Separate indexer

[joverlee521]

Description of proposed changes

This PR starts the use of versioned resource index JSONs so that we no longer run into out-of-sync issues between the canary and production servers.

Major changes:

• the scheduled index resources workflow updates both canary and production resource index JSONs if they are different versions
• the CI workflow rebuilds the resource index before deployment of canary
• the CI workflow builds a /tmp/<branch> prefixed resource index for review apps

Related issue(s)

Related to #829

Checklist

• Checks pass
• index resources workflow for canary/production
• CI run builds/uploads /tmp/<branch> resource index
• Deploy env/production Terraform changes
• [ ] Tick the wait for CI box in Heroku
• post-merge: verify CI rebuilds index for deployment (after several fixes: CI: fix use of index-resources.yml #864, a77b0f2, index-resources.yml: Add is-workflow-call input #865, 11fbc22)
• post-merge: update S3 lifecycle
• Write up changes that require bumping the resource index version

[tsibley]

This behaviour will be good to have! Checkpointing my review commentary for now. Will finish up tomorrow.

[tsibley]

we can use terraform providers lock to pre-populate hashes for different platforms.¹

Looks like the added hashes are for darwin_arm64 (and existing ones are for linux_amd64), so we're just missing darwin_amd64 if any devs are running that combo. I think fine to leave it as-is for now, but good to know about terraform providers lock!

[jameshadfield]

This is going to be a nice improvement. I got a bit lost in the second half of the commits as the interconnectedness ramps up, so I'll try to re-read them tomorrow if I get a change.

One missing piece seems to be documentation on incrementing the resource id¹ (e.g. v1.json to v2.json), and the relationship between the test/production environments vs local indexes once you do increment it.

¹ I still think it shouldn't be called v* as it's overloading the word "version". But I won't keep pressing on this.

[jameshadfield]

Related to this change, there's a not-in-terraform lifecycle delete old versions of the index. The prefix on this lifecycle needs to be updated. I'm happy to help here, and it's not blocking the merge of this PR (in fact it's easier to do it after merge).

[joverlee521]

OH good to know! I added this to the PR checklist.

[tsibley]

It'd be nice to have that sort of thing in Terraform for exactly this reason.

[joverlee521]

From what I understand, the lifecycle only accepts a prefix and not regex/pattern matching. So I've updated the lifecycle delete old versions of the index to the prefix resources to capture both the old resources.json.gz and the new resources/*.json.gz files.

[jameshadfield]

I'm admittedly not great at jq so could you explain what's hapenning here? My reading/testing is that we're just setting a string with identical contents to that of $jq_filter

[joverlee521]

Ah, bad naming on my part! Like you said, this is just my way of ensuring I am building a properly formatted JSON array.

[tsibley]

In case it's clarifying, the difference between:

ref_matrix=$(jq -c --null-input "[ env.PRODUCTION_COMMIT, env.CANARY_COMMIT ]")

and something like:

ref_matrix="[ \"$PRODUCTION_COMMIT\", \"$CANARY_COMMIT\" ]"

is that the former ensures a valid JSON value and the latter does not.

[jameshadfield]

What's the use case for running this manually? (I can't think of one, but maybe there is?) If we are going to call this manually I think we need to add documentation explaining why we would do it.

[joverlee521]

What's the use case for running this manually?

The one use case I can think of is if we create a review app directly within Heroku without a PR that triggers the automated CI workflow rebuild of the index. We would manually run the index-resources.yml to upload the tmp index.

[jameshadfield]

I think the language here needs to be a bit more precise. It's not a prefix in the S3 sense of the word, it's a string that'll be added within the final s3 key, akin to a directory name.

[joverlee521]

No longer relevant for this PR since I'm going to do the review-app stuff separately.

[jameshadfield]

I found this line quite confusing and (for me) it would be easier to understand if you renamed the get_branch job toget_resource_index_prefix

[joverlee521]

No longer relevant for this PR since I'm going to do the review-app stuff separately.

[jameshadfield]

Do you have some docs on HEROKU_BRANCH? I can only find this page which implies it's only for review apps, but also implies that it's not stable and is likely to change in the future.

It'd be clearer to prepend the server call with a env-setting function, like set-review-app-variables which could self-document the steps that are going on, and perhaps query other env variables to ensure we are indeed running on a review app.

[tsibley]

Note that we already use one of those variables, HEROKU_PR_NUMBER, to detect review app-ness:

nextstrain.org/src/config.js

Lines 36 to 46 in 31ecbc4

	/**
	* Running as a Heroku Review app?
	*
	* These run in production mode but do not have access to sensitive information
	* (private S3 buckets, production Redis, production encryption keys, etc).
	*
	* See {@link https://devcenter.heroku.com/articles/github-integration-review-apps#injected-environment-variables}.
	*
	* @type {boolean}
	*/
	export const REVIEW_APP = !!process.env.HEROKU_PR_NUMBER;

and adjust config:

nextstrain.org/src/config.js

Lines 391 to 412 in 31ecbc4

	/**
	* Flag indicating if Redis (via REDIS_URL) is required.
	*
	* Defaults to true if {@link PRODUCTION} and not {@link REVIEW_APP}, otherwise
	* false.
	*
	* @type {boolean}
	*/
	/* XXX TODO: Provision lowest-tier Heroku Redis addon for review apps and
	* remove the !REVIEW_APP condition.
	*
	* Heroku has good support for this, but to enable it I think we need to switch
	* how we configure review apps. Currently they're configured via the Heroku
	* Dashboard¹. I think we need to switch to the app.json file² instead, as
	* described in the review app documentation.³
	* -trs, 12 Oct 2023
	*
	* ¹ <https://dashboard.heroku.com/pipelines/38f67fc7-d93c-40c6-a182-501da2f89d9d/settings>
	* ² <https://devcenter.heroku.com/articles/app-json-schema>
	* ³ <https://devcenter.heroku.com/articles/github-integration-review-apps>
	*/
	export const REDIS_REQUIRED = fromEnvOrConfig("REDIS_REQUIRED", PRODUCTION && !REVIEW_APP);

[jameshadfield]

Since we already have the concept of heroku review apps in the config.js, and that's also where the index location is defined (as in, the location definition the server's actually using), let's modify the logic of the following section (and related docs) to account for running on heroku review apps:

nextstrain.org/src/config.js

Lines 455 to 464 in 31ecbc4

	/**
	* Location of the JSON file to be used as the resource collection index. Can be
	* a S3 address or a local filepath, if S3 then the file must be gzipped.
	*
	* If sourced from the config file, relative paths are resolved relative to the
	* repo root directory ("nextstrain.org").
	*
	* Falsey values result in the resource collection functionality not being used.
	*/
	export const RESOURCE_INDEX = fromEnvOrConfig("RESOURCE_INDEX", null);

[tsibley]

I was hesitant to suggest that because it means that the value passed in as RESOURCE_INDEX won't be what's actually used depending on unseen other values (i.e. HEROKU_PR_NUMBER), and that seemed undesirable/confusing and a first for the config. I think RESOURCE_INDEX for review apps should still be set outside of the app, like it is for production.

[joverlee521]

No longer relevant for this PR since I'm going to do the review-app stuff separately.

[tsibley]

It will be helpful to have separate indexes!

I wonder though about approaching the machinery for setting them up a bit differently, as noted in my comments.

[tsibley]

Note that we already use one of those variables, HEROKU_PR_NUMBER, to detect review app-ness:

nextstrain.org/src/config.js

Lines 36 to 46 in 31ecbc4

	/**
	* Running as a Heroku Review app?
	*
	* These run in production mode but do not have access to sensitive information
	* (private S3 buckets, production Redis, production encryption keys, etc).
	*
	* See {@link https://devcenter.heroku.com/articles/github-integration-review-apps#injected-environment-variables}.
	*
	* @type {boolean}
	*/
	export const REVIEW_APP = !!process.env.HEROKU_PR_NUMBER;

and adjust config:

nextstrain.org/src/config.js

Lines 391 to 412 in 31ecbc4

	/**
	* Flag indicating if Redis (via REDIS_URL) is required.
	*
	* Defaults to true if {@link PRODUCTION} and not {@link REVIEW_APP}, otherwise
	* false.
	*
	* @type {boolean}
	*/
	/* XXX TODO: Provision lowest-tier Heroku Redis addon for review apps and
	* remove the !REVIEW_APP condition.
	*
	* Heroku has good support for this, but to enable it I think we need to switch
	* how we configure review apps. Currently they're configured via the Heroku
	* Dashboard¹. I think we need to switch to the app.json file² instead, as
	* described in the review app documentation.³
	* -trs, 12 Oct 2023
	*
	* ¹ <https://dashboard.heroku.com/pipelines/38f67fc7-d93c-40c6-a182-501da2f89d9d/settings>
	* ² <https://devcenter.heroku.com/articles/app-json-schema>
	* ³ <https://devcenter.heroku.com/articles/github-integration-review-apps>
	*/
	export const REDIS_REQUIRED = fromEnvOrConfig("REDIS_REQUIRED", PRODUCTION && !REVIEW_APP);

[tsibley]

non-blocking

This whole thing would be nice to simplify away with #853.

[tsibley]

non-blocking

How much simpler would it be if we used the commit id as the "index version" instead of a monotonically-increasing number? (I know we floated both ideas, but I don't recall discussing which to use…)

[joverlee521]

Hmm, if we use commit id, we wouldn't run into potential version number clashes between branches.

I thought using commit id comes with it's own weirdness if we continue to store the RESOURCE_INDEX in the config.json. E.g. the commit id in the RESOURCE_INDEX would be pointing to the parent commit id. Also, instead of updating it manually, we would probably want to set up a commit hook to automatically update the RESOURCE_INDEX on every commit?

[joverlee521]

Chatted more about this with @tsibley in our 1:1 today.

If we do use the commit id as the version, then we would probably stop hard-coding the RESOURCE_INDEX within the config.json and just set it within the Heroku slug. It would be less obvious of what RESOURCE_INDEX the deployed site is using unless you download the slug or we implement #853.

---

Leaving this as a future decision as we can make do with the number versions for now.

[tsibley]

Ah, yeah. Let's not rewrite files on every single commit! We could instead do something similar as part of the build process (e.g. bake in an updated RESOURCE_INDEX, or bake in a commit id in a file that's used at runtime to construct the right path, etc.). This could even be done via Git's ident munging (à la RCS). [Update: Ah, not quite. That's the blob id, not the commit id. A custom filter clean/smudge would be needed.] But let's leave that for the future, if ever.

[joverlee521]

We can revisit this idea in #867

[joverlee521]

I'm planning to merge this tomorrow ~morning, so I can monitor the first CI deployment.

[joverlee521]

The first merge/deploy failed because I missed the secrets weren't being passed from CI to index-resources. Fixed in #864.

However still running into some issues:

1. The second merge/deploy succeeded, however, the build-index-matrix job pointed to the nextstrain-server ref -> This is more complicated because the github context is the caller workflows context! (Looking into workarounds in How do you identify the trigger action that's coming from Workflow Call? actions/runner#1884). --> Fixing in index-resources.yml: Add is-workflow-call input #865

2. I manually triggered the index-resources workflow, but the created matrix hash for the nextstrain-canary is the shortened version instead of the full hash. -> Fixing with a77b0f2.

[joverlee521]

Last night's scheduled index resources workflow ran as expected, updating both the nextstrain-server resources.json.gz and the nextstrain-canary resources/v1.json.gz 🎉