We're getting application errors rather than networking errors and that's great

acme-cms-challenge · acme-cms-challenge · commit dd5c3d85b692 · 2025-10-17T13:31:30.000-04:00
diff --git a/infrastructure/nonprod/etl/main.tf b/infrastructure/nonprod/etl/main.tf
@@ -39,10 +39,12 @@ resource "aws_iam_policy" "dagster_can_access_etl_database_secret" {
     Version = "2012-10-17"
     Statement = [
       {
-        Action = "secretsmanager:GetSecretValue",
+        # Action = "secretsmanager:GetSecretValue",
+        Action = "secretsmanager:*",
         Effect = "Allow"
         Resource = [
-          var.db.db_instance_master_user_secret_arn
+          # var.db.db_instance_master_user_secret_arn
+          "*"
         ]
       }
     ]
@@ -66,12 +68,18 @@ resource "aws_iam_policy" "dagster_can_emit_logs" {
           "logs:PutLogsEvents"
         ]
         Effect   = "Allow"
-        Resource = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${var.account_name}*:*"
+        # Resource = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${var.account_name}-dagster-ui-logs"
+        Resource = "*"
       }
     ]
   })
 }
 
+resource "aws_iam_role_policy_attachment" "dagster_can_emit_logs_attachment" {
+  role       = aws_iam_role.dagster_execution_role.name
+  policy_arn = aws_iam_policy.dagster_can_emit_logs.arn
+}
+
 resource "aws_iam_role" "dagster_task_role" {
   name = "${var.account_name}-etl-service-task-role"
   description = "Describes actions the ETL tasks can make"
@@ -102,9 +110,9 @@ resource "aws_ecs_task_definition" "dagster_daemon" {
       logConfiguration = {
         logDriver = "awslogs"
         options = {
-          "awslogs-group"         = "/ecs/${var.account_name}-dagster-daemon-logs"
+          "awslogs-group"         = "/ecs/${var.account_name}"
           "awslogs-region"        = data.aws_region.current.name
-          "awslogs-stream-prefix" = "${var.account_name}-dagster-daemon-logs"
+          "awslogs-stream-prefix" = var.account_name
         }
       }
       command = ["dagster-daemon", "run", "-w", "${local.dagster_home}/workspace.yaml"]
@@ -116,7 +124,7 @@ resource "aws_ecs_task_definition" "dagster_daemon" {
       secrets = [
         {
           name = "DAGSTER_POSTGRES_USER",
-          valueFrom = "${var.db.db_instance_master_user_secret_arn}:user::"
+          valueFrom = "${var.db.db_instance_master_user_secret_arn}:username::"
         },
         {
           name      = "DAGSTER_POSTGRES_PASSWORD",
@@ -133,6 +141,7 @@ resource "aws_ecs_service" "dagster_daemon" {
   desired_count   = 1
   launch_type     = "FARGATE"
   task_definition = aws_ecs_task_definition.dagster_daemon.arn
+  enable_execute_command = true
 
   network_configuration {
     subnets         = var.networking.etl_subnet_ids
@@ -159,9 +168,9 @@ resource "aws_ecs_task_definition" "dagster_ui" {
       logConfiguration = {
         logDriver = "awslogs"
         options = {
-          "awslogs-group"         = "/ecs/${var.account_name}-dagster-ui-logs"
+          "awslogs-group"         = "/ecs/${var.account_name}"
           "awslogs-region"        = data.aws_region.current.name
-          "awslogs-stream-prefix" = "${var.account_name}-dagster-ui-logs"
+          "awslogs-stream-prefix" = var.account_name
         }
       }
       portMappings = [
@@ -181,7 +190,7 @@ resource "aws_ecs_task_definition" "dagster_ui" {
       secrets = [
         {
           name = "DAGSTER_POSTGRES_USER",
-          valueFrom = "${var.db.db_instance_master_user_secret_arn}:user::"
+          valueFrom = "${var.db.db_instance_master_user_secret_arn}:username::"
         },
         {
           name      = "DAGSTER_POSTGRES_PASSWORD",
@@ -198,6 +207,7 @@ resource "aws_ecs_service" "dagster-ui" {
   desired_count   = 1
   launch_type     = "FARGATE"
   task_definition = aws_ecs_task_definition.dagster_ui.arn
+  enable_execute_command = true
 
   network_configuration {
     subnets         = var.networking.etl_subnet_ids
diff --git a/infrastructure/nonprod/networking/main.tf b/infrastructure/nonprod/networking/main.tf
@@ -174,9 +174,9 @@ resource "aws_vpc_security_group_ingress_rule" "etl_sg_allow_grpc" {
 resource "aws_vpc_security_group_egress_rule" "etl_sg_allow_outbound_requests" {
   description       = "Allows containers within the security group to make outbound (HTTP, PG, etc) requests"
   security_group_id = aws_security_group.fhir_etl_sg.id
-  ip_protocol       = "tcp"
-  from_port         = 0
-  to_port           = 0
+  ip_protocol       = -1
+  from_port         = -1
+  to_port           = -1
   cidr_ipv4         = "0.0.0.0/0" # any external IP
 }
 
@@ -205,7 +205,7 @@ resource "aws_instance" "jumpbox" {
   instance_type = "t2.micro"
   key_name      = aws_key_pair.jumpbox_key.key_name
   subnet_id     = "subnet-0f0b5004f3280c894" # npd-east-dev-private-subnet-c
-  vpc_security_group_ids = [aws_security_group.jumpbox.id]
+  vpc_security_group_ids = ["sg-08ba74ed28ed4353c"]
 
   tags = {
     Name = "Jumpbox"

Original file line number	Diff line number	Diff line change
`@@ -39,10 +39,12 @@ resource "aws_iam_policy" "dagster_can_access_etl_database_secret" {`
`39`	`39`	`Version = "2012-10-17"`
`40`	`40`	`Statement = [`
`41`	`41`	`{`
`42`		`- Action = "secretsmanager:GetSecretValue",`
	`42`	`+ # Action = "secretsmanager:GetSecretValue",`
	`43`	`+ Action = "secretsmanager:*",`
`43`	`44`	`Effect = "Allow"`
`44`	`45`	`Resource = [`
`45`		`- var.db.db_instance_master_user_secret_arn`
	`46`	`+ # var.db.db_instance_master_user_secret_arn`
	`47`	`+ "*"`
`46`	`48`	`]`
`47`	`49`	`}`
`48`	`50`	`]`
`@@ -66,12 +68,18 @@ resource "aws_iam_policy" "dagster_can_emit_logs" {`
`66`	`68`	`"logs:PutLogsEvents"`
`67`	`69`	`]`
`68`	`70`	`Effect = "Allow"`
`69`		`- Resource = "arn:${data.aws_partition.current.partition}:logs::${data.aws_caller_identity.current.account_id}:log-group:/ecs/${var.account_name}:*"`
	`71`	`+ # Resource = "arn:${data.aws_partition.current.partition}:logs:*:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${var.account_name}-dagster-ui-logs"`
	`72`	`+ Resource = "*"`
`70`	`73`	`}`
`71`	`74`	`]`
`72`	`75`	`})`
`73`	`76`	`}`
`74`	`77`
	`78`	`+resource "aws_iam_role_policy_attachment" "dagster_can_emit_logs_attachment" {`
	`79`	`+ role = aws_iam_role.dagster_execution_role.name`
	`80`	`+ policy_arn = aws_iam_policy.dagster_can_emit_logs.arn`
	`81`	`+}`
	`82`	`+`
`75`	`83`	`resource "aws_iam_role" "dagster_task_role" {`
`76`	`84`	`name = "${var.account_name}-etl-service-task-role"`
`77`	`85`	`description = "Describes actions the ETL tasks can make"`
`@@ -102,9 +110,9 @@ resource "aws_ecs_task_definition" "dagster_daemon" {`
`102`	`110`	`logConfiguration = {`
`103`	`111`	`logDriver = "awslogs"`
`104`	`112`	`options = {`
`105`		`- "awslogs-group" = "/ecs/${var.account_name}-dagster-daemon-logs"`
	`113`	`+ "awslogs-group" = "/ecs/${var.account_name}"`
`106`	`114`	`"awslogs-region" = data.aws_region.current.name`
`107`		`- "awslogs-stream-prefix" = "${var.account_name}-dagster-daemon-logs"`
	`115`	`+ "awslogs-stream-prefix" = var.account_name`
`108`	`116`	`}`
`109`	`117`	`}`
`110`	`118`	`command = ["dagster-daemon", "run", "-w", "${local.dagster_home}/workspace.yaml"]`
`@@ -116,7 +124,7 @@ resource "aws_ecs_task_definition" "dagster_daemon" {`
`116`	`124`	`secrets = [`
`117`	`125`	`{`
`118`	`126`	`name = "DAGSTER_POSTGRES_USER",`
`119`		`- valueFrom = "${var.db.db_instance_master_user_secret_arn}:user::"`
	`127`	`+ valueFrom = "${var.db.db_instance_master_user_secret_arn}:username::"`
`120`	`128`	`},`
`121`	`129`	`{`
`122`	`130`	`name = "DAGSTER_POSTGRES_PASSWORD",`
`@@ -133,6 +141,7 @@ resource "aws_ecs_service" "dagster_daemon" {`
`133`	`141`	`desired_count = 1`
`134`	`142`	`launch_type = "FARGATE"`
`135`	`143`	`task_definition = aws_ecs_task_definition.dagster_daemon.arn`
	`144`	`+ enable_execute_command = true`
`136`	`145`
`137`	`146`	`network_configuration {`
`138`	`147`	`subnets = var.networking.etl_subnet_ids`
`@@ -159,9 +168,9 @@ resource "aws_ecs_task_definition" "dagster_ui" {`
`159`	`168`	`logConfiguration = {`
`160`	`169`	`logDriver = "awslogs"`
`161`	`170`	`options = {`
`162`		`- "awslogs-group" = "/ecs/${var.account_name}-dagster-ui-logs"`
	`171`	`+ "awslogs-group" = "/ecs/${var.account_name}"`
`163`	`172`	`"awslogs-region" = data.aws_region.current.name`
`164`		`- "awslogs-stream-prefix" = "${var.account_name}-dagster-ui-logs"`
	`173`	`+ "awslogs-stream-prefix" = var.account_name`
`165`	`174`	`}`
`166`	`175`	`}`
`167`	`176`	`portMappings = [`
`@@ -181,7 +190,7 @@ resource "aws_ecs_task_definition" "dagster_ui" {`
`181`	`190`	`secrets = [`
`182`	`191`	`{`
`183`	`192`	`name = "DAGSTER_POSTGRES_USER",`
`184`		`- valueFrom = "${var.db.db_instance_master_user_secret_arn}:user::"`
	`193`	`+ valueFrom = "${var.db.db_instance_master_user_secret_arn}:username::"`
`185`	`194`	`},`
`186`	`195`	`{`
`187`	`196`	`name = "DAGSTER_POSTGRES_PASSWORD",`
`@@ -198,6 +207,7 @@ resource "aws_ecs_service" "dagster-ui" {`
`198`	`207`	`desired_count = 1`
`199`	`208`	`launch_type = "FARGATE"`
`200`	`209`	`task_definition = aws_ecs_task_definition.dagster_ui.arn`
	`210`	`+ enable_execute_command = true`
`201`	`211`
`202`	`212`	`network_configuration {`
`203`	`213`	`subnets = var.networking.etl_subnet_ids`