EAS-856 Fix non-root user & credentials to get scheduled jobs running (…

…#18) * add redis to make celery work * remove unnecessary function from start-celery script * clean up docker files and get redis flag from environment variable * remove unnecessary redis instance * remove unecessary redis env vars, and re-add aws-cli to avoid version resolution issue on bootstrap * remove unused file * use role-based credentials
alphagov · Mar 30, 2023 · 77be931 · 77be931
1 parent 96818d1
commit 77be931
Show file tree

Hide file tree

Showing 9 changed files with 60 additions and 23 deletions.
diff --git a/Dockerfile.eas-api b/Dockerfile.eas-api
@@ -23,4 +23,4 @@ RUN useradd -ms /bin/bash easuser && chown -R easuser:easuser $API_DIR
 COPY scripts/start-api.sh /
 CMD bash /start-api.sh
 
-EXPOSE 6011 6379 6013
+EXPOSE 6011 6013
diff --git a/Dockerfile.eas-celery b/Dockerfile.eas-celery
@@ -7,17 +7,19 @@ ENV API_DIR=/eas/emergency-alerts-api
 # Create root directory and copy repo
 COPY . $API_DIR
 
+# Download the database certificate
+RUN wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -O /etc/ssl/certs/global-bundle.pem && \
+    update-ca-certificates
+
 # Build emergency-alerts-api
 RUN $PYTHON_VERSION -m venv $VENV_API && cd $API_DIR && . $VENV_API/bin/activate && \
     pip3 install pycurl && make bootstrap
 
 # Create a blank configuration file
 RUN echo "" > $API_DIR/environment.sh
 
-RUN useradd -ms /bin/bash celery && chown -R celery:celery $API_DIR
+RUN useradd -ms /bin/bash easuser && chown -R easuser:easuser $API_DIR
 
 COPY scripts/healthcheck.sh /
 COPY scripts/start-celery.sh /
 CMD bash /start-celery.sh
-
-EXPOSE 8125
diff --git a/app/celery/scheduled_tasks.py b/app/celery/scheduled_tasks.py
@@ -69,11 +69,10 @@
 
 
 @notify_celery.task(name="run-health-check")
-@cronitor("run-health-check")
 def run_health_check():
     try:
         time_stamp = int(time.time())
-        with open("/eas/celery-beat-healthcheck", mode="w") as file:
+        with open("/eas/emergency-alerts-api/celery-beat-healthcheck", mode="w") as file:
             file.write(str(time_stamp))
     except Exception:
         current_app.logger.exception("Unable to generate health-check timestamp")

diff --git a/app/config.py b/app/config.py
@@ -203,7 +203,7 @@ class Config(object):
             # app/celery/scheduled_tasks.py
             "run-health-check": {
                 "task": "run-health-check",
-                "schedule": crontab(),
+                "schedule": crontab(minute='*/1'),
                 "options": {"queue": QueueNames.PERIODIC},
             },
             "run-scheduled-jobs": {
@@ -223,12 +223,12 @@ class Config(object):
             },
             "switch-current-sms-provider-on-slow-delivery": {
                 "task": "switch-current-sms-provider-on-slow-delivery",
-                "schedule": crontab(),  # Every minute
+                "schedule": crontab(minute='*/1'),  # Every minute
                 "options": {"queue": QueueNames.PERIODIC},
             },
             "check-job-status": {
                 "task": "check-job-status",
-                "schedule": crontab(),
+                "schedule": crontab(minute='*/1'),
                 "options": {"queue": QueueNames.PERIODIC},
             },
             "tend-providers-back-to-middle": {

diff --git a/requirements.in b/requirements.in
@@ -1,6 +1,7 @@
 # Run `make freeze-requirements` to update requirements.txt
 # with package version changes made in requirements.in
 
+awscli==1.27.101
 cffi==1.15.1
 celery[sqs]==5.2.7
 Flask-Bcrypt==1.0.1

diff --git a/requirements.txt b/requirements.txt
@@ -16,6 +16,8 @@ async-timeout==4.0.2
     # via redis
 attrs==22.1.0
     # via jsonschema
+awscli==1.27.101
+    # via -r requirements.in
 bcrypt==4.0.0
     # via flask-bcrypt
 beautifulsoup4==4.11.1
@@ -26,8 +28,9 @@ blinker==1.5
     # via gds-metrics
 boto3==1.26.100
     # via emergency-alerts-utils
-botocore==1.29.100
+botocore==1.29.101
     # via
+    #   awscli
     #   boto3
     #   s3transfer
 cachetools==5.2.0
@@ -60,10 +63,14 @@ click-plugins==1.1.1
     # via celery
 click-repl==0.2.0
     # via celery
+colorama==0.4.4
+    # via awscli
 dnspython==2.2.1
     # via eventlet
 docopt==0.6.2
     # via notifications-python-client
+docutils==0.16
+    # via awscli
 eventlet==0.33.1
     # via gunicorn
 flask==2.2.2
@@ -167,6 +174,8 @@ prompt-toolkit==3.0.31
     # via click-repl
 psycopg2-binary==2.9.3
     # via -r requirements.in
+pyasn1==0.4.8
+    # via rsa
 pycparser==2.21
     # via cffi
 pyjwt==2.5.0
@@ -192,7 +201,9 @@ pytz==2022.4
     #   celery
     #   emergency-alerts-utils
 pyyaml==5.4.1
-    # via emergency-alerts-utils
+    # via
+    #   awscli
+    #   emergency-alerts-utils
 redis==4.5.3
     # via flask-redis
 requests==2.28.1
@@ -204,8 +215,12 @@ rfc3339-validator==0.1.4
     # via jsonschema
 rfc3987==1.3.8
     # via jsonschema
+rsa==4.7.2
+    # via awscli
 s3transfer==0.6.0
-    # via boto3
+    # via
+    #   awscli
+    #   boto3
 shapely==2.0.1
     # via emergency-alerts-utils
 six==1.16.0

diff --git a/scripts/healthcheck.sh b/scripts/healthcheck.sh
@@ -1,6 +1,6 @@
 #! /bin/sh
-timestamp_filename='/eas/celery-beat-healthcheck'
-expected_update_interval=600
+timestamp_filename='/eas/emergency-alerts-api/celery-beat-healthcheck'
+expected_update_interval=240
 previous_timestamp=0
 current_timestamp=$(date +%s)
 

diff --git a/scripts/start-api.sh b/scripts/start-api.sh
@@ -6,17 +6,15 @@ echo "Start script executing for api.."
 # for "Task IAM role" for more information about this endpoint)
 session_tokens=$(curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
 
-if [[ -z $AWS_ACCESS_KEY_ID ]] || [[ "$AWS_ACCESS_KEY_ID" == "" ]]; then
-  export AWS_ACCESS_KEY_ID=$(echo $session_tokens | jq -j .AccessKeyId)
+if [[ -z $CONTAINER_ROLE ]] || [[ "$CONTAINER_ROLE" == "" ]]; then
+  export CONTAINER_ROLE=$(echo $session_tokens | jq -j .RoleArn)
 fi
 
-if [[ -z $AWS_SECRET_ACCESS_KEY ]] || [[ "$AWS_SECRET_ACCESS_KEY" == "" ]]; then
-  export AWS_SECRET_ACCESS_KEY=$(echo $session_tokens | jq -j .SecretAccessKey)
-fi
-
-if [[ -z $AWS_SESSION_TOKEN ]] || [[ "$AWS_SESSION_TOKEN" == "" ]]; then
-  export AWS_SESSION_TOKEN=$(echo $session_tokens | jq -j .Token)
-fi
+function configure_container_role(){
+  aws configure set role_arn $CONTAINER_ROLE
+  aws configure set credential_source EcsContainer
+  aws configure set default.region eu-west-2
+}
 
 function run_celery(){
   cd $API_DIR;
@@ -28,5 +26,6 @@ function run_api(){
   . $VENV_API/bin/activate && flask run -p 6011 --host=0.0.0.0
 }
 
+configure_container_role
 run_celery
 run_api
diff --git a/scripts/start-celery.sh b/scripts/start-celery.sh
@@ -2,9 +2,30 @@
 
 echo "Start script executing for celery beat.."
 
+# Query the fixed container agent IP address for credentials (search the AWS docs
+# for "Task IAM role" for more information about this endpoint)
+session_tokens=$(curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
+
+if [[ -z $CONTAINER_ROLE ]] || [[ "$CONTAINER_ROLE" == "" ]]; then
+  export CONTAINER_ROLE=$(echo $session_tokens | jq -j .RoleArn)
+fi
+
+function configure_container_role(){
+  aws configure set role_arn $CONTAINER_ROLE
+  aws configure set credential_source EcsContainer
+  aws configure set default.region eu-west-2
+}
+
+function run_celery(){
+  cd $API_DIR;
+  . $VENV_API/bin/activate && make run-celery &
+}
+
 function run_celery_beat(){
   cd $API_DIR;
   . $VENV_API/bin/activate && make run-celery-beat
 }
 
+configure_container_role
+run_celery
 run_celery_beat