From 560d0d3e7f5dbfd54c50c90351c854d4238b2ffd Mon Sep 17 00:00:00 2001
From: David Vega
Date: Wed, 11 Sep 2024 08:41:15 -0700
Subject: [PATCH 1/4] Deleting old copy of script
---
 iac/deploy-tags.sh | 180 --------------------------------------------
 1 file changed, 180 deletions(-)
 delete mode 100755 iac/deploy-tags.sh
diff --git a/iac/deploy-tags.sh b/iac/deploy-tags.sh
deleted file mode 100755
index 9547f3d..0000000
--- a/iac/deploy-tags.sh
+++ /dev/null
@@ -1,180 +0,0 @@
-#!/bin/sh
-
-# Usage function for the main script
-usage() {
- echo "Usage: $0 {tag|find} [options]"
- echo ""
- echo "Subcommands:"
- echo " tag Create and push a tag."
- echo " find Find and list tags."
- echo ""
- echo "Use '$0 tag --help' or '$0 find --help' for subcommand-specific options."
- exit 1
-}
-
-# Usage function for the 'tag' subcommand
-usage_tag() {
- echo "Usage: $0 tag [options]"
- echo "Options:"
- echo " -d, --date [date] (Optional) Tag with the specified date. If no date is provided, the current date/time is used (format: YYYY/MM/DD/HH_mm_ss)."
- echo " -c, --current Update the 'deploy//current' tag to the specified deployment."
- echo " --dry-run Print the commands instead of executing them."
- echo " -h, --help Show this help message."
- exit 1
-}
-
-# Usage function for the 'find' subcommand
-usage_find() {
- echo "Usage: $0 find [options]"
- echo "Options:"
- echo " -d, --date [date] Find tags matching the specified date. If no date is provided, return all tags."
- echo " -c, --current Find the current deployment tag."
- echo " --dry-run Print the commands instead of executing them."
- echo " -h, --help Show this help message."
- exit 1
-}
-
-# Function to create and push tags with the specified options
-tag() {
- branch=$(git rev-parse --abbrev-ref HEAD)
- date_flag=""
- current_flag="false"
- dry_run="false"
- date_provided="false"
-
- # If no options are passed, show usage
- if [ $# -eq 0 ]; then
- usage_tag
- fi
-
- # Parse options
- while [ $# -gt 0 ]; do
- case "$1" in
- -d|--date)
- date_provided="true"
- # If the next argument starts with "-" or is absent, use the current date/time
- if [ -z "$2" ] || [ "${2#-}" != "$2" ]; then
- date_flag=$(date "+%Y/%m/%d/%H-%M-%S")
- else
- # Use the provided date
- date_flag="$2"
- shift
- fi
- ;;
- -c|--current)
- current_flag="true"
- ;;
- --dry-run)
- dry_run="true"
- ;;
- -h|--help)
- usage_tag
- ;;
- *)
- echo "Invalid option: $1" >&2
- usage_tag
- ;;
- esac
- shift
- done
-
- # If --date is provided without a value, generate a date, otherwise don't generate one
- if [ "$date_provided" = "false" ]; then
- date_flag=""
- fi
-
- # If no date is provided and no --date flag is used, use the current date/time
- if [ -n "$date_flag" ]; then
- tag_name="deploy/${branch}/${date_flag}"
- else
- tag_name=""
- fi
-
- current_tag="deploy/${branch}/current"
-
- # Print commands instead of executing them if --dry-run is specified
- if [ "$dry_run" = "true" ]; then
- if [ -n "$tag_name" ]; then
- echo "git tag $tag_name"
- echo "git push origin $tag_name"
- fi
- if [ "$current_flag" = "true" ]; then
- echo "git tag -f $current_tag"
- echo "git push origin -f $current_tag"
- fi
- else
- # Create the date-based tag and push it if a date tag was provided
- if [ -n "$tag_name" ]; then
- git tag "$tag_name"
- git push origin "$tag_name"
- echo "Tag created and pushed: $tag_name"
- fi
-
- # Update the 'deploy//current' tag if --current is specified
- if [ "$current_flag" = "true" ]; then
- git tag -f "$current_tag"
- git push origin -f "$current_tag"
- echo "'$current_tag' tag updated and pushed"
- fi
- fi
-}
-
-# Function to find tags based on options
-find_tags() {
- filter="latest"
- dry_run="false"
-
- # Parse options
- while [ $# -gt 0 ]; do
- case "$1" in
- -d|--date)
- if [ -z "$2" ]; then
- filter="*"
- else
- filter="*$2*"
- shift
- fi
- shift
- ;;
- -c|--current)
- branch=$(git rev-parse --abbrev-ref HEAD)
- filter="deploy/${branch}/current"
- shift
- ;;
- --dry-run)
- dry_run="true"
- shift
- ;;
- -h|--help)
- usage_find
- ;;
- *)
- echo "Invalid option: $1" >&2
- usage_find
- ;;
- esac
- done
-
- # Print the command in dry-run mode
- if [ "$dry_run" = "true" ]; then
- echo "git tag -l '$filter'"
- else
- # Actually list the matching tags
- git tag -l "$filter"
- fi
-}
-
-# Main script logic
-case "$1" in
- tag)
- shift
- tag "$@"
- ;;
- find)
- shift
- find_tags "$@"
- ;;
- *)
- usage
- ;;
-esac
\ No newline at end of file
From 5be1bc562b0b882f19b9063dcecc0f687c3bb322 Mon Sep 17 00:00:00 2001
From: David Vega
Date: Wed, 11 Sep 2024 09:23:14 -0700
Subject: [PATCH 2/4] Correction to diagram
---
 docs/adrs/9 - Database Pasword Security.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/adrs/9 - Database Pasword Security.md b/docs/adrs/9 - Database Pasword Security.md
index 0116f50..7c16d04 100644
--- a/docs/adrs/9 - Database Pasword Security.md
+++ b/docs/adrs/9 - Database Pasword Security.md
@@ -14,11 +14,11 @@ The design boils down to: - The secret version will be updated by the admin through Github Actions (**this is required for Terraform to change the RDS master password**). ```mermaid -graph +graph subgraph "core" CoreTerraformState[("tfstate")] subgraph "pipeline" - RDSPasswordEnvSecret + PipelineServiceAccount end end
@@ -41,7 +41,7 @@ graph RDSPasswordSecret -- consumed securely by --> ECS RDSPasswordEnvSecret -- sent securely --> EncryptedState - RDSPasswordEnvSecret -. updates .-> RDSPasswordSecretVersion + PipelineServiceAccount -. updates .-> RDSPasswordSecretVersion style EncryptedState stroke:#f00, stroke-width:2px, fill:#600 style Admin stroke:#f00, stroke-width:2px, fill:#600
From 3526b3b7d38efd446d397143fb504e43dd2a0a16 Mon Sep 17 00:00:00 2001
From: David Vega
Date: Wed, 11 Sep 2024 09:30:59 -0700
Subject: [PATCH 3/4] Added some formatting
---
 docs/adrs/10 - Healtcheck endpoint.md | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/docs/adrs/10 - Healtcheck endpoint.md b/docs/adrs/10 - Healtcheck endpoint.md
index 8318aba..a22bd14 100644
--- a/docs/adrs/10 - Healtcheck endpoint.md
+++ b/docs/adrs/10 - Healtcheck endpoint.md
@@ -2,13 +2,24 @@ Accepted ## Context -When hooking up the service to a load balancer, a challenge was encountered. The balancer was configured to expect a "200" status from the root ("/") endpoint for health checks, but the application, by default, returned a "404". Altering the root endpoint was considered, but the principle of Chesterton's Fence suggested caution: it's unwise to change something without understanding why it exists in the first place. +When hooking up the service to a load balancer, a challenge was encountered. The balancer was configured to expect a "200" status from the root ("/") endpoint for health checks, but the application, by default, returned a "404". + +Altering the root endpoint was considered, but the principle of [Chesterton's Fence](https://www.youtube.com/watch?v=qPGbl2gxGqI) suggested caution: it's unwise to change something without understanding why it exists in the first place. ## Decision -Rather than altering the existing root endpoint, a new "/healthcheck" endpoint was introduced. This endpoint performs a database connectivity check and returns the application's version. This approach satisfies the load balancer's requirements without modifying the root endpoint's behavior. +Rather than altering the existing root endpoint, a new `/healthcheck` endpoint was introduced. + +This endpoint performs a **database connectivity check** and returns the application's version. + +This approach satisfies the load balancer's requirements without modifying the root endpoint's behavior. ## Consequences -1. Elimination of unnecessary ECS restarts, as the load balancer now receives the "200" status it requires. -2. Preservation of the root endpoint's original design, respecting its intended purpose. +1. Elimination of unnecessary ECS restarts if there is oversight in configuring the load balancer at any point, as the load balancer now receives the "200" status it requires. + +2. 
Preservation of the root endpoint's original design, respecting its intended purpose if any. + 3. Enhancement of debugging capabilities through the inclusion of the application's version in the health check response. -4. Establishment of a precedent for future health check adjustments without disrupting other application parts. \ No newline at end of file + +4. Establishment of a precedent for *future health check adjustments* without disrupting other application parts. + +5. **Reduced attack surface** by limiting the matcher to a well-known HTTP status code, that can be used to test the infrastructure with other images. \ No newline at end of file
From 216f4f8a40aae0ef73ac64364eeee59d4c7acc37 Mon Sep 17 00:00:00 2001
From: David Vega
Date: Wed, 11 Sep 2024 09:35:08 -0700
Subject: [PATCH 4/4] Fixing link / reference in documentation
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7477fbc..08272c7 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ If this is not your first run, use `terraform init -backend-config=backend.hcl` #### Quickstart -For full instructions including how to migrate to an S3 backend from an initial run (highly recommended), see the [README](iac/terraform/core/README.md) in the `iac/terraform/core` directory. +For full instructions including how to migrate to an S3 backend from an initial run (highly recommended), see the [README](iac/terraform/app/README.md) in the `iac/terraform/app` directory. 1. Copy the `.env.sh.dist` file to `.env.sh` and fill in the required values, then run: