR /app
 
+# Install curl (for ECS health checks) and download AWS DocumentDB CA bundle
+RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /etc/cfdb/certs \
+    && curl --fail -sS -o /etc/cfdb/certs/global-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem \
+    && chmod 644 /etc/cfdb/certs/global-bundle.pem
+
 # Install the materializer binary
 COPY --from=builder /build/target/release/materialize /usr/local/bin/materialize
 

Dockerfile.mongodb

@@ -3,87 +3,37 @@ FROM mongo:latest
 # Copy database dump and scripts
 COPY database/ /data/database/
 COPY scripts/create-indexes.js /scripts/create-indexes.js
-COPY scripts/create-x509-users.js /scripts/create-x509-users.js
 
-# Copy TLS configuration
-COPY docker/mongodb/mongod-tls.conf /etc/mongodb/mongod-tls.conf
-
-# Create startup script with conditional TLS support
+# Create startup script (development mode only)
 COPY <<'EOF' /startup.sh
 #!/bin/bash
 set -e
 
-# Check if TLS certificates are mounted (production mode)
-if [ -f /etc/mongodb/certs/server-bundle.pem ] && [ -f /etc/mongodb/certs/ca.pem ]; then
-    echo "=== TLS certificates found - starting in PRODUCTION mode ==="
-
-    # Phase 1: Start MongoDB with TLS but WITHOUT auth (for initial setup)
-    echo "Phase 1: Starting MongoDB with TLS (no auth for setup)..."
-    mongod --bind_ip_all \
-           --tlsMode requireTLS \
-           --tlsCertificateKeyFile /etc/mongodb/certs/server-bundle.pem \
-           --tlsCAFile /etc/mongodb/certs/ca.pem \
-           --tlsAllowConnectionsWithoutCertificates &
-    MONGOD_PID=$!
-
-    # Wait for MongoDB to be ready
-    echo "Waiting for MongoDB to start..."
-    until mongosh --tls --tlsAllowInvalidCertificates \
-                  --eval "db.adminCommand('ping')" >/dev/null 2>&1; do
-        sleep 1
-    done
-    echo "MongoDB started with TLS (no auth)."
-
-    # Restore database
-    echo "Restoring database..."
-    mongorestore --gzip /data/database \
-                 --ssl --sslAllowInvalidCertificates
-
-    # Create indexes
-    echo "Creating indexes..."
-    mongosh --tls --tlsAllowInvalidCertificates \
-            cfdb /scripts/create-indexes.js
-
-    # Create X.509 users
-    echo "Creating X.509 users..."
-    mongosh --tls --tlsAllowInvalidCertificates \
-            admin /scripts/create-x509-users.js
-
-    echo "Phase 1 complete. Restarting MongoDB with auth enabled..."
-
-    # Phase 2: Shutdown and restart with full security
-    kill $MONGOD_PID
-    wait $MONGOD_PID 2>/dev/null
-
-    echo "Phase 2: Starting MongoDB with TLS and X.509 authentication..."
-    exec mongod --config /etc/mongodb/mongod-tls.conf --setParameter authenticationMechanisms=MONGODB-X509
-else
-    echo "=== No TLS certificates found - starting in DEVELOPMENT mode ==="
+echo "=== Starting MongoDB in DEVELOPMENT mode ==="
 
-    # Start MongoDB without TLS (original behavior)
-    mongod --bind_ip_all &
-    MONGOD_PID=$!
+# Start MongoDB without TLS
+mongod --bind_ip_all &
+MONGOD_PID=$!
 
-    # Wait for MongoDB to be ready
-    echo "Waiting for MongoDB to start..."
-    until mongosh --eval "db.adminCommand('ping')" >/dev/null 2>&1; do
-        sleep 1
-    done
-    echo "MongoDB started."
+# Wait for MongoDB to be ready
+echo "Waiting for MongoDB to start..."
+until mongosh --eval "db.adminCommand('ping')" >/dev/null 2>&1; do
+    sleep 1
+done
+echo "MongoDB started."
 
-    # Restore database
-    echo "Restoring database..."
-    mongorestore --gzip /data/database
+# Restore database
+echo "Restoring database..."
+mongorestore --gzip /data/database
 
-    # Create indexes
-    echo "Creating indexes..."
-    mongosh cfdb /scripts/create-indexes.js
+# Create indexes
+echo "Creating indexes..."
+mongosh cfdb /scripts/create-indexes.js
 
-    echo "=== Development initialization complete ==="
+echo "=== Development initialization complete ==="
 
-    # Keep MongoDB running
-    wait $MONGOD_PID
-fi
+# Keep MongoDB running
+wait $MONGOD_PID
 EOF
 
 RUN chmod +x /startup.sh

Makefile

@@ -1,6 +1,3 @@
-# Certificate directory (customize for production)
-CERT_DIR ?= $(PWD)/certs
-
 network:
 	@echo "Checking if Docker network 'cvh-backend-network' exists..."
 	@if ! docker network inspect cvh-backend-network >/dev/null 2>&1; then \
@@ -10,40 +7,16 @@ network:
 		echo "Network cvh-backend-network already exists."; \
 	fi
 
-# Generate certificates for TLS/X.509 authentication
-certs:
-	@echo "Generating TLS certificates..."
-	./certs/generate-certs.sh
-	@echo "Certificates generated in $(CERT_DIR)"
-
-# Development mode (no authentication)
 mongodb:
 	make network
 	@docker stop mongodb 2>/dev/null || true
 	@docker rm mongodb 2>/dev/null || true
 	@echo "Building MongoDB image..."
 	docker build -t cfdb-mongodb -f Dockerfile.mongodb .
-	@echo "Starting MongoDB container in DEVELOPMENT mode (no TLS)..."
+	@echo "Starting MongoDB container..."
 	docker run -d --name mongodb --network cvh-backend-network --network-alias cvh-backend -p 27017:27017 cfdb-mongodb
 	@echo "MongoDB container starting on port 27017. Check logs with: docker logs -f mongodb"
 
-# Production mode (TLS/X.509 authentication)
-mongodb-prod:
-	make network
-	@docker stop mongodb 2>/dev/null || true
-	@docker rm mongodb 2>/dev/null || true
-	@echo "Building MongoDB image..."
-	docker build -t cfdb-mongodb -f Dockerfile.mongodb .
-	@echo "Starting MongoDB container in PRODUCTION mode (TLS/X.509)..."
-	docker run -d --name mongodb \
-		--network cvh-backend-network \
-		--network-alias cvh-backend \
-		-p 27017:27017 \
-		-v $(CERT_DIR)/ca/ca.pem:/etc/mongodb/certs/ca.pem:ro \
-		-v $(CERT_DIR)/server/cvh-backend-bundle.pem:/etc/mongodb/certs/server-bundle.pem:ro \
-		cfdb-mongodb
-	@echo "MongoDB container starting on port 27017 with TLS. Check logs with: docker logs -f mongodb"
-
 build-materialize:
 	@echo "Building materializer..."
 	cd materialize && cargo build --release
@@ -54,64 +27,22 @@ install-materialize: build-materialize
 	sudo cp materialize/target/release/materialize /usr/local/bin/
 	@echo "Materializer installed."
 
-# Development mode (no authentication)
 materialize-files: build-materialize
-	@echo "Materializing 'files' collection (dev mode)..."
+	@echo "Materializing 'files' collection..."
 	./materialize/target/release/materialize
 	@echo "Files collection created successfully."
 
 materialize-dcc: build-materialize
-	@echo "Materializing file metadata for $(DCC) (dev mode)..."
-	./materialize/target/release/materialize --submission $(DCC)
-	@echo "Done."
-
-# Production mode (TLS/X.509 authentication)
-materialize-files-prod: build-materialize
-	@echo "Materializing 'files' collection (TLS/X.509)..."
-	MONGODB_TLS_ENABLED=true \
-	MONGODB_CERT_PATH=$(CERT_DIR)/clients/cfdb-materializer-bundle.pem \
-	MONGODB_CA_PATH=$(CERT_DIR)/ca/ca.pem \
-	DATABASE_URL=mongodb://cvh-backend:27017 \
-	./materialize/target/release/materialize
-	@echo "Files collection created successfully."
-
-materialize-dcc-prod: build-materialize
-	@echo "Materializing file metadata for $(DCC) (TLS/X.509)..."
-	MONGODB_TLS_ENABLED=true \
-	MONGODB_CERT_PATH=$(CERT_DIR)/clients/cfdb-materializer-bundle.pem \
-	MONGODB_CA_PATH=$(CERT_DIR)/ca/ca.pem \
-	DATABASE_URL=mongodb://cvh-backend:27017 \
+	@echo "Materializing file metadata for $(DCC)..."
 	./materialize/target/release/materialize --submission $(DCC)
 	@echo "Done."
 
-# Development mode (no authentication)
 api:
 	make network
 	@docker stop api 2>/dev/null || true
 	@docker rm api 2>/dev/null || true
 	@echo "Building the API Docker image..."
 	docker build -t api -f Dockerfile.api .
-	@echo "Starting the API container in DEVELOPMENT mode (no TLS)..."
+	@echo "Starting the API container..."
 	docker run -d --name api --network cvh-backend-network --network-alias cvh-backend -p 8000:8000 -e SYNC_API_KEY=dev-sync-key -e SYNC_DATA_DIR=/tmp/sync-data api
 	@echo "API container is up and running on port 8000 (http://0.0.0.0:8000/metadata)."
-
-# Production mode (TLS/X.509 authentication)
-api-prod:
-	make network
-	@docker stop api 2>/dev/null || true
-	@docker rm api 2>/dev/null || true
-	@echo "Building the API Docker image..."
-	docker build -t api -f Dockerfile.api .
-	@echo "Starting the API container in PRODUCTION mode (TLS/X.509)..."
-	docker run -d --name api \
-		--network cvh-backend-network \
-		--network-alias cvh-backend \
-		-p 8000:8000 \
-		-e MONGODB_TLS_ENABLED=true \
-		-e DATABASE_URL=mongodb://cvh-backend:27017 \
-		-e SYNC_API_KEY=$(SYNC_API_KEY) \
-		-e SYNC_DATA_DIR=/tmp/sync-data \
-		-v $(CERT_DIR)/ca/ca.pem:/etc/cfdb/certs/ca.pem:ro \
-		-v $(CERT_DIR)/clients/cfdb-api-bundle.pem:/etc/cfdb/certs/client-bundle.pem:ro \
-		api
-	@echo "API container is up with TLS on port 8000 (http://0.0.0.0:8000/metadata)."