feat(deployment): use organization access tokens (#6613)

Author: n1ru4l

.changeset/sixty-chicken-swim.md

@@ -0,0 +1,11 @@
+---
+'hive': major
+---
+
+Restructure the environment variables used for the Hive Cloud hosting. While this is techincally a breaking change it will not really affect people self-hosting Hive.
+
+**Breaking**: Remove unused environment variable options `HIVE_REPORTING`, `HIVE_REPORTING_ENDPOINT` and `HIVE_USAGE_DATA_RETENTION_PURGE_INTERVAL_MINUTES` from the `server` service.
+
+These environment variables are obsolete since the Hive GraphQL schema is reported via the Hive CLI instead.
+
+**Breaking**: Replace the environment variable option `HIVE` with `HIVE_USAGE`, rename environment variable option `HIVE_API_TOKEN` to `HIVE_USAGE_ACCESS_TOKEN` for the `server` service. Require providing the `HIVE_USAGE_ACCESS_TOKEN` environment variable if `HIVE_USAGE` is set to `1`.

deployment/index.ts

@@ -33,6 +33,7 @@ import { optimizeAzureCluster } from './utils/azure-helpers';
 import { isDefined } from './utils/helpers';
 import { publishAppDeployment } from './utils/publish-app-deployment';
 import { publishGraphQLSchema } from './utils/publish-graphql-schema';
+import { ServiceSecret } from './utils/secrets';
 
 // eslint-disable-next-line no-process-env
 const imagesTag = process.env.DOCKER_IMAGE_TAG as string;
@@ -229,14 +230,17 @@ const graphql = deployGraphQL({
   observability,
 });
 
-const apiConfig = new pulumi.Config('api');
-const apiEnv = apiConfig.requireObject<Record<string, string>>('env');
+const hiveConfig = new pulumi.Config('hive');
+const hiveConfigSecret = new ServiceSecret('hive-config-secret', {
+  usageAccessToken: hiveConfig.requireSecret('cliAccessToken'),
+});
 
 const publishGraphQLSchemaCommand = publishGraphQLSchema({
   graphql,
   registry: {
     endpoint: `https://${environment.appDns}/registry`,
-    accessToken: apiEnv.HIVE_API_TOKEN,
+    accessToken: hiveConfigSecret.raw.usageAccessToken,
+    target: hiveConfig.require('target'),
   },
   version: {
     commit: imagesTag,
@@ -251,7 +255,8 @@ if (hiveAppPersistedDocumentsAbsolutePath) {
     appName: 'hive-app',
     registry: {
       endpoint: `https://${environment.appDns}/registry`,
-      accessToken: apiEnv.HIVE_API_TOKEN,
+      accessToken: hiveConfigSecret.raw.usageAccessToken,
+      target: hiveConfig.require('target'),
     },
     version: {
       commit: imagesTag,

deployment/services/graphql.ts

@@ -82,6 +82,8 @@ export function deployGraphQL({
   const apiConfig = new pulumi.Config('api');
   const apiEnv = apiConfig.requireObject<Record<string, string>>('env');
 
+  const hiveConfig = new pulumi.Config('hive');
+
   const oauthConfig = new pulumi.Config('oauth');
   const githubOAuthSecret = new AppOAuthSecret('oauth-github', {
     clientId: oauthConfig.requireSecret('githubClient'),
@@ -95,6 +97,9 @@ export function deployGraphQL({
   const persistedDocumentsSecret = new ServiceSecret('persisted-documents', {
     cdnAccessKeyId: apiConfig.requireSecret('hivePersistedDocumentsCdnAccessKeyId'),
   });
+  const hiveUsageSecret = new ServiceSecret('hive-usage', {
+    usageAccessToken: hiveConfig.requireSecret('usageAccessToken'),
+  });
 
   return (
     new ServiceDeployment(
@@ -124,15 +129,13 @@ export function deployGraphQL({
           WEBHOOKS_ENDPOINT: serviceLocalEndpoint(webhooks.service),
           SCHEMA_ENDPOINT: serviceLocalEndpoint(schema.service),
           SCHEMA_POLICY_ENDPOINT: serviceLocalEndpoint(schemaPolicy.service),
-          HIVE_USAGE_ENDPOINT: serviceLocalEndpoint(usage.service),
           EMAILS_ENDPOINT: serviceLocalEndpoint(emails.service),
           WEB_APP_URL: `https://${environment.appDns}`,
           GRAPHQL_PUBLIC_ORIGIN: `https://${environment.appDns}`,
           CDN_CF: '1',
-          HIVE: '1',
-          HIVE_REPORTING: '1',
           HIVE_USAGE: '1',
-          HIVE_REPORTING_ENDPOINT: 'http://0.0.0.0:4000/graphql',
+          HIVE_USAGE_TARGET: hiveConfig.require('target'),
+          HIVE_USAGE_ENDPOINT: serviceLocalEndpoint(usage.service),
           HIVE_PERSISTED_DOCUMENTS: '1',
           ZENDESK_SUPPORT: zendesk.enabled ? '1' : '0',
           INTEGRATION_GITHUB: '1',
@@ -206,6 +209,8 @@ export function deployGraphQL({
       .withSecret('AUTH_GITHUB_CLIENT_SECRET', githubOAuthSecret, 'clientSecret')
       .withSecret('AUTH_GOOGLE_CLIENT_ID', googleOAuthSecret, 'clientId')
       .withSecret('AUTH_GOOGLE_CLIENT_SECRET', googleOAuthSecret, 'clientSecret')
+      // Hive Usage Reporting
+      .withSecret('HIVE_USAGE_ACCESS_TOKEN', hiveUsageSecret, 'usageAccessToken')
       // Persisted Documents
       .withSecret(
         'HIVE_PERSISTED_DOCUMENTS_CDN_ACCESS_KEY_ID',

deployment/utils/publish-app-deployment.ts

@@ -1,15 +1,16 @@
 import { local } from '@pulumi/command';
 import { Secret } from '@pulumi/kubernetes/core/v1';
 import { Resource } from '@pulumi/pulumi';
+import * as pulumi from '@pulumi/pulumi';
 import { ClickhouseConnectionSecret } from '../services/clickhouse';
 import { ServiceDeployment } from './service-deployment';
 
-const dockerImage = 'ghcr.io/graphql-hive/cli:0.44.4';
+const dockerImage = 'ghcr.io/graphql-hive/cli:0.49.0';
 
 /** Publish API GraphQL schema to Hive schema registry. */
 export function publishAppDeployment(args: {
   appName: string;
-  registry: { accessToken: string; endpoint: string };
+  registry: { accessToken: pulumi.Output<string>; endpoint: string; target: string };
   version: {
     commit: string;
   };
@@ -49,13 +50,15 @@ export function publishAppDeployment(args: {
   const createCommand = new local.Command(
     `create-app-deployment-${args.appName}`,
     {
-      create:
-        `docker run --name "create-app-deployment-${args.appName}"` +
-        ` --rm -v ${args.persistedDocumentsPath}:/usr/src/app/persisted-documents.json` +
-        ` ${dockerImage}` +
-        ` app:create` +
-        ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${args.registry.accessToken}` +
-        ` --name ${args.appName} --version ${args.version.commit} ./persisted-documents.json`,
+      create: args.registry.accessToken.apply(
+        accessToken =>
+          `docker run --name "create-app-deployment-${args.appName}"` +
+          ` --rm -v ${args.persistedDocumentsPath}:/usr/src/app/persisted-documents.json` +
+          ` ${dockerImage}` +
+          ` app:create` +
+          ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${accessToken} --target ${args.registry.target}` +
+          ` --name ${args.appName} --version ${args.version.commit} ./persisted-documents.json`,
+      ),
     },
     {
       dependsOn: [wakeupCommandJob, ...(args.dependsOn || [])].filter(v => v !== null),
@@ -66,12 +69,14 @@ export function publishAppDeployment(args: {
   return new local.Command(
     `publish-app-deployment-${args.appName}`,
     {
-      create:
-        `docker run --rm --name "publish-app-deployment-${args.appName}"` +
-        ` ${dockerImage}` +
-        ` app:publish` +
-        ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${args.registry.accessToken}` +
-        ` --name ${args.appName} --version ${args.version.commit}`,
+      create: args.registry.accessToken.apply(
+        accessToken =>
+          `docker run --rm --name "publish-app-deployment-${args.appName}"` +
+          ` ${dockerImage}` +
+          ` app:publish` +
+          ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${accessToken} --target ${args.registry.target}` +
+          ` --name ${args.appName} --version ${args.version.commit}`,
+      ),
     },
     {
       dependsOn: createCommand,

deployment/utils/publish-graphql-schema.ts

@@ -1,28 +1,31 @@
 import { local } from '@pulumi/command';
+import * as pulumi from '@pulumi/pulumi';
 import type { GraphQL } from '../services/graphql';
 
-const dockerImage = 'ghcr.io/graphql-hive/cli:0.44.4';
+const dockerImage = 'ghcr.io/graphql-hive/cli:0.49.0';
 
 /** Publish API GraphQL schema to Hive schema registry. */
 export function publishGraphQLSchema(args: {
   graphql: GraphQL;
-  registry: { accessToken: string; endpoint: string };
+  registry: { accessToken: pulumi.Output<string>; endpoint: string; target: string };
   version: {
     commit: string;
   };
   schemaPath: string;
 }) {
-  const command =
+  const command = (accessToken: string) =>
     `schema:publish` +
-    ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${args.registry.accessToken}` +
+    ` --registry.endpoint ${args.registry.endpoint} --registry.accessToken ${accessToken} --target ${args.registry.target}` +
     ` --commit ${args.version.commit} --author "Hive CD" ./schema.graphqls`;
 
   return new local.Command(
     'publish-graphql-schema',
     {
-      create:
-        `docker run --name "publish-graphql-schema" -v ${args.schemaPath}:/usr/src/app/schema.graphqls ${dockerImage} ` +
-        command,
+      create: args.registry.accessToken.apply(
+        accessToken =>
+          `docker run --name "publish-graphql-schema" -v ${args.schemaPath}:/usr/src/app/schema.graphqls ${dockerImage} ` +
+          command(accessToken),
+      ),
     },
     {
       dependsOn: [args.graphql.deployment, args.graphql.service],

deployment/utils/service-deployment.ts

@@ -62,7 +62,7 @@ export class ServiceDeployment {
         };
       };
       availabilityOnEveryNode?: boolean;
-      command?: string[];
+      command?: pulumi.Input<pulumi.Input<string>[]>;
     },
     protected dependencies?: Array<pulumi.Resource | undefined | null>,
     protected parent?: pulumi.Resource | null,

packages/services/server/README.md

@@ -29,7 +29,7 @@ The GraphQL API for GraphQL Hive.
 | `CLICKHOUSE_REQUEST_TIMEOUT`                | No                                                   | Force a request timeout value for ClickHouse operations (in ms)                                          | `30000`                                              |
 | `REDIS_HOST`                                | **Yes**                                              | The host of your redis instance.                                                                         | `"127.0.0.1"`                                        |
 | `REDIS_PORT`                                | **Yes**                                              | The port of your redis instance.                                                                         | `6379`                                               |
-| `REDIS_PASSWORD`                            | **Yes**                                              | The password of your redis instance.                                                                     | `"apollorocks"`                                      |
+| `REDIS_PASSWORD`                            | **Yes**                                              | The password of your redis instance.                                                                     | `"password"`                                         |
 | `REDIS_TLS_ENABLED`                         | **No**                                               | Enable TLS for redis connection (rediss://).                                                             | `"0"`                                                |
 | `S3_ENDPOINT`                               | **Yes**                                              | The S3 endpoint.                                                                                         | `http://localhost:9000`                              |
 | `S3_ACCESS_KEY_ID`                          | **Yes**                                              | The S3 access key id.                                                                                    | `minioadmin`                                         |
@@ -89,14 +89,12 @@ The GraphQL API for GraphQL Hive.
 If you are self-hosting GraphQL Hive, you can ignore this section. It is only required for the Cloud
 version.
 
-| Name                      | Required                      | Description                            | Example Value                   |
-| ------------------------- | ----------------------------- | -------------------------------------- | ------------------------------- |
-| `COMMERCE_ENDPOINT`       | **Yes**                       | The endpoint of the commerce service.  | `http://127.0.0.1:4012`         |
-| `CDN_CF`                  | No                            | Whether the CDN is enabled.            | `1` (enabled) or `0` (disabled) |
-| `CDN_CF_BASE_URL`         | No (**Yes** if `CDN` is `1`)  | The base URL of the cdn.               | `https://cdn.graphql-hive.com`  |
-| `HIVE`                    | No                            | The internal endpoint key.             | `iliketurtles`                  |
-| `HIVE_API_TOKEN`          | No (**Yes** if `HIVE` is set) | The internal endpoint key.             | `iliketurtles`                  |
-| `HIVE_USAGE`              | No                            | The internal endpoint key.             | `1` (enabled) or `0` (disabled) |
-| `HIVE_USAGE_ENDPOINT`     | No                            | The endpoint used for usage reporting. | `http://127.0.0.1:4001`         |
-| `HIVE_REPORTING`          | No                            | The internal endpoint key.             | `iliketurtles`                  |
-| `HIVE_REPORTING_ENDPOINT` | No                            | The internal endpoint key.             | `http://127.0.0.1:4000/graphql` |
+| Name                      | Required                             | Description                                                    | Example Value                                       |
+| ------------------------- | ------------------------------------ | -------------------------------------------------------------- | --------------------------------------------------- |
+| `COMMERCE_ENDPOINT`       | **Yes**                              | The endpoint of the commerce service.                          | `http://127.0.0.1:4012`                             |
+| `CDN_CF`                  | No                                   | Whether the CDN is enabled.                                    | `1` (enabled) or `0` (disabled)                     |
+| `CDN_CF_BASE_URL`         | No (**Yes** if `CDN` is `1`)         | The base URL of the cdn.                                       | `https://cdn.graphql-hive.com`                      |
+| `HIVE_USAGE`              | No                                   | Whether usage reporting for the GraphQL API to Hive is enabled | `1` (enabled) or `0` (disabled)                     |
+| `HIVE_USAGE_TARGET`       | No (**Yes** if `HIVE` is set to `1`) | The target to which the usage data should be reported          | `the-guild/graphql-hive/development`                |
+| `HIVE_USAGE_ACCESS_TOKEN` | No (**Yes** if `HIVE` is set to `1`) | The internal endpoint key.                                     | `iliketurtles`                                      |
+| `HIVE_USAGE_ENDPOINT`     | No                                   | The endpoint used for usage reporting.                         | `http://app.graphql-hive.com/usage` (default value) |

packages/services/server/src/environment.ts

@@ -132,15 +132,12 @@ const CdnApiModel = zod.union([
 ]);
 
 const HiveModel = zod.union([
-  zod.object({ HIVE: emptyString(zod.literal('0').optional()) }),
+  zod.object({ HIVE_USAGE: emptyString(zod.literal('0').optional()) }),
   zod.object({
-    HIVE: zod.literal('1'),
-    HIVE_API_TOKEN: zod.string(),
-    HIVE_USAGE: zod.union([zod.literal('0'), zod.literal('1')]).optional(),
+    HIVE_USAGE: zod.literal('1'),
     HIVE_USAGE_ENDPOINT: zod.string().url().optional(),
-    HIVE_USAGE_DATA_RETENTION_PURGE_INTERVAL_MINUTES: emptyString(NumberFromString.optional()),
-    HIVE_REPORTING: zod.union([zod.literal('0'), zod.literal('1')]).optional(),
-    HIVE_REPORTING_ENDPOINT: zod.string().url().optional(),
+    HIVE_USAGE_TARGET: zod.string(),
+    HIVE_USAGE_ACCESS_TOKEN: zod.string(),
   }),
 ]);
 
@@ -330,18 +327,12 @@ const zendeskSupport = extractConfig(configs.zendeskSupport);
 const tracing = extractConfig(configs.tracing);
 const hivePersistedDocuments = extractConfig(configs.hivePersistedDocuments);
 
-const hiveConfig =
-  hive.HIVE === '1'
+const hiveUsageConfig =
+  hive.HIVE_USAGE === '1'
     ? {
-        token: hive.HIVE_API_TOKEN,
-        reporting:
-          hive.HIVE_REPORTING === '1' ? { endpoint: hive.HIVE_REPORTING_ENDPOINT ?? null } : null,
-        usage:
-          hive.HIVE_USAGE === '1'
-            ? {
-                endpoint: hive.HIVE_USAGE_ENDPOINT ?? null,
-              }
-            : null,
+        target: hive.HIVE_USAGE_TARGET,
+        token: hive.HIVE_USAGE_ACCESS_TOKEN,
+        endpoint: hive.HIVE_USAGE_ENDPOINT ?? null,
       }
     : null;
 
@@ -353,7 +344,7 @@ const hivePersistedDocumentsConfig =
       }
     : null;
 
-export type HiveConfig = typeof hiveConfig;
+export type HiveUsageConfig = typeof hiveUsageConfig;
 export type HivePersistedDocumentsConfig = typeof hivePersistedDocumentsConfig;
 
 export const env = {
@@ -511,7 +502,7 @@ export const env = {
           port: prometheus.PROMETHEUS_METRICS_PORT ?? 10_254,
         }
       : null,
-  hive: hiveConfig,
+  hive: hiveUsageConfig,
   hivePersistedDocuments: hivePersistedDocumentsConfig,
   graphql: {
     origin: base.GRAPHQL_PUBLIC_ORIGIN,

packages/services/server/src/graphql-handler.ts

@@ -29,7 +29,7 @@ import { cleanRequestId, type TracingInstance } from '@hive/service-common';
 import { runWithAsyncContext } from '@sentry/node';
 import { AuthN, Session } from '../../api/src/modules/auth/lib/authz';
 import { asyncStorage } from './async-storage';
-import type { HiveConfig, HivePersistedDocumentsConfig } from './environment';
+import type { HivePersistedDocumentsConfig, HiveUsageConfig } from './environment';
 import { useArmor } from './use-armor';
 import { extractUserId, useSentryUser } from './use-sentry-user';
 
@@ -49,7 +49,7 @@ export interface GraphQLHandlerOptions {
     apiKey: string;
   };
   isProduction: boolean;
-  hiveConfig: HiveConfig;
+  hiveUsageConfig: HiveUsageConfig;
   hivePersistedDocumentsConfig: HivePersistedDocumentsConfig;
   release: string;
   logger: FastifyBaseLogger;
@@ -167,22 +167,25 @@ export const graphqlHandler = (options: GraphQLHandlerOptions): RouteHandlerMeth
       })),
       useHive({
         debug: true,
-        enabled: !!options.hiveConfig,
-        token: options.hiveConfig?.token ?? '',
-        usage: {
-          endpoint: options.hiveConfig?.usage?.endpoint ?? undefined,
-          clientInfo(ctx: { req: FastifyRequest; reply: FastifyReply }) {
-            const name = ctx.req.headers['graphql-client-name'] as string;
-            const version = (ctx.req.headers['graphql-client-version'] as string) ?? 'missing';
+        enabled: !!options.hiveUsageConfig,
+        token: options.hiveUsageConfig?.token ?? '',
+        usage: options.hiveUsageConfig
+          ? {
+              target: options.hiveUsageConfig.target,
+              endpoint: options.hiveUsageConfig.endpoint ?? undefined,
+              clientInfo(ctx: { req: FastifyRequest; reply: FastifyReply }) {
+                const name = ctx.req.headers['graphql-client-name'] as string;
+                const version = (ctx.req.headers['graphql-client-version'] as string) ?? 'missing';
 
-            if (name) {
-              return { name, version };
-            }
+                if (name) {
+                  return { name, version };
+                }
 
-            return null;
-          },
-          exclude: ['readiness'],
-        },
+                return null;
+              },
+              exclude: ['readiness'],
+            }
+          : false,
         experimental__persistedDocuments: options.hivePersistedDocumentsConfig
           ? {
               cdn: {

packages/services/server/src/index.ts

@@ -445,7 +445,7 @@ export async function main() {
       },
       isProduction: env.environment !== 'development',
       release: env.release,
-      hiveConfig: env.hive,
+      hiveUsageConfig: env.hive,
       hivePersistedDocumentsConfig: env.hivePersistedDocuments,
       tracing,
       logger: logger as any,