Merge branch 'main' into feat/manage_resource_view

uw-ssec · Nov 12, 2024 · 69aa695 · 69aa695
2 parents c0fbf29 + 93ca6e7
commit 69aa695
Show file tree

Hide file tree

Showing 71 changed files with 12,552 additions and 2,716 deletions.
diff --git a/.github/workflows/run-dev-server.yml b/.github/workflows/run-dev-server.yml
@@ -0,0 +1,27 @@
+# Runs the dev server with server code that's in the main branch
+name: Run Dev Server
+on:
+  workflow_dispatch:
+  workflow_call:
+env:
+  AWS_REGION : "us-west-2"
+# permission can be added at job level or workflow level
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+jobs:
+  start-dev-server:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone the repository
+        uses: actions/checkout@v4
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          role-to-assume: arn:aws:iam::871683513797:role/supportsphere-laurelhurst-github-scaling-role
+          role-session-name: github-workflow-run
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Run the server
+        run: |
+          pip3 install boto3
+          python3 ./scripts/run-cloud-server.py --scale-up --github
diff --git a/.github/workflows/webpreview.yaml b/.github/workflows/webpreview.yaml
@@ -6,6 +6,8 @@ on:
   #   types: [labeled, synchronize]
 
 jobs:
+  call-run-server:
+    uses: uw-ssec/post-disaster-comms/.github/workflows/run-dev-server.yml@main
   add-preview:
     runs-on: ubuntu-latest
     # This workflow accesses secrets and checks out a PR, so only run if labelled
@@ -25,7 +27,8 @@ jobs:
       with:
         channel: stable
     - run: flutter pub get
-    - run: flutter build web --web-renderer html
+    # original values are in deployment/values.cloud.yaml
+    - run: flutter build web --web-renderer html --dart-define=SUPABASE_ANON_KEY=${{ secrets.CLOUD_DB_JWT_ANON_KEY}} --dart-define=SUPABASE_URL=${{ secrets.CLOUD_DB_URL}} 
 
     - name: Deploy Website Preview
       if: always()

diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -0,0 +1,13 @@
+ version: 2
+
+ build:
+   os: ubuntu-24.04
+   tools:
+     python: "3"
+
+ python:
+   install:
+     - requirements: docs/requirements.txt
+
+ mkdocs:
+   configuration: mkdocs.yml
diff --git a/README.md b/README.md
@@ -163,7 +163,7 @@ pixi run cloud-destroy
 
 ### Run the development server
 
-Right now, this server does nothing. TODO: fix that as part of these issues ([1](https://github.com/uw-ssec/post-disaster-comms/issues/38) and [2](https://github.com/uw-ssec/post-disaster-comms/issues/40))
+This will start up the development server and populate it with sample data.
 
 ```
 pixi run cloud-server-run

diff --git a/deployment/cloud/aws/account/main.tf b/deployment/cloud/aws/account/main.tf
@@ -49,6 +49,18 @@ resource "aws_s3_bucket_public_access_block" "example" {
   restrict_public_buckets = true
 }
 
+# OIDC provider for GitHub Actions
+
+resource "aws_iam_openid_connect_provider" "this" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = ["sts.amazonaws.com"]
+
+  # thumbprint set to all f's because it is unused when OIDC is connecting to IAM
+  # source: https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#configuring-iam-to-trust-github
+  thumbprint_list = ["ffffffffffffffffffffffffffffffffffffffff"]
+}
+
 # deploy role
 resource "aws_iam_role" "deploy" {
   name        = "${var.account_resource_prefix}-deploy"
@@ -76,7 +88,7 @@ resource "aws_iam_role" "deploy" {
   ]
 }
 
-resource "aws_iam_policy" "this" {
+resource "aws_iam_policy" "tf_state_access" {
   name = "${var.account_resource_prefix}-tf-state-access"
   policy = jsonencode({
     Version = "2012-10-17",
@@ -180,7 +192,7 @@ resource "aws_iam_group_policy_attachment" "readonly" {
   policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
 
-resource "aws_iam_group_policy_attachment" "this" {
+resource "aws_iam_group_policy_attachment" "tf_state_access" {
   group      = aws_iam_group.this.name
   policy_arn = aws_iam_policy.tf_state_access.arn
 }
diff --git a/deployment/cloud/aws/infrastructure/main.tf b/deployment/cloud/aws/infrastructure/main.tf
@@ -59,13 +59,21 @@ provider "aws" {
   }
 }
 
+data "aws_iam_openid_connect_provider" "github" {
+  arn = "arn:aws:iam::${var.account_id}:oidc-provider/token.actions.githubusercontent.com"
+}
+
 module "keys" {
   source = "./modules/keys"
 
   resource_prefix = local.resource_prefix
   stage           = var.stage
   ops_group_name  = var.ops_group_name
 
+  github_oidc_provider_arn = data.aws_iam_openid_connect_provider.github.arn
+  github_organization      = var.github_organization
+  github_repo              = var.github_repo
+
   providers = {
     aws      = aws
     aws.east = aws.east
@@ -90,6 +98,10 @@ module "ops-roles" {
   stage                 = var.stage
   ops_group_name        = var.ops_group_name
   autoscaling_group_arn = module.server.autoscaling_group_arn
+
+  github_oidc_provider_arn = data.aws_iam_openid_connect_provider.github.arn
+  github_organization      = var.github_organization
+  github_repo              = var.github_repo
 }
 
 resource "aws_resourcegroups_group" "this" {

diff --git a/deployment/cloud/aws/infrastructure/modules/keys/main.tf b/deployment/cloud/aws/infrastructure/modules/keys/main.tf
@@ -44,9 +44,8 @@ data "aws_iam_group" "this" {
   group_name = var.ops_group_name
 }
 
-resource "aws_iam_group_policy" "this" {
-  name  = "${var.resource_prefix}-kms-key-policy"
-  group = var.ops_group_name
+resource "aws_iam_policy" "this" {
+  name = "${var.resource_prefix}-kms-key-policy"
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -64,4 +63,38 @@ resource "aws_iam_group_policy" "this" {
       }
     ]
   })
+}
+
+resource "aws_iam_group_policy_attachment" "this" {
+  group      = var.ops_group_name
+  policy_arn = aws_iam_policy.this.arn
+}
+
+resource "aws_iam_role" "this" {
+  name = "${var.resource_prefix}-kms-key-role-github"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Federated = var.github_oidc_provider_arn
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+          },
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" : "repo:${var.github_organization}/${var.github_repo}:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role       = aws_iam_role.this.name
+  policy_arn = aws_iam_policy.this.arn
 }
diff --git a/deployment/cloud/aws/infrastructure/modules/keys/variables.tf b/deployment/cloud/aws/infrastructure/modules/keys/variables.tf
@@ -16,4 +16,19 @@ variable "stage" {
 variable "ops_group_name" {
   description = "The name of the admin group"
   type        = string
+}
+
+variable "github_oidc_provider_arn" {
+  description = "ARN for the OIDC provider for GitHub Actions"
+  type        = string
+}
+
+variable "github_organization" {
+  description = "Organization that the GitHub repo belongs to"
+  type        = string
+}
+
+variable "github_repo" {
+  description = "GitHub repo name that this project lives in"
+  type        = string
 }
diff --git a/deployment/cloud/aws/infrastructure/modules/ops-roles/main.tf b/deployment/cloud/aws/infrastructure/modules/ops-roles/main.tf
@@ -62,6 +62,8 @@ locals {
   }
 }
 
+
+# IAM roles for user operations
 resource "aws_iam_role" "ops_roles" {
   for_each = local.roles_to_create
   name     = "${var.resource_prefix}-${each.key}"
@@ -117,3 +119,37 @@ resource "aws_iam_group_policy" "assume_ops_roles" {
   })
 }
 
+
+# IAM roles for GitHub actions
+resource "aws_iam_role" "github_scaling_role" {
+  name = "${var.resource_prefix}-github-scaling-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Federated = var.github_oidc_provider_arn
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          },
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:${var.github_organization}/${var.github_repo}:*"
+          }
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "${var.resource_prefix}-github-scaling-policy"
+    policy = jsonencode({
+      Version   = "2012-10-17",
+      Statement = local.roles_to_create["scaling-role"].policy_statements
+    })
+  }
+}
+
diff --git a/deployment/cloud/aws/infrastructure/modules/ops-roles/variables.tf b/deployment/cloud/aws/infrastructure/modules/ops-roles/variables.tf
@@ -21,4 +21,19 @@ variable "ops_group_name" {
 variable "autoscaling_group_arn" {
   description = "The ARN of the autoscaling group for the server"
   type        = string
+}
+
+variable "github_oidc_provider_arn" {
+  description = "ARN for the OIDC provider for GitHub Actions"
+  type        = string
+}
+
+variable "github_organization" {
+  description = "Organization that the GitHub repo belongs to"
+  type        = string
+}
+
+variable "github_repo" {
+  description = "GitHub repo name that this project lives in"
+  type        = string
 }
diff --git a/deployment/cloud/aws/infrastructure/variables.tf b/deployment/cloud/aws/infrastructure/variables.tf
@@ -45,4 +45,14 @@ variable "ops_group_name" {
   description = "The name of the admin group"
   type        = string
   default     = "ssec-eng"
+}
+
+variable "github_organization" {
+  description = "Organization that the GitHub repo belongs to"
+  type        = string
+}
+
+variable "github_repo" {
+  description = "GitHub repo name that this project lives in"
+  type        = string
 }
diff --git a/deployment/docker/populate_db.Dockerfile b/deployment/docker/populate_db.Dockerfile
@@ -18,4 +18,4 @@ ENV JWT_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm
 RUN pip3 install --no-cache-dir --extra-index-url https://test.pypi.org/simple --only-binary=:all: support_sphere_py
 
 # Command to run the Python script
-ENTRYPOINT ["sh", "-c", "python3 -m support_sphere.tests.resources.scripts.role_based_access_control && python3 -m support_sphere.tests.resources.scripts.update_db_sample_data"]
+ENTRYPOINT ["sh", "-c", "support_sphere execute_sql run-all && support_sphere db_init run-all"]
diff --git a/deployment/docker/populate_db_dev.Dockerfile b/deployment/docker/populate_db_dev.Dockerfile
@@ -22,4 +22,4 @@ ENV JWT_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm
 RUN pip install --no-cache-dir ./support_sphere_py
 
 # Command to run the Python script
-ENTRYPOINT ["sh", "-c", "python3 ./support_sphere_py/tests/resources/scripts/role_based_access_control.py && python3 ./support_sphere_py/tests/resources/scripts/update_db_sample_data.py"]
+ENTRYPOINT ["sh", "-c", "support_sphere execute_sql run-all && support_sphere db_init run-all"]
diff --git a/deployment/values.dev.yaml b/deployment/values.dev.yaml
@@ -74,6 +74,7 @@ auth:
     GOTRUE_SMTP_SENDER_NAME: "[email protected]"
     GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true"
     GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token"
+    GOTRUE_SMS_AUTOCONFIRM: "true"
 
 rest:
   imagePullSecrets:

diff --git a/docs/deployment/1_deployment_configurations.md b/docs/deployment/1_deployment_configurations.md
@@ -0,0 +1,75 @@
+# **Deployment Configurations**
+
+This directory contains the configurations for deploying the application to a Kubernetes cluster.
+
+## **Prerequisites**
+
+- [minikube](https://minikube.sigs.k8s.io/docs/start/)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- [helm](https://helm.sh/docs/intro/install/)
+
+## **Development**
+
+To deploy the supabase backend to a local minikube cluster, run the following commands:
+
+1. Start minikube cluster
+    ```bash
+    minikube start
+    ```
+2. Enable minikube ingress add-on
+    ```bash
+    minikube addons enable ingress
+    ```
+3. Deploy the application with helm
+    ```bash
+    helm install supabase -f values.dev.yaml ../vendors/supabase-kubernetes/charts/supabase
+    ```
+    *Note: Once the deployment is complete, you can run `kubectl get pods` and see the following:
+    ```console
+    NAME                                           READY   STATUS    RESTARTS   AGE
+    supabase-supabase-analytics-749769b6c5-9fwrx   1/1     Running   0          30s
+    supabase-supabase-auth-58c84557cf-57vv7        1/1     Running   0          30s
+    supabase-supabase-db-5f485f8477-njfbv          1/1     Running   0          30s
+    supabase-supabase-functions-85bf447d8f-lj2mk   1/1     Running   0          30s
+    supabase-supabase-imgproxy-86d846cdc4-krplc    1/1     Running   0          30s
+    supabase-supabase-kong-7f9f5d7c8c-tlcz2        1/1     Running   0          30s
+    supabase-supabase-meta-7667c48649-dlsxm        1/1     Running   0          30s
+    supabase-supabase-realtime-5bf9b784f6-4vxm7    1/1     Running   0          30s
+    supabase-supabase-rest-7f5d6d786-6vc5w         1/1     Running   0          30s
+    supabase-supabase-storage-5dfc87696c-hrmpw     1/1     Running   0          30s
+    supabase-supabase-studio-7fb5c6954-g9qcx       1/1     Running   0          30s
+    supabase-supabase-vector-57cfc87f9d-pk2vh      1/1     Running   0          30s
+    ```
+4. Tunnel the minikube ingress controller, see [docs](https://minikube.sigs.k8s.io/docs/handbook/accessing/#loadbalancer-access)
+    for more information. In simple terms, this will allow us to access the services running in the
+    minikube cluster from our local machine at `127.0.0.1`, a.k.a `localhost`.
+    **Note: This command will ask for password and block the terminal, so open a new terminal to run other commands.**
+    ```bash
+    minikube tunnel
+    ```
+5. Everything is set up, now you can access the Supabase Dashboard by going to [http://localhost](http://localhost).
+    A login form will appear, use the following credentials as shown in the [values.dev.yaml](values.dev.yaml) file:
+    ```yaml
+    dashboard:
+        username: supabase
+        password: this_password_is_insecure_and_should_be_updated
+    ```
+
+## **Production**
+
+There are some infrastructure tools that are needed to run supabase in the server.
+
+1. **Docker:** Docker will be the underlying platform for running the container applications for the backend.
+    To install docker in ubuntu, follow the instructions in the [official documentation](https://docs.docker.com/engine/install/ubuntu/).
+
+    **Note: To allow docker to run as non-root user, do `sudo usermod -aG docker ubuntu`**
+
+2. **k3d:** k3d is a lightweight wrapper to run k3s (A certified lightweight Kubernetes distribution) in docker. It is used to run the kubernetes cluster for the backend. To install k3d, follow the instructions in the [official documentation](https://k3d.io/v5.6.3/#installation).
+
+3. **kubectl:** kubectl is the command line tool for interacting with the kubernetes cluster. To install kubectl, follow the instructions in the [official documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux).
+
+4. **Helm:** Helm is the package manager for kubernetes. To install helm, follow the instructions in the [official documentation](https://helm.sh/docs/intro/install/).
+
+5. **Stern:** Stern is a tool for tailing multiple pods on kubernetes. To install stern, follow the instructions in the [official documentation](https://github.com/stern/stern?tab=readme-ov-file#installation).
+
+**Note: Deployment instructions for production will be available in the future.**