From dfa076835df279c6496c359d01c9efb4a20b6eb0 Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:28:01 +0200
Subject: [PATCH 1/8] use DNS names instead of IP address which change
---
deploy/config/deploy.yml | 4 ++--
deploy/inventory.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/deploy/config/deploy.yml b/deploy/config/deploy.yml
index cbcc713b..14c30385 100644
--- a/deploy/config/deploy.yml
+++ b/deploy/config/deploy.yml
@@ -5,13 +5,13 @@ image: commcare-connect
servers:
web:
hosts:
- - 3.90.216.194
+ - ec2-3-90-216-194.compute-1.amazonaws.com
options:
# create by ansible
env-file: '/home/connect/www/commcare-connect/docker.env'
celery:
hosts:
- - 3.90.216.194
+ - ec2-3-90-216-194.compute-1.amazonaws.com
options:
# create by ansible
env-file: '/home/connect/www/commcare-connect/docker.env'
diff --git a/deploy/inventory.yml b/deploy/inventory.yml
index a26d36a2..7eb97475 100644
--- a/deploy/inventory.yml
+++ b/deploy/inventory.yml
@@ -2,4 +2,4 @@ webservers:
hosts:
web0:
ansible_user: ubuntu
- ansible_host: 3.90.216.194
+ ansible_host: ec2-3-90-216-194.compute-1.amazonaws.com
From b5d6ffacedd133301f680a016342c975a8a08696 Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:47:29 +0200
Subject: [PATCH 2/8] store all secrets in 1password instead of vault
---
deploy/play.yml | 2 ++
deploy/vault.yml | 65 ----------------------------------------
deploy/vault_password.sh | 7 -----
3 files changed, 2 insertions(+), 72 deletions(-)
delete mode 100644 deploy/vault.yml
delete mode 100755 deploy/vault_password.sh
diff --git a/deploy/play.yml b/deploy/play.yml
index a232cd2d..e19c7e5d 100644
--- a/deploy/play.yml
+++ b/deploy/play.yml
@@ -1,5 +1,7 @@
- hosts: web0
become: true
strategy: free
+ vars:
+ - secrets: "{{ lookup('community.general.onepassword', 'Ansible Secrets', subdomain='dimagi', vault='CommCare Connect', field='secrets_yaml') | from_yaml }}"
roles:
- role: connect
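Review bot: The EC2 public hostname `ec2-3-90-216-194.compute-1.amazonaws.com` written into both `hosts:` lists (and into `ansible_host:` in the deploy/inventory.yml hunk) is derived from the public IP it replaces, so it changes whenever the instance is assigned a new public IP and does not give the stability the subject line aims for; PATCH 8/8 in this series reverts the change. A stable target needs an Elastic IP or a DNS record the project controls (`connect.example.org` as a placeholder) that points at the instance, and both files should then reference that name. Because both configs reach the host over SSH, a renamed target is also checked against a different known_hosts entry, so the host key should be pinned for the new name rather than accepted on first connect.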
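Review bot: `vars:` on the added lines is written as a list (`- secrets:`), a form recent ansible-core versions warn is deprecated in favour of a mapping; write it as `vars:` / `  secrets: "{{ lookup('community.general.onepassword', 'Ansible Secrets', subdomain='dimagi', vault='CommCare Connect', field='secrets_yaml') | from_yaml }}"`. The lookup resolves the whole secrets document on the control node at play start, so any task that templates `secrets` (the `connect` role is outside this hunk) should carry `no_log: true` to keep values out of `-v` output and out of the diff shown with `--diff`. The encrypted deploy/vault.yml removed by this commit remains in git history, so it is good practice to retire the vault password and rotate the secrets it protected as part of the migration.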
diff --git a/deploy/vault.yml b/deploy/vault.yml
deleted file mode 100644
index 7020b65b..00000000
--- a/deploy/vault.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38376131396136623061366664383333316235376537356130663033633164363437373765303339
-3031333837653834363566393436653261633137663864610a663766323761366531326538336239
-62623361316464353761363063393665366166393962346333346239383462616337623736623662
-3065643265643136350a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
diff --git a/deploy/vault_password.sh b/deploy/vault_password.sh
deleted file mode 100755
index d23d3a4f..00000000
--- a/deploy/vault_password.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# This script is used by Ansible to retrieve the Ansible Vault password from 1Password.
-# Use it by passing `--vault-password-file=vault_password.sh` to Ansible.
-
-VAULT_ID="CommCare Connect"
-VAULT_ANSIBLE_NAME="Ansible Vault"
-op item get --vault="$VAULT_ID" "$VAULT_ANSIBLE_NAME" --fields password
From 543601fb96882f1a70fbc7ae5a8bf6bb4c7a437e Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:47:34 +0200
Subject: [PATCH 3/8] use a list
---
deploy/roles/connect/templates/docker.env.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/roles/connect/templates/docker.env.j2 b/deploy/roles/connect/templates/docker.env.j2
index 19db2bcc..1920e601 100644
--- a/deploy/roles/connect/templates/docker.env.j2
+++ b/deploy/roles/connect/templates/docker.env.j2
@@ -7,7 +7,7 @@ SENTRY_ENVIRONMENT={{ sentry_environment }}
# Secrets
CELERY_BROKER_URL={{ secrets.celery_broker_url }}
-CSRF_TRUSTED_ORIGINS={{ secrets.csrf_trusted_origins }}
+CSRF_TRUSTED_ORIGINS={{ secrets.csrf_trusted_origins|join(",") }}
cid_client_secret={{ secrets.cid_client_secret }}
cid_client_id={{ secrets.cid_client_id }}
DJANGO_ALLOWED_HOSTS={{ secrets.django_allowed_hosts|join(",") }}
From 41e5a463b06bf506fc4bb6e3daa014c7ccbe3873 Mon Sep 17 00:00:00 2001
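Review bot: `|join(",")` on the new `CSRF_TRUSTED_ORIGINS` line assumes `secrets.csrf_trusted_origins` is now a list; if the `secrets_yaml` entry in 1Password still holds it as a single string, Jinja joins the string's characters with commas and the rendered value is silently wrong. Guarding the scalar case keeps both shapes working: `CSRF_TRUSTED_ORIGINS={{ ([secrets.csrf_trusted_origins] if secrets.csrf_trusted_origins is string else secrets.csrf_trusted_origins)|join(",") }}`. The same shape assumption already applies to `DJANGO_ALLOWED_HOSTS` on the last context line, so the two should be handled the same way.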
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:47:41 +0200
Subject: [PATCH 4/8] update readme
---
deploy/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/README.md b/deploy/README.md
index fa0008e3..aef853e4 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -79,8 +79,8 @@ Note: If you used a different profile name you will need to set the `AWS_PROFILE
## Updating Django Settings
The Django settings are configured using the `deploy/roles/connect/templates/docker.env.j2` file. The plain text
-settings values are in the `deploy/roles/connect/vars/main.yml` file. Secrets are stored in the Ansible vault file
-`deploy/vault.yml`.
+settings values are in the `deploy/roles/connect/vars/main.yml` file. Secrets are stored in the 1Password under the
+`Ansible Secrets` entry.
To update the Django settings:
From 1a65605be79b5bdd25e4dd1c20c41222b242e94a Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:47:50 +0200
Subject: [PATCH 5/8] update workflow
---
deploy/utils.yml | 12 ------------
tasks.py | 6 +++---
2 files changed, 3 insertions(+), 15 deletions(-)
delete mode 100644 deploy/utils.yml
diff --git a/deploy/utils.yml b/deploy/utils.yml
deleted file mode 100644
index d6312865..00000000
--- a/deploy/utils.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- hosts: web0
- become: true
- serial: 1
- gather_facts: False
- vars_files:
- - roles/connect/defaults/main.yml
-
- tasks:
- - name: Restart Docker Containers
- shell: 'docker restart $(docker ps --filter label=service={{ project_name }} --filter label=role=web -q)'
- tags:
- - restart
diff --git a/tasks.py b/tasks.py
index 3ef3220d..2d4a74ac 100644
--- a/tasks.py
+++ b/tasks.py
@@ -67,10 +67,10 @@ def build_js(c: Context, watch=False, prod=False):
def django_settings(c: Context, verbose=False, diff=False):
"""Update the Django settings file on prod servers"""
run_ansible(c, tags="django_settings", verbose=verbose, diff=diff)
-
- val = input("Do you want to restart the Django services? [y/N] ")
+ print("\nSettings updated. A re-deploy is required to have the services use the new settings.")
+ val = input("Do you want to re-deploy the Django services? [y/N] ")
if val.lower() == "y":
- restart_django(c, verbose=verbose, diff=diff)
+ deploy(c)
@task
From 06a642aed59435c848f3db34c619e05b726c7593 Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:51:15 +0200
Subject: [PATCH 6/8] do sso login if necessary
---
deploy/registry_password.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/deploy/registry_password.sh b/deploy/registry_password.sh
index 213bf476..84457af6 100755
--- a/deploy/registry_password.sh
+++ b/deploy/registry_password.sh
@@ -10,4 +10,10 @@ if [ -z "$CI" ]; then
# if not in github actions, specify the profile
PROFILE_ARG=" --profile ${AWS_PROFILE:-commcare-connect}"
fi
+
+aws sts get-caller-identity $PROFILE_ARG &> /dev/null
+EXIT_CODE="$?" # $? is the exit code of the last statement
+if [ $EXIT_CODE != 0 ]; then
+ aws sso login $PROFILE_ARG
+fi
aws ecr get-login-password --region=$REGION $PROFILE_ARG
From cfedc62ef44be89aeb27b7ae7ceb131334841e24 Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Fri, 8 Sep 2023 16:54:02 +0200
Subject: [PATCH 7/8] remove reference to vault file
---
tasks.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks.py b/tasks.py
index 2d4a74ac..5c24cc1a 100644
--- a/tasks.py
+++ b/tasks.py
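Review bot: `deploy(c)` on the new last line drops the `verbose` and `diff` flags that the replaced `restart_django(c, verbose=verbose, diff=diff)` call forwarded, so a user who asked for verbose output gets a quiet re-deploy; if `deploy` (defined outside this hunk) accepts them, pass `deploy(c, verbose=verbose, diff=diff)`, otherwise a comment on that line should say the flags intentionally do not apply. The new `print` also reports "Settings updated" unconditionally after `run_ansible`, which is only accurate if `run_ansible` raises on a failed playbook; if it returns normally on failure the prompt invites a re-deploy of settings that were never written.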
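Review bot: `aws sso login $PROFILE_ARG` on the added lines appears to print its authorization URL and status messages on stdout, and this script's stdout is what the caller reads as the registry password (the final `aws ecr get-login-password` line), so a login triggered from here would corrupt the captured password; send the login's output to stderr, `aws sso login $PROFILE_ARG >&2`. The check would also be shorter and avoid the `$?` capture as `if ! aws sts get-caller-identity $PROFILE_ARG >/dev/null 2>&1; then`. When `CI` is set, `PROFILE_ARG` is empty (visible in the context lines) and a failed identity check would start an interactive SSO login with no profile on a non-interactive runner, so that branch should fail fast instead, e.g. `if [ -n "$CI" ]; then exit 1; fi` ahead of the login.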
@@ -80,7 +80,7 @@ def restart_django(c: Context, verbose=False, diff=False):
def run_ansible(c: Context, play="play.yml", tags=None, verbose=False, diff=False):
- ansible_cmd = f"ansible-playbook {play} -i inventory.yml -e @vault.yml --vault-password-file=vault_password.sh"
+ ansible_cmd = f"ansible-playbook {play} -i inventory.yml"
if tags:
ansible_cmd += f" --tags {tags}"
if verbose:
From f02065f44a60e8ec3ea28b20c07e2e2632cfcea0 Mon Sep 17 00:00:00 2001
From: Simon Kelly
Date: Wed, 20 Sep 2023 17:29:03 +0200
Subject: [PATCH 8/8] Revert "use DNS names instead of IP address which change"
This reverts commit dfa076835df279c6496c359d01c9efb4a20b6eb0.
---
deploy/config/deploy.yml | 4 ++--
deploy/inventory.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/deploy/config/deploy.yml b/deploy/config/deploy.yml
index 14c30385..cbcc713b 100644
--- a/deploy/config/deploy.yml
+++ b/deploy/config/deploy.yml
@@ -5,13 +5,13 @@ image: commcare-connect
servers:
web:
hosts:
- - ec2-3-90-216-194.compute-1.amazonaws.com
+ - 3.90.216.194
options:
# create by ansible
env-file: '/home/connect/www/commcare-connect/docker.env'
celery:
hosts:
- - ec2-3-90-216-194.compute-1.amazonaws.com
+ - 3.90.216.194
options:
# create by ansible
env-file: '/home/connect/www/commcare-connect/docker.env'
diff --git a/deploy/inventory.yml b/deploy/inventory.yml
index 7eb97475..a26d36a2 100644
--- a/deploy/inventory.yml
+++ b/deploy/inventory.yml
@@ -2,4 +2,4 @@ webservers:
hosts:
web0:
ansible_user: ubuntu
- ansible_host: ec2-3-90-216-194.compute-1.amazonaws.com
+ ansible_host: 3.90.216.194
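Review bot: The rewritten `ansible_cmd` still interpolates `play`, and the context line below interpolates `tags`, straight into a shell string, so a value containing spaces or shell metacharacters breaks the command; wrapping them as `shlex.quote(play)` and `shlex.quote(tags)` from the standard library (an `import shlex` at the top of tasks.py, outside this hunk) keeps the invocation well-formed. With the vault arguments gone the playbook now depends on the `community.general.onepassword` lookup having an authenticated `op` session on the control node, which is worth stating in a docstring on `run_ansible` (it has none) so a failed run is attributed to the missing session rather than to Ansible. `restart_django`, named in the hunk header, outlived PATCH 5/8's deletion of deploy/utils.yml; if it still passes that playbook to `run_ansible`, the `play="play.yml"` default does not help it and the call now targets a missing file.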