diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 55600339..cd12309e 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -144,10 +144,10 @@ module "oonidevops_github_user" {
 module "oonipg" {
 source = "../../modules/postgresql"
- name = "ooni-tier0-postgres"
- aws_region = var.aws_region
- vpc_id = module.network.vpc_id
- subnet_ids = module.network.vpc_subnet_public[*].id
+ name = "ooni-tier0-postgres"
+ aws_region = var.aws_region
+ vpc_id = module.network.vpc_id
+ subnet_ids = module.network.vpc_subnet_public[*].id
 # By default, max_connections is computed as:
 # LEAST({DBInstanceClassMemory/9531392}, 5000)
 # see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html
@@ -249,6 +249,10 @@ resource "aws_s3_bucket" "oonith_codepipeline_bucket" {
 bucket = "codepipeline-oonith-${var.aws_region}-${random_id.artifact_id.hex}"
 }
+resource "aws_s3_bucket" "ooni_private_config_bucket" {
+ bucket = "ooni-config-${var.aws_region}-${random_id.artifact_id.hex}"
+}
+
 data "aws_secretsmanager_secret_version" "deploy_key" {
 secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn
 depends_on = [module.adm_iam_roles]
@@ -367,6 +371,12 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
 "Effect": "Allow",
 "Action": "s3:PutObject",
 "Resource": "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "s3:GetObject",
+ "Resource": "${aws_s3_bucket.ooni_private_config_bucket.arn}/*"
 }
 ]
 }
@@ -378,7 +388,7 @@ module "ooniapi_ooniprobe_deployer" {
 service_name = "ooniprobe"
 repo = "ooni/backend"
- branch_name = "investigate-geoip-reporting"
+ branch_name = "master"
 trigger_path = "ooniapi/services/ooniprobe/**"
 buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml"
 codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
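Review bot: `aws_s3_bucket.ooni_private_config_bucket` is declared with nothing but a `bucket` name, so a bucket whose name says "private config" gets no explicit public-access block, no default encryption and no versioning anywhere in this hunk. Recent AWS accounts block public access on new buckets by default, but that is an account-level setting rather than something this code expresses, and a later change to it would silently widen exposure; the intent should be pinned in Terraform next to the resource. I would add an `aws_s3_bucket_public_access_block` with all four flags set, an `aws_s3_bucket_server_side_encryption_configuration` (SSE-S3 is enough unless the config holds secrets, in which case SSE-KMS with a dedicated key lets you audit reads), and `aws_s3_bucket_versioning` so a bad config push can be rolled back. The bucket name also reuses `random_id.artifact_id.hex` from the codepipeline bucket above, which ties this bucket's identity to that random id's lifecycle.
```hcl
# after resource "aws_s3_bucket" "ooni_private_config_bucket" { … }

resource "aws_s3_bucket_public_access_block" "ooni_private_config_bucket" {
  bucket                  = aws_s3_bucket.ooni_private_config_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "ooni_private_config_bucket" {
  bucket = aws_s3_bucket.ooni_private_config_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```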
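Review bot: The new statement grants `s3:GetObject` on `${aws_s3_bucket.ooni_private_config_bucket.arn}/*`, i.e. every object in a bucket whose generic name (`ooni-config-…`) suggests it will hold configuration for more than this one service. If other services are expected to share the bucket, scope the read to a per-service prefix, e.g. `"Resource": "${aws_s3_bucket.ooni_private_config_bucket.arn}/ooniprobe/*"`, and give the statement a descriptive `Sid` (`"Sid": "ReadOoniprobeConfig"`) instead of `""`. The role this policy attaches to is outside the hunk; the prod counterpart further down in this diff attaches the same-named policy to `module.ooniapi_cluster.container_host_role`, so if dev matches, every task scheduled on those ECS hosts inherits this read access rather than just ooniprobe, which argues for an ECS task role. The enclosing `aws_iam_role_policy` block starts and ends outside the hunk.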
@@ -417,6 +427,7 @@ module "ooniapi_ooniprobe" {
 FASTPATH_URL = "http://fastpath.${local.environment}.ooni.io:8472"
 FAILED_REPORTS_BUCKET = aws_s3_bucket.ooniprobe_failed_reports.bucket
 COLLECTOR_ID = 3 # use a different one in prod
+ CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
 }
 ooniapi_service_security_groups = [
@@ -916,7 +927,7 @@ module "ooniapi_oonimeasurements" {
 dns_zone_ooni_io = local.dns_zone_ooni_io
 key_name = module.adm_iam_roles.oonidevops_key_name
 ecs_cluster_id = module.oonitier1plus_cluster.cluster_id
- service_desired_count = 2
+ service_desired_count = 2
 task_secrets = {
 POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
@@ -927,9 +938,9 @@ module "ooniapi_oonimeasurements" {
 task_environment = {
 # it has to be a json-compliant array
- OTHER_COLLECTORS = jsonencode(["https://backend-", "http://fastpath.${local.environment}.ooni.io:8475"])
- BASE_URL = "https://api.${local.environment}.ooni.io"
- S3_BUCKET_NAME = "ooni-data-eu-fra-test"
+ OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475", "https://backend-hel.ooni.org"])
+ BASE_URL = "https://api.${local.environment}.ooni.io"
+ S3_BUCKET_NAME = "ooni-data-eu-fra-test"
 }
 ooniapi_service_security_groups = [
@@ -1095,7 +1106,7 @@ module "ooni_anonc" {
 to_port = 9100,
 protocol = "tcp"
 cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"],
- }]
+ }]
 egress_rules = [{
 from_port = 0,
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index e2d70e44..1e636db8 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
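Review bot: The new `OTHER_COLLECTORS` value in `tf/environments/dev/main.tf` forwards measurements to `https://backend-hel.ooni.org`, which by its hostname looks like a production collector; if that is right, dev-environment traffic and test submissions will land in production storage, and a misbehaving dev deploy can pollute prod data. I would derive the external collector from a per-environment variable rather than hard-code it in dev, e.g. `OTHER_COLLECTORS = jsonencode(concat(["http://fastpath.${local.environment}.ooni.io:8475"], var.external_collectors))` with the variable empty for dev, or at minimum add a comment stating that forwarding to the prod backend from dev is intentional. The fastpath entry is plain `http://` on port 8475; that is presumably reachable only inside the VPC, but a comment such as `# fastpath is VPC-internal; no TLS on 8475` would save the next reader from wondering whether measurements cross the internet unencrypted. The enclosing `task_environment` map and module block extend beyond the hunk.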
@@ -269,6 +269,10 @@ resource "aws_s3_bucket" "oonith_codepipeline_bucket" {
 bucket = "codepipeline-oonith-${var.aws_region}-${random_id.artifact_id.hex}"
 }
+resource "aws_s3_bucket" "ooni_private_config_bucket" {
+ bucket = "ooni-config-${var.aws_region}-${random_id.artifact_id.hex}"
+}
+
 data "aws_secretsmanager_secret_version" "deploy_key" {
 secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn
 depends_on = [module.adm_iam_roles]
@@ -580,7 +584,7 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
 role = module.ooniapi_cluster.container_host_role.name
 policy = <
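Review bot: The production `aws_s3_bucket.ooni_private_config_bucket` is created with only a name, so the bucket that will hold prod service configuration has no explicit public-access block, encryption, versioning or transport policy in this hunk. In prod I would treat that as blocking: add `aws_s3_bucket_public_access_block` and `aws_s3_bucket_versioning` (below), an `aws_s3_bucket_server_side_encryption_configuration` — SSE-KMS with a dedicated key if the config contains credentials, so reads show up in CloudTrail — and a bucket policy that denies requests with `aws:SecureTransport` false. The hunk after this one (cut off at `policy = <`) attaches the reading policy to `module.ooniapi_cluster.container_host_role`, which is the host role for the whole cluster rather than a per-task role, so the bucket's contents should be assumed readable by every task on those hosts unless that is tightened.
```hcl
# after resource "aws_s3_bucket" "ooni_private_config_bucket" { … }

resource "aws_s3_bucket_public_access_block" "ooni_private_config_bucket" {
  bucket                  = aws_s3_bucket.ooni_private_config_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "ooni_private_config_bucket" {
  bucket = aws_s3_bucket.ooni_private_config_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
```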