🧱 Restore batch jobs until updated permissions

Author: shnizzedy

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 1.10.2
+
+### Changed
+
+- Restored minute-by-minute jobs pending AWS permission update.
+
 ## 1.10.1
 
 ### Added

VERSION

@@ -1 +1 @@
-1.10.1
+1.10.2

infrastructure/main.tf

@@ -2,134 +2,71 @@ terraform {
   required_version = ">= 1.0"
 
   required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
     local = {
       source  = "hashicorp/local"
       version = "~> 2.4"
     }
   }
 }
 
-provider "aws" {
-  region = var.aws_region
-
-  default_tags {
-    tags = {
-      Project     = "HBN Migration"
-      Environment = var.environment
-      ManagedBy   = "Terraform"
-    }
-  }
+locals {
+  workspace = terraform.workspace
 }
 
-# EC2 Instance
-resource "aws_instance" "hbn_migration" {
-  ami           = var.ami_id
-  instance_type = var.instance_type
-  key_name      = var.key_name
-  ebs_optimized = true
-  monitoring    = true
-
-  vpc_security_group_ids = [aws_security_group.hbn_migration.id]
-  subnet_id              = var.subnet_id
-
-  metadata_options {
-    http_endpoint = "enabled"
-    http_tokens   = "required"
-  }
-
-  root_block_device {
-    encrypted = true
-  }
-
-  user_data = templatefile("${path.module}/user_data.sh", {
-    github_repo       = var.github_repo
-    github_branch     = var.github_branch
-    working_directory = var.working_directory
-    python_venv       = var.python_venv
+# Webhook services (long-running uvicorn servers)
+resource "local_file" "redcap_to_redcap_service" {
+  content = templatefile("${path.module}/services/redcap-to-redcap.service.tpl", {
     service_user      = var.service_user
     service_group     = var.service_group
+    working_directory = var.working_directory
+    python_venv       = var.python_venv
   })
-
-  tags = {
-    Name = "hbn-migration-${var.environment}"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
+  filename = "${path.module}/generated/redcap-to-redcap.service"
 }
 
-# Security Group
-resource "aws_security_group" "hbn_migration" {
-  name        = "hbn-migration-${var.environment}"
-  description = "Security group for HBN migration webhook services"
-  vpc_id      = var.vpc_id
-
-  # SSH access (conditional - only if CIDRs specified)
-  dynamic "ingress" {
-    for_each = length(var.ssh_allowed_cidrs) > 0 ? [1] : []
-    content {
-      from_port   = 22
-      to_port     = 22
-      protocol    = "tcp"
-      cidr_blocks = var.ssh_allowed_cidrs
-      description = "SSH access"
-    }
-  }
-
-  # REDCap to REDCap webhook
-  ingress {
-    from_port   = 8001
-    to_port     = 8001
-    protocol    = "tcp"
-    cidr_blocks = var.webhook_allowed_cidrs
-    description = "REDCap to Intake webhook"
-  }
-
-  # REDCap to Curious webhook
-  ingress {
-    from_port   = 8002
-    to_port     = 8002
-    protocol    = "tcp"
-    cidr_blocks = var.webhook_allowed_cidrs
-    description = "REDCap to Curious webhook"
-  }
-
-  # Outbound traffic (required for apt, pip, API calls to REDCap/Curious)
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-    description = "All outbound traffic (required for updates and API calls)"
-  }
-
-  tags = {
-    Name = "hbn-migration-${var.environment}"
-  }
+resource "local_file" "redcap_to_curious_service" {
+  content = templatefile("${path.module}/services/redcap-to-curious.service.tpl", {
+    service_user      = var.service_user
+    service_group     = var.service_group
+    working_directory = var.working_directory
+    python_venv       = var.python_venv
+  })
+  filename = "${path.module}/generated/redcap-to-curious.service"
 }
 
-# Generate systemd service files
-resource "local_file" "redcap_to_redcap_service" {
-  content = templatefile("${path.module}/services/redcap-to-redcap.service.tpl", {
+# Batch services (oneshot, triggered by timer)
+resource "local_file" "redcap_to_redcap_batch_service" {
+  content = templatefile("${path.module}/services/redcap-to-redcap-batch.service.tpl", {
     service_user      = var.service_user
     service_group     = var.service_group
     working_directory = var.working_directory
     python_venv       = var.python_venv
   })
-  filename = "${path.module}/generated/redcap-to-redcap.service"
+  filename = "${path.module}/generated/redcap-to-redcap-batch.service"
 }
 
-resource "local_file" "redcap_to_curious_service" {
-  content = templatefile("${path.module}/services/redcap-to-curious.service.tpl", {
+resource "local_file" "redcap_to_curious_batch_service" {
+  content = templatefile("${path.module}/services/redcap-to-curious-batch.service.tpl", {
     service_user      = var.service_user
     service_group     = var.service_group
     working_directory = var.working_directory
     python_venv       = var.python_venv
   })
-  filename = "${path.module}/generated/redcap-to-curious.service"
+  filename = "${path.module}/generated/redcap-to-curious-batch.service"
+}
+
+# Timer and sync target
+resource "local_file" "hbn_sync_service" {
+  content = templatefile("${path.module}/services/hbn-sync.service.tpl", {
+    workspace = local.workspace
+  })
+  filename = "${path.module}/generated/hbn-sync.service"
+}
+
+resource "local_file" "hbn_sync_timer" {
+  content = templatefile("${path.module}/services/hbn-sync.timer.tpl", {
+    workspace             = local.workspace
+    sync_interval_minutes = var.sync_interval_minutes
+  })
+  filename = "${path.module}/generated/hbn-sync.timer"
 }

infrastructure/outputs.tf

@@ -1,42 +1,46 @@
-output "instance_id" {
-  description = "EC2 instance ID"
-  value       = aws_instance.hbn_migration.id
+output "redcap_to_intake_webhook_path" {
+  description = "Webhook path for REDCap to Intake (configure in REDCap Data Entry Trigger)"
+  value       = "/webhook/redcap-to-intake (port 8001)"
 }
 
-output "instance_public_ip" {
-  description = "Public IP of EC2 instance"
-  value       = aws_instance.hbn_migration.public_ip
+output "redcap_to_curious_webhook_path" {
+  description = "Webhook path for REDCap to Curious (configure in REDCap Data Entry Trigger)"
+  value       = "/webhook/redcap-to-curious (port 8002)"
 }
 
-output "instance_private_ip" {
-  description = "Private IP of EC2 instance"
-  value       = aws_instance.hbn_migration.private_ip
-}
-
-output "redcap_to_intake_webhook_url" {
-  description = "Webhook URL for REDCap to Intake (configure in REDCap Data Entry Trigger)"
-  value       = "http://${aws_instance.hbn_migration.public_ip}:8001/webhook/redcap-to-intake"
-}
-
-output "redcap_to_curious_webhook_url" {
-  description = "Webhook URL for REDCap to Curious (configure in REDCap Data Entry Trigger)"
-  value       = "http://${aws_instance.hbn_migration.public_ip}:8002/webhook/redcap-to-curious"
+output "service_commands" {
+  description = "Commands to manage services (run on the VM)"
+  value = {
+    install_webhooks = "sudo cp generated/redcap-to-redcap.service generated/redcap-to-curious.service /etc/systemd/system/ && sudo systemctl daemon-reload"
+    install_timer    = "sudo cp generated/hbn-sync.service generated/hbn-sync.timer /etc/systemd/system/ && sudo systemctl daemon-reload"
+    enable_webhooks  = "sudo systemctl enable --now redcap-to-redcap.service redcap-to-curious.service"
+    enable_timer     = "sudo systemctl enable --now hbn-sync.timer"
+    disable_timer    = "sudo systemctl disable --now hbn-sync.timer"
+    status           = "sudo systemctl status redcap-to-redcap.service redcap-to-curious.service hbn-sync.timer"
+    logs             = "sudo journalctl -u redcap-to-redcap.service -u redcap-to-curious.service -f"
+  }
 }
 
-output "ssh_command" {
-  description = "SSH command to connect"
-  value       = "ssh -i /path/to/${var.key_name}.pem ubuntu@${aws_instance.hbn_migration.public_ip}"
+output "health_check_commands" {
+  description = "Commands to check service health (run on the VM)"
+  value = {
+    redcap_to_intake  = "curl http://localhost:8001/health"
+    redcap_to_curious = "curl http://localhost:8002/health"
+  }
 }
 
-output "security_group_id" {
-  description = "Security group ID"
-  value       = aws_security_group.hbn_migration.id
+output "migration_note" {
+  description = "Steps to migrate from timer to webhooks"
+  value       = <<-EOT
+    Once security group rules are in place for ports 8001/8002:
+    1. Enable webhooks: sudo systemctl enable --now redcap-to-redcap.service redcap-to-curious.service
+    2. Configure REDCap Data Entry Triggers
+    3. Test webhooks: curl http://localhost:8001/health
+    4. Disable timer: sudo systemctl disable --now hbn-sync.timer
+  EOT
 }
 
-output "health_check_commands" {
-  description = "Commands to check service health"
-  value = {
-    redcap_to_intake  = "curl http://${aws_instance.hbn_migration.public_ip}:8001/health"
-    redcap_to_curious = "curl http://${aws_instance.hbn_migration.public_ip}:8002/health"
-  }
+output "security_group_note" {
+  description = "Manual step required for webhooks"
+  value       = "Ask AWS admin to add inbound rules for ports 8001 and 8002 (TCP) from your REDCap server IP(s)"
 }

infrastructure/services/hbn-sync.service.tpl

@@ -1,7 +1,7 @@
 [Unit]
 Description=HBN Sync Service - Runs All Sync Services [${workspace}]
 After=network.target
-Wants=ripple-to-redcap.service redcap-to-redcap.service redcap-to-curious.service curious-accounts-to-redcap.service curious-data-to-redcap.service
+Wants=ripple-to-redcap.service redcap-to-redcap-batch.service redcap-to-curious-batch.service curious-accounts-to-redcap.service curious-data-to-redcap.service
 
 [Service]
 Type=oneshot

infrastructure/services/redcap-to-curious-batch.service.tpl

@@ -0,0 +1,18 @@
+[Unit]
+Description=REDCap to Curious Batch Sync
+After=network.target
+
+[Service]
+Type=oneshot
+User=${service_user}
+Group=${service_group}
+WorkingDirectory=${working_directory}
+Environment="PATH=${python_venv}/bin:/usr/local/bin:/usr/bin:/bin"
+Environment="PYTHONPATH=${working_directory}/python_jobs/src"
+ExecStart=${python_venv}/bin/redcap-to-curious
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=redcap-to-curious-batch
+
+[Install]
+WantedBy=multi-user.target

infrastructure/services/redcap-to-redcap-batch.service.tpl

@@ -0,0 +1,18 @@
+[Unit]
+Description=REDCap to REDCap Batch Sync
+After=network.target
+
+[Service]
+Type=oneshot
+User=${service_user}
+Group=${service_group}
+WorkingDirectory=${working_directory}
+Environment="PATH=${python_venv}/bin:/usr/local/bin:/usr/bin:/bin"
+Environment="PYTHONPATH=${working_directory}/python_jobs/src"
+ExecStart=${python_venv}/bin/redcap-to-redcap
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=redcap-to-redcap-batch
+
+[Install]
+WantedBy=multi-user.target

infrastructure/tests/.checkov.yaml

@@ -1,15 +1,8 @@
 branch: main
 compact: true
 quiet: false
-skip-check:
-  # SSH ingress - controlled by ssh_allowed_cidrs variable, conditional rule only
-  # created when CIDRs are specified. Checkov can't evaluate dynamic blocks.
-  - CKV_AWS_24
-
-  # Egress to 0.0.0.0/0 - required for outbound API calls to REDCap, Curious,
-  # and MindLogger, plus apt and pip for system/package updates.
-  - CKV_AWS_382
 
+# No AWS resources to scan - only local file generation
 framework:
   - terraform
 

infrastructure/tests/.tflint.hcl

@@ -3,12 +3,6 @@ plugin "terraform" {
   preset  = "recommended"
 }
 
-plugin "aws" {
-  enabled = true
-  version = "0.29.0"
-  source  = "github.com/terraform-linters/tflint-ruleset-aws"
-}
-
 rule "terraform_naming_convention" {
   enabled = true
   format  = "snake_case"
@@ -37,7 +31,3 @@ rule "terraform_required_version" {
 rule "terraform_required_providers" {
   enabled = true
 }
-
-rule "aws_instance_invalid_type" {
-  enabled = true
-}

infrastructure/tests/test-terraform.sh

@@ -46,16 +46,7 @@ run_test "Terraform init" "terraform init -backend=false"
 # Test 3: Validation
 run_test "Terraform validate" "terraform validate"
 
-# Test 4: Security scan with Checkov (if installed)
-if command -v checkov &> /dev/null; then
-    run_test "Security scan (Checkov)" "checkov -d . --quiet --compact --config-file tests/.checkov.yaml"
-else
-    echo -e "${YELLOW}⊘ SKIPPED: Security scan (Checkov not installed)${NC}"
-    echo "  Install with: pip install checkov"
-    echo ""
-fi
-
-# Test 5: Lint with tflint (if installed)
+# Test 4: Lint with tflint (if installed)
 if command -v tflint &> /dev/null; then
     run_test "Terraform lint (tflint)" "tflint --config tests/.tflint.hcl --init && tflint --config tests/.tflint.hcl"
 else
@@ -64,16 +55,19 @@ else
     echo ""
 fi
 
-# Test 6: Check required files exist
+# Test 5: Check required files exist
 run_test "Required files exist" "test -f main.tf && test -f variables.tf && test -f outputs.tf"
 
-# Test 7: Check service templates exist
-run_test "Service templates exist" "test -f services/redcap-to-redcap.service.tpl && test -f services/redcap-to-curious.service.tpl"
-
-# Test 8: Check user_data script exists
-run_test "User data script exists" "test -f user_data.sh"
+# Test 6: Check service templates exist
+run_test "Service templates exist" \
+    "test -f services/redcap-to-redcap.service.tpl && \
+     test -f services/redcap-to-curious.service.tpl && \
+     test -f services/redcap-to-redcap-batch.service.tpl && \
+     test -f services/redcap-to-curious-batch.service.tpl && \
+     test -f services/hbn-sync.service.tpl && \
+     test -f services/hbn-sync.timer.tpl"
 
-# Test 9: Check for common issues
+# Test 7: Check for common issues
 echo -e "${YELLOW}Running: Common issues check${NC}"
 issues_found=0