Skip to content

Aws fastpath deploy #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 56 commits into
base: main
Choose a base branch
from
Open

Aws fastpath deploy #240

wants to merge 56 commits into from

Conversation

LDiazN
Copy link
Contributor

@LDiazN LDiazN commented May 7, 2025
edited
Loading

This PR will add an ansible role to deploy the fastpath as an EC2 isntance using Docker.

The ansible role will:

  • Install all of our standard setup in the EC2 machine (dehydrated, nginx) + Docker
  • Create a fastpath user used to run the fastpath
  • Download the backend repo
  • Build and run the fastpath as a docker container using docker compose

Known issues

For now this setup has an issue with the Docker installation where the docker role will try to reboot the SSH connection to apply docker group settings, but this seems to crash the next command:

TASK [geerlingguy.docker : Reset ssh connection to apply user changes.] **************************************************************************************************************

TASK [fastpath : Flush all handlers] *************************************************************************************************************************************************

TASK [fastpath : Allow traffic on port 9100] *****************************************************************************************************************************************
fatal: [fastpath.dev.ooni.io]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: [email protected]: Permission denied (publickey).", "unreachable": true}

There's also another issue where the Docker deployment fails because it can't create a network for the docker compose. This is fixed by manually rebooting the docker daemon: systemctl restart docker (see https://stackoverflow.com/questions/54380847/failed-to-setup-ip-tables-unable-to-enable-nat-rule)

To solve this issue we have to ensure that docker is rebooted before starting the docker compose

This should be solved by

devops/ansible/roles/fastpath/tasks/main.yml

Line 45 in 4b148c6

- name: Flush all handlers # Required to apply iptables settings before docker runs
but it's not, we need to check why

Update

After the last review I added the following features:

  1. Moved measurement upload from backend to devops, including timers and systemd unit
  2. Add the code pipeline setup to publish the fastpath image to dockerhub
  3. Download fastpath docker image from dockerhub

closes #239

LDiazN added 13 commits May 5, 2025 13:04
@LDiazN
Create machine for fastpath
45823f1
@LDiazN
Merge branch 'main' into aws-fastpath-deploy
4abaeca
@LDiazN
Add domain name for fastpath
19e6da1
@LDiazN
Add domain for fastpath
5a4d72c
@LDiazN
Fixed bad ingress rules
865ab47
@LDiazN
Add roles for fastpath
3084833
@LDiazN
Install docker in the fastpath machine; Clone repo
86fdc2c
@LDiazN
Set up docker in fastpath machine; Install fastpath
4f3d66c
@LDiazN
Deploy fastpath to an EC2 instance with docker
4d5ed92
@LDiazN
Increase capacity of fastpath machine
3264fb4 
This server was running out of memory trying to bring up the fastpath
docker container. I changed the instance type from one with 0.5gb of ram
to one with 1gb of ram
@LDiazN
Allow traffic on fastpath port 8472
96094a6
@LDiazN
Add Ubuntu as part of the docker users
abbe35a 
If you don't the first time you run this notebook it will crash with
"permission required" whenever you try to run a docker command
@LDiazN
Upgrade the fastpath machine, it was running out of memory by staying up
4ba80b5
@LDiazN LDiazN requested a review from hellais May 7, 2025 11:04
@LDiazN LDiazN self-assigned this May 7, 2025
@LDiazN LDiazN added the task Technical implementation task label May 7, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2025
edited
Loading

Terraform Run Output 🤖

Format and Style 🖌failure

Initialization ⚙️success

Validation 🤖success

Validation Output 

$ terraform validate

Warning: Available Write-only Attribute Alternative

  with module.ooni_monitoring.aws_ssm_parameter.ooni_monitoring_access_key,
  on ../../modules/ooni_monitoring/main.tf line 47, in resource "aws_ssm_parameter" "ooni_monitoring_access_key":
  47:   value = aws_iam_access_key.ooni_monitoring.id

The attribute value has a write-only alternative value_wo available. Use the
write-only alternative of the attribute when possible.

(and one more similar warning elsewhere)
Success! The configuration is valid, but there were some validation warnings
as shown above.

Plan 📖success

  • Plan: 5 to add, 1 to change, 5 to destroy.
Show Plan 

$ terraform plan
Acquiring state lock. This may take a few moments...
module.ooni_clickhouse_proxy.data.cloudinit_config.ooni_ec2: Reading...
module.ansible_inventory.local_file.ansible_inventory: Refreshing state... [id=b6de844ed8d384f890fa6f467502390de843f758]
module.ooni_monitoring_proxy.data.cloudinit_config.ooni_ec2: Reading...
module.ooni_fastpath.data.cloudinit_config.ooni_ec2: Reading...
random_id.artifact_id: Refreshing state... [id=8Ujqew]
data.dns_a_record_set.monitoring_host: Reading...
module.adm_iam_roles.tls_private_key.oonidevops: Refreshing state... [id=b49a9fdb9f720320340226016efe24808dd68203]
module.ooni_fastpath.data.cloudinit_config.ooni_ec2: Read complete after 0s [id=2022394177]
module.ooni_clickhouse_proxy.data.cloudinit_config.ooni_ec2: Read complete after 0s [id=2022394177]
module.ooni_monitoring_proxy.data.cloudinit_config.ooni_ec2: Read complete after 0s [id=2022394177]
module.ansible_inventory.null_resource.ansible_update_known_hosts: Refreshing state... [id=236461505953331670]
data.dns_a_record_set.monitoring_host: Read complete after 0s [id=monitoring.ooni.org]
module.ooniapi_ooniauth_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-ooniauth]
module.adm_iam_roles.aws_iam_policy.oonidevops: Refreshing state... [id=arn:aws:iam::905418398257:policy/OONIDevopsPolicy]
module.ooni_monitoring.aws_iam_user.ooni_monitoring: Refreshing state... [id=oonidevops-monitoring]
data.aws_ssm_parameter.clickhouse_readonly_test_url: Reading...
data.aws_ssm_parameter.oonipg_url: Reading...
aws_s3_bucket.ooniprobe_failed_reports: Refreshing state... [id=ooniprobe-failed-reports-eu-central-1]
module.ooniapi_reverseproxy.data.aws_ecs_container_definition.ooniapi_service_current[0]: Reading...
module.fastpath_builder.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-fastpath]
module.ooniapi_ooniprobe.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-ooniprobe]
module.fastpath_builder.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-fastpath]
data.aws_ssm_parameter.prometheus_metrics_password: Reading...
aws_acm_certificate.ooniapi_frontend: Refreshing state... [id=arn:aws:acm:eu-central-1:905418398257:certificate/190205f1-392d-425c-a059-7006ca8c8c46]
module.ooniapi_ooniauth.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-ooniauth]
module.ooniapi_reverseproxy.data.aws_ecs_container_definition.ooniapi_service_current[0]: Read complete after 1s [id=ooniapi-service-reverseproxy-td/ooniapi-service-reverseproxy]
module.ooniapi_user.aws_secretsmanager_secret.aws_secret_access_key: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooniapi_user/aws_secret_access_key-L0DQDr]
data.aws_ssm_parameter.oonipg_url: Read complete after 1s [id=/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url]
module.ooniapi_oonirun.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-oonirun]
module.ooniapi_oonimeasurements.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-oonimeasurements]
data.aws_ssm_parameter.clickhouse_readonly_test_url: Read complete after 1s [id=/oonidevops/secrets/clickhouse_readonly_test_url]
module.ooniapi_oonirun.data.aws_ecs_container_definition.ooniapi_service_current[0]: Reading...
data.aws_ssm_parameter.prometheus_metrics_password: Read complete after 0s [id=/oonidevops/ooni_services/prometheus_metrics_password]
module.ooniapi_oonirun.data.aws_ecs_container_definition.ooniapi_service_current[0]: Read complete after 0s [id=ooniapi-service-oonirun-td/ooniapi-service-oonirun]
module.ooniapi_ooniauth.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-ooniauth-task-role]
module.ooniapi_oonifindings.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonifindings-task-role]
module.ooniapi_ooniauth.data.aws_ecs_container_definition.ooniapi_service_current[0]: Reading...
module.ooniapi_ooniauth_deployer.data.aws_caller_identity.current: Reading...
module.ooniapi_ooniauth.data.aws_ecs_container_definition.ooniapi_service_current[0]: Read complete after 0s [id=ooniapi-service-ooniauth-td/ooniapi-service-ooniauth]
module.ooniapi_oonimeasurements.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonimeasurements-task-role]
module.ooniapi_ooniauth_deployer.data.aws_caller_identity.current: Read complete after 1s [id=905418398257]
data.aws_ssm_parameter.jwt_secret: Reading...
module.ooniapi_ooniprobe_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-ooniprobe]
module.ooniapi_ooniprobe.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-ooniprobe-task-role]
module.ooniapi_oonifindings.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-oonifindings]
module.adm_iam_roles.data.aws_iam_policy_document.assume_role: Reading...
module.adm_iam_roles.data.aws_iam_policy_document.assume_role: Read complete after 0s [id=367960279]
module.fastpath_builder.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-fastpath]
aws_s3_bucket.oonith_codepipeline_bucket: Refreshing state... [id=codepipeline-oonith-eu-central-1-f148ea7b]
data.aws_availability_zones.available: Reading...
data.aws_ssm_parameter.jwt_secret: Read complete after 0s [id=/oonidevops/secrets/ooni_services/jwt_secret]
module.ooniapi_oonirun.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonirun-task-role]
module.ooniapi_reverseproxy.aws_cloudwatch_log_group.ooniapi_service: Refreshing state... [id=ooni-ecs-group/ooniapi-service-reverseproxy]
module.adm_iam_roles.aws_secretsmanager_secret.oonidevops_deploy_key: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/deploy_key-2ebqSe]
aws_s3_bucket.ooniapi_codepipeline_bucket: Refreshing state... [id=codepipeline-ooniapi-eu-central-1-f148ea7b]
aws_secretsmanager_secret.oonipg_url: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooni-tier0-postgres/postgresql_url-w62CTZ]
module.ooni_fastpath.data.aws_ssm_parameter.ubuntu_22_ami: Reading...
data.aws_ssm_parameter.do_token: Reading...
module.ooniapi_ooniprobe_deployer.data.aws_caller_identity.current: Reading...
module.ooni_fastpath.data.aws_ssm_parameter.ubuntu_22_ami: Read complete after 0s [id=/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id]
module.ooniapi_oonifindings.data.aws_ecs_container_definition.ooniapi_service_current[0]: Reading...
module.ooniapi_reverseproxy_deployer.data.aws_caller_identity.current: Reading...
module.ooniapi_ooniprobe_deployer.data.aws_caller_identity.current: Read complete after 0s [id=905418398257]
module.ooniapi_oonifindings_deployer.data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.do_token: Read complete after 0s [id=/oonidevops/secrets/digitalocean_access_token]
module.ooniapi_reverseproxy_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-reverseproxy]
module.ooniapi_oonifindings.data.aws_ecs_container_definition.ooniapi_service_current[0]: Read complete after 0s [id=ooniapi-service-oonifindings-td/ooniapi-service-oonifindings]
module.ooniapi_cluster.data.aws_ssm_parameter.ecs_optimized_ami: Reading...
data.aws_ssm_parameter.clickhouse_readonly_url: Reading...
module.ooniapi_reverseproxy_deployer.data.aws_caller_identity.current: Read complete after 0s [id=905418398257]
module.adm_iam_roles.aws_key_pair.oonidevops: Refreshing state... [id=oonidevops]
data.aws_availability_zones.available: Read complete after 0s [id=eu-central-1]
module.ooniapi_cluster.aws_iam_role.container_host: Refreshing state... [id=ooniapi-ecs-cluster-container-host-role]
module.ooni_clickhouse_proxy.data.aws_ssm_parameter.ubuntu_22_ami: Reading...
module.ooniapi_cluster.data.aws_ssm_parameter.ecs_optimized_ami: Read complete after 1s [id=/aws/service/ecs/optimized-ami/amazon-linux-2/recommended]
module.ooniapi_oonifindings_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-oonifindings]
module.oonidevops_github_user.aws_iam_policy.oonidevops_github: Refreshing state... [id=arn:aws:iam::905418398257:policy/oonidevops-github-policy]
data.aws_ssm_parameter.clickhouse_readonly_url: Read complete after 1s [id=/oonidevops/secrets/clickhouse_readonly_url]
module.oonidevops_github_user.aws_iam_user.oonidevops_github: Refreshing state... [id=oonidevops-github]
module.ooniapi_oonifindings_deployer.data.aws_caller_identity.current: Read complete after 1s [id=905418398257]
module.ooniapi_user.aws_ses_email_identity.ooniapi: Refreshing state... [[email protected]]
module.ooni_clickhouse_proxy.data.aws_ssm_parameter.ubuntu_22_ami: Read complete after 0s [id=/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id]
module.ooniapi_oonimeasurements_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-oonimeasurements]
module.ooniapi_oonirun_deployer.data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.jwt_secret_legacy: Reading...
module.ooniapi_user.aws_iam_user.ooniapi: Refreshing state... [id=oonidevops-ooniapi]
module.ooni_monitoring_proxy.data.aws_ssm_parameter.ubuntu_22_ami: Reading...
module.ooniapi_oonirun_deployer.aws_iam_policy.codepipeline: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-oonirun]
module.ooniapi_oonirun_deployer.data.aws_caller_identity.current: Read complete after 0s [id=905418398257]
module.ooniapi_reverseproxy.aws_iam_role.ooniapi_service_task: Refreshing state... [id=ooniapi-service-reverseproxy-task-role]
module.oonidevops_github_user.aws_secretsmanager_secret.oonidevops_github: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/github_user/access_key_json-9JTJgd]
data.aws_ssm_parameter.jwt_secret_legacy: Read complete after 0s [id=/oonidevops/secrets/ooni_services/jwt_secret_legacy]
module.fastpath_builder.data.aws_caller_identity.current: Reading...
module.ooni_monitoring_proxy.data.aws_ssm_parameter.ubuntu_22_ami: Read complete after 0s [id=/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id]
module.ooniapi_cluster.aws_cloudwatch_log_group.ooniapi_services: Refreshing state... [id=ooni-ecs-group/ooniapi-ecs-cluster]
module.ooniapi_ooniprobe.data.aws_ecs_container_definition.ooniapi_service_current[0]: Reading...
module.ooniapi_oonimeasurements_deployer.data.aws_caller_identity.current: Reading...
module.fastpath_builder.data.aws_caller_identity.current: Read complete after 0s [id=905418398257]
module.ooniapi_user.aws_secretsmanager_secret.aws_access_key_id: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooniapi_user/aws_access_key_id-EcXOBx]
module.ooni_monitoring.aws_iam_access_key.ooni_monitoring: Refreshing state... [id=AKIA5FTZELIYWULOT65S]
module.ooniapi_ooniprobe.data.aws_ecs_container_definition.ooniapi_service_current[0]: Read complete after 0s [id=ooniapi-service-ooniprobe-td/ooniapi-service-ooniprobe]
module.ooni_monitoring.aws_iam_user_policy.ooni_monitoring: Refreshing state... [id=oonidevops-monitoring:oonidevops-monitoring-policy]
module.ooniapi_oonimeasurements_deployer.data.aws_caller_identity.current: Read complete after 0s [id=905418398257]
module.ooniapi_ooniauth_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-ooniauth]
aws_route53_record.ooniapi_frontend_cert_validation["api.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL__cd4729fc0c282e771d056e719a7bdf4f.api.dev.ooni.io._CNAME]
aws_route53_record.ooniapi_frontend_cert_validation["ooniprobe.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL__a064be8aa084a037ff9fa5e3e541c87d.ooniprobe.dev.ooni.io._CNAME]
aws_route53_record.ooniapi_frontend_cert_validation["oonirun.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL__05c891caeb4509d4cd7f9c24d8b6dbd0.oonirun.dev.ooni.io._CNAME]
aws_route53_record.ooniapi_frontend_cert_validation["ooniauth.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL__48cd4e71cee9930614228176b7deefb9.ooniauth.dev.ooni.io._CNAME]
aws_route53_record.ooniapi_frontend_cert_validation["8.th.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL__ef17825e5fd9713f596344bdd9626f5e.8.th.dev.ooni.io._CNAME]
module.ooniapi_oonifindings.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonifindings-task-role:ooniapi-service-oonifindings-task-role]
module.ooniapi_ooniauth.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-ooniauth-task-role:ooniapi-service-ooniauth-task-role]
module.adm_iam_roles.aws_iam_role.oonidevops: Refreshing state... [id=oonidevops]
module.ooniapi_ooniprobe_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-ooniprobe]
module.ooniapi_oonimeasurements.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonimeasurements-task-role:ooniapi-service-oonimeasurements-task-role]
module.fastpath_builder.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-fastpath]
module.ooniapi_ooniprobe.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-ooniprobe-task-role:ooniapi-service-ooniprobe-task-role]
module.ooniapi_oonirun.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-oonirun-task-role:ooniapi-service-oonirun-task-role]
module.adm_iam_roles.aws_secretsmanager_secret_version.oonidevops_deploy_key: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/deploy_key-2ebqSe|terraform-20240925140131946100000002]
module.ooniapi_reverseproxy_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-reverseproxy]
module.oonidevops_github_user.aws_iam_access_key.oonidevops_github: Refreshing state... [id=AKIA5FTZELIYXDN55SMS]
module.oonidevops_github_user.aws_iam_user_policy_attachment.oonidevops_github: Refreshing state... [id=oonidevops-github-20240313195612421500000001]
module.ooniapi_oonifindings_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-oonifindings]
module.ooniapi_user.aws_iam_user_policy.ooniapi: Refreshing state... [id=oonidevops-ooniapi:oonidevops-ooniapi-policy]
module.ooniapi_user.aws_iam_access_key.ooniapi: Refreshing state... [id=AKIA5FTZELIYSK2XEVOT]
module.ooniapi_oonimeasurements_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-oonimeasurements]
module.ooniapi_cluster.aws_iam_role_policy.container_host: Refreshing state... [id=ooniapi-ecs-cluster-container-host-role:ooniapi-ecs-cluster-instance-role-policy]
module.ooniapi_cluster.aws_iam_instance_profile.container_host: Refreshing state... [id=ooniapi-ecs-cluster]
module.ooniapi_oonirun_deployer.aws_iam_role.codepipeline: Refreshing state... [id=codepipeline-ooniapi-oonirun]
module.ooniapi_reverseproxy.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-reverseproxy-td]
module.ooniapi_reverseproxy.aws_iam_role_policy.ooniapi_service_task: Refreshing state... [id=ooniapi-service-reverseproxy-task-role:ooniapi-service-reverseproxy-task-role]
module.ooni_monitoring.aws_ssm_parameter.ooni_monitoring_secret_key: Refreshing state... [id=/oonidevops/secrets/ooni_monitoring/secret_key]
module.ooni_monitoring.aws_ssm_parameter.ooni_monitoring_access_key: Refreshing state... [id=/oonidevops/secrets/ooni_monitoring/access_key]
module.ooniapi_cluster.aws_ecs_cluster.main: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:cluster/ooniapi-ecs-cluster]
module.ooniapi_oonirun.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-oonirun-td]
aws_acm_certificate_validation.ooniapi_frontend: Refreshing state... [id=0001-01-01 00:00:00 +0000 UTC]
module.ooniapi_oonifindings.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-oonifindings-td]
module.ooniapi_oonimeasurements.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-oonimeasurements-td]
module.oonidevops_github_user.aws_secretsmanager_secret_version.oonidevops_github: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/github_user/access_key_json-9JTJgd|terraform-20240519071250187000000004]
aws_iam_role_policy.ooniprobe_role: Refreshing state... [id=ooniapi-ecs-cluster-container-host-role:oonidevops-dev-task-role]
module.ooniapi_user.aws_secretsmanager_secret_version.aws_secret_access_key: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooniapi_user/aws_secret_access_key-L0DQDr|terraform-20240314200140914600000006]
module.ooniapi_user.aws_secretsmanager_secret_version.aws_access_key_id: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooniapi_user/aws_access_key_id-EcXOBx|terraform-20240314200140918400000007]
module.ooniapi_ooniprobe.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-ooniprobe-td]
module.ooniapi_ooniauth.aws_ecs_task_definition.ooniapi_service: Refreshing state... [id=ooniapi-service-ooniauth-td]
data.aws_secretsmanager_secret_version.deploy_key: Reading...
aws_codestarconnections_connection.oonidevops: Refreshing state... [id=arn:aws:codestar-connections:eu-central-1:905418398257:connection/6bd492f6-c11d-43ec-92b0-24c47700d528]
module.terraform_state_backend.data.aws_region.current: Reading...
module.terraform_state_backend.data.aws_region.current: Read complete after 0s [id=eu-central-1]
module.network.aws_vpc.main: Refreshing state... [id=vpc-0e382f3ad89286de9]
module.terraform_state_backend.aws_s3_bucket.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.terraform_state_backend.data.aws_iam_policy_document.bucket_policy[0]: Reading...
module.terraform_state_backend.data.aws_iam_policy_document.bucket_policy[0]: Read complete after 0s [id=2666303363]
module.terraform_state_backend.data.aws_iam_policy_document.aggregated_policy[0]: Reading...
module.terraform_state_backend.data.aws_iam_policy_document.aggregated_policy[0]: Read complete after 0s [id=2666303363]
module.terraform_state_backend.aws_dynamodb_table.with_server_side_encryption[0]: Refreshing state... [id=oonidevops-dev-terraform-state-lock]
data.aws_secretsmanager_secret_version.deploy_key: Read complete after 0s [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/deploy_key-2ebqSe|AWSCURRENT]
module.ooni_th_droplet.data.cloudinit_config.ooni_th_docker: Reading...
module.ooni_th_droplet.data.cloudinit_config.ooni_th_docker: Read complete after 0s [id=1194028725]
module.ooni_th_droplet.digitalocean_droplet.ooni_th_docker[0]: Refreshing state... [id=459912318]
module.ooniapi_oonifindings_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-oonifindings-eu-central-1]
module.fastpath_builder.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-fastpath-eu-central-1]
module.ooniapi_oonirun_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-oonirun-eu-central-1]
module.ooniapi_reverseproxy_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-reverseproxy-eu-central-1]
module.ooniapi_ooniprobe_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-ooniprobe-eu-central-1]
module.ooniapi_ooniauth_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-ooniauth-eu-central-1]
module.ooniapi_oonimeasurements_deployer.aws_iam_policy.codebuild: Refreshing state... [id=arn:aws:iam::905418398257:policy/service-role/codebuild-oonimeasurements-eu-central-1]
module.fastpath_builder.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-fastpath]
module.ooni_th_droplet.aws_route53_record.ooni_th["0"]: Refreshing state... [id=Z055356431RGCLK3JXZDL_0.do.th.dev.ooni.io_A]
module.ooniapi_oonirun_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-oonirun]
module.ooniapi_ooniauth_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-ooniauth]
module.ooniapi_ooniprobe_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-ooniprobe]
module.ooniapi_oonifindings_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-oonifindings]
module.ooniapi_reverseproxy_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-reverseproxy]
module.ooniapi_oonimeasurements_deployer.aws_iam_role.codebuild: Refreshing state... [id=codebuild-ooniapi-oonimeasurements]
module.ooniapi_ooniprobe_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-ooniprobe]
module.ooniapi_oonirun_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-oonirun]
module.ooniapi_ooniauth_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-ooniauth]
module.ooniapi_oonifindings_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-oonifindings]
module.ooniapi_reverseproxy_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-reverseproxy]
module.ooniapi_oonimeasurements_deployer.aws_codebuild_project.ooniapi: Refreshing state... [id=arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-oonimeasurements]
module.network.aws_internet_gateway.gw: Refreshing state... [id=igw-0c080e9b235ed29d1]
module.ooni_monitoring_proxy.aws_alb_target_group.ooni_ec2: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oomnpr20250423083217708600000002/90babad6f0c8b903]
module.ooniapi_ooniauth.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OautM-20250115122624347200000004/6e746a968782a49f]
module.ooniapi_oonirun.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OrunM-20250115122624347100000003/17e1664b99b708a5]
module.ooniapi_oonifindings.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OfinM-20250115122624350600000005/ad715c6e26dd616c]
module.ooniapi_cluster.aws_security_group.web: Refreshing state... [id=sg-0187eedfe39538357]
module.ooni_clickhouse_proxy.aws_alb_target_group.ooni_ec2: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oockpr20250116192249626700000002/2e9dada4dd22c268]
module.ooniapi_ooniprobe.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OproM-20250115122624346700000001/9f9264a4e53931d3]
module.ooni_clickhouse_proxy.aws_security_group.ec2_sg: Refreshing state... [id=sg-0903c108a44c922a5]
module.ooni_monitoring_proxy.aws_security_group.ec2_sg: Refreshing state... [id=sg-00c4199ae6a658579]
module.ooniapi_oonimeasurements.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OmeaM-20250116160254864500000001/4d88cb32eb2f381c]
module.ooniapi_reverseproxy.aws_alb_target_group.ooniapi_service: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/OrevM-20250115122624347000000002/32c2f9b4e4d3b8c4]
module.ooni_fastpath.aws_security_group.ec2_sg: Refreshing state... [id=sg-0854c5725d3529ff7]
module.ooni_fastpath.aws_alb_target_group.ooni_ec2: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oofstp20250718074924525300000001/d7da8bc733496b02]
module.network.aws_route_table.public: Refreshing state... [id=rtb-0ccb0852e6a365a95]
module.network.aws_subnet.private[0]: Refreshing state... [id=subnet-09314a43ec89d6331]
module.network.aws_subnet.private[1]: Refreshing state... [id=subnet-0b899a7ad10406d06]
module.network.aws_subnet.public[1]: Refreshing state... [id=subnet-0b18966cccfc9d5ef]
module.network.aws_subnet.public[0]: Refreshing state... [id=subnet-0e7a4478be988463f]
module.network.aws_route_table.private: Refreshing state... [id=rtb-011463437da96c77b]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_egress[1]: Refreshing state... [id=sgrule-1281654482]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_egress[0]: Refreshing state... [id=sgrule-1099643652]
module.ooni_monitoring_proxy.aws_security_group_rule.ec2_sg_egress[0]: Refreshing state... [id=sgrule-4288788045]
module.ooni_monitoring_proxy.aws_security_group_rule.ec2_sg_egress[1]: Refreshing state... [id=sgrule-3806784481]
module.ooni_monitoring_proxy.aws_security_group_rule.ec2_sg_ingress[0]: Refreshing state... [id=sgrule-2756751855]
module.ooni_monitoring_proxy.aws_security_group_rule.ec2_sg_ingress[2]: Refreshing state... [id=sgrule-2383513485]
module.ooni_monitoring_proxy.aws_security_group_rule.ec2_sg_ingress[1]: Refreshing state... [id=sgrule-316337242]
module.ooni_fastpath.aws_security_group_rule.ec2_sg_egress[0]: Refreshing state... [id=sgrule-2637037541]
module.ooni_fastpath.aws_security_group_rule.ec2_sg_egress[1]: Refreshing state... [id=sgrule-1642775862]
module.terraform_state_backend.aws_s3_bucket_versioning.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.terraform_state_backend.aws_s3_bucket_server_side_encryption_configuration.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.terraform_state_backend.aws_s3_bucket_public_access_block.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.ooniapi_oonifindings.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-oonifindings]
module.ooniapi_ooniauth.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-ooniauth]
module.ooniapi_oonirun.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-oonirun]
module.ooniapi_ooniprobe.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-ooniprobe]
module.ooniapi_reverseproxy.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-reverseproxy]
module.ooniapi_oonimeasurements.aws_ecs_service.ooniapi_service: Refreshing state... [id=arn:aws:ecs:eu-central-1:905418398257:service/ooniapi-ecs-cluster/ooniapi-service-oonimeasurements]
module.network.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0e7933e6b804ff2c1]
module.network.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0c9cc0f117ef15fe7]
module.network.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-08ab18165bf481054]
module.network.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0dbd7fb16801ee049]
module.ooniapi_cluster.aws_security_group.container_host: Refreshing state... [id=sg-0aa6a97400b619de3]
module.terraform_state_backend.aws_s3_bucket_policy.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.oonipg.aws_security_group.pg: Refreshing state... [id=sg-005ca579eb9c08cda]
module.ooni_fastpath.aws_launch_template.ooni_ec2: Refreshing state... [id=lt-0ac59dcc340e85588]
module.oonipg.aws_db_subnet_group.pg: Refreshing state... [id=ooni-tier0-postgres-dbsng]
module.ooniapi_frontend.aws_alb.ooniapi: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:loadbalancer/app/ooni-api-frontend/4a50f3dd46584390]
module.ooni_monitoring_proxy.aws_launch_template.ooni_ec2: Refreshing state... [id=lt-0c9dddb576a4f71a3]
module.ooni_clickhouse_proxy.aws_launch_template.ooni_ec2: Refreshing state... [id=lt-0855bc6373ff4c75b]
module.ooniapi_oonifindings_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-oonifindings]
module.ooniapi_ooniauth_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-ooniauth]
module.ooniapi_cluster.aws_launch_template.container_host: Refreshing state... [id=lt-0e328a8671f870c64]
module.ooniapi_ooniprobe_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-ooniprobe]
module.ooniapi_oonirun_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-oonirun]
module.ooniapi_oonimeasurements_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-oonimeasurements]
module.ooniapi_reverseproxy_deployer.aws_codepipeline.ooniapi: Refreshing state... [id=ooniapi-reverseproxy]
module.terraform_state_backend.time_sleep.wait_for_aws_s3_bucket_settings[0]: Refreshing state... [id=2024-03-10T15:06:17Z]
module.ooni_fastpath.aws_instance.ooni_ec2: Refreshing state... [id=i-0b4380b70f67afa0e]
module.ooni_monitoring_proxy.aws_instance.ooni_ec2: Refreshing state... [id=i-067b337ada2d9cc00]
module.ooni_clickhouse_proxy.aws_instance.ooni_ec2: Refreshing state... [id=i-0f308c94682614973]
module.ooniapi_cluster.aws_autoscaling_group.container_host: Refreshing state... [id=ooniapi-ecs-cluster20240310192644083800000003]
module.terraform_state_backend.aws_s3_bucket_ownership_controls.default[0]: Refreshing state... [id=oonidevops-dev-terraform-state]
module.ooniapi_frontend.aws_alb_listener.ooniapi_listener_https: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45]
module.ooniapi_frontend.aws_alb_listener.ooniapi_listener_http: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener/app/ooni-api-frontend/4a50f3dd46584390/664a34cfb30f72e8]
module.oonipg.aws_db_instance.pg: Refreshing state... [id=db-27N7Q6XIBNASFCOXN4N7C762L4]
aws_route53_record.ooniapi_frontend_main: Refreshing state... [id=Z055356431RGCLK3JXZDL_api.dev.ooni.io_A]
aws_route53_record.ooniapi_frontend_alt["ooniprobe.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL_ooniprobe.dev.ooni.io_A]
aws_route53_record.ooniapi_frontend_alt["oonirun.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL_oonirun.dev.ooni.io_A]
aws_route53_record.ooniapi_frontend_alt["8.th.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL_8.th.dev.ooni.io_A]
aws_route53_record.ooniapi_frontend_alt["ooniauth.dev.ooni.io"]: Refreshing state... [id=Z055356431RGCLK3JXZDL_ooniauth.dev.ooni.io_A]
aws_route53_record.postgres_dns: Refreshing state... [id=Z091407123AEJO90Z3H6D_postgres.dev.ooni.nu_CNAME]
data.aws_secretsmanager_secret_version.pg_login: Reading...
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonirun_rule_host: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/9af03e886f8803f2]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_ooniauth_rule_host: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/f4bf91203c7ca76e]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonirun_rule: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/cc29701b6ed6aa2e]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_ooniauth_rule: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/178511e1b6ae89c5]
data.aws_secretsmanager_secret_version.pg_login: Read complete after 0s [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:rds!db-5fe27151-3a37-44e0-a5bd-3517363fa2e8-BDI0KI|AWSCURRENT]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_ooniprobe_rule_host: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/583471b0bdc1c388]
module.ooniapi_frontend.aws_alb_listener_rule.ooniapi_th: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/775cd6d0dc062fd3]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonimeasurements_rule_2[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/e6dbe09be108b001]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonifindings_rule: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/36d49e835c0b81c5]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonifindings_rule_host: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/54cda6e694a0103f]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonimeasurements_rule_host[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/f3d75d5d93fd6903]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_oonimeasurements_rule_1[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/1cf3d6a7a694eec9]
module.ooniapi_frontend.aws_lb_listener_rule.ooniapi_ooniprobe_rule: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:listener-rule/app/ooni-api-frontend/4a50f3dd46584390/9ef650e256f41d45/82069bb29bca6af1]
aws_secretsmanager_secret_version.oonipg_url: Refreshing state... [id=arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/ooni-tier0-postgres/postgresql_url-w62CTZ|terraform-20250718075233005800000001]
module.ooni_monitoring_proxy.aws_lb_target_group_attachment.oonibackend_proxy: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oomnpr20250423083217708600000002/90babad6f0c8b903-20250423083239704200000006]
aws_route53_record.monitoring_proxy_alias: Refreshing state... [id=Z055356431RGCLK3JXZDL_monitoringproxy.dev.ooni.io_CNAME]
module.ooni_fastpath.aws_security_group_rule.ec2_sg_ingress[0]: Refreshing state... [id=sgrule-2263584242]
module.ooni_fastpath.aws_security_group_rule.ec2_sg_ingress[2]: Refreshing state... [id=sgrule-2442009361]
module.ooni_fastpath.aws_security_group_rule.ec2_sg_ingress[1]: Refreshing state... [id=sgrule-3714318590]
module.ooni_fastpath.aws_lb_target_group_attachment.oonibackend_proxy: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oofstp20250718074924525300000001/d7da8bc733496b02-20250718074947410500000009]
aws_route53_record.fastpath_alias: Refreshing state... [id=Z055356431RGCLK3JXZDL_fastpath.dev.ooni.io_CNAME]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_ingress[0]: Refreshing state... [id=sgrule-1921217342]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_ingress[2]: Refreshing state... [id=sgrule-308035203]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_ingress[4]: Refreshing state... [id=sgrule-3520426823]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_ingress[3]: Refreshing state... [id=sgrule-3953292375]
module.ooni_clickhouse_proxy.aws_security_group_rule.ec2_sg_ingress[1]: Refreshing state... [id=sgrule-3288936075]
module.ooni_clickhouse_proxy.aws_lb_target_group_attachment.oonibackend_proxy: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-central-1:905418398257:targetgroup/oockpr20250116192249626700000002/2e9dada4dd22c268-20250423080341595800000003]
aws_route53_record.clickhouse_proxy_alias: Refreshing state... [id=Z055356431RGCLK3JXZDL_clickhouseproxy.dev.ooni.io_CNAME]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.fastpath_builder.aws_codebuild_project.ooniapi will be destroyed
  # (because aws_codebuild_project.ooniapi is not in configuration)
  - resource "aws_codebuild_project" "ooniapi" {
      - arn                    = "arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-fastpath" -> null
      - badge_enabled          = false -> null
      - build_timeout          = 60 -> null
      - concurrent_build_limit = 1 -> null
      - encryption_key         = "arn:aws:kms:eu-central-1:905418398257:alias/aws/s3" -> null
      - id                     = "arn:aws:codebuild:eu-central-1:905418398257:project/ooniapi-fastpath" -> null
      - name                   = "ooniapi-fastpath" -> null
      - project_visibility     = "PRIVATE" -> null
      - queued_timeout         = 480 -> null
      - service_role           = "arn:aws:iam::905418398257:role/service-role/codebuild-ooniapi-fastpath" -> null
      - tags                   = {} -> null
      - tags_all               = {} -> null
        # (5 unchanged attributes hidden)

      - artifacts {
          - encryption_disabled    = false -> null
            name                   = null
          - override_artifact_name = false -> null
          - type                   = "NO_ARTIFACTS" -> null
            # (6 unchanged attributes hidden)
        }

      - cache {
          - modes    = [] -> null
          - type     = "NO_CACHE" -> null
            # (1 unchanged attribute hidden)
        }

      - environment {
          - compute_type                = "BUILD_GENERAL1_SMALL" -> null
          - image                       = "aws/codebuild/standard:7.0" -> null
          - image_pull_credentials_type = "CODEBUILD" -> null
          - privileged_mode             = true -> null
          - type                        = "LINUX_CONTAINER" -> null
            # (1 unchanged attribute hidden)
        }

      - logs_config {
          - cloudwatch_logs {
              - status      = "ENABLED" -> null
                # (2 unchanged attributes hidden)
            }
          - s3_logs {
              - encryption_disabled = false -> null
              - status              = "DISABLED" -> null
                # (2 unchanged attributes hidden)
            }
        }

      - source {
          - buildspec           = "fastpath/buildspec.yml" -> null
          - git_clone_depth     = 1 -> null
          - insecure_ssl        = false -> null
          - location            = "https://github.com/ooni/backend.git" -> null
          - report_build_status = false -> null
          - type                = "GITHUB" -> null

          - git_submodules_config {
              - fetch_submodules = false -> null
            }
        }
    }

  # module.fastpath_builder.aws_codebuild_project.oonidkr will be created
  + resource "aws_codebuild_project" "oonidkr" {
      + arn                    = (known after apply)
      + badge_enabled          = false
      + badge_url              = (known after apply)
      + build_timeout          = 60
      + concurrent_build_limit = 1
      + description            = (known after apply)
      + encryption_key         = "arn:aws:kms:eu-central-1:905418398257:alias/aws/s3"
      + id                     = (known after apply)
      + name                   = "oonidkr-fastpath"
      + project_visibility     = "PRIVATE"
      + public_project_alias   = (known after apply)
      + queued_timeout         = 480
      + service_role           = (known after apply)
      + tags_all               = (known after apply)

      + artifacts {
          + encryption_disabled    = false
          + override_artifact_name = false
          + type                   = "NO_ARTIFACTS"
        }

      + cache {
          + type = "NO_CACHE"
        }

      + environment {
          + compute_type                = "BUILD_GENERAL1_SMALL"
          + image                       = "aws/codebuild/standard:7.0"
          + image_pull_credentials_type = "CODEBUILD"
          + privileged_mode             = true
          + type                        = "LINUX_CONTAINER"
        }

      + logs_config {
          + cloudwatch_logs {
              + status = "ENABLED"
            }
          + s3_logs {
              + encryption_disabled = false
              + status              = "DISABLED"
            }
        }

      + source {
          + buildspec           = "fastpath/buildspec.yml"
          + git_clone_depth     = 1
          + insecure_ssl        = false
          + location            = "https://github.com/ooni/backend.git"
          + report_build_status = false
          + type                = "GITHUB"

          + git_submodules_config {
              + fetch_submodules = false
            }
        }
    }

  # module.fastpath_builder.aws_codepipeline.ooniapi will be destroyed
  # (because aws_codepipeline.ooniapi is not in configuration)
  - resource "aws_codepipeline" "ooniapi" {
      - arn            = "arn:aws:codepipeline:eu-central-1:905418398257:ooniapi-fastpath" -> null
      - execution_mode = "SUPERSEDED" -> null
      - id             = "ooniapi-fastpath" -> null
      - name           = "ooniapi-fastpath" -> null
      - pipeline_type  = "V2" -> null
      - role_arn       = "arn:aws:iam::905418398257:role/service-role/codepipeline-ooniapi-fastpath" -> null
      - tags           = {} -> null
      - tags_all       = {} -> null

      - artifact_store {
          - location = "codepipeline-ooniapi-eu-central-1-f148ea7b" -> null
          - type     = "S3" -> null
            # (1 unchanged attribute hidden)
        }

      - stage {
          - name = "Source" -> null

          - action {
              - category           = "Source" -> null
              - configuration      = {
                  - "BranchName"           = "fastpath-writes-to-disk"
                  - "ConnectionArn"        = "arn:aws:codestar-connections:eu-central-1:905418398257:connection/6bd492f6-c11d-43ec-92b0-24c47700d528"
                  - "DetectChanges"        = "true"
                  - "FullRepositoryId"     = "ooni/backend"
                  - "OutputArtifactFormat" = "CODEBUILD_CLONE_REF"
                } -> null
              - input_artifacts    = [] -> null
              - name               = "Source" -> null
              - namespace          = "SourceVariables" -> null
              - output_artifacts   = [
                  - "SourceArtifact",
                ] -> null
              - owner              = "AWS" -> null
              - provider           = "CodeStarSourceConnection" -> null
              - region             = "eu-central-1" -> null
              - run_order          = 1 -> null
              - timeout_in_minutes = 0 -> null
              - version            = "1" -> null
                # (1 unchanged attribute hidden)
            }
        }
      - stage {
          - name = "Build" -> null

          - action {
              - category           = "Build" -> null
              - configuration      = {
                  - "ProjectName" = "ooniapi-fastpath"
                } -> null
              - input_artifacts    = [
                  - "SourceArtifact",
                ] -> null
              - name               = "Build" -> null
              - namespace          = "BuildVariables" -> null
              - output_artifacts   = [
                  - "BuildArtifact",
                ] -> null
              - owner              = "AWS" -> null
              - provider           = "CodeBuild" -> null
              - region             = "eu-central-1" -> null
              - run_order          = 1 -> null
              - timeout_in_minutes = 0 -> null
              - version            = "1" -> null
                # (1 unchanged attribute hidden)
            }
        }

      - trigger {
          - provider_type = "CodeStarSourceConnection" -> null

          - git_configuration {
              - source_action_name = "Source" -> null

              - push {
                  - branches {
                      - excludes = [] -> null
                      - includes = [
                          - "fastpath-writes-to-disk",
                        ] -> null
                    }
                  - file_paths {
                      - excludes = [
                          - "**/README.md",
                        ] -> null
                      - includes = [
                          - "fastpath/**",
                        ] -> null
                    }
                }
            }
        }
    }

  # module.fastpath_builder.aws_codepipeline.oonidkr will be created
  + resource "aws_codepipeline" "oonidkr" {
      + arn            = (known after apply)
      + execution_mode = "SUPERSEDED"
      + id             = (known after apply)
      + name           = "oonidkr-fastpath"
      + pipeline_type  = "V2"
      + role_arn       = (known after apply)
      + tags_all       = (known after apply)

      + artifact_store {
          + location = "codepipeline-ooniapi-eu-central-1-f148ea7b"
          + type     = "S3"
            # (1 unchanged attribute hidden)
        }

      + stage {
          + name = "Source"

          + action {
              + category         = "Source"
              + configuration    = {
                  + "BranchName"           = "fastpath-writes-to-disk"
                  + "ConnectionArn"        = "arn:aws:codestar-connections:eu-central-1:905418398257:connection/6bd492f6-c11d-43ec-92b0-24c47700d528"
                  + "DetectChanges"        = "true"
                  + "FullRepositoryId"     = "ooni/backend"
                  + "OutputArtifactFormat" = "CODEBUILD_CLONE_REF"
                }
              + name             = "Source"
              + namespace        = "SourceVariables"
              + output_artifacts = [
                  + "SourceArtifact",
                ]
              + owner            = "AWS"
              + provider         = "CodeStarSourceConnection"
              + region           = "eu-central-1"
              + run_order        = 1
              + version          = "1"
            }
        }
      + stage {
          + name = "Build"

          + action {
              + category         = "Build"
              + configuration    = {
                  + "ProjectName" = "oonidkr-fastpath"
                }
              + input_artifacts  = [
                  + "SourceArtifact",
                ]
              + name             = "Build"
              + namespace        = "BuildVariables"
              + output_artifacts = [
                  + "BuildArtifact",
                ]
              + owner            = "AWS"
              + provider         = "CodeBuild"
              + region           = "eu-central-1"
              + run_order        = 1
              + version          = "1"
            }
        }

      + trigger {
          + provider_type = "CodeStarSourceConnection"

          + git_configuration {
              + source_action_name = "Source"

              + push {
                  + branches {
                      + includes = [
                          + "fastpath-writes-to-disk",
                        ]
                    }
                  + file_paths {
                      + excludes = [
                          + "**/README.md",
                        ]
                      + includes = [
                          + "fastpath/**",
                        ]
                    }
                }
            }
        }
    }

  # module.fastpath_builder.aws_iam_policy.codebuild will be updated in-place
  ~ resource "aws_iam_policy" "codebuild" {
        id               = "arn:aws:iam::905418398257:policy/service-role/codebuild-fastpath-eu-central-1"
        name             = "codebuild-fastpath-eu-central-1"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                          ~ "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/ooniapi-fastpath" -> "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/oonidkr-fastpath",
                          ~ "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/ooniapi-fastpath:*" -> "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/oonidkr-fastpath:*",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "s3:PutObject",
                            "s3:GetObject",
                            "s3:GetObjectVersion",
                            "s3:GetBucketAcl",
                            "s3:GetBucketLocation",
                        ]
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws:s3:::codepipeline-ooniapi-eu-central-1-*",
                        ]
                    },
                    {
                        Action   = [
                            "ssmmessages:CreateControlChannel",
                            "ssmmessages:CreateDataChannel",
                            "ssmmessages:OpenControlChannel",
                            "ssmmessages:OpenDataChannel",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  ~ {
                      ~ Resource = [
                          ~ "arn:aws:codebuild:eu-central-1:905418398257:report-group/ooniapi-fastpath-*" -> "arn:aws:codebuild:eu-central-1:905418398257:report-group/oonidkr-fastpath-*",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = "codestar-connections:UseConnection"
                        Effect   = "Allow"
                        Resource = "arn:aws:codestar-connections:eu-central-1:905418398257:connection/6bd492f6-c11d-43ec-92b0-24c47700d528"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.fastpath_builder.aws_iam_policy.codepipeline must be replaced
-/+ resource "aws_iam_policy" "codepipeline" {
      ~ arn              = "arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-fastpath" -> (known after apply)
      ~ attachment_count = 1 -> (known after apply)
      ~ id               = "arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-fastpath" -> (known after apply)
      ~ name             = "codepipeline-ooniapi-fastpath" -> "codepipeline-oonidkr-fastpath" # forces replacement
      + name_prefix      = (known after apply)
      ~ policy_id        = "ANPA5FTZELIYRPDXC4CYQ" -> (known after apply)
      - tags             = {} -> null
      ~ tags_all         = {} -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # module.fastpath_builder.aws_iam_role.codebuild must be replaced
-/+ resource "aws_iam_role" "codebuild" {
      ~ arn                   = "arn:aws:iam::905418398257:role/service-role/codebuild-ooniapi-fastpath" -> (known after apply)
      ~ create_date           = "2025-07-21T11:29:17Z" -> (known after apply)
      ~ id                    = "codebuild-ooniapi-fastpath" -> (known after apply)
      ~ name                  = "codebuild-ooniapi-fastpath" -> "codebuild-oonidkr-fastpath" # forces replacement
      + name_prefix           = (known after apply)
      - tags                  = {} -> null
      ~ tags_all              = {} -> (known after apply)
      ~ unique_id             = "AROA5FTZELIY76R3CAQPY" -> (known after apply)
        # (7 unchanged attributes hidden)

      ~ inline_policy (known after apply)
    }

  # module.fastpath_builder.aws_iam_role.codepipeline must be replaced
-/+ resource "aws_iam_role" "codepipeline" {
      ~ arn                   = "arn:aws:iam::905418398257:role/service-role/codepipeline-ooniapi-fastpath" -> (known after apply)
      ~ create_date           = "2025-07-21T11:29:17Z" -> (known after apply)
      ~ id                    = "codepipeline-ooniapi-fastpath" -> (known after apply)
      ~ managed_policy_arns   = [
          - "arn:aws:iam::905418398257:policy/service-role/codepipeline-ooniapi-fastpath",
        ] -> (known after apply)
      ~ name                  = "codepipeline-ooniapi-fastpath" -> "codepipeline-oonidkr-fastpath" # forces replacement
      + name_prefix           = (known after apply)
      - tags                  = {} -> null
      ~ tags_all              = {} -> (known after apply)
      ~ unique_id             = "AROA5FTZELIY3QAPJ2MYB" -> (known after apply)
        # (6 unchanged attributes hidden)

      ~ inline_policy (known after apply)
    }

Plan: 5 to add, 1 to change, 5 to destroy.

Warning: Argument is deprecated

  with module.adm_iam_roles.aws_iam_role.oonidevops,
  on ../../modules/adm_iam_roles/main.tf line 67, in resource "aws_iam_role" "oonidevops":
  67:   managed_policy_arns = [aws_iam_policy.oonidevops.arn]

The managed_policy_arns argument is deprecated. Use the
aws_iam_role_policy_attachment resource instead. If Terraform should
exclusively manage all managed policy attachments (the current behavior of
this argument), use the aws_iam_role_policy_attachments_exclusive resource as
well.

(and 3 more similar warnings elsewhere)

Warning: Available Write-only Attribute Alternative

  with module.ooni_monitoring.aws_ssm_parameter.ooni_monitoring_access_key,
  on ../../modules/ooni_monitoring/main.tf line 47, in resource "aws_ssm_parameter" "ooni_monitoring_access_key":
  47:   value = aws_iam_access_key.ooni_monitoring.id

The attribute value has a write-only alternative value_wo available. Use the
write-only alternative of the attribute when possible.

(and one more similar warning elsewhere)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Pusher @LDiazN
Action pull_request
Environment dev
Workflow .github/workflows/check_terraform.yml
Last updated Tue, 22 Jul 2025 07:33:04 GMT

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2025
edited
Loading

Ansible Run Output 🤖

Ansible Playbook Recap 🔍

Ansible playbook output 📖success

Show Execution 

$ ansible-playbook playbook.yml --check --diff -i ../tf/modules/ansible_inventory/inventories/inventory-dev.ini
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: monitoring.ooni.org
[WARNING]: Could not match supplied host pattern, ignoring: backend-
hel.ooni.org
[WARNING]: Could not match supplied host pattern, ignoring:
clickhouseproxy.dev.ooni.io
[WARNING]: Could not match supplied host pattern, ignoring:
clickhouseproxy.prod.ooni.io
[WARNING]: Could not match supplied host pattern, ignoring: notebook1.htz-
fsn.prod.ooni.nu
[WARNING]: Could not match supplied host pattern, ignoring: data1.htz-
fsn.prod.ooni.nu
[WARNING]: Could not match supplied host pattern, ignoring: data3.htz-
fsn.prod.ooni.nu
[WARNING]: Could not match supplied host pattern, ignoring: openvpn-
server1.ooni.io

PLAY [Ensure all hosts are bootstrapped correctly] *****************************
skipping: no hosts matched

PLAY [Deploy monitoring host] **************************************************
skipping: no hosts matched

PLAY [Update monitoring config] ************************************************
skipping: no hosts matched

PLAY [Deploy ooni backend services] ********************************************
skipping: no hosts matched

PLAY [Deploy clickhouse proxy] *************************************************
skipping: no hosts matched

PLAY [Deploy oonidata clickhouse hosts] ****************************************
skipping: no hosts matched

PLAY [Deploy airflow frontend host] ********************************************
skipping: no hosts matched

PLAY [Setup OpenVPN server] ****************************************************
skipping: no hosts matched

PLAY [Deploy notebook host] ****************************************************
skipping: no hosts matched

PLAY RECAP *********************************************************************
Pusher @LDiazN
Action pull_request
Working Directory
Workflow .github/workflows/check_ansible.yml
Last updated Tue, 22 Jul 2025 07:33:26 GMT

hellais
hellais reviewed Jun 27, 2025
View reviewed changes
ansible/roles/fastpath/tasks/main.yml Outdated
dest: "/opt/{{fastpath_user}}/backend"
# TODO Change to `master` when https://github.com/ooni/backend/pull/935 is merged
version: support-deploying-fastpath-as-docker-container
force: yes
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be ideal if we did this using the same pattern as the reset of the services. That would be building the docker image upon each commit in backend automatically and then we do the deploy using the tag.

It otherwise makes it harder to test something in dev and then deploy it inside of prod.

What we would ideally like to do is make a build, tag a version, test it in dev and then when the test passes we can deploy it to prod.

Can you make changes to run this as part of the CD pipeline?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure!

@hellais
Copy link
Member

hellais commented Jun 27, 2025

We are also missing another piece to get fastpath fully working and that is handling measurement upload. It's necessary to extract the api-uploader systemd unit and component over to fastpath (see: https://github.com/ooni/backend/blob/master/api/debian/ooni-api-uploader.timer).

Other relevant docs are for these pieces are here: https://docs.ooni.org/backend/systemd-timers/#ooni-api-uploader-timer
https://docs.ooni.org/backend/measurement-uploader/

I guess we have 2 options on how to handle this:

  1. We change how this works and move it over to the airflow host doing something like sshing into the fastpath EC2 host and doing the copy to s3 from there
  2. We install this systemd unit as part of ansible or similar to run from the EC2 container host

@LDiazN
Copy link
Contributor Author

LDiazN commented Jun 27, 2025

I will probably go with 2, but I will address it in a follow up PR with that and setting up the access to s3 and clickhouse

@hellais hellais mentioned this pull request Jul 3, 2025
Open
hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/host_vars/fastpath.dev.ooni.io/vault Outdated
@@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are we storing in the vault? Can we put this into aws_ssm instead?

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/roles/fastpath/defaults/main.yml Outdated

# Fastpath settings
# TODO Update this to the actual clickhouse host when we have migrated it
clickhouse_url: "clickhouse://default:default@clickhouse-server:9000"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have migrated it, should we then update it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, actually the fastpath is taking configurations from its the ansible/host_vars/fastpath.dev.ooni.io/vars.yml file but I will update the default one to be the same

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/roles/fastpath/tasks/main.yml Outdated
- name: Ensure fastpath is running
community.docker.docker_container:
name: fastpath
image: ooni/fastpath:latest
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we place a specific version tag in here and make it as variable so we ensure we have the correct tested version?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I will this one that has the changes with the fastpath writing to disk:
https://hub.docker.com/layers/ooni/fastpath/v0.87/images/sha256-60b2d4e55fa4ba0a9aeb1e821e901e49f78141619eefa6ce45fd4ef251145ee0

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/roles/fastpath/tasks/main.yml Outdated
- name: Install Statsd
tags: uploader
apt:
name: python3-statsd
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's probably cleaner to use the pkg list here instead, like so:

- name: Install dependencies for uploader
  tags: uploader
  apt:
    pkg: 
    - python3-statsd
    - python3-boto3
    ... etc

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/roles/fastpath/templates/api-uploader.conf
[DEFAULT]
# arn:aws:iam::676739448697:user/ooni-pipeline, AWS: OONI Open Data
aws_access_key_id = AKIAJURD7T4DTN5JMJ5Q
aws_secret_access_key = {{ s3_ooni_open_data_access_key }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might have been placed in the vault. I suggest we move it instead into parameter store

Copy link
Contributor Author

@LDiazN LDiazN Jul 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will do that, I was using that pattern because it was used in other places for the same key:

devops/ansible/host_vars/backend-hel.ooni.org/vars.yml

Line 1 in 366b653

s3_ooni_open_data_access_key: "{{ vault_s3_ooni_open_data_access_key }}"

Should we update those places as well?

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
ansible/roles/fastpath/templates/ooni_api_uploader.py Outdated
f"raw/{tstamp[:8]}/{tstamp[8:10]}/{cc}/{testname}/{jsonlf.name}"
)
if conf.get("run_mode", "") == "DESTROY_DATA":
log.info("Testbed mode: Destroying postcans!")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mode of operation scares me a bit. I would suggest we maybe remove it to avoid mistakes.

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
tf/environments/dev/main.tf Outdated
from_port = 80,
to_port = 80,
protocol = "tcp",
cidr_blocks = ["0.0.0.0/0"],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it actually need permission to be accessed on port 80 from anywhere on the internet?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not actually, I will remove it

hellais
hellais reviewed Jul 17, 2025
View reviewed changes
tf/environments/dev/main.tf
}

module "fastpath_builder" {
source = "../../modules/ooni_docker_build"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need a new module for this? I see that the only thing that changes between ooni_docker_build and ooniapi_service_deployer/ is that we are skipping the final Deploy stage. Could we just pass that as an optional flag to it and avoid duplicating all the module code?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it's too tricky though we can skip it

LDiazN added 17 commits July 18, 2025 12:05
@LDiazN
Change branch for fastpath builder
fb8d87f
@LDiazN
Update branch for ooniprobe service
ebfee13
@LDiazN
Change python packages installation style
ddd5771
@LDiazN
Point default clickhouse_url to the clickhouse proxy
45f1bf7
@LDiazN
Pin fastpath version
366b653
@LDiazN
Remove vault-stored parameter
7a22d75
@LDiazN
Add measurement spool dir to fastpath
c285e51
@LDiazN
remove 80 port from ingress rules
5ef1f28
@LDiazN
Merge branch 'main' of https://github.com/ooni/devops
079b748
@LDiazN
merge conflict
50ba1c0
@LDiazN
Add collector id parameter to ooniprobe
0d35f73
@LDiazN
Remove option to delete data without uploading to s3
67d84d0
@LDiazN
Reuse ooniapi deployer for fastpath
1687422
@LDiazN
Remove unused module
3eae3ef
@LDiazN
Fix access from fastpath to clickhouse proxy
afdb097
@LDiazN
Revert "Remove unused module"
e123d7d 
This reverts commit 3eae3ef.
@LDiazN
Revert "Reuse ooniapi deployer for fastpath"
f3e7e19 
This reverts commit 1687422.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hellais hellais hellais left review comments

Assignees

@LDiazN LDiazN

Labels
task Technical implementation task
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create a role to deploy fastpath to AWS
2 participants
@LDiazN @hellais