Page MenuHomePhabricator

[terraform] Run automatic identity search sync cron task
ClosedPublic

Authored by will on Feb 20 2024, 7:35 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 27, 5:46 PM
Unknown Object (File)
Wed, Nov 27, 5:46 PM
Unknown Object (File)
Wed, Nov 27, 3:45 PM
Unknown Object (File)
Tue, Nov 12, 10:39 PM
Unknown Object (File)
Tue, Nov 12, 10:39 PM
Unknown Object (File)
Tue, Nov 12, 10:39 PM
Unknown Object (File)
Tue, Nov 12, 10:39 PM
Unknown Object (File)
Tue, Nov 12, 10:39 PM
Subscribers

Details

Summary

This automatically runs the identity sync-identity-search command once a day at midnight UTC

Depends on D11161

Test Plan

Just terraform applied on staging. Won't land until confirmed working functionally

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

will held this revision as a draft.
will published this revision for review.Feb 21 2024, 9:02 PM

Won't land until I've properly tested on staging

varun requested changes to this revision.Feb 22 2024, 8:35 PM

is it possible to reuse some of the resources from task_blob_cleanup.tf?

services/terraform/remote/task_sync_identity_search.tf
18 ↗(On Diff #37419)

what does identity=trace mean here?

36 ↗(On Diff #37419)

is this the right role?

This revision now requires changes to proceed.Feb 22 2024, 8:35 PM
services/terraform/remote/task_sync_identity_search.tf
18 ↗(On Diff #37419)

This is for the tracing crate. The blob task sets blob= trace to provide highest setting of verbosity. I did the same, but this can also be removed without consequence.

Given that the logs for the task don't spill anywhere else, I think it's fine we keep this?

36 ↗(On Diff #37419)

I believe so. This is the same role provided to the service_identity ecs task that grants access to dynamodb for r/w

is it possible to reuse some of the resources from task_blob_cleanup.tf?

We can move the iam policy and role for scheduling to aws_iam.tf and use them in both. Will include in next rebase

Rebase. Removing unnecessary scheduler code

In D11125#322403, @will wrote:

is it possible to reuse some of the resources from task_blob_cleanup.tf?

We can move the iam policy and role for scheduling to aws_iam.tf and use them in both. Will include in next rebase

Actually. Rethinking this. If we included the policy, we'd probably want to put all our tasks in a single file to refer to the ws_ecs_task_definitions in the Resources block. The only thing that can probably be shared is the aws_iam_role scheduler role which would then share multiple permissions for ecs. The role could be placed in aws_iam.tf

will edited the summary of this revision. (Show Details)

rebase

The role could be placed in aws_iam.tf

before landing, can you please address my inline question and move this role from task_blob_cleanup.tf to aws_iam.tf? we should also give it a more precise name than scheduler, maybe task_scheduler?

services/terraform/remote/task_sync_identity_search.tf
18 ↗(On Diff #37419)

seems fine. i was unfamiliar with "info,identity=trace,comm_lib=debug". looks like this sets the global log level to info, but the identity crate log level is trace and the comm_lib namespace log level is debug. this is probably so we can see the debug logs for the identity service without the noise from aws-sdk and other crates

36 ↗(On Diff #37419)

but doesn't your task need to read from ddb and write to the opensearch index?

This revision is now accepted and ready to land.Feb 25 2024, 6:11 PM

The role could be placed in aws_iam.tf

before landing, can you please address my inline question and move this role from task_blob_cleanup.tf to aws_iam.tf? we should also give it a more precise name than scheduler, maybe task_scheduler?

Forgot to leave a comment with the diff that address this: https://phab.comm.dev/D11161. I'll rebase it from scheduler to task-scheduler.

The role could be placed in aws_iam.tf

before landing, can you please address my inline question and move this role from task_blob_cleanup.tf to aws_iam.tf? we should also give it a more precise name than scheduler, maybe task_scheduler?

ah nvm i see you moved the role in D11161. please address the inline question, though

services/terraform/remote/task_sync_identity_search.tf
36 ↗(On Diff #37419)

On rereading my config, it looks like I'm allowing access from resources in the vpc which would include the ecs task. I'm not sure if this is too permissive and I can remove if needed.

Allowing access from any vpc resource would seemingly defeat the purpose of the Opensearch role access granted to the lambda. So we can either allow free range vpc access or limit to the role.

rebase with task_scheduler rename

services/terraform/remote/task_sync_identity_search.tf
36 ↗(On Diff #37419)

Here's a linear task tracking removal of replacing vpc-based access with role-based access as a identity search followup:
https://linear.app/comm/issue/ENG-6992/restrict-opensearch-access-by-role-rather-than-vpc-cidr-range