majuna/app/terraform/proxy/cloudfront.py

import json
import re
from datetime import datetime, timezone
from typing import Any, Optional

import boto3
from flask import current_app

from app.extensions import db
from app.models.mirrors import Proxy
from app.terraform.proxy import ProxyAutomation, update_smart_proxy_instance


class ProxyCloudfrontAutomation(ProxyAutomation):
    short_name = "proxy_cloudfront"
    description = "Deploy proxies to AWS CloudFront"
    provider = "cloudfront"
    smart_proxies = True
    cloud_name = "aws"

    template_parameters = [
        "admin_email",
        "aws_access_key",
        "aws_secret_key",
        "smart_zone",
    ]

    template = """
    terraform {
      {{ backend_config }}
      required_providers {
        acme = {
          source = "vancluever/acme"
          version = "~> 2.11.0"
        }
        aws = {
          version = "~> 4.41.0"
        }
      }
    }

    provider "acme" {
      server_url = "https://acme-v02.api.letsencrypt.org/directory"
    }

    provider "aws" {
      access_key = "{{ aws_access_key }}"
      secret_key = "{{ aws_secret_key }}"
      region = "us-east-2"
    }

    locals {
      smart_zone = "{{ smart_zone }}"
    }

    {% for group in groups %}
    module "label_{{ group.id }}" {
      source  = "cloudposse/label/null"
      version = "0.25.0"
      namespace = "{{ global_namespace }}"
      tenant = "{{ group.group_name }}"
      label_order = ["namespace", "tenant", "name", "attributes"]
    }

    module "log_bucket_{{ group.id }}" {
      source = "cloudposse/s3-log-storage/aws"
      version = "0.28.0"
      context = module.label_{{ group.id }}.context
      name = "logs"
      attributes = ["cloudfront"]
      acl                      = "log-delivery-write"
      standard_transition_days = 30
      glacier_transition_days  = 60
      expiration_days          = 90
    }

    resource "aws_sns_topic" "alarms_{{ group.id }}" {
      name = "${module.label_{{ group.id }}.id}-cloudfront-alarms"
    }

    {% for origin in group.origins | selectattr("destroyed", "none") | selectattr("smart") %}
    {% if loop.first %}
    module "smart_proxy_{{ group.id }}" {
      source  = "{{ terraform_modules_path }}/terraform-aws-bc-smart-proxy-instance"
      context = module.label_{{ group.id }}.context
      name = "smart-proxy"
      config_filename = "smart_proxy.{{ group.id }}.conf"
      disable_api_termination = false
      dns_zone = "{{ smart_zone }}"
      letsencrypt_email_address = "{{ admin_email }}"
      max_transfer_per_hour = "13000000000"
    }
    {% endif %}
    {% endfor %}
    {% endfor %}

    {% for proxy in proxies %}
    module "cloudfront_{{ proxy.id }}" {
      source = "{{ terraform_modules_path }}/terraform-aws-bc-proxy"
      {% if proxy.origin.smart %}
      origin_domain = "origin-{{ proxy.origin.id }}.{{ proxy.origin.group.group_name }}.smart.{{ smart_zone[:-1] }}"
      {% else %}
      origin_domain = "{{ proxy.origin.domain_name }}"
      {% endif %}
      logging_bucket = module.log_bucket_{{ proxy.origin.group.id }}.bucket_domain_name
      sns_topic_arn = aws_sns_topic.alarms_{{ proxy.origin.group.id }}.arn
      low_bandwidth_alarm = false
      context = module.label_{{ proxy.origin.group.id }}.context
      name = "proxy"
      attributes = ["{{ proxy.origin.domain_name }}"]
      bypass_token = "{{ bypass_token }}"
    }
    {% endfor %}
    """

    def tf_posthook(self, *, prehook_result: Any = None, logs: Optional[str] = None) -> None:
        self.import_state(self.tf_show())
        failed_ids = []
        for line in logs.strip().split('\n'):
            try:
                log_entry = json.loads(line)
                if log_entry.get("@level") == "error" and "CloudFront Distribution" in log_entry.get("@message", ""):
                    match = re.search(r'CloudFront Distribution (\w+) cannot be deleted', log_entry["@message"])
                    if match:
                        failed_ids.append(match.group(1))
            except json.JSONDecodeError:
                continue
        client = boto3.client(
            'cloudfront',
            aws_access_key_id=current_app.config["AWS_ACCESS_KEY"],
            aws_secret_access_key=current_app.config["AWS_SECRET_KEY"],
            region_name="us-east-1"
        )
        for failed_id in failed_ids:
            response = client.get_distribution_config(Id=failed_id)
            etag = response['ETag']
            client.delete_distribution(Id=failed_id, IfMatch=etag)

    def import_state(self, state: Any) -> None:
        if not isinstance(state, dict):
            raise RuntimeError("The Terraform state object returned was not a dict.")
        if "child_modules" not in state["values"]["root_module"]:
            # There are no CloudFront proxies deployed to import state for
            return
        # CloudFront distributions (proxies)
        for mod in state["values"]["root_module"]["child_modules"]:
            if mod["address"].startswith("module.cloudfront_"):
                for res in mod["resources"]:
                    if res["address"].endswith("aws_cloudfront_distribution.this"):
                        proxy = Proxy.query.filter(
                            Proxy.id == mod["address"][len("module.cloudfront_") :]
                        ).first()
                        proxy.url = "https://" + res["values"]["domain_name"]
                        proxy.slug = res["values"]["id"]
                        proxy.terraform_updated = datetime.now(tz=timezone.utc)
                        break
        # EC2 instances (smart proxies)
        for g in state["values"]["root_module"]["child_modules"]:
            if g["address"].startswith("module.smart_proxy_"):
                group_id = int(g["address"][len("module.smart_proxy_") :])
                for s in g["child_modules"]:
                    if s["address"].endswith(".module.instance"):
                        for x in s["resources"]:
                            if x["address"].endswith(
                                ".module.instance.aws_instance.default[0]"
                            ):
                                update_smart_proxy_instance(
                                    group_id,
                                    self.provider,
                                    "us-east-2a",
                                    x["values"]["id"],
                                )
        db.session.commit()
fix: auto-resolve stuck distribution deletions 2025-04-18 17:03:26 +01:00			`import json`
			`import re`
feat: switch all timezone naive datetimes to timezone aware 2024-12-06 16:08:48 +00:00			`from datetime import datetime, timezone`
fix: auto-resolve stuck distribution deletions 2025-04-18 17:03:26 +01:00			`from typing import Any, Optional`

			`import boto3`
			`from flask import current_app`
Initial import 2022-03-10 14:26:22 +00:00
			`from app.extensions import db`
models: big refactor 2022-04-22 14:01:16 +01:00			`from app.models.mirrors import Proxy`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`from app.terraform.proxy import ProxyAutomation, update_smart_proxy_instance`
Initial import 2022-03-10 14:26:22 +00:00

			`class ProxyCloudfrontAutomation(ProxyAutomation):`
			`short_name = "proxy_cloudfront"`
automation: establish an automation framework 2022-05-08 17:20:04 +01:00			`description = "Deploy proxies to AWS CloudFront"`
Initial import 2022-03-10 14:26:22 +00:00			`provider = "cloudfront"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`smart_proxies = True`
proxy/meta: only create proxies for providers that are enabled 2022-10-23 12:14:29 +01:00			`cloud_name = "aws"`
Initial import 2022-03-10 14:26:22 +00:00
			`template_parameters = [`
feat(proxy): use group name in dns for smart origins 2023-04-26 15:41:43 +01:00			`"admin_email",`
Initial import 2022-03-10 14:26:22 +00:00			`"aws_access_key",`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`"aws_secret_key",`
lint: reformat python code with black 2024-12-06 18:15:47 +00:00			`"smart_zone",`
Initial import 2022-03-10 14:26:22 +00:00			`]`

			`template = """`
			`terraform {`
terraform: generate conf with http backend 2022-08-30 10:05:12 +01:00			`{{ backend_config }}`
Initial import 2022-03-10 14:26:22 +00:00			`required_providers {`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`acme = {`
			`source = "vancluever/acme"`
feat(automate): make temporary working dir optional 2022-11-28 19:03:24 +00:00			`version = "~> 2.11.0"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`}`
Initial import 2022-03-10 14:26:22 +00:00			`aws = {`
feat(automate): make temporary working dir optional 2022-11-28 19:03:24 +00:00			`version = "~> 4.41.0"`
Initial import 2022-03-10 14:26:22 +00:00			`}`
			`}`
			`}`
ci: add flake8 2022-05-16 13:29:48 +01:00
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`provider "acme" {`
			`server_url = "https://acme-v02.api.letsencrypt.org/directory"`
			`}`

Initial import 2022-03-10 14:26:22 +00:00			`provider "aws" {`
			`access_key = "{{ aws_access_key }}"`
			`secret_key = "{{ aws_secret_key }}"`
proxy/cloudfront: these are in us-east-2 now 2022-04-22 15:12:31 +01:00			`region = "us-east-2"`
Initial import 2022-03-10 14:26:22 +00:00			`}`
ci: add flake8 2022-05-16 13:29:48 +01:00
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`locals {`
			`smart_zone = "{{ smart_zone }}"`
			`}`

Initial import 2022-03-10 14:26:22 +00:00			`{% for group in groups %}`
			`module "label_{{ group.id }}" {`
			`source = "cloudposse/label/null"`
			`version = "0.25.0"`
			`namespace = "{{ global_namespace }}"`
			`tenant = "{{ group.group_name }}"`
			`label_order = ["namespace", "tenant", "name", "attributes"]`
			`}`
ci: add flake8 2022-05-16 13:29:48 +01:00
Initial import 2022-03-10 14:26:22 +00:00			`module "log_bucket_{{ group.id }}" {`
			`source = "cloudposse/s3-log-storage/aws"`
			`version = "0.28.0"`
			`context = module.label_{{ group.id }}.context`
			`name = "logs"`
			`attributes = ["cloudfront"]`
			`acl = "log-delivery-write"`
			`standard_transition_days = 30`
			`glacier_transition_days = 60`
			`expiration_days = 90`
			`}`
ci: add flake8 2022-05-16 13:29:48 +01:00
Initial import 2022-03-10 14:26:22 +00:00			`resource "aws_sns_topic" "alarms_{{ group.id }}" {`
			`name = "${module.label_{{ group.id }}.id}-cloudfront-alarms"`
			`}`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00
			`{% for origin in group.origins \| selectattr("destroyed", "none") \| selectattr("smart") %}`
			`{% if loop.first %}`
			`module "smart_proxy_{{ group.id }}" {`
terraform: use git submodules for cloudfront proxy 2022-08-09 14:39:46 +01:00			`source = "{{ terraform_modules_path }}/terraform-aws-bc-smart-proxy-instance"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`context = module.label_{{ group.id }}.context`
			`name = "smart-proxy"`
feat(proxy): use route53 for smart proxy dns 2023-03-26 14:45:55 +01:00			`config_filename = "smart_proxy.{{ group.id }}.conf"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`disable_api_termination = false`
fix(proxy): don't attempt to use rfc2136 configs 2023-03-26 15:02:59 +01:00			`dns_zone = "{{ smart_zone }}"`
fix(proxy): fix dns and le issues on cloudfront 2023-03-30 13:32:49 +01:00			`letsencrypt_email_address = "{{ admin_email }}"`
fix(proxy): don't attempt to use rfc2136 configs 2023-03-26 15:02:59 +01:00			`max_transfer_per_hour = "13000000000"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`}`
fix(proxy): add missing endif in cloudfront template 2023-03-26 15:26:08 +01:00			`{% endif %}`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`{% endfor %}`
Initial import 2022-03-10 14:26:22 +00:00			`{% endfor %}`
ci: add flake8 2022-05-16 13:29:48 +01:00
Initial import 2022-03-10 14:26:22 +00:00			`{% for proxy in proxies %}`
			`module "cloudfront_{{ proxy.id }}" {`
terraform: use git submodules for cloudfront proxy 2022-08-09 14:39:46 +01:00			`source = "{{ terraform_modules_path }}/terraform-aws-bc-proxy"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`{% if proxy.origin.smart %}`
feat(proxy): use group name in dns for smart origins 2023-04-26 15:41:43 +01:00			`origin_domain = "origin-{{ proxy.origin.id }}.{{ proxy.origin.group.group_name }}.smart.{{ smart_zone[:-1] }}"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`{% else %}`
Initial import 2022-03-10 14:26:22 +00:00			`origin_domain = "{{ proxy.origin.domain_name }}"`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`{% endif %}`
Initial import 2022-03-10 14:26:22 +00:00			`logging_bucket = module.log_bucket_{{ proxy.origin.group.id }}.bucket_domain_name`
			`sns_topic_arn = aws_sns_topic.alarms_{{ proxy.origin.group.id }}.arn`
			`low_bandwidth_alarm = false`
			`context = module.label_{{ proxy.origin.group.id }}.context`
			`name = "proxy"`
			`attributes = ["{{ proxy.origin.domain_name }}"]`
proxies: add support for bypass token 2022-04-19 14:32:04 +01:00			`bypass_token = "{{ bypass_token }}"`
Initial import 2022-03-10 14:26:22 +00:00			`}`
			`{% endfor %}`
			`"""`

fix: auto-resolve stuck distribution deletions 2025-04-18 17:03:26 +01:00			`def tf_posthook(self, *, prehook_result: Any = None, logs: Optional[str] = None) -> None:`
			`self.import_state(self.tf_show())`
			`failed_ids = []`
			`for line in logs.strip().split('\n'):`
			`try:`
			`log_entry = json.loads(line)`
			`if log_entry.get("@level") == "error" and "CloudFront Distribution" in log_entry.get("@message", ""):`
			`match = re.search(r'CloudFront Distribution (\w+) cannot be deleted', log_entry["@message"])`
			`if match:`
			`failed_ids.append(match.group(1))`
			`except json.JSONDecodeError:`
			`continue`
			`client = boto3.client(`
			`'cloudfront',`
			`aws_access_key_id=current_app.config["AWS_ACCESS_KEY"],`
			`aws_secret_access_key=current_app.config["AWS_SECRET_KEY"],`
			`region_name="us-east-1"`
			`)`
			`for failed_id in failed_ids:`
			`response = client.get_distribution_config(Id=failed_id)`
			`etag = response['ETag']`
			`client.delete_distribution(Id=failed_id, IfMatch=etag)`

lots of typing fixes 2022-05-16 11:44:03 +01:00			`def import_state(self, state: Any) -> None:`
proxy/cloudfront: transposed isinstance arguments 2022-05-16 13:36:20 +01:00			`if not isinstance(state, dict):`
security: fix all bandit issues 2022-05-16 12:47:40 +01:00			`raise RuntimeError("The Terraform state object returned was not a dict.")`
lint: reformat python code with black 2024-12-06 18:15:47 +00:00			`if "child_modules" not in state["values"]["root_module"]:`
lots of typing fixes 2022-05-16 11:44:03 +01:00			`# There are no CloudFront proxies deployed to import state for`
			`return`
lint: various non-semantic fixes 2022-06-23 12:34:29 +01:00			`# CloudFront distributions (proxies)`
lint: reformat python code with black 2024-12-06 18:15:47 +00:00			`for mod in state["values"]["root_module"]["child_modules"]:`
			`if mod["address"].startswith("module.cloudfront_"):`
			`for res in mod["resources"]:`
			`if res["address"].endswith("aws_cloudfront_distribution.this"):`
			`proxy = Proxy.query.filter(`
			`Proxy.id == mod["address"][len("module.cloudfront_") :]`
			`).first()`
			`proxy.url = "https://" + res["values"]["domain_name"]`
			`proxy.slug = res["values"]["id"]`
feat: switch all timezone naive datetimes to timezone aware 2024-12-06 16:08:48 +00:00			`proxy.terraform_updated = datetime.now(tz=timezone.utc)`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`break`
lint: various non-semantic fixes 2022-06-23 12:34:29 +01:00			`# EC2 instances (smart proxies)`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`for g in state["values"]["root_module"]["child_modules"]:`
			`if g["address"].startswith("module.smart_proxy_"):`
lint: reformat python code with black 2024-12-06 18:15:47 +00:00			`group_id = int(g["address"][len("module.smart_proxy_") :])`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`for s in g["child_modules"]:`
			`if s["address"].endswith(".module.instance"):`
			`for x in s["resources"]:`
lint: reformat python code with black 2024-12-06 18:15:47 +00:00			`if x["address"].endswith(`
			`".module.instance.aws_instance.default[0]"`
			`):`
			`update_smart_proxy_instance(`
			`group_id,`
			`self.provider,`
			`"us-east-2a",`
			`x["values"]["id"],`
			`)`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`db.session.commit()`