Conversation
mikebeeby
changed the title
mikebeeby
force-pushed
the
OJ-3625
branch
4 times, most recently
from
648438b to
499f456
Compare
We need to add OAuthCommon and the suppport OAuthCommon SSM parameters to ready us migrating from common-lambdas. This will ensure the tables exist, and the table names and CMK ID can be retrieved by common-lambdas so we can then enable the stream. Note: The SSM parameters have hardcoded paths so they can only be deployed once per account, hence the IsNotLocalDevEnvironment condition.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
OAuth Migration Guide
This PR is only a guide and should not be merged
Step Overview
Although some of the steps are included in this single PR, this is only an example. Each step below requires a deploy to either
common-lambdasor the CRI API stack.Step 1 - Ensure Common Lambdas is up-to-date
Ensure you have the most recent common-lambdas deployed, with this PR in particular: govuk-one-login/ipv-cri-common-lambdas#645
At this point, the
EnableDynamoDbStreammapping should be set tofalsefor your CRI. The stream lambda will not be deployed at this point.Step 2 - Add OAuthCommon to the CRI API stack
Add OAuthCommon to your CRI API stack, but do not yet use. This is to ensure the new tables are created so we can migrate to them.
You also need to output the Session table name, Person Identity table name and CMK key ID to the SSM parameter paths below.
/common-cri/oauth-common/OAuthSessionTableName/common-cri/oauth-common/OAuthPersonIdentityTableName/common-cri/oauth-common/OAuthCustomerManagedKeyId*Important: The SSM parameters have hardcoded paths so they can only be deployed once per account, hence the
IsNotLocalDevEnvironmentcondition. Unfortunatelycommon-lambdasdoes not know much about the application stack using it, so configuring it to look for dynamic parameters was not possible.Changes will need to be made to the action that deploys pre-merge stacks also:
govuk-one-login/github-actions/samto4c76410195b5fcb1804fc7c183ed20704252830f(or more recent).stack-name-prefix:may also need shortening, due to the OAuth lambda names getting too long.Pipelines - At time of writing, deploying through the pipelines is currently not working. The tickets below are tracking this, there may be additional work prior to completing this step to ensure the pipelines deploy
https://govukverify.atlassian.net/browse/PSREDEV-3425 & https://govukverify.atlassian.net/browse/LIME-2144
Example: See the first commit on this PR for this step in practice: 56ba3b6
*If you do not want to use a CustomerManagedKey for the OAuthCommon databases, and are going to overwrite the parameter
DbCustomerManagedKeytofalse. You'll need to make a slight change to the Stream lambda in common-lambdas to wrap theKMSDecryptPolicyin aifcondition. (This has been done for the existingcommon-lambdasCMK so can be easily copied)Before proceeding to Step 3, ensure the nested OAuthCommon stack exists in all accounts, and the SSM parameters are populated with the correct names and ID.
Step 3 - Enable the DynamoDB stream in Common Lambdas (lower envs only)
We now want to enable the stream from the common-lambdas tables to the OAuthCommon tables. To do so, set
EnableDynamoDbStreamtotrueincommon-lambdasI would recommend only doing this is
dev&buildinitially. We can then conduct some testing in build.Validate this is working correctly, by running a through journeys and checking the
OAuthCommontables mirror thecommon-lambdastables.Step 4 - Migrate CRI API stack to use OAuthCommon (lower envs only)
WIP
Start perf tests -> Wait TTL (optional) -> Migrate OAuthCommon -> Check no errors
Migrate the CRI API stack to using OAuthCommon. See the second commit on this repo:
Step 5 - Enable the DynamoDB stream in Common Lambdas (all envs)
Set
EnableDynamoDbStreamtotrueincommon-lambdasin all environments.As this now includes
prodwe need to ensure all sessions are in theOAuthCommontables. This time we need to wait longer than the TTL before proceeding to the next step (usually 2 hrs, some CRIs may differ).Then, validate the
OAuthCommontables mirror thecommon-lambdastables.Step 6 - Migrate CRI API stack to use OAuthCommon (all envs)
WIP
Step 7 - Remove Common Lambdas
WIP
Issue tracking