From 989e7a8d4475644edc0e63d448ac68da0ec5a05a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 12:01:46 +0100
Subject: [PATCH 1/8] Add bucket for private API config files

---
 tf/environments/dev/main.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 55600339..f4472df2 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -249,6 +249,10 @@ resource "aws_s3_bucket" "oonith_codepipeline_bucket" {
 bucket = "codepipeline-oonith-${var.aws_region}-${random_id.artifact_id.hex}"
 }
+resource "aws_s3_bucket" "ooni_private_config_bucket" {
+ bucket = "ooni-config-${var.aws_region}-${random_id.artifact_id.hex}"
+}
+
 data "aws_secretsmanager_secret_version" "deploy_key" {
 secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn
 depends_on = [module.adm_iam_roles]
@@ -417,6 +421,7 @@ module "ooniapi_ooniprobe" {
 FASTPATH_URL = "http://fastpath.${local.environment}.ooni.io:8472"
 FAILED_REPORTS_BUCKET = aws_s3_bucket.ooniprobe_failed_reports.bucket
 COLLECTOR_ID = 3 # use a different one in prod
+ CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
 }
 ooniapi_service_security_groups = [

From 9a63463586fbd1e5a3c80e580496bd030f145f5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 12:34:15 +0100
Subject: [PATCH 2/8] Set branch of ooniprobe to test config file read

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index f4472df2..24ba9623 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
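Review bot: The new `ooni_private_config_bucket` resource in the first hunk declares only a bucket name, so nothing in the configuration enforces the "private" in its name: there is no `aws_s3_bucket_public_access_block`, no default server-side encryption and no versioning, and the prod copy added by patch 6 has the same gap. The bucket is meant to hold private API configuration that the ooniprobe task reads (the `CONFIG_BUCKET` variable added in the second hunk), so the public-access block should be declared explicitly rather than relying on account-level defaults, and versioning gives a rollback path when a bad config file is uploaded. The existing resource can stay as it is; the companion resources below reference it by id.
```hcl
resource "aws_s3_bucket" "ooni_private_config_bucket" {
  # … unchanged: bucket name …
}

resource "aws_s3_bucket_public_access_block" "ooni_private_config_bucket" {
  bucket                  = aws_s3_bucket.ooni_private_config_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "ooni_private_config_bucket" {
  bucket = aws_s3_bucket.ooni_private_config_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
```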
@@ -382,7 +382,7 @@ module "ooniapi_ooniprobe_deployer" {
 service_name = "ooniprobe"
 repo = "ooni/backend"
- branch_name = "investigate-geoip-reporting"
+ branch_name = "s3-config-dependency"
 trigger_path = "ooniapi/services/ooniprobe/**"
 buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml"
 codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn

From 2ea81302b1bb24fe652a3a2222d43c4d87e0d0d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 12:45:17 +0100
Subject: [PATCH 3/8] fix bad backend-hel path

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 24ba9623..b3037839 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -932,7 +932,7 @@ module "ooniapi_oonimeasurements" {
 task_environment = {
 # it has to be a json-compliant array
- OTHER_COLLECTORS = jsonencode(["https://backend-", "http://fastpath.${local.environment}.ooni.io:8475"])
+ OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475", "https://backend-hel.ooni.org"])
 BASE_URL = "https://api.${local.environment}.ooni.io"
 S3_BUCKET_NAME = "ooni-data-eu-fra-test"
 }

From 63691ebd39c7eac1b2de9f6c7b369d92d7da68a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 13:22:53 +0100
Subject: [PATCH 4/8] Add read permission to ooniprobe for configs bucket

---
 tf/environments/dev/main.tf | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index b3037839..81066d58 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -144,10 +144,10 @@ module "oonidevops_github_user" {
 module "oonipg" {
 source = "../../modules/postgresql"
- name = "ooni-tier0-postgres"
- aws_region = var.aws_region
- vpc_id = module.network.vpc_id
- subnet_ids = module.network.vpc_subnet_public[*].id
+ name = "ooni-tier0-postgres"
+ aws_region = var.aws_region
+ vpc_id = module.network.vpc_id
+ subnet_ids = module.network.vpc_subnet_public[*].id
 # By default, max_connections is computed as:
 # LEAST({DBInstanceClassMemory/9531392}, 5000)
 # see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html
@@ -371,6 +371,12 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
 "Effect": "Allow",
 "Action": "s3:PutObject",
 "Resource": "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "s3:GetObject",
+ "Resource": "${aws_s3_bucket.ooni_private_config_bucket.arn}/*"
 }
 ]
 }
@@ -421,7 +427,7 @@ module "ooniapi_ooniprobe" {
 FASTPATH_URL = "http://fastpath.${local.environment}.ooni.io:8472"
 FAILED_REPORTS_BUCKET = aws_s3_bucket.ooniprobe_failed_reports.bucket
 COLLECTOR_ID = 3 # use a different one in prod
- CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
+ CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
 }
 ooniapi_service_security_groups = [
@@ -921,7 +927,7 @@ module "ooniapi_oonimeasurements" {
 dns_zone_ooni_io = local.dns_zone_ooni_io
 key_name = module.adm_iam_roles.oonidevops_key_name
 ecs_cluster_id = module.oonitier1plus_cluster.cluster_id
- service_desired_count = 2
+ service_desired_count = 2
 task_secrets = {
 POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
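Review bot: The new `s3:GetObject` statement in the `aws_iam_role_policy` "ooniprobe_role" hunk (at -371) carries an empty `"Sid": ""`; a descriptive Sid such as `"Sid": "ReadPrivateConfigBucket"` makes the grant identifiable in CloudTrail-based access reviews and in later policy audits. The enclosing resource starts outside this hunk, so the `role` it attaches to is not visible here, but in prod the same resource attaches to `module.ooniapi_cluster.container_host_role.name` (visible in the context of patch 8), which appears to be the role shared by every task on the container host rather than one specific to ooniprobe. If dev attaches the same way, every co-located service gains read access to the private config objects, not only ooniprobe; if the intent is ooniprobe-only access, the statement belongs on a task role for that service. Patch 6's prod copy of this statement has the same two points.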
@@ -933,8 +939,8 @@ module "ooniapi_oonimeasurements" {
 task_environment = {
 # it has to be a json-compliant array
 OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475", "https://backend-hel.ooni.org"])
- BASE_URL = "https://api.${local.environment}.ooni.io"
- S3_BUCKET_NAME = "ooni-data-eu-fra-test"
+ BASE_URL = "https://api.${local.environment}.ooni.io"
+ S3_BUCKET_NAME = "ooni-data-eu-fra-test"
 }
 ooniapi_service_security_groups = [
@@ -1100,7 +1106,7 @@ module "ooni_anonc" {
 to_port = 9100,
 protocol = "tcp"
 cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"],
- }]
+ }]
 egress_rules = [{
 from_port = 0,

From 0ba0a457f59ec663f49dde7a793921ae04ed3772 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 13:36:46 +0100
Subject: [PATCH 5/8] Point ooniprobe back to master

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 81066d58..cd12309e 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -388,7 +388,7 @@ module "ooniapi_ooniprobe_deployer" {
 service_name = "ooniprobe"
 repo = "ooni/backend"
- branch_name = "s3-config-dependency"
+ branch_name = "master"
 trigger_path = "ooniapi/services/ooniprobe/**"
 buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml"
 codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn

From b37d12a29b77fa623fcfa252c3c4724c4b17cce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 13:40:31 +0100
Subject: [PATCH 6/8] Add configs bucket to prod

---
 tf/environments/prod/main.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index e2d70e44..2994600e 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -269,6 +269,10 @@ resource "aws_s3_bucket" "oonith_codepipeline_bucket" {
 bucket = "codepipeline-oonith-${var.aws_region}-${random_id.artifact_id.hex}"
 }
+resource "aws_s3_bucket" "ooni_private_config_bucket" {
+ bucket = "ooni-config-${var.aws_region}-${random_id.artifact_id.hex}"
+}
+
 data "aws_secretsmanager_secret_version" "deploy_key" {
 secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn
 depends_on = [module.adm_iam_roles]
@@ -588,6 +592,12 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
 "Effect": "Allow",
 "Action": "s3:PutObject",
 "Resource": "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "s3:GetObject",
+ "Resource": "${aws_s3_bucket.ooni_private_config_bucket.arn}/*"
 }
 ]
 }

From dfc7b539ad478e518b369a75a14b3326ce272dc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 13:41:46 +0100
Subject: [PATCH 7/8] Add CONFIG_BUCKET setting in prod

---
 tf/environments/prod/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 2994600e..44735913 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -648,6 +648,7 @@ module "ooniapi_ooniprobe" {
 FASTPATH_URL = "http://fastpath.${local.environment}.ooni.io:8472"
 FAILED_REPORTS_BUCKET = aws_s3_bucket.ooniprobe_failed_reports.bucket
 COLLECTOR_ID = 4 # be sure this is different from dev
+ CONFIG_BUCKET = aws_s3_bucket.ooni_private_config_bucket.bucket
 }
 ooniapi_service_security_groups = [

From 9f9ed4ed433345f6a7459e1ae363039252721f4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 12 Nov 2025 13:55:37 +0100
Subject: [PATCH 8/8] Add permission for ooniprobe to access configs bucket

---
 tf/environments/prod/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 44735913..1e636db8 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -584,7 +584,7 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
 role = module.ooniapi_cluster.container_host_role.name
 policy = <