feat: write artifacts and persisted documents to s3 mirror (#5538)

Co-authored-by: Kamil Kisiela <[email protected]>

Author: n1ru4l

deployment/index.ts

@@ -19,7 +19,7 @@ import { deployPostgres } from './services/postgres';
 import { deployProxy } from './services/proxy';
 import { deployRateLimit } from './services/rate-limit';
 import { deployRedis } from './services/redis';
-import { deployS3 } from './services/s3';
+import { deployS3, deployS3Mirror } from './services/s3';
 import { deploySchema } from './services/schema';
 import { configureSentry } from './services/sentry';
 import { deploySentryEventsMonitor } from './services/sentry-events';
@@ -80,6 +80,7 @@ const postgres = deployPostgres();
 const redis = deployRedis({ environment });
 const kafka = deployKafka();
 const s3 = deployS3();
+const s3Mirror = deployS3Mirror();
 
 const cdn = deployCFCDN({
   s3,
@@ -240,6 +241,7 @@ const graphql = deployGraphQL({
   emails,
   supertokens,
   s3,
+  s3Mirror,
   zendesk,
   githubApp,
   sentry,

deployment/services/graphql.ts

@@ -50,6 +50,7 @@ export function deployGraphQL({
   emails,
   supertokens,
   s3,
+  s3Mirror,
   zendesk,
   docker,
   postgres,
@@ -70,6 +71,7 @@ export function deployGraphQL({
   redis: Redis;
   cdn: CDN;
   s3: S3;
+  s3Mirror: S3;
   usage: Usage;
   usageEstimator: UsageEstimator;
   dbMigrations: DbMigrations;
@@ -151,6 +153,7 @@ export function deployGraphQL({
             observability.enabled && observability.tracingEndpoint
               ? observability.tracingEndpoint
               : '',
+          S3_MIRROR: '1',
         },
         exposesMetrics: true,
         port: 4000,
@@ -193,6 +196,11 @@ export function deployGraphQL({
       .withSecret('S3_SECRET_ACCESS_KEY', s3.secret, 'secretAccessKey')
       .withSecret('S3_BUCKET_NAME', s3.secret, 'bucket')
       .withSecret('S3_ENDPOINT', s3.secret, 'endpoint')
+      // S3 Mirror
+      .withSecret('S3_MIRROR_ACCESS_KEY_ID', s3Mirror.secret, 'accessKeyId')
+      .withSecret('S3_MIRROR_SECRET_ACCESS_KEY', s3Mirror.secret, 'secretAccessKey')
+      .withSecret('S3_MIRROR_BUCKET_NAME', s3Mirror.secret, 'bucket')
+      .withSecret('S3_MIRROR_ENDPOINT', s3Mirror.secret, 'endpoint')
       // Auth
       .withSecret('SUPERTOKENS_API_KEY', supertokens.secret, 'apiKey')
       .withSecret('AUTH_GITHUB_CLIENT_ID', githubOAuthSecret, 'clientId')

deployment/services/s3.ts

@@ -21,4 +21,17 @@ export function deployS3() {
   return { secret };
 }
 
+export function deployS3Mirror() {
+  const s3Config = new pulumi.Config('s3');
+
+  const secret = new S3Secret('aws-s3', {
+    endpoint: s3Config.require('endpoint'),
+    bucket: s3Config.require('bucketName'),
+    accessKeyId: s3Config.requireSecret('accessKeyId'),
+    secretAccessKey: s3Config.requireSecret('secretAccessKey'),
+  });
+
+  return { secret };
+}
+
 export type S3 = ReturnType<typeof deployS3>;

packages/services/api/src/create.ts

@@ -107,6 +107,7 @@ export function createRegistry({
   githubApp,
   cdn,
   s3,
+  s3Mirror,
   encryptionSecret,
   feedback,
   billing,
@@ -135,6 +136,13 @@ export function createRegistry({
     secretAccessKeyId: string;
     sessionToken?: string;
   };
+  s3Mirror: {
+    bucketName: string;
+    endpoint: string;
+    accessKeyId: string;
+    secretAccessKeyId: string;
+    sessionToken?: string;
+  } | null;
   encryptionSecret: string;
   feedback: {
     token: string;
@@ -150,16 +158,31 @@ export function createRegistry({
   organizationOIDC: boolean;
   pubSub: HivePubSub;
 }) {
-  const s3Config: S3Config = {
-    client: new AwsClient({
-      accessKeyId: s3.accessKeyId,
-      secretAccessKey: s3.secretAccessKeyId,
-      sessionToken: s3.sessionToken,
-      service: 's3',
-    }),
-    bucket: s3.bucketName,
-    endpoint: s3.endpoint,
-  };
+  const s3Config: S3Config = [
+    {
+      client: new AwsClient({
+        accessKeyId: s3.accessKeyId,
+        secretAccessKey: s3.secretAccessKeyId,
+        sessionToken: s3.sessionToken,
+        service: 's3',
+      }),
+      bucket: s3.bucketName,
+      endpoint: s3.endpoint,
+    },
+  ];
+
+  if (s3Mirror) {
+    s3Config.push({
+      client: new AwsClient({
+        accessKeyId: s3Mirror.accessKeyId,
+        secretAccessKey: s3Mirror.secretAccessKeyId,
+        sessionToken: s3Mirror.sessionToken,
+        service: 's3',
+      }),
+      bucket: s3Mirror.bucketName,
+      endpoint: s3Mirror.endpoint,
+    });
+  }
 
   const artifactStorageWriter = new ArtifactStorageWriter(s3Config, logger);
 

packages/services/api/src/modules/app-deployments/providers/app-deployments.ts

@@ -388,30 +388,32 @@ export class AppDeployments {
       };
     }
 
-    const result = await this.s3.client.fetch(
-      [
-        this.s3.endpoint,
-        this.s3.bucket,
-        buildAppDeploymentIsEnabledKey(
-          appDeployment.targetId,
-          appDeployment.name,
-          appDeployment.version,
-        ),
-      ].join('/'),
-      {
-        method: 'PUT',
-        body: '1',
-        headers: {
-          'content-type': 'text/plain',
-        },
-        aws: {
-          signQuery: true,
+    for (const s3 of this.s3) {
+      const result = await s3.client.fetch(
+        [
+          s3.endpoint,
+          s3.bucket,
+          buildAppDeploymentIsEnabledKey(
+            appDeployment.targetId,
+            appDeployment.name,
+            appDeployment.version,
+          ),
+        ].join('/'),
+        {
+          method: 'PUT',
+          body: '1',
+          headers: {
+            'content-type': 'text/plain',
+          },
+          aws: {
+            signQuery: true,
+          },
         },
-      },
-    );
+      );
 
-    if (result.statusCode !== 200) {
-      throw new Error(`Failed to enable app deployment: ${result.statusMessage}`);
+      if (result.statusCode !== 200) {
+        throw new Error(`Failed to enable app deployment: ${result.statusMessage}`);
+      }
     }
 
     const updatedAppDeployment = await this.pool
@@ -527,36 +529,38 @@ export class AppDeployments {
       };
     }
 
-    const result = await this.s3.client.fetch(
-      [
-        this.s3.endpoint,
-        this.s3.bucket,
-        buildAppDeploymentIsEnabledKey(
-          appDeployment.targetId,
-          appDeployment.name,
-          appDeployment.version,
-        ),
-      ].join('/'),
-      {
-        method: 'DELETE',
-        aws: {
-          signQuery: true,
+    for (const s3 of this.s3) {
+      const result = await s3.client.fetch(
+        [
+          s3.endpoint,
+          s3.bucket,
+          buildAppDeploymentIsEnabledKey(
+            appDeployment.targetId,
+            appDeployment.name,
+            appDeployment.version,
+          ),
+        ].join('/'),
+        {
+          method: 'DELETE',
+          aws: {
+            signQuery: true,
+          },
         },
-      },
-    );
-
-    /** We receive a 204 status code if the DELETE operation was successful */
-    if (result.statusCode !== 204) {
-      this.logger.error(
-        'Failed to disable app deployment (organizationId=%s, targetId=%s, appDeploymentId=%s, statusCode=%s)',
-        args.organizationId,
-        args.targetId,
-        appDeployment.id,
-        result.statusCode,
-      );
-      throw new Error(
-        `Failed to disable app deployment. Request failed with status code "${result.statusMessage}".`,
       );
+
+      /** We receive a 204 status code if the DELETE operation was successful */
+      if (result.statusCode !== 204) {
+        this.logger.error(
+          'Failed to disable app deployment (organizationId=%s, targetId=%s, appDeploymentId=%s, statusCode=%s)',
+          args.organizationId,
+          args.targetId,
+          appDeployment.id,
+          result.statusCode,
+        );
+        throw new Error(
+          `Failed to disable app deployment. Request failed with status code "${result.statusMessage}".`,
+        );
+      }
     }
 
     await this.clickhouse.query({

packages/services/api/src/modules/app-deployments/providers/persisted-document-ingester.ts

@@ -305,9 +305,8 @@ export class PersistedDocumentIngester {
 
       tasks.push(
         this.promiseQueue.add(async () => {
-          const response = await this.s3.client.fetch(
-            [this.s3.endpoint, this.s3.bucket, s3Key].join('/'),
-            {
+          for (const s3 of this.s3) {
+            const response = await s3.client.fetch([s3.endpoint, s3.bucket, s3Key].join('/'), {
               method: 'PUT',
               headers: {
                 'content-type': 'text/plain',
@@ -317,13 +316,13 @@ export class PersistedDocumentIngester {
                 // This boolean makes Google Cloud Storage & AWS happy.
                 signQuery: true,
               },
-            },
-          );
+            });
 
-          if (response.statusCode !== 200) {
-            throw new Error(
-              `Failed to upload operation to S3: [${response.statusCode}] ${response.statusMessage}`,
-            );
+            if (response.statusCode !== 200) {
+              throw new Error(
+                `Failed to upload operation to S3: [${response.statusCode}] ${response.statusMessage}`,
+              );
+            }
           }
         }),
       );

packages/services/api/src/modules/app-deployments/worker/persisted-documents-worker.ts

@@ -27,6 +27,15 @@ export function createWorker(
         readonly sessionToken: string | undefined;
       };
     };
+    s3Mirror: {
+      readonly bucketName: string;
+      readonly endpoint: string;
+      readonly credentials: {
+        readonly accessKeyId: string;
+        readonly secretAccessKey: string;
+        readonly sessionToken: string | undefined;
+      };
+    } | null;
     clickhouse: {
       readonly host: string;
       readonly port: number;
@@ -36,16 +45,31 @@ export function createWorker(
     };
   },
 ) {
-  const s3Config: S3Config = {
-    client: new AwsClient({
-      accessKeyId: env.s3.credentials.accessKeyId,
-      secretAccessKey: env.s3.credentials.secretAccessKey,
-      sessionToken: env.s3.credentials.sessionToken,
-      service: 's3',
-    }),
-    bucket: env.s3.bucketName,
-    endpoint: env.s3.endpoint,
-  };
+  const s3Config: S3Config = [
+    {
+      client: new AwsClient({
+        accessKeyId: env.s3.credentials.accessKeyId,
+        secretAccessKey: env.s3.credentials.secretAccessKey,
+        sessionToken: env.s3.credentials.sessionToken,
+        service: 's3',
+      }),
+      bucket: env.s3.bucketName,
+      endpoint: env.s3.endpoint,
+    },
+  ];
+
+  if (env.s3Mirror) {
+    s3Config.push({
+      client: new AwsClient({
+        accessKeyId: env.s3Mirror.credentials.accessKeyId,
+        secretAccessKey: env.s3Mirror.credentials.secretAccessKey,
+        sessionToken: env.s3Mirror.credentials.sessionToken,
+        service: 's3',
+      }),
+      bucket: env.s3Mirror.bucketName,
+      endpoint: env.s3Mirror.endpoint,
+    });
+  }
 
   const logger = baseLogger.child({
     source: 'PersistedDocumentsWorker',