Manage cors headers in terraform

[asteel-gsa]

Based on discussion with @sambodeme we are kind of leaning towards it being safe to apply this config every time terraform runs.

Note: I did jsonencode() the cors.json like we have done in other places, but it didn't exactly like the string, so opted for files containing the json. All of this is self contained in the shared/modules/cors/ module, called by shared/env/cors.tf

Based on this preview deployment, everything looks like it is working and CORS Tester on preview appears to match CORS Tester on dev

Debugging Information

As far as I can tell.. I ran this back to back multiple times.
Run 1 Passed as expected
Run 2 Failed

module.preview.module.cors.null_resource.cors_script (local-exec): Creating service key fac-public-s3-key for service instance fac-public-s3 as ***...
module.preview.module.cors.null_resource.cors_script: Still creating... [10s elapsed]
module.preview.module.cors.null_resource.cors_script (local-exec): OK
module.preview.module.cors.null_resource.cors_script (local-exec): Bucket: cg-fb529fd2-75cc-4c07-8a90-893f443a2a67
module.preview.module.cors.null_resource.cors_script (local-exec): INFO: Putting CORS config in bucket...
module.preview.module.cors.null_resource.cors_script (local-exec): An error occurred (InvalidAccessKeyId) when calling the PutBucketCors operation: The AWS Access Key Id you provided does not exist in our records.
module.preview.module.cors.null_resource.cors_script (local-exec): INFO: aws s3api get-bucket-cors output...
module.preview.module.cors.null_resource.cors_script (local-exec): An error occurred (InvalidAccessKeyId) when calling the GetBucketCors operation: The AWS Access Key Id you provided does not exist in our records.
module.preview.module.cors.null_resource.cors_script (local-exec): Deleting key fac-public-s3-key for service instance fac-public-s3 as ***...
module.preview.module.cors.null_resource.cors_script: Still creating... [20s elapsed]
module.preview.module.cors.null_resource.cors_script (local-exec): OK

Run 3 Failed.

And then I waited a few minutes and Run 4 Passed. This time, I added a sleep 10 after the creation of the service key, for the CF api.

Finally, I ran Run 5 and immediately ran Run 6 and Both Passed.

Lesson to be gained, since we are dealing with mutliple APIs, the cf api being a little delayed on responses, it was running too quickly, so the sleep 10 gave the api enough time to process and register the creation/deletion of the service keys rapidly.

---

PR checklist: submitters

• Link to an issue if possible. If there’s no issue, describe what your branch does. Even if there is an issue, a brief description in the PR is still useful.
• List any special steps reviewers have to follow to test the PR. For example, adding a local environment variable, creating a local test file, etc.
• For extra credit, submit a screen recording like this one.
• Make sure you’ve merged main into your branch shortly before creating the PR. (You should also be merging main into your branch regularly during development.)
• Make sure you’ve accounted for any migrations. When you’re about to create the PR, bring up the application locally and then run git status | grep migrations. If there are any results, you probably need to add them to the branch for the PR. Your PR should have only one new migration file for each of the component apps, except in rare circumstances; you may need to delete some and re-run python manage.py makemigrations to reduce the number to one. (Also, unless in exceptional circumstances, your PR should not delete any migration files.)
• Make sure that whatever feature you’re adding has tests that cover the feature. This includes test coverage to make sure that the previous workflow still works, if applicable.
• Make sure the full-submission.cy.js Cypress test passes, if applicable.
• Do manual testing locally. Our tests are not good enough yet to allow us to skip this step. If that’s not applicable for some reason, check this box.
• Verify that no Git surgery was necessary, or, if it was necessary at any point, repeat the testing after it’s finished.
• Once a PR is merged, keep an eye on it until it’s deployed to dev, and do enough testing on dev to verify that it deployed successfully, the feature works as expected, and the happy path for the broad feature area (such as submission) still works.

PR checklist: reviewers

• Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
• Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
• Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
• Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

[github-actions]

Terraform plan for meta

No changes. Your infrastructure matches the configuration.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Warning: Argument is deprecated

  with module.s3-backups.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/s3-backups/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

✅ Plan applied in Deploy to Development and Management Environment #749

[github-actions]

Terraform plan for dev

Plan: 1 to add, 0 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create

Terraform will perform the following actions:

  # module.dev.module.cors.null_resource.cors_header will be created
+   resource "null_resource" "cors_header" {
+       id       = (known after apply)
+       triggers = {
+           "always_run" = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.dev-backups-bucket.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/dev-backups-bucket/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

(and 6 more similar warnings elsewhere)

✅ Plan applied in Deploy to Development and Management Environment #749

[asteel-gsa]

Closing PR for a bit, want to do a bit more testing

[github-actions]

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines	Covered	Coverage	Threshold	Status
18026	16473	91%	0%	🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: 4b99623 by action🐍

[sambodeme]

Tested here

[asteel-gsa]

Tested here

Cheers. Going to give @danswick a bit to review, just for awareness.

[danswick]

This looks reasonable to me. I compared to Tadhg and Bret's discussion on the original ticket, as well as the docs you linked inline, and this looks like a good approach. Let's make sure we manually test the headers once it's on staging as well 👍