diff --git a/CHANGELOG.md b/CHANGELOG.md index 60aaa6c..fe154e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,15 @@ # CHANGELOG -## Unreleased - +## v18.2.0.0 + +* Upgrade to [Cumulus v18.2.0](https://github.com/nasa/cumulus/releases/tag/v18.2.0) +* **NOTE** this version of Cumulus requires changes to the RDS database per +[these instructions](https://nasa.github.io/cumulus/docs/upgrade-notes/upgrade-rds-cluster-tf-postgres-13/) +* upgrade TEA to [v1.3.5](https://github.com/asfadmin/thin-egress-app/releases/tag/tea-release.1.3.5) +* update required terraform version to `>= 1.5` in all CIRRUS modules matching the requirements +from the Cumulus application. +* Add `DAR=YES` tag to terraform state bucket created by `make tf` +* replace deprecated use of terraform `s3_bucket_object` with `s3_object` * expose the TEA lambda timeout value to allow for DAAC customization * add `--platform linux/amd64` to all Docker commands in `Makefile` so `make image` and `make container-shell` work on Apple Silicon machines diff --git a/Makefile b/Makefile index 97c7f53..fb299fd 100644 --- a/Makefile +++ b/Makefile @@ -19,7 +19,7 @@ # PYTHON_VER: python3 or python38 which sets the build target in make file # --------------------------- -DOCKER_TAG := v18.0.0.0 +DOCKER_TAG := v18.2.0.0 export TF_IN_AUTOMATION="true" export TF_VAR_MATURITY=${MATURITY} export TF_VAR_DEPLOY_NAME=${DEPLOY_NAME} diff --git a/cumulus/main.tf b/cumulus/main.tf index 8086fcb..8025014 100644 --- a/cumulus/main.tf +++ b/cumulus/main.tf @@ -1,5 +1,5 @@ module "cumulus" { - source = "https://github.com/nasa/cumulus/releases/download/v18.0.0/terraform-aws-cumulus.zip//tf-modules/cumulus" + source = "https://github.com/nasa/cumulus/releases/download/v18.2.0/terraform-aws-cumulus.zip//tf-modules/cumulus" cumulus_message_adapter_lambda_layer_version_arn = data.terraform_remote_state.daac.outputs.cma_layer_arn 
@@ -83,7 +83,7 @@ module "cumulus" { orca_lambda_copy_to_archive_arn = local.orca_lambda_copy_to_archive_arn orca_sfn_recovery_workflow_arn = local.orca_sfn_recovery_workflow_arn - orca_api_uri = local.orca_api_uri + orca_api_uri = local.orca_api_uri # must match stage_name variable for thin-egress-app module tea_api_gateway_stage = local.tea_stage_name diff --git a/cumulus/thin-egress.tf b/cumulus/thin-egress.tf index cbe7ea0..31ff93d 100644 --- a/cumulus/thin-egress.tf +++ b/cumulus/thin-egress.tf @@ -1,8 +1,8 @@ module "thin_egress_app" { - source = "s3::https://s3.amazonaws.com/asf.public.code/thin-egress-app/tea-terraform-build.1.3.3.zip" + source = "s3::https://s3.amazonaws.com/asf.public.code/thin-egress-app/tea-terraform-build.1.3.5.zip" auth_base_url = var.urs_url - bucket_map_file = local.bucket_map_key == null ? aws_s3_bucket_object.bucket_map_yaml.id : local.bucket_map_key + bucket_map_file = local.bucket_map_key == null ? aws_s3_object.bucket_map_yaml.id : local.bucket_map_key bucketname_prefix = "" config_bucket = local.system_bucket cookie_domain = var.thin_egress_cookie_domain @@ -40,7 +40,7 @@ resource "aws_secretsmanager_secret_version" "thin_egress_urs_creds" { }) } -resource "aws_s3_bucket_object" "bucket_map_yaml" { +resource "aws_s3_object" "bucket_map_yaml" { bucket = local.system_bucket key = "${local.prefix}/thin-egress-app/${local.prefix}-bucket_map.yaml" content = templatefile("./thin-egress-app/bucket_map.yaml.tmpl", { diff --git a/cumulus/versions.tf b/cumulus/versions.tf index 6b6318d..f5a0ad7 100644 --- a/cumulus/versions.tf +++ b/cumulus/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.5" } diff --git a/data-persistence/main.tf b/data-persistence/main.tf index 40c7da8..74fd579 100644 --- a/data-persistence/main.tf +++ b/data-persistence/main.tf 
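Review bot: The `source` line of the `thin_egress_app` module fetches `tea-terraform-build.1.3.5.zip` from a public S3 URL, and nothing visible in this change verifies the archive's contents. The version is only part of the object name, so a replaced object would be picked up at the next `terraform init`. The same applies to the two `terraform-aws-cumulus.zip` release-asset sources bumped in `cumulus/main.tf` and `data-persistence/main.tf`. Terraform's dependency lock file records provider checksums only, not module archives, so it does not cover these. I would record the expected digest beside each source, e.g. `# sha256: <EXPECTED_SHA256_OF_ARCHIVE>`, and have the deploy tooling compare it before init; the module block continues past the end of the hunk.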
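Review bot: Changing the type of `bucket_map_yaml` from `aws_s3_bucket_object` to `aws_s3_object` changes its resource address, so unless state is migrated Terraform will most likely plan a destroy of the old address and a create of the new one for the same S3 key. With no dependency between the two operations, the delete can land after the create and leave TEA without its bucket map, which as far as I know is the file that maps request paths to buckets and marks them public or private. The hunk shows no `moved` block, import or state step, and the CHANGELOG entry only says the deprecated resource was replaced. I would add an upgrade note telling operators to import the object under `aws_s3_object.bucket_map_yaml` and drop the old address from state, or at least to confirm the object still exists after the first apply. The resource body continues past the end of the hunk.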
@@ -1,5 +1,5 @@ module "data_persistence" { - source = "https://github.com/nasa/cumulus/releases/download/v18.0.0/terraform-aws-cumulus.zip//tf-modules/data-persistence" + source = "https://github.com/nasa/cumulus/releases/download/v18.2.0/terraform-aws-cumulus.zip//tf-modules/data-persistence" prefix = local.prefix subnet_ids = data.aws_subnets.subnet_ids.ids diff --git a/data-persistence/versions.tf b/data-persistence/versions.tf index 6b6318d..f5a0ad7 100644 --- a/data-persistence/versions.tf +++ b/data-persistence/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.5" } diff --git a/docs/Resolve_TEA_CloudFormation_Error.md b/docs/Resolve_TEA_CloudFormation_Errors.md similarity index 53% rename from docs/Resolve_TEA_CloudFormation_Error.md rename to docs/Resolve_TEA_CloudFormation_Errors.md index 47e4996..15d7e59 100644 --- a/docs/Resolve_TEA_CloudFormation_Error.md +++ b/docs/Resolve_TEA_CloudFormation_Errors.md @@ -1,13 +1,8 @@ -# Resolve TEA CloudFormation Error +# Resolve TEA CloudFormation Errors -In CIRRUS v17.0.0.3 and all later versions the `cumulus/thin-egress.tf` file was updated -to pass Tags to the thin-egress terraform module. The bulk of the thin-egress application -is deployed via CloudFormation. - -For ORNL, the first time the CloudFormation stack tried to apply these tags, it deleted -the TEA Api Gateway stage and generated an error which could not be automatically -recovered. Maybe other DAAC's will not see this issue but here is what ORNL saw and how -we resolved it. +ORNL has run into Cloudformation issues when deploying TEA via CIRRUS. If your DAAC has +these same issues, here are some instructions that allowed ORNL to recover from this +sitution. As we identify additional scenarios this document will be updated. **It is important to take these steps after the first run of `make cumulus`. If you wait until another `make cumulus` run you may put the CloudFormation stack into a state 
@@ -17,7 +12,7 @@ to re-associate CloudFront to the new Api Gateway.** ## Deployment error -When deploying `make cumulus` trying to add tags to TEA you may see an error like this: +When deploying `make cumulus` you may see a TEA CloudFormation error like this: ``` Error: updating CloudFormation Stack (arn:aws:cloudformation:us-west-2:343218528358:stack/cxl1-cumulus-cxl-thin-egress-app/67007340-789f-11ee-be75-0a3a3e51928f): ValidationError: Stack:arn:aws:cloudformation:us-west-2:343218528358:stack/cxl1-cumulus-cxl-thin-egress-app/67007340-789f-11ee-be75-0a3a3e51928f is in UPDATE_ROLLBACK_FAILED state and can not be updated. 
@@ -34,32 +29,50 @@ If your look at the CloudFormation stack you will see something like this: ![CloudFormation Update Rollback Failed](images/cloudformation_update_rollback_failed.png) -And if you click on the stack name and look at the Events tab you will see something -like this: +And if you click on the stack name and look at the Events tab you will see a couple of +possible scenarios. Both have the same root cause `invalid stage identifier` like this: + +![invalid stage identifier](images/invalid_stage_identifier.png) + +Above this error you might see a couple scenarios. `Scenario 1` has update failures +concerning IAM roles like this: ![CloudFormation update events](images/cloudformation_update_events.png) -If you look at the Thin Egress Api Gateway you will see that it no longer has a Stage: +`Scenario 2` mentions failures with lambda functions like this: -![Thin Egress Api Gateway with no Stage](images/tea_api_gateway_no_stage.png) +![errors with lambda functions](images/errors_with_lambda_functions.png) + +The steps to correct the issues vary slightly. + +## How to resolve the errors -## How to resolve the error +Both recoveries start by updating your Thin Egress Api Gateway. You will see that it no +longer has a Stage: + +![Thin Egress Api Gateway with no Stage](images/tea_api_gateway_no_stage.png) ### Add new Api Gateway Stage -First step in resolving the error is to add a Stage to your Api Gateway matching the -`$MATURITY` of your deployment. Click on `Create Stage`. In the new window type in -your MATURITY value and select the latest `Deployment` from the dropdown. All other -values can be left as their default. Like this: +Add a Stage to your Api Gateway matching the `$MATURITY` of your deployment. Click on +`Create Stage`. In the new window type in your MATURITY value and select the latest +`Deployment` from the dropdown. All other values can be left as their default. 
Like +this: ![Create new Api Gateway Stage](images/create_new_api_gateway_stage.png) ### Rollback Cloudformation using the Advanced option -In the CloudFormation Stack Options select `Continue update rollback` +Both scenarios now require you to roll back the CloudFormation stack so another +`make cumulus` can be run. The senarios differ in the Advanced troubleshooting options +that should be selected when running the rollback. ![Continue update rollback](images/cloudformation_continue_update_rollback.png) +### Scenario 1 roll back + +In the CloudFormation Stack Options select `Continue update rollback` + Select `Advanced troubleshooting` and then select the checkboxes to `skip` all the resources and then the `Continue update rollback` button. @@ -69,6 +82,20 @@ Your stack should now be in the `UPDATE_ROLLBACK_COMPLETE` state ![Update Rollback Complete](images/cloudformation_update_rollback_complete.png) +### Scenario 2 roll back + +In the CloudFormation Stack Options select `Continue update rollback` + +Select `Advanced troubleshooting` and then select the checkboxes to `skip` the Lambda +resources only, don't select the `Express Stage` and then the +`Continue update rollback` button. + +![Skip Lambda resources](images/skip_lamba_resources.png) + +Your stack should now be in the `UPDATE_ROLLBACK_COMPLETE` state + +![Update Rollback Complete](images/cloudformation_update_rollback_complete.png) + ### Re-run `make Cumulus` You should now be able to run `make cumulus` successfully diff --git a/docs/images/errors_with_lambda_functions.png b/docs/images/errors_with_lambda_functions.png new file mode 100644 index 0000000..bf065a1 Binary files /dev/null and b/docs/images/errors_with_lambda_functions.png differ diff --git a/docs/images/invalid_stage_identifier.png b/docs/images/invalid_stage_identifier.png new file mode 100644 index 0000000..27237c6 Binary files /dev/null and b/docs/images/invalid_stage_identifier.png differ 
diff --git a/docs/images/skip_lamba_resources.png b/docs/images/skip_lamba_resources.png new file mode 100644 index 0000000..6028ec7 Binary files /dev/null and b/docs/images/skip_lamba_resources.png differ diff --git a/tf/locals.tf b/tf/locals.tf index 0ae79ff..376c3d0 100644 --- a/tf/locals.tf +++ b/tf/locals.tf @@ -4,6 +4,7 @@ locals { aws_account_id_last4 = substr(data.aws_caller_identity.current.account_id, -4, 4) default_tags = { - Deployment = local.prefix + Deployment = local.prefix, + DAR = "YES" } } diff --git a/tf/versions.tf b/tf/versions.tf index 6b6318d..f5a0ad7 100644 --- a/tf/versions.tf +++ b/tf/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.5" }
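Review bot: The new `DAR = "YES"` entry has no comment saying what the tag asserts, and it is added to `local.default_tags` rather than to one resource, while the CHANGELOG describes it as a tag on the state bucket created by `make tf`. How `default_tags` is consumed is outside this hunk, so the tag may reach every resource in the `tf` module. If DAR is a data-at-rest compliance marker, the tag only labels the bucket and does not configure encryption, so the bucket's encryption settings still need checking separately. I would add a comment above it such as `# DAR: <meaning of the tag>; applied to every resource that uses default_tags`. The `locals` block opens before the hunk.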