diff --git a/api/.env-sample b/api/.env-sample index dc2fba15..b59d598b 100644 --- a/api/.env-sample +++ b/api/.env-sample @@ -8,7 +8,6 @@ DATA_MODEL_DATABASE_URL=sqlite:///db_data_model.sqlite3 # DATABASE_URL_FOR_DOCKER=postgres://passport_scorer:passport_scorer_pwd@postgres:5432/passport_scorer ALLOWED_HOSTS='[]' TEST_MNEMONIC=test val is here ... -UI_DOMAINS=[localhost:3000, www.localhost:3000] CELERY_BROKER_URL=redis://localhost:6379/0 diff --git a/api/scorer/settings/base.py b/api/scorer/settings/base.py index 7b066b50..234fc6e5 100644 --- a/api/scorer/settings/base.py +++ b/api/scorer/settings/base.py @@ -29,8 +29,6 @@ CERAMIC_CACHE_API_KEY = env("CERAMIC_CACHE_API_KEY", default="") -UI_DOMAINS = env("UI_DOMAINS", default=["localhost:3000", "www.localhost:3000"]) - SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env("GOOGLE_OAUTH_CLIENT_ID", default="") SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env("GOOGLE_CLIENT_SECRET", default="") diff --git a/infra/aws/index.ts b/infra/aws/index.ts index b4d0bf68..55ca8b32 100644 --- a/infra/aws/index.ts +++ b/infra/aws/index.ts @@ -25,8 +25,6 @@ import { createVerifierService } from "./verifier"; import { createS3InitiatedECSTask } from "../lib/scorer/s3_initiated_ecs_task"; import { stack, defaultTags, StackType } from "../lib/tags"; -// The following vars are not allowed to be undefined, hence the `${...}` magic - ////////////////////////////////////////////////////////////// // Loading environment variables ////////////////////////////////////////////////////////////// @@ -44,19 +42,21 @@ const route53ZoneForPublicData = op.read.parse( `op://DevOps/passport-scorer-${stack}-env/ci/ROUTE_53_ZONE_FOR_PUBLIC_DATA` ); -const rootDomain = op.read.parse( +const legacyRootDomain = op.read.parse( `op://DevOps/passport-scorer-${stack}-env/ci/ROOT_DOMAIN` ); -const domain = +const legacyDomain = stack == "production" - ? `api.scorer.${rootDomain}` - : `api.${stack}.scorer.${rootDomain}`; + ? `api.scorer.${legacyRootDomain}` + : `api.${stack}.scorer.${legacyRootDomain}`; +// We only need the publicDataDomain for the legacyRootDomain +// as we hope to be able to drop that before finalizing the mirgation to the new domain const publicDataDomain = stack == "production" - ? `public.scorer.${rootDomain}` - : `public.${stack}.scorer.${rootDomain}`; + ? `public.scorer.${legacyRootDomain}` + : `public.${stack}.scorer.${legacyRootDomain}`; const current = aws.getCallerIdentity({}); const regionData = aws.getRegion({}); @@ -126,6 +126,14 @@ const vpcID = coreInfraStack.getOutput("vpcId"); const vpcPrivateSubnetIds = coreInfraStack.getOutput("privateSubnetIds"); const vpcPublicSubnetIds = coreInfraStack.getOutput("publicSubnetIds"); +const passportXyzDomainName = coreInfraStack.getOutput("passportXyzDomainName"); +const passportXyzHostedZoneId = coreInfraStack.getOutput( + "passportXyzHostedZoneId" +); +const passportXyzCertificateArn = coreInfraStack.getOutput( + "passportXyzCertificateArn" +); + const vpcPublicSubnetId1 = vpcPublicSubnetIds.apply((values) => values[0]); const vpcPublicSubnetId2 = vpcPublicSubnetIds.apply((values) => values[1]); @@ -449,7 +457,7 @@ const httpsListener = HTTPS_ALB_CERT_ARN.apply( // Create a DNS record for the load balancer const www = new aws.route53.Record("scorer", { zoneId: route53Zone, - name: domain, + name: legacyDomain, type: "A", aliases: [ { @@ -634,12 +642,10 @@ const serviceTaskRole = new aws.iam.Role("scorer-service-task-role", { ], Resource: "*", }, - // CloudFront + // CloudFront { Effect: "Allow", - Action: [ - "cloudfront:CreateInvalidation", - ], + Action: ["cloudfront:CreateInvalidation"], Resource: "*", }, ], @@ -667,7 +673,12 @@ const apiEnvironment = [ }, { name: "CSRF_TRUSTED_ORIGINS", - value: JSON.stringify([`https://${domain}`]), + value: passportXyzDomainName.apply((passportXyzDomainNameStr) => + JSON.stringify([ + `https://${legacyDomain}`, + `https://${passportXyzDomainNameStr}`, + ]) + ), }, { name: "CERAMIC_CACHE_CACAO_VALIDATION_URL", @@ -693,13 +704,12 @@ const apiEnvironment = [ name: "RESCORE_QUEUE_URL", value: rescoreQueue.url, }, - { - name: "UI_DOMAINS", - value: JSON.stringify(["scorer." + rootDomain, "www.scorer." + rootDomain]), - }, { name: "ALLOWED_HOSTS", - value: JSON.stringify([domain, "*"]), + value: passportXyzDomainName.apply((passportXyzDomainNameStr) => + // TODO: geri: investigate if using '*' here is a security risk + JSON.stringify([legacyDomain, passportXyzDomainNameStr, "*"]) + ), }, { name: "VERIFIER_URL", @@ -1268,7 +1278,7 @@ const redashHttpsListener = HTTPS_ALB_CERT_ARN.apply( const redashRecord = new aws.route53.Record("redash", { zoneId: route53Zone, - name: "redash." + domain, + name: "redash." + legacyDomain, type: "A", aliases: [ { @@ -1915,3 +1925,38 @@ const amplifyAppInfo = coreInfraStack }); export const amplifyAppHookUrl = pulumi.secret(amplifyAppInfo.webHook.url); + +// Create a DNS record for the load balancer +pulumi.all([passportXyzDomainName]).apply((passportXyzDomainNameStr) => { + const apiDomain = `api.${passportXyzDomainNameStr}`; + const apiDomainRecord = new aws.route53.Record(apiDomain, { + zoneId: passportXyzHostedZoneId, + name: "api", + type: "CNAME", + ttl: 300, + records: [alb.dnsName], + }); + + const redashDomain = `redash.${passportXyzDomainNameStr}`; + const redashRecord = new aws.route53.Record(redashDomain, { + zoneId: passportXyzHostedZoneId, + name: "redash", + type: "A", + aliases: [ + { + name: redashAlb.dnsName, + zoneId: redashAlb.zoneId, + evaluateTargetHealth: true, + }, + ], + }); +}); + +const coreAlbPassportXyz = new aws.lb.ListenerCertificate( + "core-alb-passport-xyz", + { + listenerArn: httpsListener.arn, + certificateArn: passportXyzCertificateArn, + }, + {} +); diff --git a/infra/lib/scorer/new_service.ts b/infra/lib/scorer/new_service.ts index 09378960..101e085c 100644 --- a/infra/lib/scorer/new_service.ts +++ b/infra/lib/scorer/new_service.ts @@ -45,7 +45,7 @@ export function createTargetGroup( vpcId: Input ): TargetGroup { return new TargetGroup(name, { - tags: { + tags: { ...defaultTags, Name: name }, port: 80, @@ -68,7 +68,7 @@ export function createScorerECSService({ environment: secretsManager.EnvironmentVar[]; secrets: pulumi.Output; loadBalancerAlarmThresholds: AlarmConfigurations; -}): awsx.ecs.FargateService { +}): awsx.ecs.FargateService | undefined { ////////////////////////////////////////////////////////////// // Create target group and load balancer rules ////////////////////////////////////////////////////////////// @@ -128,6 +128,7 @@ export function createScorerECSService({ }; const service = new awsx.ecs.FargateService(name, { + name: name, propagateTags: "TASK_DEFINITION", tags: { ...defaultTags, Name: name }, cluster: config.cluster.arn, @@ -144,7 +145,7 @@ export function createScorerECSService({ }, ], taskDefinitionArgs: { - tags: { name: name }, + tags: { ...defaultTags, Name: name }, logGroup: { existing: config.logGroup, }, @@ -914,7 +915,7 @@ export function buildHttpLambdaFn( function: lambdaFunction.name, principal: "elasticloadbalancing.amazonaws.com", sourceArn: lambdaTargetGroup.arn, - + }); const lambdaTargetGroupAttachment = new aws.lb.TargetGroupAttachment( @@ -922,7 +923,7 @@ export function buildHttpLambdaFn( { targetGroupArn: lambdaTargetGroup.arn, targetId: lambdaFunction.arn, - + }, { dependsOn: [withLb], diff --git a/infra/package.json b/infra/package.json index 2c39ceec..dc5e345a 100644 --- a/infra/package.json +++ b/infra/package.json @@ -13,6 +13,6 @@ "@pulumi/awsx": "^1.0.5", "@pulumi/command": "^0.10.0", "@pulumi/pulumi": "^3.79.0", - "infra-libs": "passportxyz/infra-libs#semver:^1.2.1" + "infra-libs": "passportxyz/infra-libs#semver:1.2.1" } } diff --git a/infra/yarn.lock b/infra/yarn.lock index fb687b6c..50530744 100644 --- a/infra/yarn.lock +++ b/infra/yarn.lock @@ -1673,7 +1673,7 @@ inflight@^1.0.4: once "^1.3.0" wrappy "1" -"infra-libs@passportxyz/infra-libs#semver:^1.2.1": +"infra-libs@passportxyz/infra-libs#semver:1.2.1": version "1.0.0" resolved "https://codeload.github.com/passportxyz/infra-libs/tar.gz/8170b9d4286cad3ad0809c252f65fc0d36776dae" dependencies: