Fix spam on ICA rotator (and general upgrade) #411
b1b0bcd
828881c
0a53993
e6fa0eb
2073b59
1ca694c
6639a18
5e5bdc2
@@ -0,0 +1,62 @@ | ||
EXECUTABLES = python3 uv npx | ||
K := $(foreach exec,$(EXECUTABLES), $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH"))) | ||
|
||
# | ||
# by default we do everything to set up for running python and check the source is good | ||
# | ||
|
||
all: setup-python-cdk typecheck | ||
|
||
setup: setup-python-cdk | ||
|
||
setup-python-cdk: .venv/install.touch | ||
|
||
.PHONY: all setup setup-python-cdk | ||
|
||
# | ||
# the actual targets that should be targeted for running the various interesting activities | ||
# | ||
|
||
deploy-cdk-dev: setup-python-cdk typecheck | ||
. .venv/bin/activate; npx --yes cdk deploy ica-credentials-dev-stack | ||
|
||
typecheck: | ||
. .venv/bin/activate; mypy lambdas/notify_slack_lambda/app | ||
. .venv/bin/activate; mypy lambdas/jwt_producer_lambda/app | ||
. .venv/bin/activate; mypy cdk | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I will try this typechecker soon - https://github.com/python/mypy There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 100% - Python without mypy is like writing straight javascript |
||
|
||
format: | ||
. .venv/bin/activate; black . | ||
|
||
.PHONY: deploy-cdk undeploy-cdk typecheck format | ||
|
||
# | ||
# clean up working folders | ||
# | ||
|
||
clean: clean-python-cdk | ||
|
||
clean-python-cdk: | ||
find . -type f -name '*.py[co]' -delete -o -type d -name __pycache__ -delete | ||
rm -rf .venv/ | ||
rm -rf cdk.out/ | ||
rm -rf .mypy_cache/ | ||
|
||
.PHONY: clean clean-python-cdk | ||
|
||
# actual rules that create files/folders and build things | ||
|
||
# track the existence of the virtual with the activate script - everything is essentially dependent on this | ||
# NOTE: the python version chosen here should match that chosen for lambdas in the CDK! | ||
.venv/bin/activate: | ||
uv venv -p 3.12 | ||
|
||
requirements.txt: requirements.in | ||
. .venv/bin/activate; uv pip compile requirements.in -o requirements.txt | ||
|
||
requirements-dev.txt: requirements-dev.in | ||
. .venv/bin/activate; uv pip compile requirements-dev.in -o requirements-dev.txt | ||
|
||
# track the actual time of pip install with a touch file - so that it will re-trigger on changes to requirements | ||
.venv/install.touch: .venv/bin/activate requirements.txt requirements-dev.txt | ||
. .venv/bin/activate; uv pip install -r requirements.txt -r requirements-dev.txt && touch .venv/install.touch |
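Review bot: The `.PHONY: deploy-cdk undeploy-cdk typecheck format` line names targets that do not exist in this file — the deploy rule is `deploy-cdk-dev` and there is no `undeploy-cdk` — so `deploy-cdk-dev` is not marked phony and a stray file of that name would silently turn it into a no-op; change it to `.PHONY: deploy-cdk-dev typecheck format`. The prerequisite probe on the second line relies on `which`, which is not guaranteed on minimal images; `$(shell command -v $(exec))` is the portable form. The compiled requirements files are installed without content hashes, so the install step accepts whatever artifact the index serves for a pinned version; `uv pip compile --generate-hashes` for the two compile rules, paired with `--require-hashes` on the install, would pin the CDK and lambda dependencies to the exact artifacts that were reviewed.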
@@ -1,3 +1,3 @@ | ||
{ | ||
"app": "python app.py" | ||
"app": "python cdk/app.py" | ||
} |
@@ -1,13 +1,10 @@ | ||
import os | ||
|
||
from aws_cdk import core as cdk | ||
from aws_cdk import App, Environment | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. these are all the v1 -> v2 migration |
||
|
||
from deployment import IcaCredentialsDeployment | ||
|
||
app = cdk.App() | ||
app = App() | ||
|
||
CDK_APP_NAME = "ica-credentials" | ||
CDK_APP_PYTHON_VERSION = "3.8" | ||
|
||
ICA_BASE_URL = "https://aps2.platform.illumina.com" | ||
ICAV2_BASE_URL = "https://ica.illumina.com" | ||
|
@@ -21,6 +18,7 @@ | |
IcaCredentialsDeployment( | ||
app, | ||
f"{CDK_APP_NAME}-dev", | ||
False, | ||
"dc8e6ba9-b744-437b-b070-4cf014694b3d", | ||
[ | ||
# development_workflows | ||
|
@@ -33,16 +31,14 @@ | |
SLACK_WEBHOOK_SSM_NAME, | ||
github_repos=[CWL_ICA_GITHUB_REPO], | ||
github_role_name=f"{CDK_APP_NAME}-dev-umccr-pipelines-deployment-role", | ||
env=cdk.Environment( | ||
account=os.environ["CDK_DEFAULT_ACCOUNT"], | ||
region=os.environ["CDK_DEFAULT_REGION"], | ||
), | ||
env=Environment(account="843407916570", region="ap-southeast-2"), | ||
) | ||
|
||
# Staging | ||
IcaCredentialsDeployment( | ||
app, | ||
f"{CDK_APP_NAME}-stg", | ||
False, | ||
"c9173925-a838-4394-9fc6-61cb93c252a1", | ||
[ | ||
# staging_workflows - no staging workflows project | ||
|
@@ -52,16 +48,14 @@ | |
SLACK_WEBHOOK_SSM_NAME, | ||
github_repos=[CWL_ICA_GITHUB_REPO], | ||
github_role_name=f"{CDK_APP_NAME}-stg-umccr-pipelines-deployment-role", | ||
env=cdk.Environment( | ||
account="455634345446", | ||
region="ap-southeast-2" | ||
), | ||
env=Environment(account="455634345446", region="ap-southeast-2"), | ||
) | ||
|
||
# Production | ||
IcaCredentialsDeployment( | ||
app, | ||
f"{CDK_APP_NAME}-prod", | ||
False, | ||
"20b42a71-1ebc-4e7b-b659-313f2f4524c3", | ||
[ | ||
# production_workflows | ||
|
@@ -72,25 +66,7 @@ | |
SLACK_WEBHOOK_SSM_NAME, | ||
github_repos=[CWL_ICA_GITHUB_REPO], | ||
github_role_name=f"{CDK_APP_NAME}-prod-umccr-pipelines-deployment-role", | ||
env=cdk.Environment( | ||
account="472057503814", | ||
region="ap-southeast-2" | ||
), | ||
) | ||
|
||
# V2 (single token) | ||
IcaCredentialsDeployment( | ||
app, | ||
f"{CDK_APP_NAME}-dev-v2", | ||
None, # Token does not require project context in v2 | ||
None, # Token does not require additional project list in v2 | ||
ICAV2_BASE_URL, | ||
SLACK_HOST_SSM_NAME, | ||
SLACK_WEBHOOK_SSM_NAME, | ||
env=cdk.Environment( | ||
account=os.environ["CDK_DEFAULT_ACCOUNT"], | ||
region=os.environ["CDK_DEFAULT_REGION"], | ||
), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I took out the ability for these to be deployed account agnostic - because I don't know the use case for that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. One for Alexis There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Happy to drop this |
||
env=Environment(account="472057503814", region="ap-southeast-2"), | ||
) | ||
|
||
app.synth() |
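Review bot: `CDK_APP_PYTHON_VERSION = "3.8"`, left unchanged as a context line in the first hunk, now disagrees with the `uv venv -p 3.12` the new Makefile runs, and the Makefile's own comment says the venv's Python must match the lambda runtime chosen in the CDK; if that constant still selects the lambda runtime elsewhere, bump it to `"3.12"` or derive both from one place. `import os` on the first line of the file appears to have lost its only visible uses once the `os.environ` lookups were removed across these hunks; drop it unless a use survives outside the view. The new `False` positional argument added to each `IcaCredentialsDeployment(...)` call reads as a magic value at the call site; passing it as `v2_naming=False` would make its meaning visible without changing behaviour.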
@@ -1,30 +1,33 @@ | ||
from typing import Any, List, Optional, Dict | ||
from typing import List, Optional, Any | ||
|
||
from aws_cdk import core as cdk | ||
from constructs import Construct | ||
from aws_cdk import App, Stack, Stage | ||
|
||
from secrets.infrastructure import Secrets | ||
|
||
|
||
class IcaCredentialsDeployment(cdk.Stage): | ||
class IcaCredentialsDeployment(Stack): | ||
def __init__( | ||
self, | ||
scope: cdk.Construct, | ||
scope: Construct, | ||
id_: str, | ||
v2_naming: bool, | ||
data_project: Optional[str], | ||
workflow_projects: Optional[List[str]], | ||
ica_base_url: str, | ||
slack_host_ssm_name: str, | ||
slack_webhook_ssm_name: str, | ||
github_role_name: Optional[str] = None, | ||
github_repos: Optional[List] = None, | ||
**kwargs, | ||
github_repos: Optional[List[str]] = None, | ||
**kwargs: Any, | ||
): | ||
""" | ||
Represents the deployment of our stack(s) to a particular environment with a particular set of settings. | ||
|
||
Args: | ||
scope: | ||
id_: | ||
v2_naming: | ||
data_project: | ||
workflow_projects: | ||
ica_base_url: | ||
|
@@ -34,19 +37,19 @@ def __init__( | |
""" | ||
super().__init__(scope, id_, **kwargs) | ||
|
||
stateful = cdk.Stack(self, "stack") | ||
# stateful = Stack(self, "stack") | ||
|
||
# this name becomes the prefix of our secrets so we slip in the word ICA to make it | ||
# obvious when someone sees them that they are associated with ICA | ||
Secrets( | ||
stateful, | ||
"IcaSecrets", | ||
self, | ||
"IcaV2Secrets" if v2_naming else "IcaSecrets", | ||
data_project, | ||
workflow_projects, | ||
ica_base_url, | ||
"cron(0 4/12 * * ? *)", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Using cron expressions to give more certainty to timings |
||
slack_host_ssm_name, | ||
slack_webhook_ssm_name, | ||
github_role_name=github_role_name, | ||
github_repos=github_repos, | ||
cdk_env=kwargs.get("env") | ||
) |
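Review bot: `# stateful = Stack(self, "stack")` is commented-out code standing where the nested stack used to be created; delete the line rather than keep it, since the class is now itself the `Stack` and the `Secrets` construct is parented on `self`. In the new import line, `App` and `Stage` are not referenced anywhere in the visible hunks after the switch from `Stage` to `Stack`, so it can shrink to `from aws_cdk import Stack`. The Args block of the docstring still has empty descriptions, including the new `v2_naming`; a one-liner such as `v2_naming: name the secrets construct "IcaV2Secrets" instead of "IcaSecrets"` would document the only thing the visible code does with it. `cdk_env=kwargs.get("env")` hands `None` to `Secrets` when a caller omits `env`; whether `Secrets` tolerates that is not visible here, so either confirm it or fail fast with a clear error. The `__init__` signature begins in the earlier hunk.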
this was only here because cdk used to be missing these