conan: Enable separate dynamoDB for DEV (#25)

* conan: Enable separate dynamoDB for DEV To be able to cleanup the dev database, we need to pass the AWS profile to use for any dynamodb communication. This change, if appliced, introduce a new environment variable 'dynamodb_profile' to be able to specify the AWS profile to use. By default, it's the same as the AWS profile to manage all the accounts and to assume role inside the accounts (prod). For DEV, a different AWS account will be passed, as the DB is in a different AWS account. Also add a variable for the name of the instance. Update the conan-dev.service systemd service unit. * Separate workdir from PROD Add a new variable 'workdir'. * Add variable to specify vault secret DEV and PROD have a different encryption key.
rhpds · Jun 28, 2023 · 731fdd2 · 731fdd2
1 parent 284aeeb
commit 731fdd2
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 21 deletions.
diff --git a/conan/conan-dev.rc b/conan/conan-dev.rc
@@ -1,5 +1,6 @@
 export threads=2
-export aws_profile=pool-manager-dev
+export aws_profile=pool-manager
+export dynamodb_profile=pool-manager-dev
 export dynamodb_table=accounts-dev
 export dynamodb_region=us-east-1
 export aws_nuke_binary_path=/bin/true

diff --git a/conan/conan-dev.service b/conan/conan-dev.service
@@ -5,16 +5,22 @@ Documentation=https://github.com/rhpds/sandbox/tree/main/conan
 
 [Service]
 Environment=threads=2
-Environment=aws_profile=pool-manager-dev
+Environment=conan_instance=conan-dev1
+Environment=aws_profile=pool-manager
+Environment=dynamodb_profile=pool-manager-dev
 Environment=dynamodb_table=accounts-dev
 Environment=dynamodb_region=us-east-1
-Environment=aws_nuke_binary_path=/bin/true
-Environment=noop=true
+Environment=workdir=/home/opentlc-mgr/pool_management_dev
+Environment=VENV=/home/opentlc-mgr/pool_management_dev/python_virtualenv
+Environment=vault_file=/home/opentlc-mgr/secrets/infra-sandbox-vault-dev
+# Uncomment the following to enable noop mode
+#Environment=aws_nuke_binary_path=/bin/true
+#Environment=noop=true
 
 User=opentlc-mgr
 Group=opentlc-mgr
 Type=simple
-ExecStart=/bin/bash /home/opentlc-mgr/pool_management/sandbox/conan/conan.sh
+ExecStart=/bin/bash /home/opentlc-mgr/pool_management_dev/sandbox/conan/conan.sh
 Restart=on-failure
 StartLimitBurst=3
 StartLimitInterval=60s

diff --git a/conan/conan.sh b/conan/conan.sh
@@ -13,6 +13,7 @@ threads="${threads:-12}"
 aws_profile="${aws_profile:-pool-manager}"
 
 # DynamoDB
+dynamodb_profile="${dynamodb_profile:-pool-manager}"
 dynamodb_table="${dynamodb_table:-accounts}"
 dynamodb_region="${dynamodb_region:-us-east-1}"
 
@@ -28,6 +29,14 @@ noop=${noop:-false}
 # python virtualenv
 VENV=${VENV:-~/pool_management/python_virtualenv}
 
+# Conan instance: the name of the host running the cleanup
+conan_instance=${conan_instance:-$(hostname)}
+
+# Workdir
+workdir=${workdir:-~/pool_management}
+
+# Vault file
+vault_file=${vault_file:-~/secrets/infra-sandbox-vault}
 
 # Lock timeout:  the number of hours after which a lock on a sandbox expires.
 # For ex: '2': a conan process will have 2h to cleanup the sandbox before another
@@ -40,19 +49,23 @@ lock_timeout=${lock_timeout:-2}
 
 export threads
 export aws_profile
+export dynamodb_profile
 export dynamodb_table
 export dynamodb_region
 export poll_interval
 export aws_nuke_binary_path
 export noop
 export VENV
 export lock_timeout
+export conan_instance
+export workdir
+export vault_file
 
 ORIG="$(cd "$(dirname "$0")" || exit; pwd)"
 
 
 prepare_workdir() {
-    mkdir -p ~/pool_management
+    mkdir -p "${workdir}"
 
     if [ ! -d "${VENV}" ]; then
         set -e
@@ -77,7 +90,7 @@ pre_checks() {
             exit 5
         fi
     done
-    if ! AWS_PROFILE=${aws_profile} \
+    if ! AWS_PROFILE=${dynamodb_profile} \
         AWS_REGION=${dynamodb_region} \
         dynamodb_table=${dynamodb_table} \
         sandbox-list --to-cleanup --no-headers &> /dev/null
@@ -89,6 +102,7 @@ pre_checks() {
 }
 
 echo "AWS profile: ${aws_profile}"
+echo "DynamoDB profile: ${dynamodb_profile}"
 echo "DynamoDB table: ${dynamodb_table}"
 
 pre_checks
@@ -99,7 +113,7 @@ cd "${ORIG}"
 while true; do
 
     (
-        export AWS_PROFILE=${aws_profile}
+        export AWS_PROFILE=${dynamodb_profile}
         export AWS_REGION=${dynamodb_region}
         export dynamodb_table=${dynamodb_table}
         sandbox-list --to-cleanup --no-headers

diff --git a/conan/wipe_sandbox.sh b/conan/wipe_sandbox.sh
@@ -9,6 +9,7 @@ TTL_EVENTLOG=$((3600*24))
 
 
 # Mandatory ENV variables
+: "${dynamodb_profile:?"dynamodb_profile is unset or null"}"
 : "${dynamodb_table:?"dynamodb_table is unset or null"}"
 : "${dynamodb_region:?"dynamodb_region is unset or null"}"
 : "${noop:?"noop is unset or empty"}"
@@ -38,7 +39,7 @@ sandbox_unlock() {
   }
 EOM
 
-    "$VENV/bin/aws" --profile "${aws_profile}" \
+    "$VENV/bin/aws" --profile "${dynamodb_profile}" \
         --region "${dynamodb_region}" \
         dynamodb update-item \
         --table-name "${dynamodb_table}" \
@@ -55,19 +56,20 @@ _on_exit() {
 
 sandbox_lock() {
     local sandbox=$1
+    conan_instance=${conan_instance:-$(hostname)}
     read -r -d '' data << EOM
   {
         ":av": {"BOOL": false},
         ":st": {"S": "cleanup in progress"},
         ":timestamp": {"S": "$(date -uIs)"},
         ":old": {"S": "$(date -uIs -d "now - ${lock_timeout} hour")"},
-        ":host": {"S": "$(hostname)"}
+        ":host": {"S": "${conan_instance}"}
   }
 EOM
 
     errlog=$(mktemp)
 
-    if ! "$VENV/bin/aws" --profile "${aws_profile}" \
+    if ! "$VENV/bin/aws" --profile "${dynamodb_profile}" \
         --region "${dynamodb_region}" \
         dynamodb update-item \
         --table-name "${dynamodb_table}" \
@@ -99,9 +101,9 @@ EOM
 
 sandbox_reset() {
     local s=${1##sandbox}
-    local prevlogfile=~/pool_management/reset_${sandbox}.log.1
-    local logfile=~/pool_management/reset_${sandbox}.log
-    local eventlog=~/pool_management/reset_${sandbox}.events.log
+    local prevlogfile=${workdir}/reset_${sandbox}.log.1
+    local logfile=${workdir}/reset_${sandbox}.log
+    local eventlog=${workdir}/reset_${sandbox}.events.log
     cd "${ORIG}/../playbooks" || exit
 
     # Keep previous log to help troubleshooting
@@ -121,7 +123,7 @@ sandbox_reset() {
     fi
 
 
-    echo "$(date -uIs) reset sandbox${s}" >> ~/pool_management/reset.log
+    echo "$(date -uIs) reset sandbox${s}" >> ${workdir}/reset.log
     echo "$(date -uIs) reset sandbox${s}" >> "${eventlog}"
 
     echo "$(date -uIs) ${sandbox} reset starting..."
@@ -138,9 +140,12 @@ sandbox_reset() {
     "${VENV}/bin/ansible-playbook" -i localhost, \
                      -e _account_num="${s}" \
                      -e aws_master_profile="${aws_profile}" \
+                     -e dynamodb_profile="${dynamodb_profile}" \
                      -e dynamodb_table="${dynamodb_table}" \
                      -e dynamodb_region="${dynamodb_region}" \
                      -e aws_nuke_binary_path="${aws_nuke_binary_path}" \
+                     -e output_dir="${workdir}/output_dir_sandbox" \
+                     -e vault_file="${vault_file}" \
                      reset_single.yml > "${logfile}"
 
     if [ $? = 0 ]; then

diff --git a/playbooks/roles/infra-aws-sandbox/defaults/main.yml b/playbooks/roles/infra-aws-sandbox/defaults/main.yml
@@ -138,6 +138,7 @@ aws_nuke_filters_default:
 # POOL management
 ##############################
 
+dynamodb_profile: "{{ aws_master_profile }}"
 dynamodb_table: accounts
 dynamodb_region: us-east-1
 

diff --git a/playbooks/roles/infra-aws-sandbox/tasks/account.yml b/playbooks/roles/infra-aws-sandbox/tasks/account.yml
@@ -5,7 +5,7 @@
       name:
         S: "{{ account_name }}"
   command: >-
-    aws --profile {{ aws_master_profile }}
+    aws --profile {{ dynamodb_profile }}
     --region {{ dynamodb_region }}
     dynamodb get-item
     --table-name {{ dynamodb_table }}

diff --git a/playbooks/roles/infra-aws-sandbox/tasks/pool.yml b/playbooks/roles/infra-aws-sandbox/tasks/pool.yml
@@ -5,7 +5,7 @@
       name:
         S: "{{ account_name }}"
   command: >-
-    aws --profile {{ aws_master_profile }} --region {{ dynamodb_region }}
+    aws --profile {{ dynamodb_profile }} --region {{ dynamodb_region }}
     dynamodb get-item
     --table-name {{ dynamodb_table }}
     --key '{{ _data | to_json }}'
@@ -32,7 +32,7 @@
       zone:
         S: "{{ account_name }}{{subdomain_base}}"
   command: >-
-    aws --profile {{ aws_master_profile }} --region {{ dynamodb_region }}
+    aws --profile {{ dynamodb_profile }} --region {{ dynamodb_region }}
     dynamodb put-item
     --table-name {{ dynamodb_table }}
     --item '{{ _data | to_json }}'
@@ -62,7 +62,7 @@
           zone:
             S: "{{ account_name }}{{subdomain_base}}"
       command: >-
-        aws --profile {{ aws_master_profile }}
+        aws --profile {{ dynamodb_profile }}
         --region {{ dynamodb_region }}
         dynamodb put-item
         --table-name {{ dynamodb_table }}
@@ -89,7 +89,7 @@
           zone:
             S: "{{ account_name }}{{subdomain_base}}"
       command: >-
-        aws --profile {{ aws_master_profile }}
+        aws --profile {{ dynamodb_profile }}
         --region {{ dynamodb_region }}
         dynamodb put-item
         --table-name {{ dynamodb_table }}

diff --git a/playbooks/roles/infra-aws-sandbox/tasks/validate.yaml b/playbooks/roles/infra-aws-sandbox/tasks/validate.yaml
@@ -8,7 +8,7 @@
       name:
         S: "{{ account_name }}"
   command: >-
-    aws --profile {{ aws_master_profile }} --region {{ dynamodb_region }}
+    aws --profile {{ dynamodb_profile }} --region {{ dynamodb_region }}
     dynamodb get-item
     --table-name {{ dynamodb_table }}
     --key '{{ _data | to_json }}'