Merge branch 'main' into cm/safari-audio-hack

Author: GracefulLemming

.git-hooks/pre-commit

@@ -26,7 +26,7 @@ if git-staged "website/src/graphql/**.graphql" && ! git-staged "website/src/grap
 fi
 
 # Reqire frontend formatting
-if git-staged "website/*" && cd website && yarn prettier -c --config package.json src; then
+if git-staged "website/*" && cd website && ! yarn prettier -c --config package.json src; then
     printf "Frontend code edited but not formatted.\nPlease run 'dev-check' \nor\n'cd website; prettier -w --config package.json src'.\n"
     HOOKS_FAILED=1
 fi

.github/workflows/main.yml

@@ -20,10 +20,10 @@ concurrency:
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     environment: ${{ github.event_name == 'release' && ( github.event.action == 'released' && 'Production' || 'Development') || 'Development' }}
     env:
-      DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
+      DATABASE_PASSWORD: ${{ github.event.action == 'prereleased' && secrets.UAT_DATABASE_PASSWORD || secrets.DATABASE_PASSWORD }}
       GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
       AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
       AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}
@@ -52,7 +52,7 @@ jobs:
           branch: ${{ github.event.action == 'prereleased' && 'uat' || 'release' }}
           force: true
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -88,48 +88,34 @@ jobs:
           pushFilter: "(-dailp$|-dailp-|-terraform-config$|-source$|\\.tar\\.gz$|-output$|-plan$|-apply-now$|-apply$)"
       - name: Build and test project
         # nix -L argument shows the full build log and --impure allows it to access environment variables.
+        env: 
+          BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }}
         run: |
           nix build --impure -L
       - name: Deploy back-end to AWS via terraform
+        env:
+          BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }}
         run: |
           nix run --impure -L .#tf-apply-now
           SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id)
           echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> $GITHUB_ENV
-#      - name: Validate spreadsheets
-#        env:
-#          RUST_LOG: warn
-#        run: nix run --impure -L .#validate-data
-      - name: Allow SSH access to bastion host
-        uses: sohelamin/aws-security-group-add-ip-action@master
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-          aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }}
-          port: 22
-          to-port: 22
-          protocol: tcp
-      - name: Encode documents as TEI and database entries
-        # Sets up port forwarding to remote database on port 5432
+      - name: Update database schema
+        env: 
+          BASTION_IP: ${{ (env.TF_STAGE == 'prod' && secrets.PROD_BASTION_IP ) || (env.TF_STAGE == 'uat' && secrets.UAT_BASTION_IP) || secrets.DEV_BASTION_IP }}
+          BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }}
         run: |
-          echo "Creating SSH key file..."
-          echo "${{secrets.AWS_BASTION_SSH_KEY}}" > dailp-deployment-key.pem
-          chmod 400 ./dailp-deployment-key.pem
           echo "Retrieving terraform outputs..."
-          BASTION_IP=$(nix run --impure .#tf-output bastion_ip)
-          DATABASE_ENDPOINT=$(nix run --impure .#tf-output database_endpoint)
-          echo "Configuring SSH client..."
-          mkdir -p ~/.ssh
-          echo "Still configuring SSH client..."
-          ssh-keyscan -H $BASTION_IP >> ~/.ssh/known_hosts
-          echo "Forwarding port 5432 to remote database $DATABASE_ENDPOINT through $BASTION_IP"
-          ssh -i ./dailp-deployment-key.pem -f -N -L 5432:$DATABASE_ENDPOINT ec2-user@$BASTION_IP
-
+          DATABASE_ADDRESS=$(nix run --impure .#tf-output database_address)
+          echo "Connecting to bastion via SSM..."
+          aws ssm start-session \
+          --target ${{ env.BASTION_ID }} \
+          --document-name AWS-StartPortForwardingSessionToRemoteHost \
+          --parameters '{"host":[ '"\"$DATABASE_ADDRESS\""' ],"portNumber":["5432"], "localPortNumber":["5432"]}' &
+          echo "Updating shell variables..."
           export DAILP_API_URL=$(nix run --impure .#tf-output functions_url)
           export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp
+          echo "Migrating schema..."
           nix run --impure .#migrate-schema
-          export CF_URL=$(nix run --impure .#tf-output cloudfront_distro_url)
-          # nix run --impure .#migrate-data
       - name: Publish website
         run: |
           curl -X POST -d {} "$(nix run --impure .#tf-output amplify_webhook)" -H "Content-Type:application/json"

.github/workflows/migrate-data.yml

@@ -13,10 +13,10 @@ on:
           - Production
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     environment: ${{ inputs.applyTo == 'Production' && 'Production' || 'Development'}}
     env:
-      DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
+      DATABASE_PASSWORD: ${{ github.event.action == 'prereleased' && secrets.UAT_DATABASE_PASSWORD || secrets.DATABASE_PASSWORD }}
       GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
       AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
       AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}
@@ -29,6 +29,7 @@ jobs:
       GIT_REPOSITORY_URL: https://github.com/neu-dsg/dailp-encoding
       OAUTH_TOKEN: ${{ secrets.OAUTH_TOKEN }}
       RUST_LOG: info
+      BASTION_IP: ${{ secrets.TEST_BASTION_IP }}
       TF_STAGE: ${{ inputs.applyTo == 'Development' && 'dev' || ( inputs.applyTo == 'Staging/UAT' && 'uat' || 'prod' )}}
     steps:
       - name: Checkout code
@@ -56,36 +57,33 @@ jobs:
           nix run --impure -L .#tf-init
           SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id)
           echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> $GITHUB_ENV
-      # - name: Validate spreadsheets
-      #   run: nix run --impure -L .#validate-data
-      - name: Add public IP to AWS security group
-        uses: sohelamin/aws-security-group-add-ip-action@master
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-          aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }}
-          port: 22
-          to-port: 22
-          protocol: tcp
+      # - name: Add public IP to AWS security group
+      #   uses: sohelamin/aws-security-group-add-ip-action@master
+      #   with:
+      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      #     aws-region: us-east-1
+      #     aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }}
+      #     port: 22
+      #     to-port: 22
+      #     protocol: tcp
       - name: Migrate from spreadsheets to database
-        # Port forward 5432 to remote database
+        env: 
+          BASTION_IP: ${{ (env.TF_STAGE == 'prod' && secrets.PROD_BASTION_IP ) || (env.TF_STAGE == 'uat' && secrets.UAT_BASTION_IP) || secrets.DEV_BASTION_IP }}
+          BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }}
         run: |
-          echo "Creating SSH key file..."
-          echo "${{secrets.AWS_BASTION_SSH_KEY}}" > dailp-deployment-key.pem
-          chmod 400 dailp-deployment-key.pem
           echo "Retrieving terraform outputs..."
-          BASTION_IP=$(nix run --impure .#tf-output bastion_ip)
-          DATABASE_ENDPOINT=$(nix run --impure .#tf-output database_endpoint)
-          echo "Configuring SSH client..."
-          mkdir -p ~/.ssh
-          ssh-keyscan -H $BASTION_IP >> ~/.ssh/known_hosts
-          echo "Forwarding port 5432 to remote database"
-          ssh -i dailp-deployment-key.pem -f -N -L 5432:$DATABASE_ENDPOINT ec2-user@$BASTION_IP
-
+          DATABASE_ADDRESS=$(nix run --impure .#tf-output database_address)
+          echo "Connecting to bastion via SSM..."
+          aws ssm start-session \
+          --target ${{ env.BASTION_ID }} \
+          --document-name AWS-StartPortForwardingSessionToRemoteHost \
+          --parameters '{"host":[ '"\"$DATABASE_ADDRESS\""' ],"portNumber":["5432"], "localPortNumber":["5432"]}' &
+          echo "Updating shell variables..."
           export DAILP_API_URL=$(nix run --impure .#tf-output functions_url)
           export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp
           export CF_URL=$(nix run --impure .#tf-output cloudfront_distro_url)
+          echo "Updating data..."
           nix run --impure -L .#migrate-data
       - name: Publish website
         run: |

.github/workflows/publish-website.yml

@@ -3,10 +3,10 @@ on:
   workflow_dispatch:
 jobs:
   publish_website:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     environment: ${{ github.ref == 'refs/heads/main' && 'Development' || 'Production' }}
     env:
-      DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
+      DATABASE_PASSWORD: ${{ github.event.action == 'prereleased' && secrets.UAT_DATABASE_PASSWORD || secrets.DATABASE_PASSWORD }}
       GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
       AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
       AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}
@@ -45,7 +45,6 @@ jobs:
         # nix -L argument shows the full build log and --impure allows it to access environment variables.
         run: |
           nix build --impure -L
-          cp -f ./result/config.tf.json ./config.tf.json
       - name: Publish website
         run: |
           nix run --impure -L .#tf-plan

.github/workflows/terraform-plan.yml

@@ -4,9 +4,9 @@ on:
     branches: [main]
 jobs:
   plan:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
-      DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
+      DATABASE_PASSWORD: ${{ github.event.action == 'prereleased' && secrets.UAT_DATABASE_PASSWORD || secrets.DATABASE_PASSWORD }}
       GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
       AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
       AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}

check.sh

@@ -1,47 +1,47 @@
-#!/usr/bin/env bash
-
-cd $PROJECT_ROOT
-
-echo "--- DATABASE ---"
-echo "Checking if SQL queries are prepared..."
-if  [ ! -d "types/.sqlx" ] || [ ! -n "$(ls -A "types/.sqlx")" ]; then
-    echo "Prepared queries not present. run 'dev-generate-types'." 
-    exit 1
-fi
-echo "Checking if SQL types are up to date..."
-if $(cd types && cargo sqlx prepare --check -- -p dailp &>/dev/null); then
-    echo "Generating SQL types..."
-    cd types
-    cargo sqlx prepare -- -p dailp &>/dev/null || exit 1
-    cd $PROJECT_ROOT
-fi
-
-echo "--- SERVER ---"
-echo "Formatting Rust code..."
-cargo fmt &>/dev/null
-echo "Checking back-end for errors..."
-export SQLX_OFFLINE=true
-cargo check &>/dev/null ||
-    (echo "Back-end build failed, run 'cargo check' for details." && exit 1)
-
-echo "Generating GraphQL schema..."
-cargo run --bin dailp-graphql-schema &>/dev/null ||
-    (echo "GraphQL server build failed, run 'cargo check' for details." && exit 1)
-
-echo "--- WEBSITE ---"
-cd website
-echo "Formatting TypeScript code..."
-yarn prettier --write --config package.json src &>/dev/null
-echo "Generating Typescript types for GraphQL queries..."
-yarn generate
-echo "Checking website for errors..."
-yarn tsc || exit 1
-
-echo "--- FINAL CHECKS ---"
-cd $PROJECT_ROOT
-echo "Checking documentation and formatting..."
-./.git-hooks/pre-commit || exit 1
-
-echo
-echo "--- NEXT STEPS ---"
-echo "Please stage relevant automatic changes"
+#!/usr/bin/env bash
+
+cd $PROJECT_ROOT
+
+echo "--- DATABASE ---"
+echo "Checking if SQL queries are prepared..."
+if  [ ! -d "types/.sqlx" ] || [ ! -n "$(ls -A "types/.sqlx")" ]; then
+    echo "Prepared queries not present. run 'dev-generate-types'." 
+    exit 1
+fi
+echo "Checking if SQL types are up to date..."
+if $(cd types && cargo sqlx prepare --check -- -p dailp &>/dev/null); then
+    echo "Generating SQL types..."
+    cd types
+    cargo sqlx prepare -- -p dailp &>/dev/null || exit 1
+    cd $PROJECT_ROOT
+fi
+
+echo "--- SERVER ---"
+echo "Formatting Rust code..."
+cargo fmt &>/dev/null
+echo "Checking back-end for errors..."
+export SQLX_OFFLINE=true
+cargo check &>/dev/null ||
+    (echo "Back-end build failed, run 'cargo check' for details." && exit 1)
+
+echo "Generating GraphQL schema..."
+cargo run --bin dailp-graphql-schema &>/dev/null ||
+    (echo "GraphQL server build failed, run 'cargo check' for details." && exit 1)
+
+echo "--- WEBSITE ---"
+cd website
+echo "Formatting TypeScript code..."
+yarn prettier --write --config package.json src &>/dev/null
+echo "Generating Typescript types for GraphQL queries..."
+yarn generate
+echo "Checking website for errors..."
+yarn tsc || exit 1
+
+echo "--- FINAL CHECKS ---"
+cd $PROJECT_ROOT
+echo "Checking documentation and formatting..."
+./.git-hooks/pre-commit || exit 1
+
+echo
+echo "--- NEXT STEPS ---"
+echo "Please stage relevant automatic changes"