diff --git a/UPGRADING.rst b/UPGRADING.rst
index 31a1e5f0e2..0e0190cfb2 100644
--- a/UPGRADING.rst
+++ b/UPGRADING.rst
@@ -19,16 +19,6 @@ branch that does not have the listed changes, the steps would need to be
 reverted. This is all fairly informal and loosely defined. Hopefully we won't
 have too many entries in this file.
 
-#5246 Route SNS notifications through a Lambda function
-=======================================================
-
-Operator
-~~~~~~~~
-
-Manually deploy the ``shared`` & ``gitlab`` components (in that order)
-of any main deployment just before pushing the merge commit to the
-GitLab instance in that deployment.
-
 #5612 AWS Inspector fails to post findings to SNS topic
 =======================================================
 
diff --git a/src/azul/indexer/notify_service.py b/src/azul/indexer/notify_service.py
index f2a371cb8f..615964611e 100644
--- a/src/azul/indexer/notify_service.py
+++ b/src/azul/indexer/notify_service.py
@@ -28,8 +28,11 @@ def notify_group(self, subject: str, message: str) -> None:
         else:
             body = json.dumps(body, indent=4)
         response = aws.ses.send_email(
-            FromEmailAddress=f'Azul {config.deployment_stage} Monitoring'
-                             f'',
+            FromEmailAddress=' '.join(['Azul',
+                                       config.deployment_stage,
+                                       'Monitoring',
+                                       ''
+                                       ]),
             Destination={
                 'ToAddresses': [config.monitoring_email]
             },
diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
index 92bcbdeaa8..c1e460dffa 100644
--- a/terraform/api_gateway.tf.json.template.py
+++ b/terraform/api_gateway.tf.json.template.py
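Review bot: The `From` header in the notify_service.py hunk is assembled by joining `config.deployment_stage` unquoted into the display name, and as rendered here the final `''` element makes `' '.join(...)` end in a trailing space before whatever address follows. If that last element is meant to hold the angle-bracketed sender address (it looks truncated in this rendering), a stage value containing characters outside RFC 5322 atext would produce a header SES rejects at send time; quoting the display name, `'"Azul ' + config.deployment_stage + ' Monitoring" ' + address`, avoids that. `notify_group` starts before the hunk and its body continues after it.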
@@ -136,11 +136,22 @@ def for_domain(cls, domain):
             'data': [
                 {
                     'aws_route53_zone': {
-                        zone.slug: {
-                            'name': zone.name,
-                            'private_zone': False
-                        }
-                        for zone in set(zones_by_domain.values())
+                        **{
+                            zone.slug: {
+                                'name': zone.name,
+                                'private_zone': False
+                            }
+                            for zone in set(zones_by_domain.values())
+                        },
+                        **(
+                            {
+                                'gitlab': {
+                                    'name': config.domain_name + '.',
+                                    'private_zone': False
+                                }
+                            } if config.enable_monitoring else
+                            {}
+                        ),
                     },
                     'aws_vpc': {
                         'gitlab': {
@@ -499,7 +510,20 @@ def for_domain(cls, domain):
                             }
                         })
                     } for i, domain in enumerate(app.domains)
-                }
+                },
+                **(
+                    {
+                        'notify_ses': {
+                            'zone_id': '${data.aws_route53_zone.gitlab.id}',
+                            # WIP: `config.api_lambda_domain`, name doesn't match
+                            'name': '_amazonses.' + config.api_lambda_domain('notify'),
+                            'type': 'TXT',
+                            'ttl': '600',
+                            'records': ['${aws_ses_domain_identity.notify.verification_token}']
+                        }
+                    } if app.name == 'indexer' and config.enable_monitoring else
+                    {}
+                )
             },
             'aws_cloudwatch_log_group': {
                 app.name: {
@@ -621,6 +645,42 @@ def for_domain(cls, domain):
                     }
                 )
             },
+            **(
+                {
+                    'aws_ses_domain_identity': {
+                        'notify': {
+                            'domain': config.api_lambda_domain('notify')
+                        }
+                    },
+                    'aws_ses_identity_policy': {
+                        'notify': {
+                            'identity': '${aws_ses_domain_identity.notify.arn}',
+                            'name': config.qualified_resource_name('notify'),
+                            'policy': json.dumps({
+                                'Version': '2012-10-17',
+                                'Statement': [
+                                    {
+                                        'Effect': 'Allow',
+                                        'Principal': {
+                                            'AWS': 'arn:aws:sts::' + aws.account
+                                                   + '/'.join([':assumed-role',
+                                                               config.qualified_resource_name(app.name),
+                                                               config.qualified_resource_name(app.name,
+                                                                                              '-notify')
+                                                               ])
+                                        },
+                                        'Action': [
+                                            'ses:SendEmail',
+                                            'ses:SendRawEmail'
+                                        ],
+                                        'Resource': '${aws_ses_domain_identity.notify.arn}',
+                                    }
+                                ]
+                            })
+                        }
+                    }
+                } if app.name == 'indexer' and config.enable_monitoring else {}
+            ),
             **(
                 {
                     'aws_lb': {
diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
index 291950f96d..8f27910e91 100644
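Review bot: The `gitlab` zone lookup added to `aws_route53_zone` is guarded only by `config.enable_monitoring`, while the `notify_ses` record and SES identity that consume `data.aws_route53_zone.gitlab` later in this file are guarded by `app.name == 'indexer' and config.enable_monitoring`, so the non-indexer deployment gets a data source nothing references. Using the same guard here, `} if app.name == 'indexer' and config.enable_monitoring else`, keeps producer and consumers in step. The merge also places the `'gitlab'` key after the comprehension, so a zone whose `slug` happened to be `gitlab` would be overwritten silently; an `assert 'gitlab' not in {zone.slug for zone in zones_by_domain.values()}` before the literal would surface that. The enclosing definition starts before the hunk and continues after it.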
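Review bot: The `# WIP: config.api_lambda_domain, name doesn't match` comment is left in the hunk, which reads as an unresolved question about whether `'_amazonses.' + config.api_lambda_domain('notify')` is the right record name; SES only verifies the identity when the TXT record sits at exactly `_amazonses.<identity domain>`, and the identity later in this diff is `config.api_lambda_domain('notify')`, so the two agree textually but both rely on that helper yielding the intended host. The record is also placed in the zone resolved from `config.domain_name`, so if `api_lambda_domain('notify')` is not beneath that zone the apply fails rather than the verification. I'd resolve the WIP before merging, or at least replace the comment with the invariant it protects, `# must be _amazonses.<domain of aws_ses_domain_identity.notify>, inside the config.domain_name zone`. The enclosing definition starts before the hunk and continues after it.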
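Review bot: The identity policy pins the principal to an assumed-role session ARN whose session segment is `config.qualified_resource_name(app.name, '-notify')`, which only authorizes the Lambda if that string equals the session name Lambda uses when it assumes the indexer role; the removed `shared` policy derived both segments from `config.indexer_name` and `config.indexer_function_name("notify")`, so if `qualified_resource_name` formats them differently the failure shows up as an AccessDenied on `ses:SendEmail` at runtime, not at plan time. A comment beside the join, `# role and session segments must equal the indexer role name and the notify Lambda's function name`, would make the coupling explicit. Separately, this introduces a new sending domain `config.api_lambda_domain('notify')` with only its verification TXT record; no `aws_ses_domain_dkim` or DMARC/SPF records appear in this diff, so unless they are defined elsewhere, mail from it is unsigned and the domain carries no policy for recipients enforcing DMARC. The enclosing definition starts before the hunk and continues after it.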
--- a/terraform/gitlab/gitlab.tf.json.template.py
+++ b/terraform/gitlab/gitlab.tf.json.template.py
@@ -301,11 +301,6 @@ def qq(*words):
                     'private_zone': False
                 }
             },
-            'aws_ses_domain_identity': {
-                'notify': {
-                    'domain': config.domain_name
-                }
-            },
             'aws_s3_bucket': {
                 'logs': {
                     'bucket': aws.logs_bucket,
@@ -1365,13 +1360,6 @@ def qq(*words):
                         'zone_id': '${aws_lb.gitlab_nlb.zone_id}',
                         'evaluate_target_health': False
                     }
-                },
-                'notify_ses': {
-                    'zone_id': '${data.aws_route53_zone.gitlab.id}',
-                    'name': f'_amazonses.{config.domain_name}',
-                    'type': 'TXT',
-                    'ttl': '600',
-                    'records': ['${data.aws_ses_domain_identity.notify.verification_token}']
                 }
             },
             'aws_network_interface': {
diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
index 974412ecfb..f0013e3612 100644
--- a/terraform/shared/shared.tf.json.template.py
+++ b/terraform/shared/shared.tf.json.template.py
@@ -898,34 +898,6 @@ def paren(s: str) -> str:
                 })
             }
         },
-        'aws_ses_domain_identity': {
-            'notify': {
-                'domain': config.domain_name
-            }
-        },
-        'aws_ses_identity_policy': {
-            'notify': {
-                'identity': '${aws_ses_domain_identity.notify.arn}',
-                'name': config.qualified_resource_name('notify'),
-                'policy': json.dumps({
-                    'Version': '2012-10-17',
-                    'Statement': [
-                        {
-                            'Effect': 'Allow',
-                            'Principal': {
-                                'AWS': f'arn:aws:sts::{aws.account}:assumed-role/{config.indexer_name}/'
-                                       f'{config.indexer_function_name("notify")}'
-                            },
-                            'Action': [
-                                'ses:SendEmail',
-                                'ses:SendRawEmail'
-                            ],
-                            'Resource': '${aws_ses_domain_identity.notify.arn}',
-                        }
-                    ]
-                })
-            }
-        },
         'aws_sns_topic_subscription': {
             'monitoring': {
                 'topic_arn': '${aws_sns_topic.monitoring.arn}',