More changes in support of multiple orchestrations #32
Conversation
There was a problem hiding this comment.
These changes aside from some small things I think you're already working to clean up generally look great. One thing to look into though is why the security group rules for the application security group are being dropped. We saw in your test account that the security group is missing rules, though it is not obvious from the code changes why.
| class SingletonManager(): | ||
|
|
||
| def __init__(self, singleton_class, *singleton_args, **singleton_kwargs): | ||
| self._singleton = None | ||
| self._singleton_class = singleton_class | ||
| self._singleton_args = singleton_args | ||
| self._singleton_kwargs = singleton_kwargs | ||
|
|
||
| @property | ||
| def singleton(self): | ||
| if not self._singleton: | ||
| self._singleton = self._singleton_class(*self._singleton_args or (), **self._singleton_kwargs or {}) | ||
| return self._singleton |
There was a problem hiding this comment.
Probably but not today. I'll make a note for the future.
| app_utils_obj = AppUtils() | ||
|
|
||
| # app_utils_obj = AppUtils() | ||
| app_utils_manager = SingletonManager(AppUtils) |
There was a problem hiding this comment.
Is the concern multiple initialization? I think chalice prevents that from happening, but admit I'm not sure. We have not had issues with this in the past though.
There was a problem hiding this comment.
Yeah. We can look at that later. Seems harmless if it's done elsewhere too.
|
|
||
|
|
||
| ######################## | ||
| # Misc utility functions | ||
| ######################## | ||
|
|
||
|
|
||
| def compute_valid_deploy_stages(): | ||
| return list(Deploy.CONFIG_BASE['stages'].keys()) + ['test'] |
There was a problem hiding this comment.
test is not a deploy stage I'm aware of.
There was a problem hiding this comment.
It's allowed somewhere, and not due to me. We should hunt this down sometime. I'm going to leave this.
| source ~/.aws_test/test_creds.sh | ||
| poetry run cli provision --trial --output_file out/foursight-dev-tmp/ --stage dev foursight --alpha --upload_change_set | ||
| source custom/aws_creds/test_creds.sh | ||
| poetry run cli provision --output_file out/foursight-dev-tmp/ --stage dev foursight --upload_change_set |
There was a problem hiding this comment.
A note on dev vs. prod stage is probably useful here.
There was a problem hiding this comment.
I added a "to do" note in the doc.
| secrets = self._load_config(self.SECRETS_FILE) | ||
| if True: | ||
| if not secrets.get(Secrets.S3_ENCRYPT_KEY): # if missing or empty, try to default from file | ||
| secrets[Secrets.S3_ENCRYPT_KEY] = ConfigManager.get_s3_encrypt_key_from_file() | ||
| else: | ||
| print(f"WARNING: {Secrets.S3_ENCRYPT_KEY} is not in {self.SECRETS_FILE}," | ||
| f" and the file {self.S3_ENCRYPT_KEY_FILE} does not exist.") |
There was a problem hiding this comment.
if True is this intended?
| ignorable(indexer) | ||
| template.add_resource(self.ecs_ingester_task()) | ||
| ingester = template.add_resource(self.ecs_ingester_service()) | ||
| ignorable(ingester) |
There was a problem hiding this comment.
These variables are from old code and can just be removed.
There was a problem hiding this comment.
Fixed in sources to be uploaded shortl.
| # VERY IMPORTANT - this environment variable determines which identity in the secrets manager | ||
| # to use. If this secret does not exist, things will not start up correctly - this is ok in | ||
| # the short term, but shortly after orchestration the secret value should be set. |
There was a problem hiding this comment.
Should probably be updated to indicate that ECS may not come online at all if the secret is not filled out fully.
| @@ -680,15 +696,17 @@ def ecs_deployment_task(self, cpus='256', mem='512', identity=None, initial=Fals | |||
| LogConfiguration=LogConfiguration( | |||
| LogDriver='awslogs', | |||
| Options={ | |||
| 'awslogs-group': self.LOGGING_EXPORTS.import_value(C4LoggingExports.CGAP_APPLICATION_LOG_GROUP), | |||
| 'awslogs-group': | |||
| self.LOGGING_EXPORTS.import_value(C4LoggingExports.CGAP_APPLICATION_LOG_GROUP), | |||
| 'awslogs-region': Ref(AWS_REGION), | |||
| 'awslogs-stream-prefix': 'cgap-deployment' | |||
There was a problem hiding this comment.
This prefix should probably be cgap-initial-deployment so that it can be distinguished easily from other deployment logs.
| "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", | ||
| # Maybe? | ||
| # "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy" | ||
| # Maybe? | ||
| # "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy" |
There was a problem hiding this comment.
The ECS role policy is the desired one and we don't require the EC2 perms either IRC.
| SUBNETS = { | ||
| 'PrivateSubnetA': {'name': 'PrivateSubnetA', 'cidr_block': '10.0.0.0/18', 'az': 'us-east-1a', 'kind': 'private'}, | ||
| 'PublicSubnetA': {'name': 'PublicSubnetA', 'cidr_block': '10.0.64.0/18', 'az': 'us-east-1a', 'kind': 'public'}, | ||
| 'PrivateSubnetB': {'name': 'PrivateSubnetB', 'cidr_block': '10.0.128.0/18', 'az': 'us-east-1b', 'kind': 'private'}, | ||
| 'PublicSubnetB': {'name': 'PublicSubnetB', 'cidr_block': '10.0.192.0/18', 'az': 'us-east-1b', 'kind': 'public'}, | ||
| } |
There was a problem hiding this comment.
Might consider allowing some of this to come from settings, especially AZ's.
This is work in progress.PLEASE IGNORE THE FOLLOWING, which I'll be cleaning up more: