Merge pull request #309 from caktus/develop

Production release v1.21.0

.github/workflows/deploy.yaml

@@ -2,7 +2,7 @@ name: deploy
 
 on:
   push:
-    branches: [main, develop, CU-8686edfh0-performance]
+    branches: [main, develop, CU-86897a79g-cache-misses]
 
 jobs:
   deploy:

.github/workflows/test.yaml

@@ -34,7 +34,7 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt update
-          sudo apt install -y --no-install-recommends postgresql-client-14
+          sudo apt install -y --no-install-recommends postgresql-client
           python -m pip install pip-tools
           pip-sync requirements/base/base.txt requirements/dev/dev.txt requirements/test/test.txt
       - name: Create NC database

.pre-commit-config.yaml

@@ -1,22 +1,22 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 22.3.0
+    rev: 24.10.0
     hooks:
       - id: black
         language_version: python3.10
         exclude: migrations
   - repo: https://github.com/PyCQA/flake8
-    rev: 4.0.1
+    rev: 7.1.1
     hooks:
       - id: flake8
         exclude: settings|migrations|tests
   - repo: https://github.com/pycqa/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args: ["--profile", "black", "--filter-files"]
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer

Dockerfile

@@ -1,21 +1,19 @@
-FROM node:18.17.0-bullseye-slim as static_files
+FROM node:18.17.0-bullseye-slim AS static_files
 
 WORKDIR /code
-ENV PATH /code/node_modules/.bin:$PATH
+ENV PATH=/code/node_modules/.bin:$PATH
 COPY frontend/package.json frontend/package-lock.json /code/
-RUN npm install -g npm@latest
 RUN npm install --silent
 COPY frontend/ /code/
 RUN npm run build
 
-FROM python:3.10-slim-bullseye as base
+FROM python:3.10-slim-bullseye AS base
 
 # Create a group and user to run our app
 ARG APP_USER=appuser
 RUN groupadd -r ${APP_USER} && useradd --no-log-init -r -g ${APP_USER} ${APP_USER}
 
 # Install packages needed to run your application (not build deps):
-#   mime-support -- for mime types when serving static files
 #   postgresql-client -- for running database commands
 # We need to recreate the /usr/share/man/man{1..8} directories first because
 # they were clobbered by a parent image.
@@ -127,7 +125,6 @@ RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/
     jq \
     libpcre3 \
     libpq-dev \
-    mime-support \
     nodejs \
     openssh-client \
     postgresql-client-12 \

Makefile

@@ -9,7 +9,7 @@ update_requirements:
 	pip-compile --output-file=requirements/base/base.txt requirements/base/base.in
 	pip-compile --output-file=requirements/test/test.txt requirements/test/test.in
 	pip-compile --output-file=requirements/dev/dev.txt requirements/dev/dev.in
-	pip-compile --output-file=requirements/deploy/deploy.txt requirements/deploy/deploy.in
+	pip-compile --upgrade --output-file=requirements/deploy/deploy.txt requirements/deploy/deploy.in
 
 install_requirements:
 	@echo 'Installing pip-tools...'

deploy/deploy-cf-stack.yml

@@ -15,3 +15,22 @@
           unexpectedly), execute the changeset. When complete, hit RETURN to continue or Control-C,
           then A to abort.
       when: cloudformation_stack_result is changed
+
+- name: cdn (cloudfront) management
+  hosts: cdn
+  gather_facts: false
+  tags: cdn
+  vars:
+    ansible_connection: local
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  roles:
+    - role: caktus.aws-web-stacks
+  tasks:
+    - name: Prompt if CloudFormation stack changed
+      pause:
+        prompt: >
+          A changeset was created for the CloudFormation stack. You MUST login to the AWS console,
+          inspect the changeset, and if everything looks good (i.e., it's not DELETING anything
+          unexpectedly), execute the changeset. When complete, hit RETURN to continue or Control-C,
+          then A to abort.
+      when: cloudformation_stack_result is changed

deploy/group_vars/all.yml

@@ -23,41 +23,37 @@ admin_database_password: !vault |
 #                        provisioning with aws-web-stacks.
 # ----------------------------------------------------------------------------
 
-stack_name: "{{ app_name }}-stack"
-
-cloudformation_stack:
-  region: "{{ aws_region }}"
-  stack_name: "{{ stack_name }}"
-  template_bucket: "aws-web-stacks-{{ app_name }}"
-  # Webstacks required variable
-  template_local_path: '{{ playbook_dir + "/stack/eks-no-nat.yml" }}'
-  create_changeset: true
-  termination_protection: true
-
-  template_parameters:
-    PrimaryAZ: "{{ aws_region }}a"
-    SecondaryAZ: "{{ aws_region }}b"
-    DesiredScale: 2
-    MaxScale: 4
-    UseAES256Encryption: "true"
-    CustomerManagedCmkArn: ""
-    ContainerInstanceType: t3a.large
-    ContainerVolumeSize: 40
-    DatabaseAllocatedStorage: 100
-    DatabaseClass: db.t3.large
-    DatabaseEngineVersion: "12"
-    DatabaseParameterGroupFamily: postgres12
-    DatabaseMultiAZ: "false"
-    DatabaseUser: "{{ app_name }}_admin"
-    DatabasePassword: "{{ admin_database_password }}"
-    DatabaseName: "{{ app_name }}"
-    DomainName: nccopwatch.org
-    DomainNameAlternates: ""
-    AssetsCloudFrontDomain: files.nccopwatch.org
-    AssetsCloudFrontCertArn: arn:aws:acm:us-east-1:606178775542:certificate/379950bb-4b29-4308-8418-122674fe1076
-    AssetsUseCloudFront: "true"
-  tags:
-    Environment: "{{ app_name }}"
+cloudformation_stack_state: present
+cloudformation_stack_profile: '{{ aws_profile }}'
+cloudformation_stack_region: '{{ aws_region }}'
+cloudformation_stack_name: "{{ app_name }}-stack"
+cloudformation_stack_termination_protection: true
+cloudformation_stack_template_bucket: "aws-web-stacks-{{ app_name }}"
+cloudformation_stack_template_local_path: '{{ playbook_dir + "/stack/eks-no-nat.yml" }}'
+cloudformation_stack_template_parameters:
+  PrimaryAZ: "{{ aws_region }}a"
+  SecondaryAZ: "{{ aws_region }}b"
+  DesiredScale: 2
+  MaxScale: 4
+  UseAES256Encryption: "true"
+  CustomerManagedCmkArn: ""
+  ContainerInstanceType: db.t4g.xlarge
+  ContainerVolumeSize: 40
+  DatabaseAllocatedStorage: 100
+  DatabaseClass: db.t4g.xlarge
+  DatabaseEngineVersion: "12"
+  DatabaseParameterGroupFamily: postgres12
+  DatabaseMultiAZ: "false"
+  DatabaseUser: "{{ app_name }}_admin"
+  DatabasePassword: "{{ admin_database_password }}"
+  DatabaseName: "{{ app_name }}"
+  DomainName: nccopwatch.org
+  DomainNameAlternates: ""
+  AssetsCloudFrontDomain: files.nccopwatch.org
+  AssetsCloudFrontCertArn: arn:aws:acm:us-east-1:606178775542:certificate/379950bb-4b29-4308-8418-122674fe1076
+  AssetsUseCloudFront: "true"
+cloudformation_stack_tags:
+  Environment: "{{ app_name }}"
 
 # Install Descheduler to attempt to spread out pods again after node failures
 k8s_install_descheduler: yes
@@ -79,7 +75,7 @@ k8s_descheduler_release_values:
 #                         clusters for web apps.
 # ----------------------------------------------------------------------------
 
-k8s_cluster_name: "{{ cloudformation_stack.stack_name }}-cluster"
+k8s_cluster_name: "{{ cloudformation_stack_name }}-cluster"
 k8s_context: "arn:aws:eks:us-east-2:606178775542:cluster/{{ k8s_cluster_name }}"
 k8s_cluster_type: aws
 

deploy/group_vars/cdn.yml

@@ -0,0 +1,23 @@
+cloudfront_domain_name: "{{ k8s_domain_names[0] }}"
+cloudfront_domain_name_origin: "{{ env_name }}-origin.nccopwatch.org"
+
+cloudformation_stack_state: present
+cloudformation_stack_profile: '{{ aws_profile }}'
+cloudformation_stack_region: '{{ aws_region }}'
+cloudformation_stack_name: 'cdn-{{ env_name }}'
+cloudformation_stack_template_bucket: 'aws-web-stacks-trafficstops'
+cloudformation_stack_template_bucket_path: 'templates/cdn.yml'
+cloudformation_stack_template_local_path: '{{ playbook_dir + "/stack/cloudfront.yml" }}'
+cloudformation_stack_template_parameters:
+  AppCloudFrontCertArn: arn:aws:acm:us-east-1:606178775542:certificate/5bcc16cb-7ca3-4277-8992-a4e20500cc0b
+  AppCloudFrontForwardedHeaders: "Host,Authorization"
+  DomainName: "{{ cloudfront_domain_name }}"
+  AppCloudFrontOriginDomainName: "{{ cloudfront_domain_name_origin }}"
+  # Allow key-less access to create CloudFront invalidations
+  AppCloudFrontRoleArn: trafficstops-stack-ContainerInstanceRole-1XMBM3VLAYOVE
+  # Required for the CloudFront template
+  DomainNameAlternates: ""
+  CustomAppCertificateArn: ""
+  CertificateValidationMethod: "(none)"
+cloudformation_stack_tags:
+  Environment: "{{ env_name }}"

deploy/group_vars/k8s.yml

@@ -40,7 +40,7 @@ k8s_collectstatic_enabled: false
 
 # Auxillary pod configuration:
 k8s_worker_enabled: true
-k8s_worker_replicas: 1
+k8s_worker_replicas: 2
 k8s_worker_celery_app: "traffic_stops"
 k8s_worker_command:
   - newrelic-admin
@@ -103,6 +103,9 @@ env_email_host_password: !vault |
   31326137623163613135346565346632623661303839653038333866363565623865363766326465
   3232353563333332396133636565626662366332356638303166
 env_email_use_tls: "true"
+# Basic auth
+env_basicauth_username: ""
+env_basicauth_password: ""
 
 k8s_environment_variables:
   CONTAINER_IMAGE_TAG: "{{ k8s_container_image_tag }}"
@@ -115,6 +118,9 @@ k8s_environment_variables:
   ALLOWED_HOSTS: "{{ k8s_domain_names[0] }}"
   ENVIRONMENT: "{{ env_name }}"
   CACHE_HOST: "{{ env_cache_host }}"
+  CACHE_CLOUDFRONT_DISTRIBUTION_ID: "{{ env_cache_cloudfront_distribution_id }}"
+  CACHE_BASICAUTH_USERNAME: "{{ env_basicauth_username }}"
+  CACHE_BASICAUTH_PASSWORD: "{{ env_basicauth_password }}"
   BROKER_URL: "{{ env_broker_url }}"
   # *** Uploaded media
   DEFAULT_FILE_STORAGE: "{{ env_default_file_storage }}"

deploy/host_vars/production.yml

@@ -11,6 +11,7 @@ k8s_ingress_tls_domains_extra:
 
 env_contact_us_emails:
   - wcarpenter@forwardjustice.org
+env_cache_cloudfront_distribution_id: "ERRFDXQVT6ZBM"
 
 database_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256

deploy/host_vars/staging.yml

@@ -7,6 +7,7 @@ env_contact_us_emails:
   - forwardjustice-team@caktusgroup.com
 
 env_media_location: "staging/"
+env_cache_cloudfront_distribution_id: E2OFFI0H5HY2N8
 
 database_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256
@@ -16,6 +17,19 @@ database_password: !vault |
   3263343333363130630a373033353533613064653033623138313334623537383037356262383662
   36613231353732663637316637383061376566663466373865356539626539376161
 
+env_basicauth_username: forwardjustice
+# Update `k8s_container_htpasswd` below if this password changes. I wasn't able to
+# manually hash the password and get it to work.
+# https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
+# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/password_hash_filter.html
+# My failed attempt: "{{ env_basicauth_username }}:{SHA}{{ env_basicauth_password | hash('sha1') | b64encode }}"
+env_basicauth_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64363233356237323034303932306231333765383966306639663465323664643065386635626464
+  3463303836643531613363636239646463383936383837380a316463386662656238653439353431
+  66616461386237636538366165613332306538623038343936316366613832343636313433326534
+  3565623766653963620a333937333535376666346165343036623964623037343461316135663230
+  3662
 k8s_container_htpasswd: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   31356461656536343532333632356338616462346436386566643438376237333935373531633762

deploy/inventory

@@ -2,5 +2,9 @@
 staging
 production
 
+[cdn]
+staging
+production
+
 [cluster]
 aws.amazon.com ansible_connection=local ansible_python_interpreter='/usr/bin/env python3'

deploy/requirements.yml

@@ -6,7 +6,7 @@
 
 - src: https://github.com/caktus/ansible-role-aws-web-stacks
   name: caktus.aws-web-stacks
-  version: ''
+  version: v0.3.0
 
 - src: https://github.com/caktus/ansible-role-k8s-web-cluster
   name: caktus.k8s-web-cluster