From be4e5926e000ae66bf5463e557349dbc7257a71f Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 13 Sep 2024 05:36:07 -0700 Subject: [PATCH 01/26] run s3 jobs for step functions --- infra/modules/service/events_jobs.tf | 113 +++++++++++++-------------- infra/modules/service/events_role.tf | 44 ++++++----- 2 files changed, 82 insertions(+), 75 deletions(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index f0051aa1..4a2442be 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf 
@@ -40,68 +40,67 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { target_id = "${local.cluster_name}-${each.key}" rule = aws_cloudwatch_event_rule.file_upload_jobs[each.key].name - arn = aws_ecs_cluster.cluster.arn + arn = aws_sfn_state_machine.file_upload_jobs[each.key].arn role_arn = aws_iam_role.events.arn +} - ecs_target { - task_definition_arn = aws_ecs_task_definition.app.arn - launch_type = "FARGATE" - propagate_tags = "TASK_DEFINITION" +resource "aws_sfn_state_machine" "file_upload_jobs" { + for_each = var.file_upload_jobs - # Configuring Network Configuration is required when the task definition uses the awsvpc network mode. - network_configuration { - subnets = var.private_subnet_ids - security_groups = [aws_security_group.app.id] - } - } + name = "${var.service_name}-${each.key}" + role_arn = aws_iam_role.workflow_orchestrator.arn - input_transformer { - input_paths = { - bucket_name = "$.detail.bucket.name", - object_key = "$.detail.object.key", + definition = jsonencode({ + "StartAt" : "RunTask", + "States" : { + "RunTask" : { + "Type" : "Task", + # docs: https://docs.aws.amazon.com/step-functions/latest/dg/connect-ecs.html + "Resource" : "arn:aws:states:::ecs:runTask.sync", + "Parameters" : { + "Cluster" : aws_ecs_cluster.cluster.arn, + "TaskDefinition" : aws_ecs_task_definition.app.arn, + "LaunchType" : "FARGATE", + "NetworkConfiguration" : { + "AwsvpcConfiguration" : { + "Subnets" : var.private_subnet_ids, + "SecurityGroups" : [aws_security_group.app.id], + } + }, + "Overrides" : { + "ContainerOverrides" : [ + { + "Name" : local.container_name, + "Command" : each.value.task_command + } + ] + } + }, + "End" : true + } } + }) + + logging_configuration { + log_destination = "${aws_cloudwatch_log_group.file_upload_jobs[each.key].arn}:*" + include_execution_data = true + level = "ERROR" + } - # When triggering the ECS task, override the command to run in the container to the - # command specified by the file_upload_job config. 
To do this define an input_template - # that transforms the input S3 event: - # { - # detail: { - # bucket: { name: "mybucket" }, - # object: { key: "uploaded/file/path" } - # } - # } - # to match the Amazon ECS RunTask TaskOverride structure: - # { - # containerOverrides: [{ - # name: "container_name", - # command: ["command", "to", "run"] - # }] - # } - # (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#targets-specifics-ecs-task - # and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) - # - # The task command can optionally use the bucket name or the object key in the command - # by including the placeholder values "" or "", e.g. - # { - # containerOverrides: [{ - # name: "container_name", - # command: ["process_file.sh", "--bucket", "", "--object", ""] - # }] - # } - # - # Since jsonencode will cause the string "" to turn into - # "U+003Cbucket_nameU+003E" and "" to turn into "U+003Cobject_keyU+003E", - # we need to replace the unicode characters U+003C and U+003E with < and > to reverse - # the encoding. - # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and - # https://github.com/hashicorp/terraform/pull/18871) - input_template = replace(replace(jsonencode({ - containerOverrides = [ - { - name = local.container_name, - command = each.value.task_command - } - ] - }), "\\u003c", "<"), "\\u003e", ">") + tracing_configuration { + enabled = true } } + +resource "aws_cloudwatch_log_group" "file_upload_jobs" { + for_each = var.file_upload_jobs + + name_prefix = "/aws/vendedlogs/states/${var.service_name}-${each.key}" + + # Conservatively retain logs for 5 years. + # Looser requirements may allow shorter retention periods + retention_in_days = 1827 + + # TODO(https://github.com/navapbc/template-infra/issues/164) Encrypt with customer managed KMS key + # checkov:skip=CKV_AWS_158:Encrypt service logs with customer key in future work +} 
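Review bot: Dropping the `input_transformer` removes the only path by which the S3 event's `bucket_name` and `object_key` reached the job, yet the new state machine definition still runs `each.value.task_command` verbatim, so any job whose command relied on those placeholders now runs without the object that triggered it. Keeping the command plan-time fixed is the better property (the executable command is then never drawn from execution input), so the fix is to pass the event detail through as data the container reads, e.g. `Environment` entries in the container override, rather than to template it into `Command`. `include_execution_data = true` means the `ERROR`-level vended logs carry the failing execution's input, so the log group's retention and KMS TODO cover event payloads, not only state-transition metadata; a comment saying so on `logging_configuration` would help the next reader. `aws_iam_role.workflow_orchestrator` is defined outside this diff; confirm it holds the CloudWatch Logs and X-Ray permissions that `logging_configuration` and `tracing_configuration` require.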
diff --git a/infra/modules/service/events_role.tf b/infra/modules/service/events_role.tf index 24573a2e..b91645fe 100644 --- a/infra/modules/service/events_role.tf +++ b/infra/modules/service/events_role.tf @@ -30,27 +30,35 @@ resource "aws_iam_policy" "run_task" { data "aws_iam_policy_document" "run_task" { statement { - effect = "Allow" - actions = ["ecs:RunTask"] - resources = ["${aws_ecs_task_definition.app.arn_without_revision}:*"] - condition { - test = "ArnLike" - variable = "ecs:cluster" - values = [aws_ecs_cluster.cluster.arn] + sid = "StepFunctionsEvents" + actions = [ + "events:PutTargets", + "events:PutRule", + "events:DescribeRule", + ] + resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"] + } + + dynamic "statement" { + for_each = aws_sfn_state_machine.file_upload_jobs + + content { + actions = [ + "states:StartExecution", + ] + resources = [statement.value.arn] } } - statement { - effect = "Allow" - actions = ["iam:PassRole"] - resources = [ - aws_iam_role.task_executor.arn, - aws_iam_role.app_service.arn, - ] - condition { - test = "StringLike" - variable = "iam:PassedToService" - values = ["ecs-tasks.amazonaws.com"] + dynamic "statement" { + for_each = aws_sfn_state_machine.file_upload_jobs + + content { + actions = [ + "states:DescribeExecution", + "states:StopExecution", + ] + resources = ["${statement.value.arn}:*"] } } } From d832a10c978a51c8d797b2807e53ebb94aa0f780 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 13 Sep 2024 08:43:16 -0700 Subject: [PATCH 02/26] try using detail for command --- infra/modules/service/events_jobs.tf | 51 +++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index 4a2442be..dfaf7164 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf 
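Review bot: The `events` role is the EventBridge target role, whose only job is to start the execution, but this hunk grants it `events:PutTargets`/`PutRule`/`DescribeRule` on `StepFunctionsGetEventsForStepFunctionsExecutionRule` plus `states:DescribeExecution`/`StopExecution`; those are the permissions the state machine's own role needs for the `runTask.sync` integration, so here they appear misplaced and widen the target role beyond least privilege. `"${statement.value.arn}:*"` also expands to `...:stateMachine:NAME:*`, while execution ARNs as far as I know use an `:execution:NAME:` prefix, so that statement looks both unnecessary and ineffective — verify against the ARN format before relying on it. Keeping only the `states:StartExecution` statement mirrors what the removed `ecs:RunTask`/`iam:PassRole` statements did for the previous target. Since `data "aws_iam_policy_document" "run_task"` no longer grants anything task-related, a header comment such as `# Allows EventBridge to start the per-job file_upload_jobs state machines` would stop the name from misleading.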
@@ -42,6 +42,55 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { rule = aws_cloudwatch_event_rule.file_upload_jobs[each.key].name arn = aws_sfn_state_machine.file_upload_jobs[each.key].arn role_arn = aws_iam_role.events.arn + + input_transformer { + input_paths = { + bucket_name = "$.detail.bucket.name", + object_key = "$.detail.object.key", + } + + # When triggering the ECS task, override the command to run in the container to the + # command specified by the file_upload_job config. To do this define an input_template + # that transforms the input S3 event: + # { + # detail: { + # bucket: { name: "mybucket" }, + # object: { key: "uploaded/file/path" } + # } + # } + # to match the Amazon ECS RunTask TaskOverride structure: + # { + # containerOverrides: [{ + # name: "container_name", + # command: ["command", "to", "run"] + # }] + # } + # (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#targets-specifics-ecs-task + # and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) + # + # The task command can optionally use the bucket name or the object key in the command + # by including the placeholder values "" or "", e.g. + # { + # containerOverrides: [{ + # name: "container_name", + # command: ["process_file.sh", "--bucket", "", "--object", ""] + # }] + # } + # + # Since jsonencode will cause the string "" to turn into + # "U+003Cbucket_nameU+003E" and "" to turn into "U+003Cobject_keyU+003E", + # we need to replace the unicode characters U+003C and U+003E with < and > to reverse + # the encoding. + # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and + # https://github.com/hashicorp/terraform/pull/18871) + input_template = replace(replace(jsonencode({ + containerOverrides = [ + { + command = each.value.task_command + } + ] + }), "\\u003c", "<"), "\\u003e", ">") + } } resource "aws_sfn_state_machine" "file_upload_jobs" { 
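Review bot: The template's output is now the whole execution input of `aws_sfn_state_machine.file_upload_jobs`, not an ECS `TaskOverride`, but the re-added comment still describes it as matching the RunTask `TaskOverride` structure and links the EventBridge ECS-target docs; in the same commit the definition reads `$.detail.command`, which does not exist in the `{ containerOverrides: [{ command: [...] }] }` shape this template emits. The comment should name the actual contract, e.g. `# Output of this template is the state machine's execution input; the key path must match the JSONPath used for Command in aws_sfn_state_machine.file_upload_jobs`. Dropping `name` from the override is fine only because `Name` is fixed to `local.container_name` in the definition, which is worth one line of comment as well. The enclosing `aws_cloudwatch_event_target` resource begins before this hunk.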
@@ -71,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : each.value.task_command
+ "Command" : "$.detail.command"
 }
 ]
 }
From 1cc47a0d157ff4839054fd53761d30ec222f6307 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 09:40:32 -0700
Subject: [PATCH 03/26] Take 2
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index dfaf7164..8c9efbef 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : "$.detail.command"
+ "Command" : each.value.task_command
 }
 ]
 }
From 7f87e36c8b105df128511ee384fbe9ba5f48df0b Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 10:54:00 -0700
Subject: [PATCH 04/26] use containerOverrides command
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 8c9efbef..4de1f9f5 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : each.value.task_command
+ "Command" : "$.containerOverrides[0].command"
 }
 ]
 }
From 15f623a31c3d60e5d9980bba9ed2eddf7f90bdf3 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 10:59:14 -0700
Subject: [PATCH 05/26] states array
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 4de1f9f5..c5c4ef1a 100644
--- a/infra/modules/service/events_jobs.tf
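Review bot: `"Command" : "$.detail.command"` moves the container command out of the Terraform-managed definition and into the execution input, and every later form of this line through patch 16, as well as the `"$.task_command"` form in patch 18 (reapplied in patch 22), does the same. Once the command is read from input, any principal holding `states:StartExecution` on the state machine can run an arbitrary command in the app container under the task role, whereas the plan-time `each.value.task_command` bounded execution to the configured job; EventBridge may be the only intended caller, but the state machine itself no longer enforces that. If the input-driven form is kept, say so on this line, e.g. `# Command comes from the execution input: StartExecution on this state machine implies running arbitrary commands in the app container`, and keep `states:StartExecution` granted only to the events role. The alternative that preserves the bucket/object passthrough is to leave `Command` as `each.value.task_command` and hand the S3 detail to the container through `Environment` entries in the same override.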
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : "$.containerOverrides[0].command"
+ "Command" : "States.Array($.containerOverrides[0].command)"
 }
 ]
 }
From 26c8eefd75992ce24763ee9b722ce39ffc163405 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:02:16 -0700
Subject: [PATCH 06/26] dollar sign
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index c5c4ef1a..e15444fd 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : "States.Array($.containerOverrides[0].command)"
+ "Command.$" : "States.Array($.containerOverrides[0].command)"
 }
 ]
 }
From d32b83f9481f0ca6fbf9847c71a906956b5826b0 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:14:09 -0700
Subject: [PATCH 07/26] update command syntax
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index e15444fd..36d18521 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.containerOverrides[0].command)"
+ "Command.$" : "States.Array($.ContainerOverrides[0].Command[0])"
 }
 ]
 }
From efce4e4ce00fe8ae955423e9f7a9c3f0bb61e93e Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:21:06 -0700
Subject: [PATCH 08/26] update path
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 36d18521..667d73cf 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.ContainerOverrides[0].Command[0])"
+ "Command.$" : "States.Array($.containerOverrides[0].command[*])"
 }
 ]
 }
From 58f8769143f2ab5b7f9dd883ee6b4f31105cc123 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:26:10 -0700
Subject: [PATCH 09/26] casing
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 667d73cf..b0fe2794 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.containerOverrides[0].command[*])"
+ "Command.$" : "States.Array($.ContainerOverrides[0].Command[*])"
 }
 ]
 }
From e36eff4c33c10b790f8bb85467815bf39e788e5f Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:35:07 -0700
Subject: [PATCH 10/26] take ... 4 or 5
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index b0fe2794..b2fd29f9 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.ContainerOverrides[0].Command[*])"
+ "Command.$" : "States.Array($.Overrides.ContainerOverrides[0].Command[*])"
 }
 ]
 }
From b12eba7ba92c1106f205f4141b73ff6d070b60ec Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:39:42 -0700
Subject: [PATCH 11/26] take 6
---
 infra/modules/service/events_jobs.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index b2fd29f9..1a83195e 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -84,9 +84,9 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" {
 # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and
 # https://github.com/hashicorp/terraform/pull/18871)
 input_template = replace(replace(jsonencode({
- containerOverrides = [
+ ContainerOverrides = [
 {
- command = each.value.task_command
+ Command = each.value.task_command
 }
 ]
 }), "\\u003c", "<"), "\\u003e", ">")
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.Overrides.ContainerOverrides[0].Command[*])"
+ "Command.$" : "$.Overrides.ContainerOverrides[0].Command[*]"
 }
 ]
 }
From 08f197f02d9e8dd6b9d5b84fa204fb822b22a826 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:47:34 -0700
Subject: [PATCH 12/26] less dollar sign
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 1a83195e..adbd3f4a 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "$.Overrides.ContainerOverrides[0].Command[*]"
+ "Command" : "$.Overrides.ContainerOverrides[0].Command[*]"
 }
 ]
 }
From ee238ed40d2a5b3e3b3e913a4b68396c4fe2282a Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:51:22 -0700
Subject: [PATCH 13/26] States.Array
---
 infra/modules/service/events_jobs.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index adbd3f4a..c77b4358 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -84,9 +84,9 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" {
 # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and
 # https://github.com/hashicorp/terraform/pull/18871)
 input_template = replace(replace(jsonencode({
- ContainerOverrides = [
+ containerOverrides = [
 {
- Command = each.value.task_command
+ command = each.value.task_command
 }
 ]
 }), "\\u003c", "<"), "\\u003e", ">")
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command" : "$.Overrides.ContainerOverrides[0].Command[*]"
+ "Command.$" : "g($.Overrides.ContainerOverrides[0].Command[*])"
 }
 ]
 }
From c5e49c046a573800270953555a11343c340baf2f Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 11:53:27 -0700
Subject: [PATCH 14/26] typo
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index c77b4358..b2fd29f9 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "g($.Overrides.ContainerOverrides[0].Command[*])"
+ "Command.$" : "States.Array($.Overrides.ContainerOverrides[0].Command[*])"
 }
 ]
 }
From e7e670b5e1b03e0789f022ea71ea16b0b16b946b Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 12:03:51 -0700
Subject: [PATCH 15/26] try with the actual input
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index b2fd29f9..667d73cf 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.Overrides.ContainerOverrides[0].Command[*])"
+ "Command.$" : "States.Array($.containerOverrides[0].command[*])"
 }
 ]
 }
From 3071c127d06a8a9ab797381d2baadd6990e8d3c2 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 13 Sep 2024 12:10:30 -0700
Subject: [PATCH 16/26] remove states.array
---
 infra/modules/service/events_jobs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index 667d73cf..a8c9d0e9 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -120,7 +120,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "ContainerOverrides" : [
 {
 "Name" : local.container_name,
- "Command.$" : "States.Array($.containerOverrides[0].command[*])"
+ "Command.$" : "$.containerOverrides[0].command[*]"
 }
 ]
 }
From c069abb51e5d5187e05db3d81c82c2a6ab301ae4 Mon Sep 17 00:00:00 2001
From: Kai Siren Date: Fri, 13 Sep 2024 14:30:06 -0700 Subject: [PATCH 17/26] docs --- infra/modules/service/events_jobs.tf | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index a8c9d0e9..0b056d59 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf @@ -49,9 +49,9 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { object_key = "$.detail.object.key", } - # When triggering the ECS task, override the command to run in the container to the - # command specified by the file_upload_job config. To do this define an input_template - # that transforms the input S3 event: + # When triggering the ECS task (via step functions), override the command to run in + # the container to the command specified by the file_upload_job config. To do this + # define an input_template that transforms the input S3 event: # { # detail: { # bucket: { name: "mybucket" }, @@ -119,6 +119,21 @@ resource "aws_sfn_state_machine" "file_upload_jobs" { "Overrides" : { "ContainerOverrides" : [ { + # Pull the task command out of the input data, which is shaped like so: + # + # { + # "containerOverrides": [ + # { + # "command": [ + # "" + # "" + # ... + # ] + # } + # ] + # } + # + # The syntax for parsing the input data comes from JSONPath. "Name" : local.container_name, "Command.$" : "$.containerOverrides[0].command[*]" } From 44f0d9311a9a320abd8e112cad79e8af37ee1361 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Tue, 24 Sep 2024 14:38:38 -0700 Subject: [PATCH 18/26] Simplify via task_command --- infra/modules/service/events_jobs.tf | 33 ++++------------------------ 1 file changed, 4 insertions(+), 29 deletions(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index 0b056d59..853f8b66 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf 
@@ -60,10 +60,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # } # to match the Amazon ECS RunTask TaskOverride structure: # { - # containerOverrides: [{ - # name: "container_name", - # command: ["command", "to", "run"] - # }] + # task_command = ["command", "to", "run"] # } # (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#targets-specifics-ecs-task # and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) @@ -71,10 +68,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # The task command can optionally use the bucket name or the object key in the command # by including the placeholder values "" or "", e.g. # { - # containerOverrides: [{ - # name: "container_name", - # command: ["process_file.sh", "--bucket", "", "--object", ""] - # }] + # task_command: ["process_file.sh", "--bucket", "", "--object", ""] # } # # Since jsonencode will cause the string "" to turn into @@ -84,11 +78,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and # https://github.com/hashicorp/terraform/pull/18871) input_template = replace(replace(jsonencode({ - containerOverrides = [ - { - command = each.value.task_command - } - ] + task_command = each.value.task_command }), "\\u003c", "<"), "\\u003e", ">") } } @@ -119,23 +109,8 @@ resource "aws_sfn_state_machine" "file_upload_jobs" { "Overrides" : { "ContainerOverrides" : [ { - # Pull the task command out of the input data, which is shaped like so: - # - # { - # "containerOverrides": [ - # { - # "command": [ - # "" - # "" - # ... - # ] - # } - # ] - # } - # - # The syntax for parsing the input data comes from JSONPath. "Name" : local.container_name, - "Command.$" : "$.containerOverrides[0].command[*]" + "Command.$" : "$.task_command" } ] } From 2c4fabaf525714f646821e13504bb7177009653c Mon Sep 17 00:00:00 2001 
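Review bot: The comment above `input_template` now presents `{ task_command = [...] }` as "the Amazon ECS RunTask TaskOverride structure", which it is not — it is the execution input that `"Command.$" : "$.task_command"` in the definition reads — and the two example blocks use `=` and `:` inconsistently while the EventBridge ECS-target and `API_TaskOverride` links no longer describe what the template produces. Suggest replacing that passage with a description of the input contract, e.g. `# to the execution input of aws_sfn_state_machine.file_upload_jobs, whose RunTask state reads the command from "$.task_command":`, and dropping the ECS-target links. The JSONPath explanation removed from the `ContainerOverrides` block was the only comment stating where `Command` comes from; a one-line `# Command is taken from the execution input built by the EventBridge input_transformer above` keeps that visible next to the line that matters. The enclosing resources begin before and end after these hunks.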
From: Kai Siren Date: Tue, 24 Sep 2024 15:13:26 -0700 Subject: [PATCH 19/26] Fix step functions diffs --- infra/modules/service/events_role.tf | 30 +++++++++-------------- infra/modules/service/scheduler_role.tf | 32 ++++++++++--------------- 2 files changed, 24 insertions(+), 38 deletions(-) diff --git a/infra/modules/service/events_role.tf b/infra/modules/service/events_role.tf index b91645fe..445f3faa 100644 --- a/infra/modules/service/events_role.tf +++ b/infra/modules/service/events_role.tf @@ -39,26 +39,18 @@ data "aws_iam_policy_document" "run_task" { resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"] } - dynamic "statement" { - for_each = aws_sfn_state_machine.file_upload_jobs - - content { - actions = [ - "states:StartExecution", - ] - resources = [statement.value.arn] - } + statement { + actions = [ + "states:StartExecution", + ] + resources = [for job in keys(var.file_upload_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}"] } - dynamic "statement" { - for_each = aws_sfn_state_machine.file_upload_jobs - - content { - actions = [ - "states:DescribeExecution", - "states:StopExecution", - ] - resources = ["${statement.value.arn}:*"] - } + statement { + actions = [ + "states:DescribeExecution", + "states:StopExecution", + ] + resources = [for job in keys(var.file_upload_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}:*"] } } diff --git a/infra/modules/service/scheduler_role.tf b/infra/modules/service/scheduler_role.tf index 769d7b36..7cc4774c 100644 --- a/infra/modules/service/scheduler_role.tf +++ b/infra/modules/service/scheduler_role.tf 
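Review bot: The plain `statement` blocks that replace the `dynamic` ones always emit a statement, so when `var.file_upload_jobs` is empty `resources` becomes an empty list; the `dynamic` form produced no statement in that case, and as far as I know IAM rejects a statement without resources at apply time — verify with an empty map and, if so, wrap each in `dynamic "statement"` with `for_each = length(var.file_upload_jobs) > 0 ? [1] : []`. The same applies to the two `scheduled_jobs` statements in `scheduler_role.tf` in this patch. The hand-built ARNs duplicate the `${var.service_name}-${each.key}` naming from `aws_sfn_state_machine.file_upload_jobs`, so a comment such as `# Built from var.file_upload_jobs keys rather than aws_sfn_state_machine.*.arn; must match the state machine name in events_jobs.tf` would keep the two in step. The `scheduler_role.tf` statements carry `sid`s while these do not; matching sids here would make the two policies easier to compare.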
@@ -36,26 +36,20 @@ data "aws_iam_policy_document" "scheduler" { resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"] } - dynamic "statement" { - for_each = aws_sfn_state_machine.scheduled_jobs - - content { - actions = [ - "states:StartExecution", - ] - resources = [statement.value.arn] - } + statement { + sid = "StepFunctionsExecution" + actions = [ + "states:StartExecution", + ] + resources = [for job in keys(var.scheduled_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}"] } - dynamic "statement" { - for_each = aws_sfn_state_machine.scheduled_jobs - - content { - actions = [ - "states:DescribeExecution", - "states:StopExecution", - ] - resources = ["${statement.value.arn}:*"] - } + statement { + sid = "StepFunctionsDescribeStop" + actions = [ + "states:DescribeExecution", + "states:StopExecution", + ] + resources = [for job in keys(var.scheduled_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}:*"] } } From 916b7334941edf4ea9d3b67c0491bc6341acba61 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Tue, 24 Sep 2024 15:29:51 -0700 Subject: [PATCH 20/26] meaningless commit to trigger CI --- infra/modules/service/events_jobs.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index 853f8b66..fe4e2eed 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf 
@@ -75,6 +75,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # "U+003Cbucket_nameU+003E" and "" to turn into "U+003Cobject_keyU+003E", # we need to replace the unicode characters U+003C and U+003E with < and > to reverse # the encoding. + # # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and # https://github.com/hashicorp/terraform/pull/18871) input_template = replace(replace(jsonencode({ From 4cb68214074eee5919738080c29c88a211d8bfb2 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 27 Sep 2024 12:39:17 -0700 Subject: [PATCH 21/26] Revert "Simplify via task_command" This reverts commit 44f0d9311a9a320abd8e112cad79e8af37ee1361. --- infra/modules/service/events_jobs.tf | 33 ++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index fe4e2eed..a7e0426c 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf @@ -60,7 +60,10 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # } # to match the Amazon ECS RunTask TaskOverride structure: # { - # task_command = ["command", "to", "run"] + # containerOverrides: [{ + # name: "container_name", + # command: ["command", "to", "run"] + # }] # } # (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#targets-specifics-ecs-task # and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) @@ -68,7 +71,10 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # The task command can optionally use the bucket name or the object key in the command # by including the placeholder values "" or "", e.g. # { - # task_command: ["process_file.sh", "--bucket", "", "--object", ""] + # containerOverrides: [{ + # name: "container_name", + # command: ["process_file.sh", "--bucket", "", "--object", ""] + # }] # } # # Since jsonencode will cause the string "" to turn into 
@@ -79,7 +85,11 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and # https://github.com/hashicorp/terraform/pull/18871) input_template = replace(replace(jsonencode({ - task_command = each.value.task_command + containerOverrides = [ + { + command = each.value.task_command + } + ] }), "\\u003c", "<"), "\\u003e", ">") } } @@ -110,8 +120,23 @@ resource "aws_sfn_state_machine" "file_upload_jobs" { "Overrides" : { "ContainerOverrides" : [ { + # Pull the task command out of the input data, which is shaped like so: + # + # { + # "containerOverrides": [ + # { + # "command": [ + # "" + # "" + # ... + # ] + # } + # ] + # } + # + # The syntax for parsing the input data comes from JSONPath. "Name" : local.container_name, - "Command.$" : "$.task_command" + "Command.$" : "$.containerOverrides[0].command[*]" } ] } From ed2664da15f109dd8079f765242fb3241eb89cf7 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 27 Sep 2024 12:39:44 -0700 Subject: [PATCH 22/26] Revert "Revert "Simplify via task_command"" This reverts commit 4cb68214074eee5919738080c29c88a211d8bfb2. --- infra/modules/service/events_jobs.tf | 33 ++++------------------------ 1 file changed, 4 insertions(+), 29 deletions(-) diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf index a7e0426c..fe4e2eed 100644 --- a/infra/modules/service/events_jobs.tf +++ b/infra/modules/service/events_jobs.tf @@ -60,10 +60,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" { # } # to match the Amazon ECS RunTask TaskOverride structure: # { - # containerOverrides: [{ - # name: "container_name", - # command: ["command", "to", "run"] - # }] + # task_command = ["command", "to", "run"] # } # (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#targets-specifics-ecs-task # and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) 
@@ -71,10 +68,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" {
 # The task command can optionally use the bucket name or the object key in the command
 # by including the placeholder values "" or "", e.g.
 # {
- # containerOverrides: [{
- # name: "container_name",
- # command: ["process_file.sh", "--bucket", "", "--object", ""]
- # }]
+ # task_command: ["process_file.sh", "--bucket", "", "--object", ""]
 # }
 #
 # Since jsonencode will cause the string "" to turn into
@@ -85,11 +79,7 @@ resource "aws_cloudwatch_event_target" "document_upload_jobs" {
 # (see https://developer.hashicorp.com/terraform/language/functions/jsonencode and
 # https://github.com/hashicorp/terraform/pull/18871)
 input_template = replace(replace(jsonencode({
- containerOverrides = [
- {
- command = each.value.task_command
- }
- ]
+ task_command = each.value.task_command
 }), "\\u003c", "<"), "\\u003e", ">")
 }
 }
@@ -120,23 +110,8 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 "Overrides" : {
 "ContainerOverrides" : [
 {
- # Pull the task command out of the input data, which is shaped like so:
- #
- # {
- # "containerOverrides": [
- # {
- # "command": [
- # ""
- # ""
- # ...
- # ]
- # }
- # ]
- # }
- #
- # The syntax for parsing the input data comes from JSONPath.
 "Name" : local.container_name,
- "Command.$" : "$.containerOverrides[0].command[*]"
+ "Command.$" : "$.task_command"
 }
 ]
 }
From 909da43dfa383da62874240a28ac1fde489d0bb6 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 27 Sep 2024 12:40:07 -0700
Subject: [PATCH 23/26] Revert "Fix step functions diffs"

This reverts commit 2c4fabaf525714f646821e13504bb7177009653c.
---
 infra/modules/service/events_role.tf | 30 ++++++++++++++---------
 infra/modules/service/scheduler_role.tf | 32 +++++++++++++++----------
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/infra/modules/service/events_role.tf b/infra/modules/service/events_role.tf
index 445f3faa..b91645fe 100644
--- a/infra/modules/service/events_role.tf
+++ b/infra/modules/service/events_role.tf
@@ -39,18 +39,26 @@ data "aws_iam_policy_document" "run_task" {
 resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
 }

- statement {
- actions = [
- "states:StartExecution",
- ]
- resources = [for job in keys(var.file_upload_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}"]
+ dynamic "statement" {
+ for_each = aws_sfn_state_machine.file_upload_jobs
+
+ content {
+ actions = [
+ "states:StartExecution",
+ ]
+ resources = [statement.value.arn]
+ }
 }

- statement {
- actions = [
- "states:DescribeExecution",
- "states:StopExecution",
- ]
- resources = [for job in keys(var.file_upload_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}:*"]
+ dynamic "statement" {
+ for_each = aws_sfn_state_machine.file_upload_jobs
+
+ content {
+ actions = [
+ "states:DescribeExecution",
+ "states:StopExecution",
+ ]
+ resources = ["${statement.value.arn}:*"]
+ }
 }
 }
diff --git a/infra/modules/service/scheduler_role.tf b/infra/modules/service/scheduler_role.tf
index 7cc4774c..769d7b36 100644
--- a/infra/modules/service/scheduler_role.tf
+++ b/infra/modules/service/scheduler_role.tf
@@ -36,20 +36,26 @@ data "aws_iam_policy_document" "scheduler" {
 resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
 }

- statement {
- sid = "StepFunctionsExecution"
- actions = [
- "states:StartExecution",
- ]
- resources = [for job in keys(var.scheduled_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}"]
+ dynamic "statement" {
+ for_each = aws_sfn_state_machine.scheduled_jobs
+
+ content {
+ actions = [
+ "states:StartExecution",
+ ]
+ resources = [statement.value.arn]
+ }
 }

- statement {
- sid = "StepFunctionsDescribeStop"
- actions = [
- "states:DescribeExecution",
- "states:StopExecution",
- ]
- resources = [for job in keys(var.scheduled_jobs) : "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${var.service_name}-${job}:*"]
+ dynamic "statement" {
+ for_each = aws_sfn_state_machine.scheduled_jobs
+
+ content {
+ actions = [
+ "states:DescribeExecution",
+ "states:StopExecution",
+ ]
+ resources = ["${statement.value.arn}:*"]
+ }
 }
 }
From 3f581d0f883673f029e100cb71df36e08c9f1943 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 27 Sep 2024 12:42:04 -0700
Subject: [PATCH 24/26] add job type to log group prefix

---
 infra/modules/service/events_jobs.tf | 2 +-
 infra/modules/service/scheduled_jobs.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
index fe4e2eed..af12b13f 100644
--- a/infra/modules/service/events_jobs.tf
+++ b/infra/modules/service/events_jobs.tf
@@ -135,7 +135,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
 resource "aws_cloudwatch_log_group" "file_upload_jobs" {
 for_each = var.file_upload_jobs

- name_prefix = "/aws/vendedlogs/states/${var.service_name}-${each.key}"
+ name_prefix = "/aws/vendedlogs/states/${var.service_name}-${each.key}/file-upload-jobs/"

 # Conservatively retain logs for 5 years.
 # Looser requirements may allow shorter retention periods
diff --git a/infra/modules/service/scheduled_jobs.tf b/infra/modules/service/scheduled_jobs.tf
index 27c7a352..141c28a3 100644
--- a/infra/modules/service/scheduled_jobs.tf
+++ b/infra/modules/service/scheduled_jobs.tf
@@ -75,7 +75,7 @@ resource "aws_sfn_state_machine" "scheduled_jobs" {
 resource "aws_cloudwatch_log_group" "scheduled_jobs" {
 for_each = var.scheduled_jobs

- name_prefix = "/aws/vendedlogs/states/${var.service_name}-${each.key}"
+ name_prefix = "/aws/vendedlogs/states/${var.service_name}-${each.key}/scheduled-jobs/"

 # Conservatively retain logs for 5 years.
 # Looser requirements may allow shorter retention periods
From 3287f9d5dc10d7519e081547b83706453e9d533c Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 27 Sep 2024 13:28:03 -0700
Subject: [PATCH 25/26] remove dynamic statement

---
 infra/modules/service/events_role.tf | 31 ++++++++++---------------
 infra/modules/service/scheduler_role.tf | 30 +++++++++--------------
 2 files changed, 23 insertions(+), 38 deletions(-)

diff --git a/infra/modules/service/events_role.tf b/infra/modules/service/events_role.tf
index b91645fe..61c898ef 100644
--- a/infra/modules/service/events_role.tf
+++ b/infra/modules/service/events_role.tf
@@ -39,26 +39,19 @@ data "aws_iam_policy_document" "run_task" {
 resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
 }

- dynamic "statement" {
- for_each = aws_sfn_state_machine.file_upload_jobs
-
- content {
- actions = [
- "states:StartExecution",
- ]
- resources = [statement.value.arn]
- }
+ statement {
+ actions = [
+ "states:StartExecution",
+ ]
+ resources = [for job in aws_sfn_state_machine.file_upload_jobs : "${job.arn}"]
 }

- dynamic "statement" {
- for_each = aws_sfn_state_machine.file_upload_jobs
-
- content {
- actions = [
- "states:DescribeExecution",
- "states:StopExecution",
- ]
- resources = ["${statement.value.arn}:*"]
- }
+ statement {
+ actions = [
+ "states:DescribeExecution",
+ "states:StopExecution",
+ ]
+ resources = [for job in aws_sfn_state_machine.file_upload_jobs : "${job.arn}:*"]
 }
+
 }
diff --git a/infra/modules/service/scheduler_role.tf b/infra/modules/service/scheduler_role.tf
index 769d7b36..009f057f 100644
--- a/infra/modules/service/scheduler_role.tf
+++ b/infra/modules/service/scheduler_role.tf
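Review bot: The `"${job.arn}:*"` resource on the DescribeExecution/StopExecution statement expands to `arn:aws:states:<region>:<account>:stateMachine:<name>:*`, while execution ARNs use the `:execution:<name>:<id>` form, so this statement likely matches no execution — verify against the IAM resource reference and, if the role really needs these actions, build the pattern as `"${replace(job.arn, ":stateMachine:", ":execution:")}:*"`. If this role only starts executions on behalf of EventBridge, the least-privilege option is to drop the Describe/Stop statement rather than widen it. `"${job.arn}"` on the StartExecution statement is interpolation-only syntax that Terraform warns about; `job.arn` alone is enough, and the lone added blank line before the policy document's closing brace looks unintentional. Both ARN points recur in the scheduler_role.tf hunk of this patch and in both hunks of PATCH 26.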
@@ -36,26 +36,18 @@ data "aws_iam_policy_document" "scheduler" {
 resources = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
 }

- dynamic "statement" {
- for_each = aws_sfn_state_machine.scheduled_jobs
-
- content {
- actions = [
- "states:StartExecution",
- ]
- resources = [statement.value.arn]
- }
+ statement {
+ actions = [
+ "states:StartExecution",
+ ]
+ resources = [for job in scheduled_jobs.file_upload_jobs : "${job.arn}"]
 }

- dynamic "statement" {
- for_each = aws_sfn_state_machine.scheduled_jobs
-
- content {
- actions = [
- "states:DescribeExecution",
- "states:StopExecution",
- ]
- resources = ["${statement.value.arn}:*"]
- }
+ statement {
+ actions = [
+ "states:DescribeExecution",
+ "states:StopExecution",
+ ]
+ resources = [for job in scheduled_jobs.file_upload_jobs : "${job.arn}:*"]
 }
 }
From 51350c5f91f3b84ffa411a7cf9c6e8b5ae20ff2e Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Fri, 27 Sep 2024 14:33:12 -0700
Subject: [PATCH 26/26] aws_sfn_state_machine typo

---
 infra/modules/service/scheduler_role.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infra/modules/service/scheduler_role.tf b/infra/modules/service/scheduler_role.tf
index 009f057f..fefdd07b 100644
--- a/infra/modules/service/scheduler_role.tf
+++ b/infra/modules/service/scheduler_role.tf
@@ -40,7 +40,7 @@ data "aws_iam_policy_document" "scheduler" {
 actions = [
 "states:StartExecution",
 ]
- resources = [for job in scheduled_jobs.file_upload_jobs : "${job.arn}"]
+ resources = [for job in aws_sfn_state_machine.scheduled_jobs : "${job.arn}"]
 }

 statement {
@@ -48,6 +48,6 @@ data "aws_iam_policy_document" "scheduler" {
 "states:DescribeExecution",
 "states:StopExecution",
 ]
- resources = [for job in scheduled_jobs.file_upload_jobs : "${job.arn}:*"]
+ resources = [for job in aws_sfn_state_machine.scheduled_jobs : "${job.arn}:*"]
 }
 }