nikki-t
commented
3 months ago I have fully tested adding API keys and am ready to finalize this PR.
However, I wanted to discuss a cycle error I keep running into when deploying the feature/issue-205 branch to SIT and then deploying the develop branch to SIT. Here is the error:
│ Error: Cycle: aws_ssm_parameter.trusted-user-parameter, aws_api_gateway_usage_plan.trusted-user-usage-plan (expand), aws_api_gateway_usage_plan_key.trusted-user-usage-key (expand), aws_api_gateway_usage_plan_key.trusted-user-usage-key, aws_ssm_parameter.default-user-parameter (expand), aws_ssm_parameter.default-user-parameter, aws_api_gateway_api_key.default-user-key, aws_ssm_parameter.hydrocron-api-url (expand), aws_ssm_parameter.hydrocron-api-url, aws_api_gateway_usage_plan.default-user-usage-plan (expand), aws_api_gateway_usage_plan.default-user-usage-plan, aws_api_gateway_deployment.hydrocron-api-gateway-deployment (expand), aws_api_gateway_deployment.hydrocron-api-gateway-deployment, data.aws_iam_policy_document.lambda-invoke-authorizer-policy, data.aws_iam_policy_document.lambda-invoke-authorizer-policy (expand), aws_iam_role.hydrocron-gateway-authorizer-role (expand), aws_lambda_function.hydrocron_lambda_authorizer, aws_api_gateway_rest_api.hydrocron-api-gateway (expand), aws_api_gateway_stage.hydrocron-api-gateway-stage, aws_api_gateway_deployment.hydrocron-api-gateway-deployment (destroy deposed 82d9390d), null_resource.api_key_hash (destroy), aws_iam_role.hydrocron-gateway-authorizer-role, aws_api_gateway_rest_api.hydrocron-api-gateway, aws_api_gateway_stage.hydrocron-api-gateway-stage (expand), aws_api_gateway_usage_plan.trusted-user-usage-planSeen in these logs: https://github.com/podaac/hydrocron/actions/runs/10379628958/job/28738315949
The only way I have found to resolve this is to redeploy feature/issue-205 several times and then develop can be deployed successfully. I can't quite track down where this is occurring. It does seem to happen when I test out adding a new API key and then when the develop Terraform executes and tries to destroy it.
Theoretically, we shouldn't have this issue moving forward from the feature/issue-205 branch but am wondering if this would be an issue if we decided to remove an API key?
@frankinspace and @torimcd - what do you think? Any ideas on how to isolate the cause?
GitHub Issue: #205
Description
Define a usage plan and API key for the Confluence workflow.
Use a single usage plan starting with the following limits:
Implement one API key per trusted partner to help track and isolate usage.
Overview of work done
x-hydrocron-keyheader is in the list. This will return the trusted partner policy and count against the usage plan limits for the provided API key.Overview of verification done
New and existing unit tests pass.
Overview of integration done
Deployed to SIT environment and confirmed creation of API key and update to usage plan limits.
Ran several tests to determine how API keys work when two are assigned to the same usage plans. Confirmed that you can define two API keys and assign them to one usage plan and API requests associated with one key does not impact the limits of the other key.
Ran Lambda authorizer test in the SIT environment and confirmed expected execution for default and trusted keys. Also tested adding an additional key to make sure added API key is detected by Lambda authorizer.
PR checklist:
See Pull Request Review Checklist for pointers on reviewing this pull request