GeoSurge / teachosm

Test site for teachosm
Apache License 2.0

need to transfer infrastructure to OpenStreetMap US #111

Open d3netxer opened 5 years ago

d3netxer commented 5 years ago

Description

The goal is to transfer the backend infrastructure to OpenStreetMap US.

d3netxer commented 5 years ago

Requesting to OpenStreetMap US (@iandees) to implement the following:

Create the following two buckets in US-East:

These two buckets will have ‘Block all public access’ turned off, in the Access control list for the ‘everyone’ group all boxes will be unchecked, and the following will be entered and saved for the CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

Also create the following two buckets in US-East:

These three buckets will have ‘Block all public access’ turned off, in the Access control list for the ‘everyone’ group all boxes will be unchecked, and the default CORS configuration can be left as is.
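The CORS configuration requested above allows every origin (`*`) to issue PUT and POST requests with any header. As an added example (not code from the thread or the teachosm project), the following Python audits an S3 CORS document for that combination, so the setting can be reviewed before it is applied to a bucket that also has public access blocking turned off. The requested configuration is copied in verbatim; the tightened alternative and its origin `https://uploader.example.org` are constructed placeholders, not values from the thread.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Verbatim copy of the CORS configuration requested in the comment above.
REQUESTED_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>"""

# Constructed alternative: same methods, but only the single web origin that
# hosts the uploader (placeholder origin, not taken from the thread).
TIGHTENED_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://uploader.example.org</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>Content-Type</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""

# CORS does not authenticate anything; it decides which web origins a browser
# will let script requests to the bucket. A '*' origin on methods that change
# bucket contents means every web page a user visits gets that ability.
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def parse_cors_rules(xml_text):
    """Return the CORSRule elements as plain dicts of origins/methods/headers."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for rule in root.iter(f"{S3_NS}CORSRule"):
        rules.append({
            "origins": [e.text.strip() for e in rule.findall(f"{S3_NS}AllowedOrigin")],
            "methods": [e.text.strip().upper() for e in rule.findall(f"{S3_NS}AllowedMethod")],
            "headers": [e.text.strip() for e in rule.findall(f"{S3_NS}AllowedHeader")],
        })
    return rules


def audit_cors(xml_text):
    """List the risky combinations found in a CORS document (empty list = clean)."""
    findings = []
    for n, rule in enumerate(parse_cors_rules(xml_text), start=1):
        any_origin = "*" in rule["origins"]
        writes = sorted(WRITE_METHODS & set(rule["methods"]))
        if any_origin and writes:
            findings.append(f"rule {n}: AllowedOrigin '*' combined with write methods {', '.join(writes)}")
        if any_origin and "*" in rule["headers"]:
            findings.append(f"rule {n}: AllowedOrigin '*' combined with AllowedHeader '*'")
        if not rule["origins"]:
            findings.append(f"rule {n}: no AllowedOrigin element")
    return findings


if __name__ == "__main__":
    for name, cfg in (("requested", REQUESTED_CORS), ("tightened", TIGHTENED_CORS)):
        print(name, audit_cors(cfg) or ["no findings"])
```

Run against the requested document the audit reports two findings (wildcard origin with PUT/POST, and wildcard origin with wildcard headers); the tightened document produces none while still permitting the same methods from the one origin that needs them.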

iandees commented 5 years ago

I created the following buckets:

And disabled block all public access. The first two have CORS configurations added.

Remaining when we're farther along:

d3netxer commented 5 years ago

I tested deploying today, but need some additional adjustments from @iandees:

1) use this advanced permissions template for reference (https://serverless-stack.com/chapters/customize-the-serverless-iam-policy.html) and for the cloudformation policies adjust the resource to this: arn:aws:cloudformation:us-east-1:509553493608:stack/imageUploadDemo-dev/*

2) create the following two new deployment buckets in us-east-1:

These two buckets will have ‘Block all public access’ turned off, in the Access control list for the ‘everyone’ group all boxes will be unchecked, and the default CORS configuration can be left as is.

iandees commented 5 years ago

  1. I added arn:aws:cloudformation:us-east-1:509553493608:stack/imageUploadDemo-dev/* to the list of cloudformation resources in the existing policy on your account.
  2. Added S3 bucket convert-post-request-to-yaml-deploy. Bucket serverlessS3Upload-deploy is not possible because bucket names can only have lower case letters.

d3netxer commented 5 years ago

ok, for item 2, please create this bucket instead: teachosm-serverless-s3upload-deploy

Also, I am having trouble with the permissions for the convert-post-request-to-yaml-deploy bucket. The Serverless Error is saying: "Could not locate deployment bucket. Error: Access Denied".

I will get with you offline about this.

iandees commented 5 years ago

As a reminder, your account has access to do anything to buckets with the prefix teachosm-geosurge-. You should be able to create buckets, list them, etc. as long as they have that prefix.

In the meantime, I created the teachosm-serverless-s3upload-deploy bucket and added convert-post-request-to-yaml-deploy to the list of buckets you can write to.

d3netxer commented 5 years ago

Thanks, noted about access using the prefix.

I just keep on moving forward using the teachosm-serverless-s3upload-deploy and "convert-post-request-to-yaml-deploy" buckets.

I ran the deploy command again and I was allowed to move forward. However, a new error now appears that says my user is not allowed to perform apigateway:PATCH on resource.

I think this can be resolved with another edit to the permissions. In the existing permissions, there should be a block like this:

    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:POST",
        "apigateway:PUT",
        "apigateway:DELETE"
      ],
      "Resource": [
        "arn:aws:apigateway:<region>::/restapis"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:POST",
        "apigateway:PUT",
        "apigateway:DELETE"
      ],
      "Resource": [
        "arn:aws:apigateway:<region>::/restapis/*"
      ]
    },

Please make sure that the <region> is 'us-east-1'. Also add "apigateway:PATCH" to the Actions.

iandees commented 5 years ago

I added PATCH to the list of Actions.

d3netxer commented 5 years ago

Thanks, the convert-post-request-to-yaml lambda function deployed successfully.

I am now getting a new error for the serverlessS3Upload function related to permissions for the cloudformation:DescribeStacks. Can you make adjustments to the permissions to the block that looks like this:

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudformation:Get*",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:<region>:<account_no>:stack/<service_name>*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    },

I'm assuming the correct region and account_no are already inserted here. For the service name, you can input 'image-upload-prod'.

iandees commented 5 years ago

image-upload-prod is now in the CloudFormation list.

d3netxer commented 5 years ago

Thanks, it got past this step now.

The next permissions error is related to an Error for IamRoleLambdaExecution - API: iam:GetRole on resource: role image-upload-prod-us-east-1-lambdaRole. Can you modify this block of the permissions:

    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::<account_no>:role/<service_name>*-lambdaRole"
      ]
    },

and insert 'image-upload-prod' for the <service_name>?

iandees commented 5 years ago

Done!

d3netxer commented 5 years ago

Excellent. This worked, so these 2 lambdas are deployed: serverlessS3Upload and convert-post-request-to-yaml. There is a final one, libreoffice-convert-to-pdf, that I need to deploy, but I don't have a serverless script for this. My plan is to begin trying next week to deploy using AWS CLI.

d3netxer commented 5 years ago

I have started trying to deploy the final function, using Serverless. Similar to the previous function, I got a cloudformation:DescribeStacks error. Can you make an adjustment in this block:

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudformation:Get*",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:<region>:<account_no>:stack/<service_name>*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    },

You can add another resource by adding a comma followed by a second item. In the second item can you add 'geosurge-libreoffice-convert-to-pdf*' for the <service_name>?

Also, let's modify the AWS role permissions as well. Looking at this block:

    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::<account_no>:role/<service_name>*-lambdaRole"
      ]
    },

Can you add another resource item and again add 'geosurge-libreoffice-convert-to-pdf*' for the <service_name>?

Thanks
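Most of the back-and-forth in this thread is the same loop: a deploy fails on one missing permission, the requester asks for a placeholder to be filled in or an action added, the admin edits the policy by hand, and the next deploy finds the next gap. As an added example (not code from the thread, the teachosm project, or OpenStreetMap US), the Python below assembles the statement fragments quoted above into one policy document, substitutes the `<region>`, `<account_no>` and `<service_name>` placeholders, refuses to render if any placeholder is left unfilled, and answers "does this policy allow action X on resource Y" for the exact action/ARN pairs the deploys tripped over (apigateway:PATCH, cloudformation:DescribeStacks, iam:GetRole). The region, account id and service names are the ones quoted in the thread; the merged document itself, the `VALUES` map and the wildcard matching (IAM `*` and `?`, no `Condition` support) are this example's assumptions. Either side can run it before a change is applied.

```python
import fnmatch
import json
import re

# Policy document assembled here (as a constructed example) from the statement
# fragments quoted in this thread, including the second CloudFormation and IAM
# resources requested for geosurge-libreoffice-convert-to-pdf. The real account
# policy is longer; this covers only the statements discussed.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT",
                       "apigateway:DELETE", "apigateway:PATCH"],
            "Resource": ["arn:aws:apigateway:<region>::/restapis",
                         "arn:aws:apigateway:<region>::/restapis/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*",
                       "cloudformation:CreateStack", "cloudformation:UpdateStack",
                       "cloudformation:DeleteStack"],
            "Resource": [
                "arn:aws:cloudformation:<region>:<account_no>:stack/<service_name>*/*",
                "arn:aws:cloudformation:<region>:<account_no>:stack/geosurge-libreoffice-convert-to-pdf*/*",
            ],
        },
        {"Effect": "Allow", "Action": ["cloudformation:ValidateTemplate"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole", "iam:CreateRole", "iam:DeleteRole",
                       "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                       "iam:DeleteRolePolicy"],
            "Resource": [
                "arn:aws:iam::<account_no>:role/<service_name>*-lambdaRole",
                "arn:aws:iam::<account_no>:role/geosurge-libreoffice-convert-to-pdf*-lambdaRole",
            ],
        },
    ],
}

# Region and account id as quoted in the thread; service name as requested there.
VALUES = {"region": "us-east-1", "account_no": "509553493608", "service_name": "image-upload-prod"}

PLACEHOLDER = re.compile(r"<([a-z_]+)>")


def render_policy(template, values):
    """Substitute <name> placeholders; raise KeyError if one has no value."""
    def replace(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder <{key}>")
        return values[key]
    return json.loads(PLACEHOLDER.sub(replace, json.dumps(template)))


def unresolved_placeholders(policy):
    """Sorted names of <...> placeholders still present anywhere in the document."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(policy))))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' any run of characters (including '/'), '?' one character.
    # fnmatch also honours '[...]', which ARNs and action names never contain.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """True if an Allow statement covers action+resource and no Deny does.

    Action names match case-insensitively, ARNs case-sensitively; Condition
    blocks are not evaluated (none appear in the fragments above).
    """
    allowed = denied = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource, True) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


if __name__ == "__main__":
    policy = render_policy(POLICY_TEMPLATE, VALUES)
    print("unresolved:", unresolved_placeholders(policy) or "none")
    checks = [
        ("apigateway:PATCH", "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/dev"),
        ("cloudformation:DescribeStacks",
         "arn:aws:cloudformation:us-east-1:509553493608:stack/image-upload-prod-dev/1234"),
        ("iam:GetRole", "arn:aws:iam::509553493608:role/image-upload-prod-us-east-1-lambdaRole"),
        ("iam:GetRole", "arn:aws:iam::509553493608:role/some-other-lambdaRole"),
    ]
    for action, arn in checks:
        verdict = "ALLOW" if allows(policy, action, arn) else "DENY"
        print(f"{verdict:5} {action} on {arn}")
```

The `unresolved_placeholders` check is the one that would have caught an unfilled `<service_name>` before the deploy did; the `allows` check shows why the role ARN pattern `<service_name>*-lambdaRole` matches `image-upload-prod-us-east-1-lambdaRole` (the region Serverless inserts lands inside the `*`) while a role with a different prefix is refused.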

iandees commented 5 years ago

Done!

d3netxer commented 5 years ago

I'm getting this error, maybe to do with formatting. This link may help: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

Error --------------------------------------------------

  The CloudFormation template is invalid: Template format error: At least one Resources member must be defined.

d3netxer commented 4 years ago

@iandees I spent some time making improvements and testing a whole re-deployment of all the lambdas on another AWS account. I have a new IAM policy that I hope will take care of all the permission issues here: https://gist.github.com/d3netxer/b1d1a4012d6bf20b910c22d02ee43a80

Can you try replacing the policy with this one? You just need to replace the <region> and <account_no> wherever needed. Thanks

iandees commented 4 years ago

Change is made. It looks like you've been deploying to us-east-1, so I replaced <region> with that, too.

d3netxer commented 4 years ago

Excellent. All of the functions deployed successfully. A few modifications are left to complete the deployment on the live site.

One of the Lambda functions makes a pull request to the Github repo. For this I believe we need to post as a user who has admin access to the repo, along with a personal access token. @iandees you can either create a new Github user or use an existing one. The pull requests will be posted as that user.

iandees commented 4 years ago

This is done. The user is teachosm-bot. I shared the access token privately.

d3netxer commented 4 years ago

thanks. I am getting close; today I switched out the backends, including copying the files between s3 buckets. I need to look at the libreoffice converter a little bit more because it isn't converting pdfs to pdfs. It probably shouldn't do this: if the file doesn't need to be converted, it should just be copied from the contents upload folder to the contents folder instead, so adding an if statement should most likely fix this issue. Right now 2 project download links are broken because of this. I will try to continue fixing this and doing more tests within the next few days.