add cf distro id to staging; support basicauth

deploy/group_vars/k8s.yml

@@ -103,6 +103,9 @@ env_email_host_password: !vault |
   31326137623163613135346565346632623661303839653038333866363565623865363766326465
   3232353563333332396133636565626662366332356638303166
 env_email_use_tls: "true"
+# Basic auth
+env_basicauth_username: ""
+env_basicauth_password: ""
 
 k8s_environment_variables:
   CONTAINER_IMAGE_TAG: "{{ k8s_container_image_tag }}"
@@ -115,6 +118,9 @@ k8s_environment_variables:
   ALLOWED_HOSTS: "{{ k8s_domain_names[0] }}"
   ENVIRONMENT: "{{ env_name }}"
   CACHE_HOST: "{{ env_cache_host }}"
+  CACHE_CLOUDFRONT_DISTRIBUTION_ID: "{{ env_cache_cloudfront_distribution_id }}"
+  CACHE_BASICAUTH_USERNAME: "{{ env_basicauth_username }}"
+  CACHE_BASICAUTH_PASSWORD: "{{ env_basicauth_password }}"
   BROKER_URL: "{{ env_broker_url }}"
   # *** Uploaded media
   DEFAULT_FILE_STORAGE: "{{ env_default_file_storage }}"

deploy/host_vars/production.yml

@@ -11,6 +11,7 @@ k8s_ingress_tls_domains_extra:
 
 env_contact_us_emails:
   - wcarpenter@forwardjustice.org
+env_cache_cloudfront_distribution_id: ""  # TODO: Set this value once the CloudFront distribution is created
 
 database_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256

deploy/host_vars/staging.yml

@@ -7,6 +7,7 @@ env_contact_us_emails:
   - forwardjustice-team@caktusgroup.com
 
 env_media_location: "staging/"
+env_cache_cloudfront_distribution_id: E2OFFI0H5HY2N8
 
 database_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256
@@ -16,6 +17,19 @@ database_password: !vault |
   3263343333363130630a373033353533613064653033623138313334623537383037356262383662
   36613231353732663637316637383061376566663466373865356539626539376161
 
+env_basicauth_username: forwardjustice
+# Update `k8s_container_htpasswd` below if this password changes. I wasn't able to
+# manually hash the password and get it to work.
+# https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
+# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/password_hash_filter.html
+# My failed attempt: "{{ env_basicauth_username }}:{SHA}{{ env_basicauth_password | hash('sha1') | b64encode }}"
+env_basicauth_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64363233356237323034303932306231333765383966306639663465323664643065386635626464
+  3463303836643531613363636239646463383936383837380a316463386662656238653439353431
+  66616461386237636538366165613332306538623038343936316366613832343636313433326534
+  3565623766653963620a333937333535376666346165343036623964623037343461316135663230
+  3662
 k8s_container_htpasswd: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   31356461656536343532333632356338616462346436386566643438376237333935373531633762

nc/prime_cache.py

@@ -1,5 +1,7 @@
 import logging
+import time
 
+import boto3
 import requests
 
 from django.conf import settings
@@ -83,11 +85,36 @@ def get_group_urls(agency_id: int, officer_id: int = None) -> list[str]:
 def prime_group_cache(agency_id: int, num_stops: int, officer_id: int = None):
     """Prime the cache for an agency (and optionally officer)"""
     logger.info(f"Priming cache ({agency_id=}, {officer_id=}, {num_stops=})...")
+    session = requests.Session()
+    # Configure basic auth if provided
+    if settings.CACHE_BASICAUTH_USERNAME and settings.CACHE_BASICAUTH_PASSWORD:
+        session.auth = (settings.CACHE_BASICAUTH_USERNAME, settings.CACHE_BASICAUTH_PASSWORD)
     urls = get_group_urls(agency_id=agency_id, officer_id=officer_id)
     for url in urls:
         logger.debug(f"Querying {url}")
-        response = requests.get(url)
+        response = session.get(url)
         if response.status_code != 200:
             logger.warning(f"Status not OK: {url} ({response.status_code})")
             raise Exception(f"Request to {url} failed: {response.status_code}")
     logger.info(f"Primed cache ({agency_id=}, {officer_id=}, {num_stops=})")
+
+
+def invalidate_cloudfront_cache() -> dict:
+    """
+    Invalidate the CloudFront cache before priming the cache.
+
+    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudfront/client/create_invalidation.html
+    """
+    if settings.CACHE_CLOUDFRONT_DISTRIBUTION_ID:
+        logger.info(
+            f"Invalidating CloudFront distribution ({settings.CACHE_CLOUDFRONT_DISTRIBUTION_ID=})"
+        )
+        cf = boto3.client("cloudfront")
+        # Create CloudFront invalidation
+        return cf.create_invalidation(
+            DistributionId=settings.CACHE_CLOUDFRONT_DISTRIBUTION_ID,
+            InvalidationBatch={
+                "Paths": {"Quantity": 1, "Items": ["/*"]},
+                "CallerReference": str(time.time()).replace(".", ""),
+            },
+        )

nc/tasks.py

@@ -95,8 +95,7 @@ def prime_all_endpoints(
     less than this, stop.
     """
     if clear_cache:
-        logger.info("Clearing cache")
-        # TODO: Change to create CloudFront invalidation
+        prime_cache.invalidate_cloudfront_cache()
 
     if not skip_agencies:
         prime_groups_cache(by_officer=False, cutoff_count=agency_cutoff_count)

traffic_stops/settings/base.py

@@ -306,9 +306,10 @@ def __init__(self, tz_name=None):
 LOGIN_URL = "account_login"
 LOGIN_REDIRECT_URL = "home"
 
-REST_FRAMEWORK_EXTENSIONS = {"DEFAULT_CACHE_RESPONSE_TIMEOUT": 60 * 60 * 24 * 60}  # 60 days
-
-CACHE_COUNT_TIMEOUT = 60 * 60 * 24 * 60  # 60 days
+# Cache settings
+CACHE_CLOUDFRONT_DISTRIBUTION_ID = os.getenv("CACHE_CLOUDFRONT_DISTRIBUTION_ID", "")
+CACHE_BASICAUTH_USERNAME = os.getenv("CACHE_BASICAUTH_USERNAME", "")
+CACHE_BASICAUTH_PASSWORD = os.getenv("CACHE_BASICAUTH_PASSWORD", "")
 CACHE_HOST = os.getenv("CACHE_HOST", "")
 if "redis" in CACHE_HOST:
     CACHES = {