add dev cloudcasting api module and vars

[braddf]

Pull Request

Description

Adding terraform module for new Cloudcasting API deploy.

N.B. this may be subject to change, and/or we might simplify this module and incorporate some functionality into existing services, e.g. the API elements into the Quartz API.

Checklist:

• My code follows OCF's coding style guidelines
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I have checked my code and corrected any misspellings

[peterdudfield]

you wont need these things, it will use what IAM role and permission from that

[braddf]

Yeah I was just trying to get deployed with minimal changes to the code for now, this will be better going forward, but is obv different to how Suvan has had to set it up

[peterdudfield]

Yea i see. I would probably still remove them here, and adjust Suvans code a tiny bit. In general the less credientials and secruty things we can do, the better.

Ill leave it up to you on that.

if you do keep this in, please make sure the access key and id are tightly locked down, and only have access to relevant things

[devsjc]

If the code uses boto3 it should fallback to the default connection strategy. I think EB might even set these variables in the environment by default so you might not even need to make any code changes at all - not that I've looked at the code.

[peterdudfield]

as below, you can remove S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY.
There's a small chance we will have to change the code accordindly

[devsjc]

Might need to add the

s3_bucket = [{ bucket_read_policy_arn = module.s3.iam-policy-s3-sat-read.arn }]

when replacing these too.

[peterdudfield]

Looks great, just some small changes, but then it should be all good

[devsjc]

Does the app use any of these variables? If not, I'd remove them from here altogether.

[devsjc]

Just worth checking, this will only work if the container is deployed to docker hub. I suspect it's only being deployed to GHCR, so this will in fact want to be ghcr.io/openclimatefix. In fact, most of these probably want to be changed to that, but that's another task for another day!

[devsjc]

Although from what you're saying it sounds like there isn't a build CI, so maybe it is being manually pushed to docker hub - but in that case I wouldn't expect it to be under the openclimatefix org...

[devsjc]

[1] These don't need to be variables - since they're accessing the sat bucket, we can use the output from the s3 module that creates the bucket:

{ "name" : "S3_BUCKET_NAME", "value" : module.s3.s3-sat-bucket.id }
{ "name" : "S3_REGION_NAME", "value" : var.region }

[devsjc]

These can be removed as per [1]

[devsjc]

If the code uses boto3 it should fallback to the default connection strategy. I think EB might even set these variables in the environment by default so you might not even need to make any code changes at all - not that I've looked at the code.

[devsjc]

Might need to add the

s3_bucket = [{ bucket_read_policy_arn = module.s3.iam-policy-s3-sat-read.arn }]

when replacing these too.

[devsjc]

[2] Do you see these changing often? If not, they might be alright hard coded in the module declaration here, instead of being a variable. Using a var isn't necessarily wrong, but it's just one fewer transient to keep track of. If we do keep them as vars, I'd prefix the s3_download_interval with cloudcasting as well, just so it's clear what it pertains to in the terraform app - it's a bit vague as-is.

[devsjc]

Maybe can be removed as per [2]

[devsjc]

Maybe can be removed as per [2]

[devsjc]

This means it will use the same tag as the (Quartz)API - which I'm assuming isn't what you want? Unless the packaging version of this app is synced to the (Quartz)API?

[peterdudfield]

I hope this is ok @braddf , i changed this to a draft, as I understood you have currently deploy this a different way