wip: adding new domain for api & django admin (#695)

* wip: adding new domain for api & django admin

* fix: specification of infra-libs version in package.json

* wip: changes to deploy to new domain

* feat: changes to host API on passport.xyz domain as well

* fix: removing unused file

---------

Co-authored-by: Gerald Iakobinyi-Pich <[email protected]>

api/.env-sample

@@ -8,7 +8,6 @@ DATA_MODEL_DATABASE_URL=sqlite:///db_data_model.sqlite3
 # DATABASE_URL_FOR_DOCKER=postgres://passport_scorer:passport_scorer_pwd@postgres:5432/passport_scorer
 ALLOWED_HOSTS='[]'
 TEST_MNEMONIC=test val is here ...
-UI_DOMAINS=[localhost:3000, www.localhost:3000]
 
 CELERY_BROKER_URL=redis://localhost:6379/0
 

api/scorer/settings/base.py

@@ -29,8 +29,6 @@
 
 CERAMIC_CACHE_API_KEY = env("CERAMIC_CACHE_API_KEY", default="")
 
-UI_DOMAINS = env("UI_DOMAINS", default=["localhost:3000", "www.localhost:3000"])
-
 SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env("GOOGLE_OAUTH_CLIENT_ID", default="")
 SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env("GOOGLE_CLIENT_SECRET", default="")
 

infra/aws/index.ts

@@ -25,8 +25,6 @@ import { createVerifierService } from "./verifier";
 import { createS3InitiatedECSTask } from "../lib/scorer/s3_initiated_ecs_task";
 import { stack, defaultTags, StackType } from "../lib/tags";
 
-// The following vars are not allowed to be undefined, hence the `${...}` magic
-
 //////////////////////////////////////////////////////////////
 // Loading environment variables
 //////////////////////////////////////////////////////////////
@@ -44,19 +42,21 @@ const route53ZoneForPublicData = op.read.parse(
   `op://DevOps/passport-scorer-${stack}-env/ci/ROUTE_53_ZONE_FOR_PUBLIC_DATA`
 );
 
-const rootDomain = op.read.parse(
+const legacyRootDomain = op.read.parse(
   `op://DevOps/passport-scorer-${stack}-env/ci/ROOT_DOMAIN`
 );
 
-const domain =
+const legacyDomain =
   stack == "production"
-    ? `api.scorer.${rootDomain}`
-    : `api.${stack}.scorer.${rootDomain}`;
+    ? `api.scorer.${legacyRootDomain}`
+    : `api.${stack}.scorer.${legacyRootDomain}`;
 
+// We only need the publicDataDomain for the legacyRootDomain
+// as we hope to be able to drop that before finalizing the mirgation to the new domain
 const publicDataDomain =
   stack == "production"
-    ? `public.scorer.${rootDomain}`
-    : `public.${stack}.scorer.${rootDomain}`;
+    ? `public.scorer.${legacyRootDomain}`
+    : `public.${stack}.scorer.${legacyRootDomain}`;
 
 const current = aws.getCallerIdentity({});
 const regionData = aws.getRegion({});
@@ -126,6 +126,14 @@ const vpcID = coreInfraStack.getOutput("vpcId");
 const vpcPrivateSubnetIds = coreInfraStack.getOutput("privateSubnetIds");
 const vpcPublicSubnetIds = coreInfraStack.getOutput("publicSubnetIds");
 
+const passportXyzDomainName = coreInfraStack.getOutput("passportXyzDomainName");
+const passportXyzHostedZoneId = coreInfraStack.getOutput(
+  "passportXyzHostedZoneId"
+);
+const passportXyzCertificateArn = coreInfraStack.getOutput(
+  "passportXyzCertificateArn"
+);
+
 const vpcPublicSubnetId1 = vpcPublicSubnetIds.apply((values) => values[0]);
 
 const vpcPublicSubnetId2 = vpcPublicSubnetIds.apply((values) => values[1]);
@@ -449,7 +457,7 @@ const httpsListener = HTTPS_ALB_CERT_ARN.apply(
 // Create a DNS record for the load balancer
 const www = new aws.route53.Record("scorer", {
   zoneId: route53Zone,
-  name: domain,
+  name: legacyDomain,
   type: "A",
   aliases: [
     {
@@ -665,7 +673,12 @@ const apiEnvironment = [
   },
   {
     name: "CSRF_TRUSTED_ORIGINS",
-    value: JSON.stringify([`https://${domain}`]),
+    value: passportXyzDomainName.apply((passportXyzDomainNameStr) =>
+      JSON.stringify([
+        `https://${legacyDomain}`,
+        `https://${passportXyzDomainNameStr}`,
+      ])
+    ),
   },
   {
     name: "CERAMIC_CACHE_CACAO_VALIDATION_URL",
@@ -691,13 +704,12 @@ const apiEnvironment = [
     name: "RESCORE_QUEUE_URL",
     value: rescoreQueue.url,
   },
-  {
-    name: "UI_DOMAINS",
-    value: JSON.stringify(["scorer." + rootDomain, "www.scorer." + rootDomain]),
-  },
   {
     name: "ALLOWED_HOSTS",
-    value: JSON.stringify([domain, "*"]),
+    value: passportXyzDomainName.apply((passportXyzDomainNameStr) =>
+      // TODO: geri: investigate if using '*' here is a security risk
+      JSON.stringify([legacyDomain, passportXyzDomainNameStr, "*"])
+    ),
   },
   {
     name: "VERIFIER_URL",
@@ -1266,7 +1278,7 @@ const redashHttpsListener = HTTPS_ALB_CERT_ARN.apply(
 
 const redashRecord = new aws.route53.Record("redash", {
   zoneId: route53Zone,
-  name: "redash." + domain,
+  name: "redash." + legacyDomain,
   type: "A",
   aliases: [
     {
@@ -1913,3 +1925,38 @@ const amplifyAppInfo = coreInfraStack
   });
 
 export const amplifyAppHookUrl = pulumi.secret(amplifyAppInfo.webHook.url);
+
+// Create a DNS record for the load balancer
+pulumi.all([passportXyzDomainName]).apply((passportXyzDomainNameStr) => {
+  const apiDomain = `api.${passportXyzDomainNameStr}`;
+  const apiDomainRecord = new aws.route53.Record(apiDomain, {
+    zoneId: passportXyzHostedZoneId,
+    name: "api",
+    type: "CNAME",
+    ttl: 300,
+    records: [alb.dnsName],
+  });
+
+  const redashDomain = `redash.${passportXyzDomainNameStr}`;
+  const redashRecord = new aws.route53.Record(redashDomain, {
+    zoneId: passportXyzHostedZoneId,
+    name: "redash",
+    type: "A",
+    aliases: [
+      {
+        name: redashAlb.dnsName,
+        zoneId: redashAlb.zoneId,
+        evaluateTargetHealth: true,
+      },
+    ],
+  });
+});
+
+const coreAlbPassportXyz = new aws.lb.ListenerCertificate(
+  "core-alb-passport-xyz",
+  {
+    listenerArn: httpsListener.arn,
+    certificateArn: passportXyzCertificateArn,
+  },
+  {}
+);

infra/lib/scorer/new_service.ts

@@ -45,7 +45,7 @@ export function createTargetGroup(
   vpcId: Input<string>
 ): TargetGroup {
   return new TargetGroup(name, {
-    tags: { 
+    tags: {
       ...defaultTags,
       Name: name },
     port: 80,
@@ -68,7 +68,7 @@ export function createScorerECSService({
   environment: secretsManager.EnvironmentVar[];
   secrets: pulumi.Output<secretsManager.SecretRef[]>;
   loadBalancerAlarmThresholds: AlarmConfigurations;
-}): awsx.ecs.FargateService {
+}): awsx.ecs.FargateService | undefined {
   //////////////////////////////////////////////////////////////
   // Create target group and load balancer rules
   //////////////////////////////////////////////////////////////
@@ -128,6 +128,7 @@ export function createScorerECSService({
   };
 
   const service = new awsx.ecs.FargateService(name, {
+    name: name,
     propagateTags: "TASK_DEFINITION",
     tags: { ...defaultTags, Name: name },
     cluster: config.cluster.arn,
@@ -144,7 +145,7 @@ export function createScorerECSService({
       },
     ],
     taskDefinitionArgs: {
-      tags: { name: name },
+      tags: { ...defaultTags, Name: name },
       logGroup: {
         existing: config.logGroup,
       },
@@ -914,15 +915,15 @@ export function buildHttpLambdaFn(
     function: lambdaFunction.name,
     principal: "elasticloadbalancing.amazonaws.com",
     sourceArn: lambdaTargetGroup.arn,
-    
+
   });
 
   const lambdaTargetGroupAttachment = new aws.lb.TargetGroupAttachment(
     `lambdaTargetGroupAttachment-${name}`,
     {
       targetGroupArn: lambdaTargetGroup.arn,
       targetId: lambdaFunction.arn,
-      
+
     },
     {
       dependsOn: [withLb],

infra/package.json

@@ -13,6 +13,6 @@
     "@pulumi/awsx": "^1.0.5",
     "@pulumi/command": "^0.10.0",
     "@pulumi/pulumi": "^3.79.0",
-    "infra-libs": "passportxyz/infra-libs#semver:^1.2.1"
+    "infra-libs": "passportxyz/infra-libs#semver:1.2.1"
   }
 }

infra/yarn.lock

@@ -1673,7 +1673,7 @@ inflight@^1.0.4:
     once "^1.3.0"
     wrappy "1"
 
-"infra-libs@passportxyz/infra-libs#semver:^1.2.1":
+"infra-libs@passportxyz/infra-libs#semver:1.2.1":
   version "1.0.0"
   resolved "https://codeload.github.com/passportxyz/infra-libs/tar.gz/8170b9d4286cad3ad0809c252f65fc0d36776dae"
   dependencies: