diff --git a/.platform/hooks/postdeploy/01_fetch_ssm_parameters.sh b/.platform/hooks/postdeploy/01_fetch_ssm_parameters.sh deleted file mode 100644 index 3bdc40fa8..000000000 --- a/.platform/hooks/postdeploy/01_fetch_ssm_parameters.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -ENV_TYPE=$(/opt/elasticbeanstalk/bin/get-config environment -k SSM_PREFIX) -ENV_VARS=("SGID_CLIENT_ID" "SGID_CLIENT_SECRET" "SGID_PRIVATE_KEY" "SGID_REDIRECT_URI") # Add any additional env vars to this array - -echo "Set AWS region" -aws configure set default.region ap-southeast-1 - -for ENV_VAR in "${ENV_VARS[@]}"; do - echo "Fetching ${ENV_VAR} from SSM" - VALUE=$(aws ssm get-parameter --name "${ENV_TYPE}_${ENV_VAR}" --with-decryption --query "Parameter.Value" --output text) - echo "${ENV_VAR}=${VALUE}" >> /opt/elasticbeanstalk/deployment/env - echo "Saved ${ENV_VAR}" -done diff --git a/.platform/hooks/predeploy/06_fetch_ssm_parameters.sh b/.platform/hooks/predeploy/06_fetch_ssm_parameters.sh new file mode 100644 index 000000000..31cebd0b0 --- /dev/null +++ b/.platform/hooks/predeploy/06_fetch_ssm_parameters.sh @@ -0,0 +1,129 @@ +#!/bin/bash + +# Exit on first error +set -e + +# Make sure the local directory exists +mkdir -p /tmp/isomer + +# If the temp .isomer.env file exists, remove it +if [ -f "/tmp/isomer/.isomer.env" ]; then + rm /tmp/isomer/.isomer.env +fi + +# Create EFS directory if it does not exist +if [ ! -d "/efs/isomer" ]; then + mkdir -p /efs/isomer + chown webapp:webapp /efs/isomer +fi + +ENV_TYPE=$(/opt/elasticbeanstalk/bin/get-config environment -k SSM_PREFIX) +TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S') + +echo "Timestamp: $TIMESTAMP - ENV TYPE: $ENV_TYPE" > /tmp/ssm-type.txt + +# List of all env vars to fetch +ENV_VARS=( + "AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS" + "AWS_BACKEND_EB_ENV_NAME" + "AWS_REGION" + "CLIENT_ID" + "CLIENT_SECRET" + "CLOUDMERSIVE_API_KEY" + "COOKIE_DOMAIN" + "DB_ACQUIRE" + "DB_MAX_POOL" + "DB_MIN_POOL" + "DB_TIMEOUT" + "DB_URI" + "DD_AGENT_MAJOR_VERSION" + "DD_ENV" + "DD_LOGS_INJECTION" + "DD_SERVICE" + "DD_TAGS" + "DD_TRACE_STARTUP_LOGS" + "E2E_TEST_GH_TOKEN" + "E2E_TEST_REPO" + "E2E_TEST_SECRET" + "EFS_VOL_PATH" + "ENCRYPTION_SECRET" + "FF_DEPRECATE_SITE_QUEUES" + "FRONTEND_URL" + "GGS_EXPERIMENTAL_TRACKING_SITES" + "GITHUB_BUILD_ORG_NAME" + "GITHUB_BUILD_REPO_NAME" + "GITHUB_ORG_NAME" + "GROWTHBOOK_CLIENT_KEY" + "INCOMING_QUEUE_URL" + "ISOMERPAGES_REPO_PAGE_COUNT" + "JWT_SECRET" + "MAX_NUM_OTP_ATTEMPTS" + "MOCK_AMPLIFY_DOMAIN_ASSOCIATION_CALLS" + "MUTEX_TABLE_NAME" + "NETLIFY_ACCESS_TOKEN" + "NODE_ENV" + "OTP_EXPIRY" + "OTP_SECRET" + "OUTGOING_QUEUE_URL" + "POSTMAN_API_KEY" + "POSTMAN_SMS_CRED_NAME" + "REDIRECT_URI" + "SESSION_SECRET" + "SGID_CLIENT_ID" + "SGID_CLIENT_SECRET" + "SGID_PRIVATE_KEY" + "SGID_REDIRECT_URI" + "SITE_CREATE_FORM_KEY" + "SITE_LAUNCH_DYNAMO_DB_TABLE_NAME" + "SITE_LAUNCH_FORM_KEY" + "SITE_PASSWORD_SECRET_KEY" + "SSM_PREFIX" + "STEP_FUNCTIONS_ARN" + "SYSTEM_GITHUB_TOKEN" +) + +echo "Set AWS region" +aws configure set default.region ap-southeast-1 + +set +e # Do not exit if a command fails + +for ENV_VAR in "${ENV_VARS[@]}"; do + echo "Fetching ${ENV_VAR} from SSM" + + VALUE=$(aws ssm get-parameter --name "${ENV_TYPE}_${ENV_VAR}" --with-decryption --query "Parameter.Value" --output text 2>/dev/null) + STATUS=$? # Capture exit status of the aws ssm command + + if [ $STATUS -ne 0 ]; then + echo "Failed to fetch ${ENV_VAR}. Skipping." + continue + fi + + echo "${ENV_VAR}=${VALUE}" >> /tmp/isomer/.isomer.env + echo "Saved ${ENV_VAR}" +done + +set -e # Exit on command failure from this point onwards + +# Use flock to ensure that the EFS file is locked during the copy operation +( + flock -n 200 || exit 1 + + # Copy the local file to EFS + echo "Copying local env file to EFS" + cp /tmp/isomer/.isomer.env /efs/isomer/.isomer.env + + # Ensure the file on EFS is owned by webapp so it has access + chown webapp:webapp /efs/isomer/.isomer.env + +) 200>/efs/isomer/.isomer.lock + +# Check the exit code of the last command (flock in this case) +if [ $? != 1 ]; then + echo "Lock acquired and data copied successfully." + # Remove the temp file + rm /tmp/isomer/.isomer.env +else + echo "Couldn't acquire the lock. Another instance might be writing to the file." +fi + +echo "Operation completed." \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 3b4ce2acf..ac1917c47 100644 --- a/package-lock.json +++ b/package-lock.json @@ -37,6 +37,7 @@ "crypto-js": "^4.1.1", "dd-trace": "^4.7.0", "debug": "~2.6.9", + "dotenv": "^16.3.1", "eventsource": "^2.0.2", "exponential-backoff": "^3.1.0", "express": "~4.17.3", @@ -6910,6 +6911,17 @@ "node": ">=8" } }, + "node_modules/dotenv": { + "version": "16.3.1", + "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.3.1.tgz", + "integrity": "sha512-IPzF4w4/Rd94bA9imS68tZBaYyBWSCE47V1RGuMrB94iyTOIEwRmVL2x/4An+6mETpLrKJ5hQkB8W4kFAadeIQ==", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/motdotla/dotenv?sponsor=1" + } + }, "node_modules/dottie": { "version": "2.0.6", "resolved": "https://registry.npmjs.org/dottie/-/dottie-2.0.6.tgz", diff --git a/package.json b/package.json index 2ebf652d7..eb2361794 100644 --- a/package.json +++ b/package.json @@ -4,7 +4,7 @@ "private": true, "scripts": { "build": "tsc -p tsconfig.build.json", - "start": "node --unhandled-rejections=warn -r ts-node/register/transpile-only -r tsconfig-paths/register build/server.js", + "start": "node --unhandled-rejections=warn -r ts-node/register/transpile-only -r tsconfig-paths/register -r dotenv/config build/server.js dotenv_config_path=/efs/isomer/.isomer.env", "dev:services": "docker compose up -d", "dev:server": "source .env && ts-node-dev --unhandled-rejections=warn --respawn src/server.js", "dev": "npm run dev:services && npm run dev:server", @@ -53,6 +53,7 @@ "crypto-js": "^4.1.1", "dd-trace": "^4.7.0", "debug": "~2.6.9", + "dotenv": "^16.3.1", "eventsource": "^2.0.2", "exponential-backoff": "^3.1.0", "express": "~4.17.3",