We would like to create a happy init command that will help set up some of the necessary configuration to onboard an application repo to be happy compatible.

NOTE: There is some configuration and automation needed to set up terraform enterprise with the appropriate orgs/teams/workspaces/etc. This is not that. Instead, we focus on the application side for now.

The basic structure for a happy-enabled repo is:

➜  happy-repo tree -a                                                                    ()
.
├── docker-compose.yml
└── .happy
    ├── config.yml
    └── terraform
        ├── envs
        │   ├── dev
        │   ├── prod
        │   └── staging
        └── modules

7 directories, 2 files

Happy init should:

• deduce where the root of the repo is
• make sure we don't already have .happy , etc configured
• create the basic structure (.happy, .happy/terraform, .happy/config.yml, .happy/..., docker-compose.yml)
• populate the happy config and Terraform directories with some standard boilerplate code and configuration
  • we might need to ask the user for input to templatize these

MustParse panics if the semantic version isn't formatted correctly (https://github.com/chanzuckerberg/happy/blame/172d22d7303b7ea790ac54a977755773e05871d3/pkg/util/preconditions.go#L33). I doubt this is the behavior you would want here. When I was testing out CLI usage, I ran happy build and got this:

% happy build
panic: Invalid Semantic Version

goroutine 1 [running]:
github.com/Masterminds/semver/v3.MustParse(...)
        github.com/Masterminds/semver/[email protected]/version.go:214
github.com/chanzuckerberg/happy/pkg/util.ValidateEnvironment({0x2326448, 0xc0000a8000})
        github.com/chanzuckerberg/happy/pkg/util/preconditions.go:33 +0x706
github.com/chanzuckerberg/happy/cmd.glob..func5(0x2dc3ea0, {0x2020dca, 0x0, 0x0})
        github.com/chanzuckerberg/happy/cmd/root.go:39 +0x6c
github.com/spf13/cobra.(*Command).execute(0x2dc3ea0, {0x2dfd0e8, 0x0, 0x0})
        github.com/spf13/[email protected]/command.go:835 +0x52f
github.com/spf13/cobra.(*Command).ExecuteC(0x2dc43a0)
        github.com/spf13/[email protected]/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/[email protected]/command.go:902
github.com/chanzuckerberg/happy/cmd.Execute(...)
        github.com/chanzuckerberg/happy/cmd/root.go:46
main.main()
        github.com/chanzuckerberg/happy/main.go:17 +0x68

I understand that I don't have a file set up properly, but I think using an API that allows you to return an error with a meaningful message would be more helpful than a panic. This also seems to happen with commands like checking the happy version:

% happy version
panic: Invalid Semantic Version

goroutine 1 [running]:
github.com/Masterminds/semver/v3.MustParse(...)
        github.com/Masterminds/semver/[email protected]/version.go:214
github.com/chanzuckerberg/happy/pkg/util.ValidateEnvironment({0x2326448, 0xc000034098})
        github.com/chanzuckerberg/happy/pkg/util/preconditions.go:33 +0x706
github.com/chanzuckerberg/happy/cmd.glob..func5(0x2dc34a0, {0x2020dca, 0x0, 0x0})
        github.com/chanzuckerberg/happy/cmd/root.go:39 +0x6c
github.com/spf13/cobra.(*Command).execute(0x2dc34a0, {0x2dfd0e8, 0x0, 0x0})
        github.com/spf13/[email protected]/command.go:835 +0x52f
github.com/spf13/cobra.(*Command).ExecuteC(0x2dc43a0)
        github.com/spf13/[email protected]/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/[email protected]/command.go:902
github.com/chanzuckerberg/happy/cmd.Execute(...)
        github.com/chanzuckerberg/happy/cmd/root.go:46
main.main()
        github.com/chanzuckerberg/happy/main.go:17 +0x68

Display non-sensitive data from the integration secret, if stack is provided, list out key AWS resource ARNs or names. If possible, display fully qualified urls to easily access resources in AWS console.

Supporting the equivalent of the create --create-tag option in the update sub-command would allow a stack to be updated without forcing a local image build.

When we kick of TFE ops, we should stream terraform output back to the users

I noticed that happy do not work when there is no active docker agent, is it possible to relief that constraint when I am only doing list (maybe also delete)?

% happy migrate --reset treeids
[INFO]: using task definition arn:aws:ecs:us-west-2:0000000:task-definition/foobar7
[ERROR]: could not get logs for task, could not get logs: ResourceNotFoundException: The specified log stream does not exist.
[INFO]: using task definition arn:aws:ecs:us-west-2:0000000:task-definition/foobar:7
[ERROR]: could not get logs for task, could not get logs: ResourceNotFoundException: The specified log stream does not exist.

happy v0.10.0

The legacy CLI supports --slice/--slice-default-tag string parameters for both update and create operations, and the golang CLI only supports those arguments on update

@danieljhegeman will provide additional details.

Is it possible to set STACK_NAME as an environment variable so that it can be accessed from the Dockerfile, similar to HAPPY_ENV?

Related to #238--what is the intended behavior for when slices are built, tagged, and pushed? If none of the services named in the integration secret belong to the profile defined by the slice, it seems that ECS looks to pull an image for a tag that doesn't get pushed and consequently hangs. Would it make sense to just push all services defined in docker-compose just so ECS at least finds something and doesn't hang?

Right now the happy list output is sorted by ... I'm not sure, maybe creation date? This output should be sorted alphabetically instead.

The Python Happy CLI supports tailing the logs of one-off tasks (migrations, db deletions) as well as services. The golang CLI only supports logs for services:

Expected:

% ./scripts/happy logs daterange migrations --since 2h
2022-04-21T18:53:29.261000+00:00 fargate/db/154c60567bff414cbe750a1b4aa3f300 ALTER TABLE
2022-04-21T18:53:29.331000+00:00 fargate/db/154c60567bff414cbe750a1b4aa3f300 ALTER TABLE
2022-04-21T18:53:29.338000+00:00 fargate/db/154c60567bff414cbe750a1b4aa3f300 ALTER TABLE
2022-04-21T18:53:29.343000+00:00 fargate/db/154c60567bff414cbe750a1b4aa3f300 ALTER TABLE

Actual:

% happy logs daterange migrations --since 2h
[FATAL]: error retrieving tasks for service 'daterange-migrations': cannot retrieve ECS tasks: operation error ECS: ListTasks, https response error StatusCode: 400, RequestID: 71454f50-4cf5-4e4f-b3e1-3f5354991891, ServiceNotFoundException: Service not found.

Here are two examples of namespacing issues for happy applications shared in the same account:

• https://github.com/chanzuckerberg/shared-infra/pull/5078
• https://github.com/chanzuckerberg/shared-infra/pull/5074

We should review the happy-env-ecs module and make sure all resources it creates are properly namespaced by environment so we can avoid created ambiguous resources that we aren't sure what happy application it is attached to. I think this should be as simple as making sure all the unique identifiers for resources follow our conventions of using a combination of env, service, component, owner

what happened:
the deploy-staging github action https://github.com/chanzuckerberg/eng-portal/actions/runs/2424427561/attempts/6 errored out with [FATAL]: failed to get workspace for stack eng-portal: failed to get workspace: could not read workspace staging-eng-portal: resource not found but running the update locally does not result in this error.

the fix:

• create a new TFE team eng-portal-pros with all permissions
• create a new token for the team
• copy the token into github actions secrets

thoughts:
it wasn't clear at which level of abstraction the client failed to find the workspace. perhaps having an output for API client health would have pointed us in the right direction here?

It would be great if the RDS information such as the host, username, and password were in the integration secret. These all need to be consumed by the application code to connect to the database so it makes sense that they would live there. I can contribute this change, just documenting the use case here because as of right now, I had to go to the statefile to see the RDS password and manually copy it into my parameter store.

we do things like (happy --profile="" list | grep -q $STACK_NAME in a couple of places to determine if we should create or update a happy stack.

2 options:

• something like happy get stack <stack_name> will output information about the stack if it exists or an error otherwise.
• happy update allows passing in a flag to create if missing.

Currently the happy path stack supports only running single service.We will be working to support multiple services/applications in a single happy path stack

Think about a way to help facilitate the management of stateful dependencies (s3, sql db, etc) for happy apps. In particular, is there anything nice we can build for rdev (dev,staging,prod have a good handle already via terraform since they don't have to pay the rds bootstrap cost more than once)

If the user has not authenticated with TF Enterprise (recently), then happy commands file. E.g. happy list reports:
failed to get workspace: could not read workspace <stack>: unauthorized.

The CLI could check the user's authentication status and explain that the user needs to (re)authenticate.

This behavior existed in the Happy CLI Python version.

We should check, upfront, that the provided StackNames in {create, delete, migrate, etc} are all compatible with DNS charset and error out immediately if they aren't

https://aws.github.io/aws-sdk-go-v2/docs/migrating/

Oftentimes, happy create stack takes a while, and due to the verbosity of the output, it is not trivial to understand how long does each phase of the run take. It will be beneficial to display a summary at the end of the run, indicating how long did the entire process take, and break it down by each key component. For example:

docker build: 20m
docker push: 1m
terraform: 2m
------------------
total: 23m

Stacks that have not been created successfully (terraform code issues), cannot be deleted through CLI.

We should phase out shelling out to external dependencies and instead directly use Go clients + sdks. One particular example is we have 2 paths for tailing aws logs:

• aws cli --

  happy/pkg/orchestrator/orchestrator.go

  Lines 229 to 255 in bf5541e

  	func (s *Orchestrator) Logs(stackName string, service string, since string) error {
  	// TODO get logs path from ECS instead of generating
  	logPrefix := s.backend.Conf().LogGroupPrefix()
  	logPath := fmt.Sprintf("%s/%s/%s", logPrefix, stackName, service)
  	awsProfile := s.backend.Conf().AwsProfile()
  	regionName := "us-west-2"
  	awsArgs := []string{"aws", "--profile", awsProfile, "--region", regionName, "logs", "tail", "--since", since, "--follow", logPath}
  	awsCmd, err := exec.LookPath("aws")
  	if err != nil {
  	return errors.Wrap(err, "failed to locate the AWS cli")
  	}
  	cmd := &exec.Cmd{
  	Path: awsCmd,
  	Args: awsArgs,
  	Stderr: os.Stderr,
  	Stdout: os.Stdout,
  	}
  	log.Println(cmd)
  	if err := s.executor.Run(cmd); err != nil {
  	return errors.Wrap(err, "failed to get logs from AWS")
  	}
  	return nil
  	}

• go sdk --

  happy/pkg/backend/aws/logs.go

  Lines 1 to 30 in bf5541e

  	package aws
  	import (
  	"context"
  	cwlv2 "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
  	)
  	type GetLogsFunc func(*cwlv2.GetLogEventsOutput, error) error
  	func (b *Backend) getLogs(
  	ctx context.Context,
  	input *cwlv2.GetLogEventsInput,
  	f GetLogsFunc,
  	) error {
  	paginator := cwlv2.NewGetLogEventsPaginator(
  	b.cwlGetLogEventsAPIClient,
  	input,
  	)
  	for paginator.HasMorePages() {
  	err := f(paginator.NextPage(ctx))
  	if isStop(err) {
  	return nil
  	}
  	if err != nil {
  	return err
  	}
  	}
  	return nil
  	}

We should get rid of the aws cli path and replace it with the Go SDK path

We currently error out when the TFE token is expired or dormant and should handle this more gracefully instead.

Need to figure out if:

• terraform login. Required if there is a token that is now permanently unauthorized. Say you deleted the token from the TFE UI.
• or "open browser to refresh token". Can do this when the token is "dormant"

I'm not sure if the client has enough information to distinguish between 2,3 scenarios so we might just have to pick one or the other.

edit:

• terraform login. Required if the token does not exist. this is handled already

Move the confluence documentation to this repo or add a link to the README.md. This will make it easier to 1. know that there is actual documentation, and make it easier to find.

Here is an example workflow for pushing to staging https://github.com/chanzuckerberg/eng-portal/runs/6327429188?check_suite_focus=true. Specifically this line. When happy does a build and push, it uses this command:

/usr/bin/docker compose --file /home/runner/work/eng-portal/eng-portal/docker-compose.yml --profile * build

Looking at my docker-compose file, this means it should build two images: eng-portal-local-dev and eng-portal:

version: "3.8"

services:
  eng-portal-local-dev:
    build:
      context: .
      target: devenv
    restart: always
    ports:
      - 3000:3000
      - 7007:7007
    volumes:
      - ./backstage:/app/backstage
      - /app/backstage/node_modules/
      - /app/backstage/packages/app/node_modules/
      - /app/backstage/packages/backend/node_modules/
    profiles:
      - local-dev
    depends_on:
      - db
    environment:
      - AWS_PROFILE=czi-si-readonly 
      - CHAMBER_SERVICE=happy-ldev-ep
      - AWS_DEFAULT_REGION
      - AWS_DEFAULT_OUTPUT
      - AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY
      - AWS_SESSION_TOKEN
  db:
    image: postgres
    profiles:
      - local-dev
      - prod-builder
    restart: always
    ports:
      - 5432:5432
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
  eng-portal:
      build:
        context: .
        target: prodenv
      restart: always
      profiles:
        - prod-builder
      depends_on:
        - db
      ports:
      - 7007:7007
      environment:
        - AWS_PROFILE=czi-si-readonly 
        - CHAMBER_SERVICE=happy-ldev-ep
        - AWS_DEFAULT_REGION
        - AWS_DEFAULT_OUTPUT
        - AWS_ACCESS_KEY_ID
        - AWS_SECRET_ACCESS_KEY
        - AWS_SESSION_TOKEN

And when it pushes, I would expect only the eng-portal service image to make it into ECR. However, looking at this workflow logs, it only builds the eng-portal-local-dev container and pushes that to ECR. Does anyone know why eng-portal-local-dev is making it into ECR? Based on #238 it should only push images that have the same name as the ones defined in the happy environment (in this case "eng-portal").

I was currently using the following code to attach an inline policy to my ECS role:

module "ssm-reader-policy" {
  source = "github.com/chanzuckerberg/cztack//aws-params-reader-policy?ref=v0.43.3"
  #TODO: how to do this in happy? there are no tags
  project   = "happy"
  env       = var.deployment_stage
  service   = local.service_name
  region    = data.aws_region.current.name
  role_name = var.task_role.name
}

However, the role var.task_role.name was a role that was given to me by the integration secret, which means it is shared between all services in the same cluster. I notice that while two or more people are making changes to their stacks, the role's inline policy was changing over time. Sometimes, it would have the policy and sometimes it would not. I think this is because of how the stacks are sharing this ECS role and each stack can have a different branch of the terraform code that is being applied to their stack.

Is there a better way to handle this? I don't know how else I would provide permissions to my stack that wouldn't be altered by other stacks. I also wonder if we should detect these kinds of shared resources and guard against them.

The CLI isn't running db migrations by default after updating a stack, and there's also no CLI option to disable this default action.

I didn't realize until yesterday that when I did a happy push, happy will only push the images that match the same name as the services that are listed in the happy-env-ecr terraform module. This took me a while to debug. The root cause was that I was changing the name of the services in my docker compose without really realizing the implications. If we could add logs to show what services from the docker compose were being built and pushed, I think that would have helped a lot.

I'll also add a minor complaint here even though it doesn't really belong as part of the feature request. It is a little counter-intuitive that happy prepends a docker registry URL even if one doesn't exist in the docker compose file. As part of my debugging of the issue above, I had an image that I thought would only be built locally. It looked something likethis:

services:
  eng-portal:
    image: eng-portal-local-dev

Notice the image attribute doesn't have a ECR repo prepended to it. However, since the service name matches what existed in the happy-env-ecr terraform module, happy built it and pushed it to the service's ECR. The code that adds the prepended URL is here I believe.

Feedback like this doesn't seem to be intuitive.

aspen git:(trunk)$ happy list
[FATAL]: local environment is misconfigured: 1 error occurred:
        * could not find session-manager-plugin in path: exec: "session-manager-plugin": executable file not found in $PATH

Supposedly passing --platform linux/amd64 into docker build and docker run will do.

Conflicts:

• Route 53
• Cloudwatch Log Groups
• Lambda functions

I have repo that currently takes a very long time to build the Docker container due to a large npm install. Whenever I run happy create or happy update, it tries to rebuild the images. Is this by design? Here is the use case where this was frustrating:

1. I create some Terraform
2. I fixed some code
3. I create a stack to test my changes
4. I realize the Terraform is not right, so I make an update to the terraform
5. I run happy update <stack_name>
6. Even though I can use the same image, it rebuilds it