EAS-481 Modifications to enable Fargate deployment (#9)

* add serverless aurora config * add ssl cert to sqlalchemy config * temporarily take db password from env var * add default db * fix host name * some extra logging * work in progress - aurora serverless connectivity * Adding iam authentication * Updating config to correct endpoint addresses * Updating regions to eu-west-2 * Updating run celery with uid and hostname * remove dependence on specific tag version of utils * get lambda credentials from env vars not config * fix user and log level for non-scheduled celery runner * enable CBC proxy in serverlessdb mode * allow LogData to be extended with arbitrary key-value pairs * add requirements file generated by 'make freeze-requirements' * fix makefile step for serverless --------- Co-authored-by: Lewis Stevens <lewis.stevens@digital.cabinet-office.gov.uk>
alphagov · Feb 27, 2023 · 7ec99dd · 7ec99dd
1 parent 6476721
commit 7ec99dd
Show file tree

Hide file tree

Showing 16 changed files with 2,981 additions and 91 deletions.
diff --git a/Makefile b/Makefile
@@ -30,6 +30,10 @@ bootstrap: generate-version-file ## Set up everything to run the app
 	createdb emergency_alerts || true
 	(. environment.sh && flask db upgrade) || true
 
+.PHONY: bootstrap-serverless-db
+bootstrap-serverless-db: generate-version-file
+	pip3 install -r requirements_for_test.txt
+
 .PHONY: bootstrap-with-docker
 bootstrap-with-docker: ## Build the image to run the app in Docker
 	docker build -f docker/Dockerfile -t emergency-alerts-api .
@@ -42,9 +46,11 @@ run-flask: ## Run flask
 run-celery: ## Run celery
 	. environment.sh && celery \
 		-A run_celery.notify_celery worker \
-		--pidfile="/tmp/celery.pid" \
-		--loglevel=INFO \
-		--concurrency=4
+		--uid=$(shell id -u easuser) \
+		--pidfile=/tmp/celery.pid \
+		--loglevel=WARNING \
+		--concurrency=4 \
+		--hostname=0.0.0.0
 
 .PHONY: run-celery-with-docker
 run-celery-with-docker: ## Run celery in Docker container (useful if you can't install pycurl locally)

diff --git a/app/__init__.py b/app/__init__.py
@@ -1,9 +1,11 @@
 import os
 import random
+import ssl
 import string
 import time
 import uuid
 from time import monotonic
+import boto3
 
 from celery import current_task
 from emergency_alerts_utils import logging, request_helper
@@ -27,6 +29,7 @@
 from flask_sqlalchemy import SQLAlchemy as _SQLAlchemy
 from gds_metrics import GDSMetrics
 from gds_metrics.metrics import Gauge, Histogram
+from pathlib import Path
 from sqlalchemy import event
 from werkzeug.exceptions import HTTPException as WerkzeugHTTPException
 from werkzeug.local import LocalProxy
@@ -93,6 +96,16 @@ def create_app(application):
     metrics.init_app(application)
     request_helper.init_app(application)
     db.init_app(application)
+
+    boto_session = boto3.Session(region_name=os.environ["AWS_REGION"])
+    rds_client = boto_session.client('rds')
+
+    with application.app_context():
+        @event.listens_for(db.engine, "do_connect")
+        def receive_do_connect(dialect, conn_rec, cargs, cparams):
+            token = get_authentication_token(rds_client)
+            cparams['password'] = token
+
     migrate.init_app(application, db=db)
     ma.init_app(application)
     zendesk_client.init_app(application)
@@ -308,7 +321,22 @@ def register_v2_blueprints(application):
     application.register_blueprint(v2_broadcast_blueprint)
 
 
+def get_authentication_token(rds_client):
+    try:
+        auth_token = rds_client.generate_db_auth_token(
+            DBHostname=os.environ["RDS_HOST"],
+            Port=os.environ["RDS_PORT"],
+            DBUsername=os.environ["RDS_USER"],
+            Region=os.environ["RDS_REGION"]
+        )
+
+        return auth_token
+    except Exception as e:
+        print("Could not generate auth token due to {}".format(e))
+
+
 def init_app(app):
+
     @app.before_request
     def record_request_details():
         CONCURRENT_REQUESTS.inc()

diff --git a/app/broadcast_message/rest.py b/app/broadcast_message/rest.py
@@ -1,6 +1,9 @@
 import iso8601
+
+from botocore.exceptions import ClientError
+from emergency_alerts_utils.structured_logging import LogData, log_to_cloudwatch
 from emergency_alerts_utils.template import BroadcastMessageTemplate
-from flask import Blueprint, jsonify, request
+from flask import Blueprint, jsonify, request, current_app
 
 from app.broadcast_message import utils as broadcast_utils
 from app.broadcast_message.broadcast_message_schema import (
@@ -134,6 +137,19 @@ def update_broadcast_message_status(service_id, broadcast_message_id):
     validate(data, update_broadcast_message_status_schema)
     broadcast_message = dao_get_broadcast_message_by_id_and_service_id(broadcast_message_id, service_id)
 
+    try:
+        logData = LogData(
+            source = "eas-app-api",
+            module = "broadcast_message.rest",
+            method = "update_broadcast_message_status",
+            serviceId = service_id,
+            broadcastMessageId = broadcast_message_id
+        )
+        logData.addData("status", data["status"])
+        log_to_cloudwatch(logData)
+    except ClientError as e:
+        current_app.logger.info("Error writing to CloudWatch: %s", e)
+
     if not broadcast_message.service.active:
         raise InvalidRequest("Updating broadcast message is not allowed: service is inactive ", 403)
 

diff --git a/app/celery/research_mode_tasks.py b/app/celery/research_mode_tasks.py
@@ -149,7 +149,7 @@ def ses_notification_callback(reference):
             "processingTimeMillis": 2003,
             "recipients": ["success@simulator.amazonses.com"],
             "remoteMtaIp": "123.123.123.123",
-            "reportingMTA": "a7-32.smtp-out.eu-west-1.amazonses.com",
+            "reportingMTA": "a7-32.smtp-out.eu-west-2.amazonses.com",
             "smtpResponse": "250 2.6.0 Message received",
             "timestamp": "2017-11-17T12:14:03.646Z",
         },
@@ -174,7 +174,7 @@ def ses_notification_callback(reference):
             "messageId": reference,
             "sendingAccountId": "12341234",
             "source": '"TEST" <TEST@notify.works>',
-            "sourceArn": "arn:aws:ses:eu-west-1:12341234:identity/notify.works",
+            "sourceArn": "arn:aws:ses:eu-west-2:12341234:identity/notify.works",
             "sourceIp": "0.0.0.1",
             "timestamp": "2017-11-17T12:14:01.643Z",
         },
@@ -184,14 +184,14 @@ def ses_notification_callback(reference):
     return {
         "Type": "Notification",
         "MessageId": "8e83c020-1234-1234-1234-92a8ee9baa0a",
-        "TopicArn": "arn:aws:sns:eu-west-1:12341234:ses_notifications",
+        "TopicArn": "arn:aws:sns:eu-west-2:12341234:ses_notifications",
         "Subject": None,
         "Message": json.dumps(ses_message_body),
         "Timestamp": "2017-11-17T12:14:03.710Z",
         "SignatureVersion": "1",
         "Signature": "[REDACTED]",
-        "SigningCertUrl": "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-[REDACTED].pem",
-        "UnsubscribeUrl": "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=[REACTED]",
+        "SigningCertUrl": "https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-[REDACTED].pem",
+        "UnsubscribeUrl": "https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=[REACTED]",
         "MessageAttributes": {},
     }
 
@@ -219,7 +219,7 @@ def _ses_bounce_callback(reference, bounce_type):
             ],
             "feedbackId": "0102015fc9e676fb-12341234-1234-1234-1234-9301e86a4fa8-000000",
             "remoteMtaIp": "123.123.123.123",
-            "reportingMTA": "dsn; a7-31.smtp-out.eu-west-1.amazonses.com",
+            "reportingMTA": "dsn; a7-31.smtp-out.eu-west-2.amazonses.com",
             "timestamp": "2017-11-17T12:14:05.131Z",
         },
         "mail": {
@@ -243,7 +243,7 @@ def _ses_bounce_callback(reference, bounce_type):
             "messageId": reference,
             "sendingAccountId": "12341234",
             "source": '"TEST" <TEST@notify.works>',
-            "sourceArn": "arn:aws:ses:eu-west-1:12341234:identity/notify.works",
+            "sourceArn": "arn:aws:ses:eu-west-2:12341234:identity/notify.works",
             "sourceIp": "0.0.0.1",
             "timestamp": "2017-11-17T12:14:03.000Z",
         },
@@ -252,13 +252,13 @@ def _ses_bounce_callback(reference, bounce_type):
     return {
         "Type": "Notification",
         "MessageId": "36e67c28-1234-1234-1234-2ea0172aa4a7",
-        "TopicArn": "arn:aws:sns:eu-west-1:12341234:ses_notifications",
+        "TopicArn": "arn:aws:sns:eu-west-2:12341234:ses_notifications",
         "Subject": None,
         "Message": json.dumps(ses_message_body),
         "Timestamp": "2017-11-17T12:14:05.149Z",
         "SignatureVersion": "1",
         "Signature": "[REDACTED]",  # noqa
-        "SigningCertUrl": "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-[REDACTED]].pem",
-        "UnsubscribeUrl": "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=[REDACTED]]",
+        "SigningCertUrl": "https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-[REDACTED]].pem",
+        "UnsubscribeUrl": "https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=[REDACTED]]",
         "MessageAttributes": {},
     }