Merge branch 'main' of https://github.com/code-dot-org/aiproxy into cat5inthecradle-patch-1

Author: deploy-code-org

.gitignore

@@ -1,2 +1,5 @@
 config.txt
 __pycache__
+
+# Ignore local Ruby config necessary for our custom AWS auth solution
+.ruby-version

Dockerfile

@@ -1,15 +1,13 @@
 FROM python:3.11-slim
 
-RUN pip install Flask
-
 WORKDIR /app
 COPY requirements.txt .
 
-RUN pip install -r requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
 
 COPY ./test /app/test
 COPY ./lib /app/lib
 COPY ./src /app/src
 
-EXPOSE 5000
-CMD ["waitress-serve", "--host=0.0.0.0", "--port=5000", "--call", "src:create_app"]
+EXPOSE 80
+CMD ["waitress-serve", "--host=0.0.0.0", "--port=80", "--call", "src:create_app"]

ci-build.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+if [ -n "$CODEBUILD_BUILD_ID" ]; then
+    # CodeBuild environment
+    IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:0:7}
+else
+    # Local Git repository
+    IMAGE_TAG=$(git rev-parse --short HEAD)
+fi
+
+IMAGE_NAME=aiproxy
+
+echo "Building Docker Image ${IMAGE_NAME}:${IMAGE_TAG}..."
+docker build -t ${IMAGE_NAME}:${IMAGE_TAG} .

ci-lint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+echo "Validating Cloudformation Templates..."
+cfn-lint cicd/1-setup/*.template.yml
+cfn-lint cicd/2-cicd/*.template.yml
+cfn-lint cicd/3-app/aiproxy/template.yml
+
+echo "Validating Dockerfile..."
+docker run --rm -i hadolint/hadolint < Dockerfile

cicd/1-setup/cicd-dependencies.template.yml

@@ -14,7 +14,7 @@ Resources:
   # the common policy rules required. Since we may want to create multiple
   # codebuild projects for different branches, we can append policies when those
   # stack resources are created (in "2-cicd/cicd.template.yml")
-  AiProxyCodeBuildRole:
+  CodeBuildRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
@@ -68,6 +68,11 @@ Resources:
                   - s3:GetObjectVersion
                 Resource:
                   - !Sub arn:aws:s3:::${ArtifactStore}/*
+              # TODO: Scope to specific ECR Repos?
+              - Effect: Allow
+                Action:
+                  - ecr:GetAuthorizationToken
+                Resource: '*'
               - Effect: Allow
                 Action: codestar-connections:UseConnection
                 Resource:
@@ -81,16 +86,59 @@ Resources:
                 Resource:
                   - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:cicd/*
 
+  # This would ideally be defined in 3-app/aiproxy/template.yml, but we do
+  # not allow the CloudFormationServiceRole permission to CreateRole, so we
+  # have to define it here. TODO: Tweak permissions for the role used to create
+  # the cloudformation stack.
+  ECSTaskExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ecs-tasks.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: ECRPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecr:GetAuthorizationToken
+                  - ecr:BatchCheckLayerAvailability
+                  - ecr:GetDownloadUrlForLayer
+                  - ecr:BatchGetImage
+                Resource: "*"
+        - PolicyName: LogsPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource: "*"
+
 Outputs:
-  AiProxyCodeBuildArtifactBucket:
+  CodeBuildArtifactBucket:
     Description: AiProxy CodeBuild Artifact Bucket Name
     Value: !Ref ArtifactStore
     Export: {Name: AiProxyCodeBuildArtifactBucket}
-  AiProxyCodeBuildRoleArn:
+  CodeBuildRoleArn:
     Description: AiProxy CodeBuild Role ARN
-    Value: !GetAtt AiProxyCodeBuildRole.Arn
+    Value: !GetAtt CodeBuildRole.Arn
     Export: {Name: AiProxyCodeBuildRoleArn}
-  AiProxyCodeBuildRoleName:
+  CodeBuildRoleName:
     Description: AiProxy CodeBuild Role Name
-    Value: !Ref AiProxyCodeBuildRole
+    Value: !Ref CodeBuildRole
     Export: {Name: AiProxyCodeBuildRoleName}
+  ECSTaskExecutionRoleArn:
+    Description: AiProxy ECS Task Execution Role ARN
+    Value: !GetAtt ECSTaskExecutionRole.Arn
+    Export: {Name: AiProxyECSTaskExecutionRoleArn}

cicd/2-cicd/cicd.template.yml

@@ -170,6 +170,8 @@ Resources:
             Value: !ImportValue AiProxyCodeBuildArtifactBucket
           - Name: ECR_REPOSITORY
             Value: !GetAtt EcrRepository.RepositoryUri
+          - Name: BRANCH
+            Value: !Ref GitHubBranch
       Source:
         Type: CODEPIPELINE
         BuildSpec: cicd/3-app/aiproxy/buildspec.yml
@@ -306,10 +308,10 @@ Resources:
                   TemplatePath: appBuildResults::packaged-app-template.yml
                   TemplateConfiguration: appBuildResults::cicd/3-app/aiproxy/test.config.json
                   ParameterOverrides: !Join
-                      - ''
-                      - - '{ "SubdomainName": "'
-                        - !If [ TargetsMainBranch, 'aiproxy-test', !Sub 'aiproxy-${GitHubBranch}-test' ]
-                        - '" }'
+                    - ''
+                    - - '{ "SubdomainName": "'
+                      - !If [ TargetsMainBranch, 'aiproxy-test', !Sub 'aiproxy-test-${GitHubBranch}' ]
+                      - '" }'
                   Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM
                   RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
           - !Ref AWS::NoValue

cicd/3-app/aiproxy/buildspec.yml

@@ -16,39 +16,40 @@ phases:
     commands:
       - echo Logging in to Docker Hub...
       - echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USERNAME --password-stdin
+
+      - echo "Logging in to AWS ECR..."
+      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+      - AWS_REGION=us-east-1
+      - ECR_REGISTRY="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${ECR_REGISTRY}
 
   build:
     # This will build and push the docker image to ECR and package the
     # Cloudformation template to be passed as an Artifact to future pipeline
     # steps. It will also run unit tests and linting.
     commands:
       - set -e
-      - BRANCH_NAME=${CODEBUILD_WEBHOOK_HEAD_REF#"refs/heads/"}
+
+      - echo ECR_REPOSITORY=$ECR_REPOSITORY
+      - echo BRANCH=$BRANCH
 
       - cd $CODEBUILD_SRC_DIR
 
-      - echo "Validating Cloudformation Templates..."
-      - cfn-lint cicd/1-setup/*.template.yml
-      - cfn-lint cicd/2-cicd/*.template.yml
-      - cfn-lint cicd/3-app/aiproxy/template.yml
+      - ./ci-lint.sh
+
+      - echo "Running Unit Tests..."
+      - echo "This is where I would run my unit tests"
 
       - echo "Building Docker Image..."
       - IMAGE_NAME=aiproxy
-      - IMAGE_TAG=$(git rev-parse --short HEAD)
+      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:0:7} # short commit hash
       - docker build -t ${IMAGE_NAME}:${IMAGE_TAG} .
 
-      - echo "Running Unit Tests..."
-      - echo "This is where I would run my unit tests"
-
       - echo "Pushing Docker Image to ECR..."
-      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-      - AWS_REGION=$(aws configure get region)
-      - ECR_REGISTRY="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
-      - ECR_REPO_NAME="aiproxy-${BRANCH_NAME}"
-      - FULL_IMAGE_NAME="${ECR_REGISTRY}/${ECR_REPO_NAME}:${IMAGE_TAG}"
-      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${ECR_REGISTRY}
-      - docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${FULL_IMAGE_NAME}
-      - docker push ${FULL_IMAGE_NAME}
+      - docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${ECR_REPOSITORY}:${IMAGE_TAG}
+      - docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${ECR_REPOSITORY}:latest
+      - docker push ${ECR_REPOSITORY}:${IMAGE_TAG}
+      - docker push ${ECR_REPOSITORY}:latest
 
       - echo "Linting cloudformation..."
       - cd $CODEBUILD_SRC_DIR
@@ -57,6 +58,7 @@ phases:
       - cat template.yml
 
       - echo "Creating environment config..."
+      - IMAGE_URI="${ECR_REPOSITORY}:${IMAGE_TAG}"
       - cicd/3-app/aiproxy/config/create-environment-config.sh
 
       - echo "Packaging Cloudformation Template..."

cicd/3-app/aiproxy/config/create-environment-config.sh

@@ -1,17 +1,24 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
 dir=cicd/3-app/aiproxy
 
+# AMAGE_URI should be set
+if [[ -z "${IMAGE_URI}" ]]; then
+  echo "IMAGE_URI is not set. Please set it to the desired value."
+  exit 1
+fi
+
 # loop over config files
 for i in $(ls "${dir}/config" | egrep -i '.*\.config\.json' ); do
   file="${dir}/config/${i}"
   echo "tranforming ${i}..."
   contents=$(cat $file)
 
   # New value insertion
-  # contents="$(jq '.NewValueDemo = "abcde"' <<< $contents)"
+  contents="$(jq --arg uri "$IMAGE_URI" '.Parameters.AppImageUri = $uri' <<< "$contents")"
+
 
   # Edit existing value
   # if [ "$( jq 'has("TransformDemo")' $file )" == "true" ]; then

cicd/3-app/aiproxy/config/production.config.json

@@ -1,6 +1,7 @@
 {
     "Parameters": {
-        "BaseDomainName": "code.org"
+        "BaseDomainName": "code.org",
+        "BaseDomainNameHostedZonedID": "Z2LCOI49SCXUGU"
     },
     "Tags": {
         "EnvType": "production"

cicd/3-app/aiproxy/config/test.config.json

@@ -1,6 +1,7 @@
 {
     "Parameters": {
-        "BaseDomainName": "code.org"
+        "BaseDomainName": "code.org",
+        "BaseDomainNameHostedZonedID": "Z2LCOI49SCXUGU"
     },
     "Tags": {
         "EnvType": "test"