Merge pull request #197 from datakind/aws-migration

AWS Colandr 2.0 Migration

Author: mrmaloof

colandr/app.py

@@ -5,6 +5,7 @@
 import apiflask as af
 import flask
 import flask.logging
+from werkzeug.middleware.proxy_fix import ProxyFix
 
 from colandr import cli, config, extensions
 from colandr.api import v1
@@ -29,6 +30,20 @@ def _create_app_v1_1(
     if config_overrides:
         app.config.update(config_overrides)
 
+    # Trust X-Forwarded-Proto/Host only when the sole client is our reverse proxy.
+    # See docs/proxy-security.md: never expose port 5000 to the public.
+    app.wsgi_app = t.cast(t.Any, ProxyFix(app.wsgi_app, x_proto=1, x_host=1))
+
+    @app.before_request
+    def set_openapi_servers_from_request() -> None:
+        # Ensure Swagger "Try it out" uses the current host+scheme.
+        #
+        # In production behind nginx, ProxyFix (above) + X-Forwarded-* headers
+        # make `request.url_root` resolve to `https://api.colandrapp.com/`.
+        if flask.request.endpoint in ("openapi.docs", "openapi.spec"):
+            url_root = flask.request.url_root.rstrip("/")
+            app.config["SERVERS"] = [{"url": url_root, "description": "API"}]
+
     _configure_logging(app)
     _register_extensions(app)
     v1.register_api_blueprints(app)

compose.prod.yaml

@@ -0,0 +1,103 @@
+# compose.prod.yaml
+#
+# Standalone production Docker Compose file
+# Only includes services needed for production: api, worker, broker
+#
+# Usage:
+#   docker compose -f compose.prod.yaml up -d
+
+services:
+  # API service
+  api:
+    container_name: colandr-api
+    build:
+      context: "."
+      dockerfile: Dockerfile.api
+      target: prod
+    platform: linux/amd64
+    depends_on:
+      - broker
+      - worker
+    stop_signal: SIGINT
+    healthcheck:
+      test: [ "CMD", "curl", "--fail", "--silent", "localhost:5000/api/health" ]
+      interval: "30s"
+      timeout: "5s"
+      start_period: "15s"
+      retries: 3
+    env_file: ".env"
+    environment:
+      - FLASK_APP=colandr.app:create_app()
+      - BUILD_TARGET=prod
+      - FLASK_ENV=production
+    ports:
+      # Bind to localhost only so only the reverse proxy (e.g. nginx on this host)
+      # can reach the API. Required for ProxyFix security (see docs/proxy-security.md).
+      - "127.0.0.1:5000:5000"
+    restart: unless-stopped
+    volumes:
+      - ${COLANDR_DATA_DIR:-./colandr_data}:${COLANDR_FILESYSTEM_ROOT_DIR:-/app/data}
+      - ./scripts:/app/scripts
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # Worker service
+  worker:
+    container_name: colandr-worker
+    build:
+      context: "."
+      dockerfile: Dockerfile.worker
+      target: prod
+    platform: linux/amd64
+    depends_on:
+      - broker
+    stop_signal: SIGINT
+    healthcheck:
+      test: ["CMD-SHELL", "celery --app=make_celery.celery_app inspect ping --destination celery@$$HOSTNAME"]
+      interval: "30s"
+      timeout: "10s"
+      retries: 3
+    env_file: ".env"
+    environment:
+      - BUILD_TARGET=prod
+      - FLASK_ENV=production
+    restart: unless-stopped
+    volumes:
+      - ${COLANDR_DATA_DIR:-./colandr_data}:${COLANDR_FILESYSTEM_ROOT_DIR:-/app/data}
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # Broker (Redis)
+  broker:
+    container_name: colandr-broker
+    image: "redis:8.0"
+    restart: unless-stopped
+    stop_grace_period: 5s
+    volumes:
+      - broker-data:/data
+    healthcheck:
+      test: "redis-cli ping"
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+volumes:
+  broker-data:
+    driver: local
+  frontend-storage:
+    driver: local
+
+networks:
+  default:
+    name: "colandr-back"

compose.yml compose.yamlcompose.yml renamed to compose.yaml

@@ -126,7 +126,7 @@ services:
       - broker
     stop_signal: SIGINT
     healthcheck:
-      test: ["CMD-SHELL", "celery", "--app=make_celery.celery_app", "inspect", "ping", "--destination celery@$$HOSTNAME"]
+      test: ["CMD-SHELL", "celery --app=make_celery.celery_app inspect ping --destination celery@$$HOSTNAME"]
       interval: "30s"
       timeout: "10s"
       retries: 3