@hasna/uptime 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,107 @@
1
+ # AWS Deployment Runbook
2
+
3
+ This runbook is for the `hasna-xyz-infra` AWS account target. It is intentionally
4
+ dry-run first: the local generator produces a plan and command list, but it does
5
+ not call AWS or mutate infrastructure.
6
+
7
+ ## Generate The Plan
8
+
9
+ ```bash
10
+ uptime cloud plan --json > open-uptime-aws-plan.json
11
+ uptime cloud spark01-config --probe-id prb_spark01 --env > spark01-uptime.env
12
+ ```
13
+
14
+ Defaults come from the current design inventory:
15
+
16
+ - account/profile label: `hasna-xyz-infra`
17
+ - region: `us-east-1`
18
+ - VPC: `vpc-04c7f7abc1d3c3f56`
19
+ - RDS instance: `hasna-xyz-infra-apps-prod-postgres`
20
+ - hostname: `uptime.hasna.xyz`
21
+ - workspace id: `wks_2tyysw05cwap`
22
+
23
+ Override these with CLI flags if the infra owner chooses a different value.
24
+
25
+ The generated AWS plan currently returns `status: "blocked"` and
26
+ `canApply: false`. The generated Spark01 config returns `status: "blocked"` and
27
+ `canStart: false`. Treat both as review/preflight artifacts until the blockers
28
+ and required evidence in the JSON output are resolved.
29
+
30
+ The app repo includes a hosted runtime `Dockerfile` and Terraform/OpenTofu
31
+ starter files in `infra/aws`. The plan output points to these files and keeps
32
+ `applyAllowed: false`.
33
+
34
+ `uptime cloud spark01-config --env` requires a real `--probe-id`; it will not
35
+ write a sourceable env file with a placeholder probe identity.
36
+
37
+ ## Preflight
38
+
39
+ 1. Locate the real `hasna-xyz-infra` infrastructure repository or create the
40
+ change in the approved owner repository.
41
+ 2. Confirm the AWS caller identity:
42
+
43
+ ```bash
44
+ aws sts get-caller-identity --profile hasna-xyz-infra
45
+ ```
46
+
47
+ 3. Confirm the target VPC and RDS instance still match the plan.
48
+ 4. Confirm Route53/edge ownership for the chosen hostname.
49
+ 5. Confirm the deployment role uses short-lived credentials or OIDC, not copied
50
+ access keys.
51
+
52
+ ## Required Resources
53
+
54
+ The plan expects:
55
+
56
+ - ECR repository for the Open Uptime image.
57
+ - ECS/Fargate cluster with separate services for web, scheduler, public probe,
58
+ reporter, and one-off migrations.
59
+ - ALB, TLS certificate, target group, and security groups.
60
+ - Existing private Postgres instance with dedicated Uptime roles or database.
61
+ - S3 bucket for redacted browser evidence and generated report artifacts.
62
+ - Secrets Manager or SSM refs for database, app env, probe config, and
63
+ reporting channel refs.
64
+ - CloudWatch log groups for every component plus initial web 5xx/unhealthy
65
+ alarms. Scheduler-stall, stale-probe, and report-delivery alarms remain
66
+ blocked until those workers emit cloud metrics.
67
+
68
+ Provision these through the approved infrastructure repository and reviewed
69
+ plan/apply flow. The local `uptime cloud plan` output intentionally avoids
70
+ copy-pastable AWS mutation commands.
71
+
72
+ Plan the included Terraform/OpenTofu starter without a backend:
73
+
74
+ ```bash
75
+ terraform -chdir=infra/aws fmt -check
76
+ terraform -chdir=infra/aws init -backend=false
77
+ terraform -chdir=infra/aws validate
78
+ terraform -chdir=infra/aws plan -out open-uptime.tfplan
79
+ ```
80
+
81
+ ## Spark01
82
+
83
+ Spark01 should be a private probe/operator machine, not the hosted source of
84
+ truth. The generated env file points Spark01 at hosted `/api/v1` state and
85
+ references a local private-key file path. It does not include private key or
86
+ token contents.
87
+
88
+ The private probe service should not be enabled until hosted probe claim/submit
89
+ routes are backed by cloud check jobs and cloud audit rows.
90
+
91
+ ## Safety Rules
92
+
93
+ - Do not deploy hosted mode with `HASNA_UPTIME_ALLOW_HOSTED_LOCAL_STORE=1`.
94
+ - Do not inline AWS keys, hosted tokens, Mailery keys, Open Logs tokens, database
95
+ URLs, or probe private keys in task definitions. Use ECS `secrets.valueFrom`
96
+ refs such as `HASNA_UPTIME_DATABASE_URL` and `HASNA_UPTIME_HOSTED_TOKEN`.
97
+ - Do not run public probe workers against private targets.
98
+ - Do not expose dashboard/API routes without hosted auth and workspace checks.
99
+ - Do not treat local SQLite, local project DBs, or Spark01 local state as cloud
100
+ authority after cutover.
101
+
102
+ ## Rollback
103
+
104
+ Before each service update, record the previous task definition ARN. Roll back
105
+ by disabling scheduler/reporter work first, then restoring the previous web or
106
+ worker task definition. RDS snapshot restore requires separate operator approval
107
+ and an audit event.
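
Review bot: the `terraform -chdir=infra/aws plan -out open-uptime.tfplan` step under Required Resources writes a saved plan file, and saved plan files contain the full values of all input variables, including those marked `sensitive`, so the runbook should state that `open-uptime.tfplan` is a local, short-lived artifact that must not be committed, uploaded as a CI artifact, or attached to review tickets; otherwise it undercuts the Safety Rules that forbid inlining secrets. Two smaller points: preflight step 2 (`aws sts get-caller-identity --profile hasna-xyz-infra`) tells the operator to confirm the caller identity but gives nothing to compare against, so the expected account ID and role name should be recorded next to it (or in the plan JSON) so the check is a real assertion rather than a glance; and in the Safety Rules bullet, `HASNA_UPTIME_DATABASE_URL` and `HASNA_UPTIME_HOSTED_TOKEN` are container environment variable names, while ECS `secrets.valueFrom` takes the Secrets Manager or SSM parameter ARN, so rewording to "map `HASNA_UPTIME_DATABASE_URL` to its Secrets Manager/SSM ARN via `valueFrom`" would make the intended shape unambiguous.
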
@@ -0,0 +1,25 @@
1
+ # This file is maintained automatically by "terraform init".
2
+ # Manual edits may be lost in future updates.
3
+
4
+ provider "registry.terraform.io/hashicorp/aws" {
5
+ version = "5.100.0"
6
+ constraints = "~> 5.0"
7
+ hashes = [
8
+ "h1:wOhTPz6apLBuF7/FYZuCoXRK/MLgrNprZ3vXmq83g5k=",
9
+ "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
10
+ "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
11
+ "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
12
+ "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
13
+ "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
14
+ "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
15
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
16
+ "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
17
+ "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
18
+ "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
19
+ "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
20
+ "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
21
+ "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
22
+ "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
23
+ "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
24
+ ]
25
+ }
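
Review bot: the lock entry for `registry.terraform.io/hashicorp/aws` 5.100.0 carries a single `h1:` hash, which covers only the platform the lock was generated on; the `zh:` entries let `terraform init` verify the provider on other platforms, but init will then rewrite this file to add that platform's `h1:` hash, producing unreviewed churn in a security-relevant pin every time a different operator machine or CI runner initializes. Run `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64` (substituting whichever platforms the team and CI actually use) and commit the result so the lock file stays byte-stable, and note in the infra README that the lock file is authoritative and should not be regenerated ad hoc.
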
@@ -0,0 +1,32 @@
1
+ # Open Uptime AWS Infra
2
+
3
+ This directory is a reviewable Terraform/OpenTofu starting point for deploying
4
+ Open Uptime in the `hasna-xyz-infra` AWS account. It is intentionally
5
+ plan-first. Do not apply it directly from this app repo unless the infrastructure
6
+ owner has approved this directory as the source of truth or has copied it into
7
+ the approved infra repository.
8
+
9
+ ## Expected Flow
10
+
11
+ ```bash
12
+ terraform -chdir=infra/aws fmt -check
13
+ terraform -chdir=infra/aws init -backend=false
14
+ terraform -chdir=infra/aws validate
15
+ terraform -chdir=infra/aws plan -out open-uptime.tfplan
16
+ ```
17
+
18
+ Required inputs are declared in `variables.tf` and illustrated in
19
+ `terraform.tfvars.example`. Secrets are passed as Secrets Manager/SSM ARNs only;
20
+ never place plaintext tokens, database URLs, private keys, or channel
21
+ credentials in `.tfvars` files.
22
+
23
+ ## Current Blockers
24
+
25
+ - Hosted Postgres adapter and migrations are not implemented in the app yet.
26
+ - Hosted production auth/RBAC still needs scoped, revocable credentials.
27
+ - Public probe runtime still needs execution-time DNS/redirect/rebinding SSRF
28
+ enforcement.
29
+ - Spark01 hosted private-probe enrollment/heartbeat/revocation is still
30
+ fail-closed.
31
+
32
+ Keep `desired_count` at `0` or plan-only until those blockers are closed.
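
Review bot: under Expected Flow the README points operators at `variables.tf` and `terraform.tfvars.example` as the declared inputs, but neither file appears in this version diff, so either confirm both ship in the published package alongside this README and the lock file or drop the reference until they do, since a runbook that cites missing files will be followed by guesswork. The tfvars warning is good but incomplete: it should also name non-example `*.tfvars` and `*.tfplan` as files to keep out of the repository and out of the published npm package (via `.gitignore` and `.npmignore` or the `files` field), because a saved plan file carries the same variable values the warning is trying to keep out of `.tfvars`. Finally, "Keep `desired_count` at `0`" is the right gate given the Current Blockers list, but it would be stronger as a validation on the variable itself (for example, a `validation` block that rejects a non-zero count until a named flag is set) rather than a sentence in prose.
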