feat(coprocessor): auth coprocessor poc [WIP]

.github/workflows/client-api.yml

@@ -10,6 +10,7 @@ on:
       - '.github/actions/**'
       - '.github/workflows/client-api.yml'
       - '.github/workflows/reuse-*.yml'
+      - 'servers/coprocessor/**'
   push:
     branches:
       - main
@@ -22,22 +23,36 @@ on:
       - '.github/actions/**'
       - '.github/workflows/client-api.yml'
       - '.github/workflows/reuse-*.yml'
-jobs:
+      - 'servers/coprocessor/**'
 
+jobs:
   infrastructure:
     uses: ./.github/workflows/reuse-infrastructure.yml
     with:
       scope: '@infrastructure/client-api'
       stack-output-path: infrastructure/client-api/cdktf.out/stacks/client-api
     secrets: inherit
 
-  api:
+  coprocessor:
     uses: ./.github/workflows/reuse-build-and-push-image.yml
     needs: [infrastructure]
+    with:
+      scope: '@server/coprocessor'
+      docker-repo-name-pattern: clientapi-{0}-coprocessor
+      app-path: servers/coprocessor
+      # Do not pass terraform-output because we don't want to redo codedeploy
+      # and it's conditional on this output
+    secrets: inherit
+
+  api:
+    uses: ./.github/workflows/reuse-build-and-push-image.yml
+    # Require coprocessor dependency because we need the image to
+    # be built and pushed prior to codedeploy
+    needs: [infrastructure, coprocessor]
     with:
       scope: '@server/client-api'
       docker-repo-name-pattern: clientapi-{0}-app
       context: servers/client-api
       app-path: servers/client-api
       terraform-output: ${{needs.infrastructure.outputs.terraform-output}}
-    secrets: inherit
+    secrets: inherit

.github/workflows/reuse-build-and-push-image.yml

@@ -47,6 +47,7 @@ on:
       terraform-output:
         description: 'The terraform output which is used to get the ECS_Service and Task Defintion arns for codedeploy'
         required: false
+        default: '{"ecs-task-containerName": {"value":""}}'
         type: string
       archive-download-name:
         description: 'If specified, download this archive instead of checkout'
@@ -55,117 +56,116 @@ on:
         default: ''
 
 permissions:
-  contents: read  # This is required for actions/checkout
-  id-token: write  # Access the Github JWT for AWS access
+  contents: read # This is required for actions/checkout
+  id-token: write # Access the Github JWT for AWS access
   deployments: write
 
 jobs:
-    # Let's build the image on every pull request just like we would on production
-    pull-request:
-      # Only run this job on a pull request event
-      if: github.event_name == 'pull_request'
-      runs-on: ubuntu-latest
-      steps:
-        - name: Checkout
-          if: inputs.archive-download-name == ''
-          uses: actions/checkout@v4   
-        - name: Archive download
-          if: inputs.archive-download-name != ''
-          uses: actions/download-artifact@v4
-          with:
-              name: ${{inputs.archive-download-name}}
-        - name: Build Docker Image
-          uses: pocket/pocket-monorepo/.github/actions/containerize@main
-          with:
-            docker-repo-name: "${{inputs.development-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'dev') }}"
-            app-path: ${{inputs.app-path}}
-            app-port: ${{inputs.app-port}}
-            context: ${{inputs.context}}
-            sentry-project: ${{inputs.sentry-project}}
-            sentry-org: ${{inputs.sentry-org}}
-            sentry-token: ${{secrets.SENTRY_BEARER}}
-            dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
-            dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
-            scope: ${{inputs.scope}}
+  # Let's build the image on every pull request just like we would on production
+  pull-request:
+    # Only run this job on a pull request event
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        if: inputs.archive-download-name == ''
+        uses: actions/checkout@v4
+      - name: Archive download
+        if: inputs.archive-download-name != ''
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{inputs.archive-download-name}}
+      - name: Build Docker Image
+        uses: pocket/pocket-monorepo/.github/actions/containerize@main
+        with:
+          docker-repo-name: "${{inputs.development-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'dev') }}"
+          app-path: ${{inputs.app-path}}
+          app-port: ${{inputs.app-port}}
+          context: ${{inputs.context}}
+          sentry-project: ${{inputs.sentry-project}}
+          sentry-org: ${{inputs.sentry-org}}
+          sentry-token: ${{secrets.SENTRY_BEARER}}
+          dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
+          dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
+          scope: ${{inputs.scope}}
 
+  development:
+    if: github.ref == 'refs/heads/dev'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        if: inputs.archive-download-name == ''
+        uses: actions/checkout@v4
+      - name: Archive download
+        if: inputs.archive-download-name != ''
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{inputs.archive-download-name}}
+      # Get the AWS credentials
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::410318598490:role/PocketGHARole
+      - name: Build and Push Development Docker Image
+        id: dev-docker-build
+        uses: pocket/pocket-monorepo/.github/actions/containerize@main
+        with:
+          docker-repo-name: "${{inputs.development-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'dev') }}"
+          app-path: ${{inputs.app-path}}
+          app-port: ${{inputs.app-port}}
+          context: ${{inputs.context}}
+          sentry-project: ${{inputs.sentry-project}}
+          sentry-org: ${{inputs.sentry-org}}
+          sentry-token: ${{secrets.SENTRY_BEARER}}
+          dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
+          dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
+          scope: ${{inputs.scope}}
+          push: true
+      - name: Code Deploy Docker Image
+        uses: pocket/pocket-monorepo/.github/actions/ecs-codedeploy@main
+        if: inputs.terraform-output != '' && fromJSON(inputs.terraform-output).ecs-task-containerName.value != ''
+        with:
+          docker-image-name: ${{steps.dev-docker-build.outputs.docker-image-name}}
+          terraform-output: ${{ inputs.terraform-output }}
+          name: ${{inputs.scope}}
 
-    development:
-      if: github.ref == 'refs/heads/dev'
-      runs-on: ubuntu-latest
-      steps:        
-        - name: Checkout
-          if: inputs.archive-download-name == ''
-          uses: actions/checkout@v4   
-        - name: Archive download
-          if: inputs.archive-download-name != ''
-          uses: actions/download-artifact@v4
-          with:
-              name: ${{inputs.archive-download-name}}
-        # Get the AWS credentials
-        - name: AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            aws-region: us-east-1
-            role-to-assume: arn:aws:iam::410318598490:role/PocketGHARole
-        - name: Build and Push Development Docker Image
-          id: dev-docker-build
-          uses: pocket/pocket-monorepo/.github/actions/containerize@main
-          with:
-            docker-repo-name: "${{inputs.development-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'dev') }}"
-            app-path: ${{inputs.app-path}}
-            app-port: ${{inputs.app-port}}
-            context: ${{inputs.context}}
-            sentry-project: ${{inputs.sentry-project}}
-            sentry-org: ${{inputs.sentry-org}}
-            sentry-token: ${{secrets.SENTRY_BEARER}}
-            dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
-            dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
-            scope: ${{inputs.scope}}
-            push: true
-        - name: Code Deploy Docker Image
-          uses: pocket/pocket-monorepo/.github/actions/ecs-codedeploy@main
-          if: fromJSON(inputs.terraform-output).ecs-task-containerName.value != ''
-          with:
-            docker-image-name: ${{steps.dev-docker-build.outputs.docker-image-name}}
-            terraform-output: ${{ inputs.terraform-output }}
-            name: ${{inputs.scope}}
-
-    production:
-      if: github.ref == 'refs/heads/main'
-      runs-on: ubuntu-latest
-      steps:
-        - name: Checkout
-          if: inputs.archive-download-name == ''
-          uses: actions/checkout@v4   
-        - name: Archive download
-          if: inputs.archive-download-name != ''
-          uses: actions/download-artifact@v4
-          with:
-              name: ${{inputs.archive-download-name}}
-        - name: AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            aws-region: us-east-1
-            role-to-assume: arn:aws:iam::996905175585:role/PocketGHARole
-        - name: Build and Push Production Docker Image
-          id: prod-docker-build
-          uses: pocket/pocket-monorepo/.github/actions/containerize@main
-          with:
-            docker-repo-name: "${{inputs.production-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'prod') }}"
-            app-path: ${{inputs.app-path}}
-            app-port: ${{inputs.app-port}}
-            context: ${{inputs.context}}
-            sentry-project: ${{inputs.sentry-project}}
-            sentry-org: ${{inputs.sentry-org}}
-            sentry-token: ${{secrets.SENTRY_BEARER}}
-            dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
-            dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
-            scope: ${{inputs.scope}}
-            push: true
-        - name: Code Deploy Docker Image
-          uses: pocket/pocket-monorepo/.github/actions/ecs-codedeploy@main
-          if: fromJSON(inputs.terraform-output).ecs-task-containerName.value != ''
-          with:
-            docker-image-name: ${{steps.prod-docker-build.outputs.docker-image-name}}
-            terraform-output: ${{ inputs.terraform-output }}
-            name: ${{inputs.scope}}
+  production:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        if: inputs.archive-download-name == ''
+        uses: actions/checkout@v4
+      - name: Archive download
+        if: inputs.archive-download-name != ''
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{inputs.archive-download-name}}
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::996905175585:role/PocketGHARole
+      - name: Build and Push Production Docker Image
+        id: prod-docker-build
+        uses: pocket/pocket-monorepo/.github/actions/containerize@main
+        with:
+          docker-repo-name: "${{inputs.production-aws-registry }}/${{ format(inputs.docker-repo-name-pattern, 'prod') }}"
+          app-path: ${{inputs.app-path}}
+          app-port: ${{inputs.app-port}}
+          context: ${{inputs.context}}
+          sentry-project: ${{inputs.sentry-project}}
+          sentry-org: ${{inputs.sentry-org}}
+          sentry-token: ${{secrets.SENTRY_BEARER}}
+          dockerhub-username: ${{secrets.DOCKERHUB_USERNAME}}
+          dockerhub-token: ${{secrets.DOCKERHUB_TOKEN}}
+          scope: ${{inputs.scope}}
+          push: true
+      - name: Code Deploy Docker Image
+        uses: pocket/pocket-monorepo/.github/actions/ecs-codedeploy@main
+        if: inputs.terraform-output != '' && fromJSON(inputs.terraform-output).ecs-task-containerName.value != ''
+        with:
+          docker-image-name: ${{steps.prod-docker-build.outputs.docker-image-name}}
+          terraform-output: ${{ inputs.terraform-output }}
+          name: ${{inputs.scope}}

.vscode/launch.json

@@ -4,6 +4,7 @@
   // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
   "version": "0.2.0",
   "configurations": [
+
     {
       "type": "node",
       "request": "attach",
@@ -14,6 +15,16 @@
       "localRoot": "${workspaceFolder}/servers/v3-proxy-api/src",
       "outFiles": ["${workspaceFolder}/servers/v3-proxy-api/dist/**/*.js"]
     },
+    {
+      "type": "node",
+      "request": "attach",
+      "name": "Attach to auth-coprocessor",
+      "remoteRoot": null,
+      "port": 9229,
+      "sourceMaps": true,
+      "localRoot": "${workspaceFolder}/servers/auth-coprocessor/src",
+      "outFiles": ["${workspaceFolder}/servers/auth-coprocessor/dist/**/*.js"]
+    },
     {
       "type": "node",
       "request": "attach",

infrastructure/client-api/src/main.ts

@@ -238,6 +238,10 @@ class ClientAPI extends TerraformStack {
               name: 'OTLP_COLLECTOR_URL',
               value: `${config.tracing.url}`,
             },
+            {
+              name: 'COPROCESSOR_URL',
+              value: 'http://localhost:3007',
+            },
             {
               name: 'REDIS_ENDPOINT',
               value: cache,
@@ -266,11 +270,54 @@ class ClientAPI extends TerraformStack {
             startPeriod: 0,
           },
         },
+        {
+          name: 'coprocessor',
+          portMappings: [
+            {
+              hostPort: 3007,
+              containerPort: 3007,
+              protocol: 'tcp',
+            },
+          ],
+          envVars: [
+            {
+              name: 'PORT',
+              value: '3007',
+            },
+            {
+              name: 'APP_ENVIRONMENT',
+              value: config.isProd ? 'production' : 'development',
+            },
+          ],
+          logGroup: this.createCustomLogGroup('coprocessor'),
+          logMultilinePattern: '^\\S.+',
+          secretEnvVars: [
+            {
+              name: 'SENTRY_DSN',
+              valueFrom: `arn:aws:ssm:${region.name}:${caller.accountId}:parameter/${config.name}/${config.environment}/SENTRY_DSN`,
+            },
+          ],
+          healthCheck: {
+            command: [
+              'CMD-SHELL',
+              'curl -f http://localhost:3007/health || exit 1',
+            ],
+            interval: 15,
+            retries: 3,
+            timeout: 5,
+            startPeriod: 0,
+          },
+        },
       ],
       codeDeploy: {
         useCodeDeploy: true,
         useCodePipeline: false,
         useTerraformBasedCodeDeploy: false,
+        // Shifts 10 percent of traffic in the first increment.
+        // The remaining 90 percent is deployed five minutes later.
+        deploymentConfigName: config.isProd
+          ? 'CodeDeployDefault.ECSCanary10Percent5Minutes'
+          : 'CodeDeployDefault.ECSAllAtOnce',
         generateAppSpec: false,
         snsNotificationTopicArn: snsTopic.arn,
         successTerminationWaitTimeInMinutes: 5,
@@ -281,6 +328,7 @@ class ClientAPI extends TerraformStack {
           notifyOnSucceeded: false,
         },
       },
+      // This doesn't need to be exposed; expose only client-api
       exposedContainer: {
         name: 'app',
         port: 4001,