Merge pull request #52 from bcgov/ssoteam-2010

Chore: terraform loki
bcgov · Oct 30, 2024 · 66a046d · 66a046d
2 parents 23a5428 + a816086
commit 66a046d
Show file tree

Hide file tree

Showing 33 changed files with 1,490 additions and 188 deletions.
diff --git a/.github/workflows/publish-grafana-image.yaml b/.github/workflows/publish-grafana-image.yaml
@@ -0,0 +1,49 @@
+name: Create and publish SSO Grafana
+
+on:
+  push:
+    branches:
+    - main
+    - dev
+    paths:
+    - grafana-config/*
+    - .github/workflows/publish-grafana-image.yaml
+
+env:
+  GITHUB_REGISTRY: ghcr.io
+  IMAGE_NAME: bcgov/sso-loki
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: hmarr/debug-action@v3
+    - uses: actions/checkout@v4
+
+    - name: Log in to the GitHub Container registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.GITHUB_REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=sha,format=long
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: grafana-config
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -0,0 +1,94 @@
+name: Terraform
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - dev
+    - main
+    paths:
+    - terraform-ecs/**
+    - loki-authorizer/**
+    - .github/**
+
+env:
+  TF_VERSION: 1.9.7
+
+jobs:
+  terraform:
+    permissions: write-all
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: hmarr/debug-action@v3
+    - uses: actions/checkout@v4
+
+    - name: Install asdf
+      uses: asdf-vm/actions/setup@v3
+
+    - name: Cache tools
+      uses: actions/cache@v4
+      with:
+        path: /home/runner/.asdf
+        key: ${{ runner.os }}-${{ hashFiles('**/.tool-versions') }}
+
+    - name: Install required tools
+      run: |
+        cat .tool-versions | cut -f 1 -d ' ' | xargs -n 1 asdf plugin-add || true
+        asdf plugin-update --all
+        asdf install
+        asdf reshim
+      shell: bash
+
+    - name: Set env to development
+      if: (github.ref == 'refs/heads/dev' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+
+        TERRAFORM_DEPLOY_ROLE_ARN=${{ secrets.TERRAFORM_DEPLOY_ROLE_ARN_DEV }}
+        LOKI_AUTH_TOKEN=${{ secrets.LOKI_AUTH_TOKEN_DEV }}
+        LOKI_BUCKET_NAME=${{ vars.LOKI_BUCKET_NAME_DEV }}
+        S3_BACKEND_NAME=${{vars.S3_BACKEND_NAME_DEV}}
+        LOKI_TAG=dev
+
+        EOF
+
+    - name: Set env to production
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push')
+      run: |
+        cat >> $GITHUB_ENV <<EOF
+
+        TERRAFORM_DEPLOY_ROLE_ARN=${{ secrets.TERRAFORM_DEPLOY_ROLE_ARN_PROD }}
+        LOKI_AUTH_TOKEN=${{ secrets.LOKI_AUTH_TOKEN_PROD }}
+        LOKI_BUCKET_NAME=${{ vars.LOKI_BUCKET_NAME_PROD }}
+        S3_BACKEND_NAME=${{vars.S3_BACKEND_NAME_PROD}}
+        LOKI_TAG=prod
+
+        EOF
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.TERRAFORM_DEPLOY_ROLE_ARN }}
+        aws-region: ca-central-1
+
+    - name: Build Lambdas
+      working-directory: ./loki-authorizer
+      run: make build
+
+    - name: Terraform Init
+      working-directory: ./terraform-ecs
+      run: |
+        cat <<EOF > backend.hcl
+        bucket = "${{ env.S3_BACKEND_NAME }}"
+        key = "tf-state"
+        region = "ca-central-1"
+        EOF
+        terraform init -backend-config=backend.hcl
+
+    - name: Terraform Plan
+      run: terraform plan -var "auth_secret=${{env.LOKI_AUTH_TOKEN}}" -var "bucket_name=${{ env.LOKI_BUCKET_NAME }}" -var "loki_tag=${{env.LOKI_TAG}}" -no-color
+      working-directory: ./terraform-ecs
+
+    - name: Terraform Apply
+      run: terraform apply -var "auth_secret=${{env.LOKI_AUTH_TOKEN}}" -var "bucket_name=${{ env.LOKI_BUCKET_NAME }}" -var "loki_tag=${{env.LOKI_TAG}}" -auto-approve
+      working-directory: ./terraform-ecs
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,8 @@
 helm/**/charts
 get-pip.py
 **/.env
+node_modules
+.terraform
+*.tfstate
+*.tfstate.backup
+loki-authorizer.zip
diff --git a/.tool-versions b/.tool-versions
@@ -4,3 +4,4 @@ postgres 14.1
 golang 1.21.0
 helm 3.10.2
 loki-logcli 2.9.2
+terraform 1.9.7
diff --git a/README.md b/README.md
@@ -31,19 +31,34 @@ SSO Keycloak dashboard services provide the ability to monitor real-time statist
 
 1. `Promtail` & `Loki`: collect, transform and load raw log data for the designated time period.
 
-1. `Loki` & `MinIO`: provide the Amazon S3 compatible Object Storage to store/read compacted event data by Loki.
+1. `Loki` & `S3`: provide the Amazon S3 compatible Object Storage to store/read compacted event data by Loki.
 
 1. `Promtail` & `Custom Go server`: collect, and upsert the aggreated event historial data in DB.
 
 1. `Grafana`: connect Loki and the aggregation DB to visualize the logs and stats.
 
-   ![SSO Dashboard Architecture Diagram](assets/sso-dashboard-arch.gif)
+   ![SSO Dashboard Architecture Diagram](assets/sso-dashboard.drawio.svg)
+
+1. Loki in AWS breakdown:
+
+   ![SSO Loki on AWS Diagram](assets/sso-dashboard-aws.drawio.svg)
+
+### Loki in AWS ECS Cluster
+
+Loki has a helm chart for deploying in kubernetes. For the deployment in an ECS cluster there are a few changes to note:
+
+- Service discovery can be used in ECS to replace services in k8s. Since we cannot use this in the BCGov AWS, it has been replaced with a network load balancer. This is necessary to allow read and write tasks to communicate on port 7946. If not working, you will see "empty ring" errors.
+- ECS does not support config maps. To replace this a custom image was built with custom configuration files. Configurations that will be changed at runtime can set their values with the syntax ${ENV_VAR:-default}, and environment variables can be used to configure them. Values consistent across environments can be hardcoded.
+- The helm chart includes a deployment "gateway". This is an nginx reverse proxy which provides path-based routing to the read and write services. It has been replaced with listener rules on the application load balancer.
 
 <!-- ![image](https://user-images.githubusercontent.com/36021827/211399712-5bbeaa67-2994-460f-a12b-368b13187cdd.png) -->
 
 ## Deployment
 
-It continuously deploys the resources in the sandbox and the prod environment based on the repository branch (pr's to dev deploys sandbox, pr's to main deploys prod) that has the new changes.
+The helm charts for the promtail instances and grafana dashboard can be installed with make commands. These automate adding environment variables from .env files in their directories. See the directory readmes for more information.
+
+The Loki setup is deployed with terraform into AWS. It deploys automatically on merge to dev/main.
+
 GitHub CD pipeline scripts are triggered based on the directory that has changed; there is a recommended deployment order when deploying the resources for the very first time:
 
 1. `Loki`: deploys the `MinIO` and `Loki` resources, `read`, `write`, and `gateway`.
@@ -64,8 +79,6 @@ The following secrets are set in the GitHub secrets of the repository and can be
 - `SANDBOX_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in `Grafana` and `MinIO` dashboard UI.
 - `SANDBOX_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in `Grafana` and `MinIO` dashboard UI.
   - please find the integration `#4492 SSO Dashboard` via [CSS app](https://bcgov.github.io/sso-requests)
-- `SANDBOX_MINIO_USER`: the username of the initial MinIO admin account.
-- `SANDBOX_MINIO_PASS`: the password of the initial MinIO admin account.
 
 ### Production
 
@@ -76,5 +89,3 @@ The following secrets are set in the GitHub secrets of the repository and can be
 - `PROD_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in `Grafana` and `MinIO` dashboard UI.
 - `PROD_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in `Grafana` and `MinIO` dashboard UI.
   - please find the integration `#4492 SSO Dashboard` via [CSS app](https://bcgov.github.io/sso-requests)
-- `PROD_MINIO_USER`: the username of the initial MinIO admin account.
-- `PROD_MINIO_PASS`: the password of the initial MinIO admin account.
diff --git a/assets/sso-dashboard-aws.drawio.svg b/assets/sso-dashboard-aws.drawio.svg