Provide apikey to reporting indexers #2524
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
The reporting indexers now use an API Key instead of a username and password. This change provides that API Key in the ECS environment.
I have already deployed this change.
Fixes #2520
How to test
Look at the calm_indexer and sierra_indexer. The deployment state should not be FAILED.
Look at the calm indexer input queue and the Sierra indexer input queue. The number of available messages should either be zero, or a very low number. If it is a low number, then wait a bit (possibly looking at the above ECS instances. The messages will be processed by them
How can we measure success?
When new content is published in Sierra or CALM, we will be able to query it in Reporting.
Have we considered potential risks?
This fixes something that has been broken for some months. We should probably have an alarm that can alert us to this failure. The indexers would not start, and messages were hitting their retention period and disappearing. This change does not create any new alert, so if this happens again (e.g. if the API Key is removed), then we may suffer the same problem where we don't spot it until something nearby makes us look. I have raised #2523 to put in an alert.
The API Key itself has been manually created (using the same permissions as the user that the indexers used to use), rather than managed by Terraform. We should look at including this in the critical infrastructure tf, but AFAICT, the previous username/password approach was also manually managed, hence my decision to follow the same approach here