DOP-2764 Invalidating CDN (#606)

* DOP-2674 Cache Invalidation

* 

* DOP-2713: Add environment information to slack notifications to help with troubleshooting (#610)

Co-authored-by: Grace Chong <grace.chong@mongodb.com>

Co-authored-by: Cassidy Schaufele <cassidyschaufele@gmail.com>
Co-authored-by: gjchong25 <gjchong25@gmail.com>
Co-authored-by: Grace Chong <grace.chong@mongodb.com>

Author: 4 people

api/config/custom-environment-variables.json

@@ -19,5 +19,7 @@
       "id": "FASTLY_DOCHUB_SERVICE_ID",
       "token": "FASTLY_DOCHUB_TOKEN"
     }
-  }
+  },
+  "cdnClientID": "CDN_CLIENT_ID",
+  "cdnClientSecret": "CDN_CLIENT_SECRET"
 }

api/config/default.json

@@ -20,7 +20,7 @@
   "maxRetries": 3,
   "retryDelay": 60,
   "commandOverride": ["node", "onDemandApp.js"],
-  "subnets": ["subnet-8c3623f6", "subnet-a4ac73cf", "subnet-9e83fed2"],
+  "subnets": ["subnet-0a142842e8f13a042", "subnet-0fba568cfd3839eee"],
   "parallel": {
     "enabled": true,
     "stg": {
@@ -43,5 +43,22 @@
       "id": "FASTLY_DOCHUB_SERVICE_ID",
       "token": "FASTLY_DOCHUB_TOKEN"
     }
-  }
+  },
+  "prodDeploy": {
+    "restrictedProdDeploy": true,
+    "entitledSlackUsers": [
+      "U0V6H55D2",
+      "U0V2WGRFC",
+      "U01S32X6GJV",
+      "URF5PJS6Q",
+      "U02HJ4P5MJS",
+      "U015S53G8TT",
+      "U01QVEWPL5B",
+      "UKF72EJRF"
+    ]
+  },
+  "cdnInvalidationOauthScope": "mongodbcom-docs",
+  "oauthTokenURL": "https://corp.mongodb.com/oauth2/aus4k4jv00hWjNnps297/v1/token",
+  "grantType": "client_credentials",
+  "oauthTokenPath": "docs/worker_pool/cdn/invalidator/token"
 }

api/controllers/v1/jobs.ts

@@ -166,9 +166,9 @@ async function prepSummaryMessage(
     msg = `Your Job <${jobUrl}${jobId}|Failed>! Please check the build log for any errors.\n- Repo:*${repoName}*\n- Branch:*${fullDocument.payload.branchName}*\n- urlSlug: *${fullDocument.payload.urlSlug}*\n- Env:*${env}*\n Check logs for more errors!!\nSorry  :disappointed:! `;
   } else {
     if (repoName == 'mms-docs') {
-      msg = `Your Job <${jobUrl}${jobId}|Completed>! \n- Repo:*${repoName}*\n- Branch:*${fullDocument.payload.branchName}*\n- urlSlug: *${fullDocument.payload.urlSlug}*\n- Env:*${env}*\n*Urls*\n   *CM*:<${mms_urls[0]}|Cloud Manager> \n   *OPM*:<${mms_urls[1]}|OPS Manager> \nEnjoy  :smile:!`;
+      msg = `Your Job <${jobUrl}${jobId}|Completed>! \n- Repo:*${repoName}*\n- Branch:*${fullDocument.payload.branchName}*\n- urlSlug: *${fullDocument.payload.urlSlug}*\n- Env:*${env}*\n*Urls*\n   *CM*:<${mms_urls[0]}|Cloud Manager> \n   *OPM*:<${mms_urls[1]}|OPS Manager>\n- InvalidationStatus:<${fullDocument.invalidationStatusURL}|Status> \nEnjoy  :smile:!`;
     } else {
-      msg = `Your Job <${jobUrl}${jobId}|Completed>! \n- Repo:*${repoName}*\n- Branch:*${fullDocument.payload.branchName}*\n- urlSlug: *${fullDocument.payload.urlSlug}*\n- Env:*${env}*\n- Url:<${url}|${repoName}> \nEnjoy  :smile:!`;
+      msg = `Your Job <${jobUrl}${jobId}|Completed>! \n- Repo:*${repoName}*\n- Branch:*${fullDocument.payload.branchName}*\n- urlSlug: *${fullDocument.payload.urlSlug}*\n- Env:*${env}*\n- Url:<${url}|${repoName}>\n- InvalidationStatus:<${fullDocument.invalidationStatusURL}|Status> \nEnjoy  :smile:!`;
     }
   }
   // Removes instances of two or more periods
@@ -177,15 +177,16 @@ async function prepSummaryMessage(
 
 function prepProgressMessage(jobUrl: string, jobId: string, jobTitle: string, status: string): string {
   const msg = `Your Job (<${jobUrl}${jobId}|${jobTitle}>) `;
+  const env = c.get<string>('env');
   switch (status) {
     case 'inQueue':
-      return msg + 'has successfully been added to the queue.';
+      return msg + 'has successfully been added to the ' + env + ' queue.';
     case 'inProgress':
       return msg + 'is now being processed.';
     case 'completed':
       return msg + 'has successfully completed.';
     case 'failed':
-      return msg + 'has failed and will not be placed back in the queue.';
+      return msg + 'has failed and will not be placed back in the ' + env + ' queue.';
     default:
       return msg + 'has been updated to an unsupported status.';
   }

api/controllers/v1/slack.ts

@@ -10,6 +10,11 @@ function isUserEntitled(entitlementsObject: any): boolean {
   return (entitlementsObject?.repos?.length ?? 0) > 0;
 }
 
+function isRestrictedToDeploy(userId: string): boolean {
+  const { restrictedProdDeploy, entitledSlackUsers } = c.get<any>('prodDeploy');
+  return restrictedProdDeploy && !entitledSlackUsers.includes(userId);
+}
+
 function prepReponse(statusCode, contentType, body) {
   return {
     statusCode: statusCode,
@@ -61,8 +66,12 @@ export const DisplayRepoOptions = async (event: any = {}, context: any = {}): Pr
   const branchRepository = new BranchRepository(db, c, consoleLogger);
   const key_val = getQSString(event.body);
   const entitlement = await repoEntitlementRepository.getRepoEntitlementsBySlackUserId(key_val['user_id']);
-  if (!isUserEntitled(entitlement)) {
-    return prepReponse(401, 'text/plain', 'User is not entitled!');
+  if (!isUserEntitled(entitlement) || isRestrictedToDeploy(key_val['user_id'])) {
+    const { restrictedProdDeploy } = c.get<any>('prodDeploy');
+    const response = restrictedProdDeploy
+      ? 'Production freeze in place - please notify DOP if seeing this past 3/26'
+      : 'User is not entitled!';
+    return prepReponse(401, 'text/plain', response);
   }
   const entitledBranches = await buildEntitledBranchList(entitlement, branchRepository);
   const resp = await slackConnector.displayRepoOptions(entitledBranches, key_val['trigger_id']);
@@ -78,12 +87,7 @@ export const DisplayRepoOptions = async (event: any = {}, context: any = {}): Pr
   };
 };
 
-async function deployRepo(
-  deployable: Array<any>,
-  logger: ILogger,
-  jobRepository: JobRepository,
-  jobQueueUrl
-) {
+async function deployRepo(deployable: Array<any>, logger: ILogger, jobRepository: JobRepository, jobQueueUrl) {
   try {
     await jobRepository.insertJBulkJobs(deployable, jobQueueUrl);
   } catch (err) {
@@ -92,14 +96,22 @@ async function deployRepo(
 }
 
 // Used solely for adding parallel deploy jobs to another array
-const parallelPrefixDeployHelper = (deployable, payload, jobTitle, jobUserName, jobUserEmail, parallelPrefix = undefined, parallelDeployable = []) => {
+const parallelPrefixDeployHelper = (
+  deployable,
+  payload,
+  jobTitle,
+  jobUserName,
+  jobUserEmail,
+  parallelPrefix = undefined,
+  parallelDeployable = []
+) => {
   deployable.push(createJob({ ...payload }, jobTitle, jobUserName, jobUserEmail));
   if (parallelPrefix) {
     const parallelPayload = { ...payload };
     parallelPayload.prefix = parallelPrefix;
     parallelDeployable.push(createJob(parallelPayload, jobTitle, jobUserName, jobUserEmail));
-  } 
-}
+  }
+};
 
 export const DeployRepo = async (event: any = {}, context: any = {}): Promise<any> => {
   const consoleLogger = new ConsoleLogger();
@@ -185,7 +197,15 @@ export const DeployRepo = async (event: any = {}, context: any = {}): Promise<an
       if (non_versioned) {
         newPayload.urlSlug = '';
       }
-      parallelPrefixDeployHelper(deployable, newPayload, jobTitle, jobUserName, jobUserEmail, parallelPrefix, parallelDeployable);
+      parallelPrefixDeployHelper(
+        deployable,
+        newPayload,
+        jobTitle,
+        jobUserName,
+        jobUserEmail,
+        parallelPrefix,
+        parallelDeployable
+      );
       jobCount += 1;
     }
     //if this is stablebranch, we want autobuilder to know this is unaliased branch and therefore can reindex for search
@@ -202,16 +222,40 @@ export const DeployRepo = async (event: any = {}, context: any = {}): Promise<an
       // we use the primary alias for indexing search, not the original branch name (ie 'master'), for aliased repos
       if (urlSlug) {
         newPayload.urlSlug = urlSlug;
-        parallelPrefixDeployHelper(deployable, newPayload, jobTitle, jobUserName, jobUserEmail, parallelPrefix, parallelDeployable);
+        parallelPrefixDeployHelper(
+          deployable,
+          newPayload,
+          jobTitle,
+          jobUserName,
+          jobUserEmail,
+          parallelPrefix,
+          parallelDeployable
+        );
         jobCount += 1;
       }
       if (non_versioned) {
         newPayload.urlSlug = '';
-        parallelPrefixDeployHelper(deployable, newPayload, jobTitle, jobUserName, jobUserEmail, parallelPrefix, parallelDeployable);
+        parallelPrefixDeployHelper(
+          deployable,
+          newPayload,
+          jobTitle,
+          jobUserName,
+          jobUserEmail,
+          parallelPrefix,
+          parallelDeployable
+        );
         jobCount += 1;
       } else if (publishOriginalBranchName) {
         newPayload.urlSlug = branchName;
-        parallelPrefixDeployHelper(deployable, newPayload, jobTitle, jobUserName, jobUserEmail, parallelPrefix, parallelDeployable);
+        parallelPrefixDeployHelper(
+          deployable,
+          newPayload,
+          jobTitle,
+          jobUserName,
+          jobUserEmail,
+          parallelPrefix,
+          parallelDeployable
+        );
         jobCount += 1;
       }
       aliases.forEach(async (alias) => {
@@ -220,7 +264,15 @@ export const DeployRepo = async (event: any = {}, context: any = {}): Promise<an
           newPayload.stable = '';
           newPayload.urlSlug = alias;
           newPayload.primaryAlias = primaryAlias;
-          parallelPrefixDeployHelper(deployable, newPayload, jobTitle, jobUserName, jobUserEmail, parallelPrefix, parallelDeployable);
+          parallelPrefixDeployHelper(
+            deployable,
+            newPayload,
+            jobTitle,
+            jobUserName,
+            jobUserEmail,
+            parallelPrefix,
+            parallelDeployable
+          );
           jobCount += 1;
         }
       });

config/custom-environment-variables.json

@@ -52,5 +52,8 @@
       "id": "FASTLY_MAIN_SERVICE_ID",
       "token": "FASTLY_MAIN_TOKEN"
     }
-  }
+  },
+  "cdnClientID": "CDN_CLIENT_ID",
+  "cdnClientSecret": "CDN_CLIENT_SECRET",
+  "cdnInvalidatorServiceURL": "CDN_INVALIDATOR_SERVICE_URL"
 }

config/default.json

@@ -78,5 +78,9 @@
       "token": "FASTLY_MAIN_TOKEN"
     }
   },
-  "repo_dir": "repos"
+  "repo_dir": "repos",
+  "cdnInvalidationOauthScope": "mongodbcom-docs",
+  "oauthTokenURL": "https://corp.mongodb.com/oauth2/aus4k4jv00hWjNnps297/v1/token",
+  "grantType": "client_credentials",
+  "oauthTokenPath": "docs/worker_pool/cdn/invalidator/token"
 }

infrastructure/ecs-main/ecs_service.yml

@@ -2,7 +2,7 @@ Resources:
   SecurityGroupVPC:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:
-      VpcId: vpc-781fab13
+      VpcId: vpc-03701c29a3408c714
       GroupDescription: 'Security group to VPC'
 
   ECSCluster:
@@ -102,6 +102,13 @@ Resources:
               Value: ${self:custom.jobsQueueUrl}
             - Name: JOB_UPDATES_QUEUE_URL
               Value: ${self:custom.jobUpdatesQueueUrl}
+            - Name: CDN_CLIENT_ID
+              Value: ${self:custom.cdnClientID}
+            - Name: CDN_CLIENT_SECRET
+              Value: ${self:custom.cdnClientSecret}
+            - Name: CDN_INVALIDATOR_SERVICE_URL
+              Value: ${self:custom.cdnInvalidatorServiceURL.${self:provider.stage}} 
+
           LogConfiguration:
             LogDriver: awslogs
             Options:
@@ -146,4 +153,12 @@ Resources:
                   Resource: 
                     - 'arn:aws:sqs:us-east-2:216656347858:autobuilder-job-updates-queue-${self:provider.stage}'
                     - 'arn:aws:sqs:us-east-2:216656347858:autobuilder-jobs-queue-${self:provider.stage}'
+          - PolicyName: AllowSSMAccess
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - 'ssm:GetParameter'
+                  Resource: "*"
 

infrastructure/ecs-main/serverless.yml

@@ -12,6 +12,8 @@ provider:
         - "s3:DeleteObject"
         - "s3:PutObject"
         - "sqs:SendMessage"
+        - "ssm:PutParameter"
+        - "ssm:GetParameter"
       Resource:
         - "*"
     - Effect: Allow
@@ -27,9 +29,8 @@ provider:
       - 'Fn::GetAtt':
           - GroupId
     subnetIds:
-      - subnet-8c3623f6
-      - subnet-a4ac73cf
-      - subnet-9e83fed2
+      - subnet-0a142842e8f13a042
+      - subnet-0fba568cfd3839eee
 custom:
   deploymentBucket:
     dev: worker-pool-deployment
@@ -41,17 +42,17 @@ custom:
     port: '80'
     imageUrl: ${self:custom.accountId.${self:provider.stage}}.dkr.ecr.us-east-2.amazonaws.com/${self:service}-${self:provider.stage}:latest
     containerCpu:
-      dev: '4096'
-      stg: '4096'
-      prd: '4096'
-      dotcomstg: '4096'
-      dotcomprd: '4096'
+      dev: '2048'
+      stg: '2048'
+      prd: '2048'
+      dotcomstg: '2048'
+      dotcomprd: '2048'
     containerMemory:
-      dev: '24576'
-      stg: '24576'
-      prd: '24576'
-      dotcomstg: '24576'
-      dotcomprd: '24576'
+      dev: '8192'
+      stg: '8192'
+      prd: '8192'
+      dotcomstg: '8192'
+      dotcomprd: '8192'
     desiredCount:
       dev: '4'
       stg: '4'
@@ -125,14 +126,27 @@ custom:
   entitlementCollection: ${ssm:/env/${self:provider.stage}/docs/worker_pool/atlas/collections/user/entitlements}
   jobsQueueUrl: ${docs-worker-pool-api-${self:provider.stage}.JobsQueueURL}
   jobUpdatesQueueUrl: ${docs-worker-pool-api-${self:provider.stage}.JobsUpdateQueueURL}
+  cdnClientID: ${ssm:/env/${self:provider.stage}/docs/worker_pool/cdn/client/id}
+  cdnClientSecret: ${ssm:/env/${self:provider.stage}/docs/worker_pool/cdn/client/secret}
+  cdnInvalidatorServiceURL: 
+    stg: https://cdnvalidator.devops.staging.corp.mongodb.com/api/v1beta1/distributions/${self:custom.distributionName.${self:provider.stage}}/invalidations
+    prd: https://cdnvalidator.devops.prod.corp.mongodb.com/api/v1beta1/distributions/${self:custom.distributionName.${self:provider.stage}}/invalidations
+    dotcomstg: https://cdnvalidator.devops.staging.corp.mongodb.com/api/v1beta1/distributions/${self:custom.distributionName.${self:provider.stage}}/invalidations
+    dotcomprd: https://cdnvalidator.devops.staging.corp.mongodb.com/api/v1beta1/distributions/${self:custom.distributionName.${self:provider.stage}}/invalidations
+    dev: https://cdnvalidator.devops.staging.corp.mongodb.com/api/v1beta1/distributions/${self:custom.distributionName.${self:provider.stage}}/invalidations
+  distributionName:
+    stg: mongodbcom-staging-docs
+    dotcomstg: mongodbcom-staging-docs
+    dev: mongodbcom-staging-docs
+    dotcomprd: mongodbcom-prod-docs
+    prd: mongodbcom-prod-docs
   env:
     stg: "staging"
     prd: "production"
     dev: "staging"
     dotcomstg: "dotcomstg"
     dotcomprd: "dotcomprd"
 
-
 resources:
   - ${file(./buckets.yml)}
   - ${file(./ecs_service.yml)}