From 1f8e770bbefb88aed80a7416a97215c185076063 Mon Sep 17 00:00:00 2001 From: Christopher Lo <46541035+topher-lo@users.noreply.github.com> Date: Tue, 19 Mar 2024 04:38:56 +0000 Subject: [PATCH] ci(engine): Add missing shared secrets to task containers and setup log group --- aws/stack.py | 31 ++++++++++++++++++++++++++++--- docker-compose.yaml | 2 +- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/aws/stack.py b/aws/stack.py index cabe9946..6902f246 100644 --- a/aws/stack.py +++ b/aws/stack.py @@ -8,11 +8,12 @@ import os -from aws_cdk import Duration, Stack +from aws_cdk import Duration, RemovalPolicy, Stack from aws_cdk import aws_ec2 as ec2 from aws_cdk import aws_ecs as ecs from aws_cdk import aws_elasticloadbalancingv2 as elbv2 from aws_cdk import aws_iam as iam +from aws_cdk import aws_logs as logs from aws_cdk import aws_route53 as route53 from aws_cdk import aws_secretsmanager as secretsmanager from aws_cdk.aws_certificatemanager import Certificate @@ -110,10 +111,19 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None: tracecat_secret = secretsmanager.Secret.from_secret_complete_arn( self, "Secret", secret_complete_arn=AWS_SECRET__ARN ) - api_secrets = { + shared_secrets = { "TRACECAT__SIGNING_SECRET": ecs.Secret.from_secrets_manager( tracecat_secret, field="signing-secret" ), + "TRACECAT__SERVICE_KEY": ecs.Secret.from_secrets_manager( + tracecat_secret, field="service-key" + ), + "TRACECAT__DB_ENCRYPTION_KEY": ecs.Secret.from_secrets_manager( + tracecat_secret, field="db-encryption-key" + ), + } + api_secrets = { + **shared_secrets, "SUPABASE_JWT_SECRET": ecs.Secret.from_secrets_manager( tracecat_secret, field="supabase-jwt-secret" ), @@ -125,9 +135,10 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None: ), } runner_secrets = { + **shared_secrets, "OPENAI_API_KEY": ecs.Secret.from_secrets_manager( tracecat_secret, field="openai-api-key" - ) + ), } # # Define EFS 
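Review bot: `TRACECAT__DB_ENCRYPTION_KEY` is now injected into the runner container as well as the API container, via the `shared_secrets` dict in this hunk and the `**shared_secrets` spread added to `runner_secrets` in the next hunk. If the runner only needs `TRACECAT__SERVICE_KEY` to talk to the API, the encryption key should stay in `api_secrets` so a compromised runner task cannot decrypt stored data; the runner code is not visible here, so this is a point to confirm rather than a defect. The dict also deserves a comment stating its contract, e.g. `# Injected into both the API and runner containers; every field named here must exist in the secret at AWS_SECRET__ARN, otherwise ECS refuses to start the task.` The enclosing `__init__` begins and ends outside this hunk.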
@@ -155,6 +166,14 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None: # ], ) + # Set up a log group + log_group = logs.LogGroup( + self, + "TracecatLogGroup", + log_group_name="/ecs/tracecat", + removal_policy=RemovalPolicy.RETAIN, # Retain the log group when the stack is deleted + ) + # Tracecat API task_definition.add_container( "ApiContainer", @@ -177,6 +196,9 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None: }, secrets=api_secrets, port_mappings=[ecs.PortMapping(container_port=8000)], + logging=ecs.LogDrivers.aws_logs( + stream_prefix="tracecat-api", log_group=log_group + ), ) # api_container.add_mount_points( # ecs.MountPoint( @@ -205,6 +227,9 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None: environment={"API_MODULE": "tracecat.runner.app:app", "PORT": "8001"}, secrets=runner_secrets, port_mappings=[ecs.PortMapping(container_port=8001)], + logging=ecs.LogDrivers.aws_logs( + stream_prefix="tracecat-runner", log_group=log_group + ), ) # runner_container.add_mount_points( # ecs.MountPoint( diff --git a/docker-compose.yaml b/docker-compose.yaml index ea07f87d..e677407d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -10,8 +10,8 @@ services: environment: API_MODULE: "tracecat.api.app:app" TRACECAT__SIGNING_SECRET: ${TRACECAT__SIGNING_SECRET} - TRACECAT__DB_ENCRYPTION_KEY: ${TRACECAT__DB_ENCRYPTION_KEY} TRACECAT__SERVICE_KEY: ${TRACECAT__SERVICE_KEY} + TRACECAT__DB_ENCRYPTION_KEY: ${TRACECAT__DB_ENCRYPTION_KEY} SUPABASE_JWT_SECRET: ${SUPABASE_JWT_SECRET} SUPABASE_JWT_ALGORITHM: ${SUPABASE_JWT_ALGORITHM} SUPABASE_PSQL_URL: ${SUPABASE_PSQL_URL}
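Review bot: The new `logs.LogGroup` sets no `retention`, so application logs from both containers are kept forever; set an explicit period, e.g. `retention=logs.RetentionDays.ONE_MONTH,` (whatever the team's policy is). Combined with `RemovalPolicy.RETAIN`, the fixed `log_group_name="/ecs/tracecat"` means a redeploy after the stack has been deleted fails because CloudFormation cannot create a log group that already exists — either drop the explicit name or note next to it that the retained group must be imported or removed by hand first. If the log content is considered sensitive, `encryption_key=` can place the group under a customer-managed KMS key. The enclosing `__init__` begins and ends outside this hunk.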
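Review bot: `ecs.LogDrivers.aws_logs(...)` on the API container (and the identical call on the runner container in the following hunk) uses the driver's default blocking mode, so if CloudWatch Logs becomes unreachable, writes to the container's stdout/stderr block and the service can stall; pass `mode=ecs.AwsLogDriverMode.NON_BLOCKING` (optionally with `max_buffer_size`) if availability should win over guaranteed delivery. Both containers now receive secret values as environment variables and ship their output to a shared log group, so it is worth confirming the application never prints its environment on startup. The enclosing `add_container(...)` call and `__init__` begin outside this hunk.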