From b14a122efacdfb900be605e1c98ef5e5989cbd69 Mon Sep 17 00:00:00 2001
From: DecFox <33030671+DecFox@users.noreply.github.com>
Date: Fri, 6 Sep 2024 02:54:58 +0530
Subject: [PATCH 1/3] refactor: remove individual load balancers from services (#97)

This diff removes individual load balancers from the ooniapi services and only allows a single load balancer for routing based on api paths.
---
 tf/modules/ooniapi_service/main.tf | 88 --------------------------
 tf/modules/ooniapi_service/outputs.tf | 8 ---
 2 files changed, 96 deletions(-)

diff --git a/tf/modules/ooniapi_service/main.tf b/tf/modules/ooniapi_service/main.tf
index 34cfc70e..eb49cf1f 100644
--- a/tf/modules/ooniapi_service/main.tf
+++ b/tf/modules/ooniapi_service/main.tf
@@ -131,10 +131,6 @@ resource "aws_ecs_service" "ooniapi_service" {
 container_port = "80"
 }
 
- depends_on = [
- aws_alb_listener.ooniapi_service_http,
- ]
-
 force_new_deployment = true
 
 tags = var.tags
@@ -169,87 +165,3 @@ resource "aws_alb_target_group" "ooniapi_service_mapped" {
 tags = var.tags
 }
 
-
-resource "aws_alb" "ooniapi_service" {
- name = local.name
- subnets = var.public_subnet_ids
- security_groups = var.ooniapi_service_security_groups
-
- tags = var.tags
-}
-
-resource "aws_alb_listener" "ooniapi_service_http" {
- load_balancer_arn = aws_alb.ooniapi_service.id
- port = "80"
- protocol = "HTTP"
-
- default_action {
- target_group_arn = aws_alb_target_group.ooniapi_service_direct.id
- type = "forward"
- }
-
- tags = var.tags
-}
-
-resource "aws_alb_listener" "front_end_https" {
- load_balancer_arn = aws_alb.ooniapi_service.id
- port = "443"
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-2016-08"
- certificate_arn = aws_acm_certificate.ooniapi_service.arn
-
- default_action {
- target_group_arn = aws_alb_target_group.ooniapi_service_direct.id
- type = "forward"
- }
-
- tags = var.tags
-}
-
-resource "aws_route53_record" "ooniapi_service" {
- zone_id = var.dns_zone_ooni_io
- name = "${var.service_name}.api.${var.stage}.ooni.io"
- type = "A"
-
- alias {
- name = aws_alb.ooniapi_service.dns_name
- zone_id = aws_alb.ooniapi_service.zone_id
- evaluate_target_health = true
- }
-}
-
-resource "aws_acm_certificate" "ooniapi_service" {
- domain_name = "${var.service_name}.api.${var.stage}.ooni.io"
- validation_method = "DNS"
-
- tags = var.tags
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_route53_record" "ooniapi_service_validation" {
- for_each = {
- for dvo in aws_acm_certificate.ooniapi_service.domain_validation_options : dvo.domain_name => {
- name = dvo.resource_record_name
- record = dvo.resource_record_value
- type = dvo.resource_record_type
- }
- }
-
- allow_overwrite = true
- name = each.value.name
- records = [each.value.record]
- ttl = 60
- type = each.value.type
- zone_id = var.dns_zone_ooni_io
-}
-
-resource "aws_acm_certificate_validation" "ooniapi_service" {
- certificate_arn = aws_acm_certificate.ooniapi_service.arn
- validation_record_fqdns = [for record in aws_route53_record.ooniapi_service_validation : record.fqdn]
- depends_on = [
- aws_route53_record.ooniapi_service
- ]
-}
diff --git a/tf/modules/ooniapi_service/outputs.tf b/tf/modules/ooniapi_service/outputs.tf
index 90fcabd2..e035171d 100644
--- a/tf/modules/ooniapi_service/outputs.tf
+++ b/tf/modules/ooniapi_service/outputs.tf
@@ -1,11 +1,3 @@
-output "ooni_io_fqdn" {
- value = aws_route53_record.ooniapi_service.name
-}
-
-output "dns_name" {
- value = aws_alb.ooniapi_service.dns_name
-}
-
 output "ecs_service_name" {
 value = aws_ecs_service.ooniapi_service.name
 }
From 8edde89dca47e52906a1fc038fd294a5234280db Mon Sep 17 00:00:00 2001
From: DecFox <33030671+DecFox@users.noreply.github.com>
Date: Fri, 6 Sep 2024 18:57:48 +0530
Subject: [PATCH 2/3] fix: remove microservice hosts from alerts (#98)

This diff removes the microservice hosts from the prometheus alerts. Part of https://github.com/ooni/devops/issues/93
---
 ansible/roles/prometheus/templates/prometheus.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ansible/roles/prometheus/templates/prometheus.yml b/ansible/roles/prometheus/templates/prometheus.yml
index ee19e61a..6ad9cfd9 100755
--- a/ansible/roles/prometheus/templates/prometheus.yml
+++ b/ansible/roles/prometheus/templates/prometheus.yml
@@ -99,9 +99,6 @@ scrape_configs:
 password: '{{ prometheus_metrics_password_dev }}'
 static_configs:
 - targets:
- - ooniauth.api.dev.ooni.io
- - oonirun.api.dev.ooni.io
- - ooniprobe.api.dev.ooni.io
 - oohelperd.th.dev.ooni.io
 
 - job_name: 'ooniapi-services-prod'
From 99cd52ddc82ed9c5bc8fa5a44f4ff28eea63940d Mon Sep 17 00:00:00 2001
From: DecFox <33030671+DecFox@users.noreply.github.com>
Date: Sun, 8 Sep 2024 01:30:25 +0530
Subject: [PATCH 3/3] feat: add clickhouse proxy instance (#100)

This diff adds a clickhouse proxy server config to the existing oonibackend proxy to establish the connection between AWS and the clickhouse DB. Part of #95
---
 tf/environments/dev/main.tf | 8 +++-
 tf/modules/ooni_backendproxy/main.tf | 45 +++++++++++--------
 tf/modules/ooni_backendproxy/outputs.tf | 5 ++-
 .../templates/setup-backend-proxy.sh | 19 ++++++++
 tf/modules/ooni_backendproxy/variables.tf | 27 +++++++++--
 5 files changed, 80 insertions(+), 24 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 6c809f9d..c0f896a7 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -251,13 +251,19 @@ moved {
 
 module "ooni_backendproxy" {
 source = "../../modules/ooni_backendproxy"
 
+ stage = local.environment
+
 vpc_id = module.network.vpc_id
- subnet_ids = module.network.vpc_subnet_public[*].id
+ subnet_id = module.network.vpc_subnet_public[0].id
+ private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+ dns_zone_ooni_io = local.dns_zone_ooni_io
 
 key_name = module.adm_iam_roles.oonidevops_key_name
 instance_type = "t2.micro"
 backend_url = "https://backend-hel.ooni.org/"
+ clickhouse_url = "backend-fsn.ooni.org"
+ clickhouse_port = "9000"
 
 tags = merge(
 local.tags,
diff --git a/tf/modules/ooni_backendproxy/main.tf b/tf/modules/ooni_backendproxy/main.tf
index 2f933ceb..4689efc0 100644
--- a/tf/modules/ooni_backendproxy/main.tf
+++ b/tf/modules/ooni_backendproxy/main.tf
@@ -17,6 +17,13 @@ resource "aws_security_group" "nginx_sg" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
+ ingress {
+ protocol = "tcp"
+ from_port = 9000
+ to_port = 9000
+ cidr_blocks = var.private_subnet_cidr
+ }
+
 ingress {
 protocol = "tcp"
 from_port = 22
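Review bot: `clickhouse_port = "9000"` is ClickHouse's plaintext native-protocol port and `clickhouse_url = "backend-fsn.ooni.org"` is an upstream the proxy reaches across the public internet, so unless the stream block this same patch adds to setup-backend-proxy.sh (its hunk is cut off here) enables TLS towards that upstream, database credentials and query data leave AWS unencrypted; if the backend exposes its secure native port (conventionally 9440), pairing it with `proxy_ssl on;` in the nginx stream server closes that gap. The name `clickhouse_url` also holds a bare hostname while `backend_url` holds a full URL, so `clickhouse_host` would be the honest name and would stop a future caller from passing a scheme that a stream `proxy_pass` does not accept. Finally `subnet_id = module.network.vpc_subnet_public[0].id` silently pins the single proxy instance to whichever subnet is first in the list; a comment such as `# single proxy instance: [0] pins it to one public subnet/AZ` would make that trade-off visible.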
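Review bot: The new 9000 ingress rule has no `description`, and since `var.private_subnet_cidr` is the only thing keeping the ClickHouse port off the internet once the CNAME added later in this patch gives the instance a public name, the intent belongs next to the rule: `description = "ClickHouse native protocol, VPC private subnets only"`. The rule is appropriately narrow as written; the risk is a later edit widening `cidr_blocks` without knowing what sits behind the port.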
@@ -55,7 +62,9 @@ resource "aws_launch_template" "ooni_backendproxy" {
 key_name = var.key_name
 
 user_data = base64encode(templatefile("${path.module}/templates/setup-backend-proxy.sh", {
- backend_url = var.backend_url
+ backend_url = var.backend_url,
+ clickhouse_url = var.clickhouse_url,
+ clickhouse_port = var.clickhouse_port
 }))
 
 lifecycle {
@@ -65,6 +74,7 @@ resource "aws_launch_template" "ooni_backendproxy" {
 network_interfaces {
 delete_on_termination = true
 associate_public_ip_address = true
+ subnet_id = var.subnet_id
 security_groups = [
 aws_security_group.nginx_sg.id,
 ]
@@ -76,7 +86,7 @@ resource "aws_launch_template" "ooni_backendproxy" {
 }
 }
 
-resource "aws_autoscaling_group" "oonibackend_proxy" {
+resource "aws_instance" "oonibackend_proxy" {
 launch_template {
 id = aws_launch_template.ooni_backendproxy.id
 version = "$Latest"
@@ -86,19 +96,7 @@ resource "aws_autoscaling_group" "oonibackend_proxy" {
 create_before_destroy = true
 }
 
- name_prefix = "${var.name}-asg-"
-
- min_size = 1
- max_size = 2
- desired_capacity = 1
- vpc_zone_identifier = var.subnet_ids
-
- instance_refresh {
- strategy = "Rolling"
- preferences {
- min_healthy_percentage = 50
- }
- }
+ tags = var.tags
 }
 
 resource "aws_alb_target_group" "oonibackend_proxy" {
@@ -114,7 +112,18 @@ resource "aws_alb_target_group" "oonibackend_proxy" {
 tags = var.tags
 }
 
-resource "aws_autoscaling_attachment" "oonibackend_proxy" {
- autoscaling_group_name = aws_autoscaling_group.oonibackend_proxy.id
- lb_target_group_arn = aws_alb_target_group.oonibackend_proxy.arn
+resource "aws_lb_target_group_attachment" "oonibackend_proxy" {
+ target_id = aws_instance.oonibackend_proxy.id
+ target_group_arn = aws_alb_target_group.oonibackend_proxy.arn
+}
+
+resource "aws_route53_record" "clickhouse_proxy_alias" {
+ zone_id = var.dns_zone_ooni_io
+ name = "clickhouse.${var.stage}.ooni.io"
+ type = "CNAME"
+ ttl = 300
+
+ records = [
+ aws_instance.oonibackend_proxy.public_dns
+ ]
 }
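Review bot: In `@@ -114,7 +112,18` the `clickhouse.${var.stage}.ooni.io` CNAME points at `aws_instance.oonibackend_proxy.public_dns`, yet the 9000 ingress rule in this module admits only `var.private_subnet_cidr`, so the record is only useful to VPC clients whose resolver maps that public hostname to the instance's private address; publishing `aws_instance.oonibackend_proxy.private_ip` as an `A` record (or using a private hosted zone) would state the intended audience instead of relying on that resolver behaviour. Because the resource is now a single `aws_instance` with `create_before_destroy` (`@@ -76,7 +86,7`) on a `$Latest` launch template, any template change replaces the instance and with it `public_dns`, so with `ttl = 300` clients can keep resolving the retired host for up to five minutes; an Elastic IP behind an `A` record keeps the address stable across replacements. The `instance_refresh` and min/max sizing dropped in `@@ -86,19 +96,7` also removed the only automatic replacement of an unhealthy proxy, so a comment on the resource such as `# single instance by design: no self-healing, replaced on launch-template change` would warn the next maintainer.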
diff --git a/tf/modules/ooni_backendproxy/outputs.tf b/tf/modules/ooni_backendproxy/outputs.tf
index 54295fae..792e6958 100644
--- a/tf/modules/ooni_backendproxy/outputs.tf
+++ b/tf/modules/ooni_backendproxy/outputs.tf
@@ -1,6 +1,7 @@
-output "autoscaling_group_id" {
- value = aws_autoscaling_group.oonibackend_proxy.id
+output "aws_instance_id" {
+ value = aws_instance.oonibackend_proxy.id
 }
+
 output "alb_target_group_id" {
 value = aws_alb_target_group.oonibackend_proxy.id
 }
diff --git a/tf/modules/ooni_backendproxy/templates/setup-backend-proxy.sh b/tf/modules/ooni_backendproxy/templates/setup-backend-proxy.sh
index 30e8a274..c32b3c68 100644
--- a/tf/modules/ooni_backendproxy/templates/setup-backend-proxy.sh
+++ b/tf/modules/ooni_backendproxy/templates/setup-backend-proxy.sh
@@ -22,5 +22,24 @@ server {
 EOF
 sudo mv $tmpfile /etc/nginx/sites-available/default
+
+tmpfile_stream=$(mktemp /tmp/nginx-stream-config.XXXXXX)
+cat > $tmpfile_stream <