Merge pull request #273 from strongdm/feat/add-healthcheck-endpoint

Add health check endpoint
strongdm · Aug 19, 2022 · bac5e48 · bac5e48
2 parents d1d66c6 + fef53e0
commit bac5e48
Show file tree

Hide file tree

Showing 16 changed files with 141 additions and 103 deletions.
diff --git a/README.md b/README.md
@@ -78,8 +78,8 @@ docker compose up -d
 ```
 
 Then, the bot should start running in the background. If you want to check the logs you can run the following command: 
-```
-docker logs accessbot_accessbot_1
+```bash
+$ docker logs accessbot_accessbot_1
 ```
 
 #### Without Docker

diff --git a/docs/CONFIGURE_LOCAL_ENV.md b/docs/CONFIGURE_LOCAL_ENV.md
@@ -2,43 +2,43 @@
 
 ## Environment configuration
 The installation of grpcio can be challenging, for that reason you might want to use [conda](https://docs.conda.io/en/latest/). In that case, just go through the following steps
-```
-conda create --prefix venv
-conda install --prefix venv pip
-conda activate venv/
-pip install -r requirements/dev.txt
+```bash
+$ conda create --prefix venv
+$ conda install --prefix venv pip
+$ conda activate venv/
+$ pip install -r requirements/dev.txt
 ```
 
 ## Variables configuration
-```
-export SDM_API_ACCESS_KEY=api-access-key
-export SDM_API_SECRET_KEY=api-secret-key
-export SDM_ADMINS=@admin1 # if multiple, use: @admin1 @admin2
+```bash
+$ export SDM_API_ACCESS_KEY=api-access-key
+$ export SDM_API_SECRET_KEY=api-secret-key
+$ export SDM_ADMINS=@admin1 # if multiple, use: @admin1 @admin2
 ```
 
 ### BOT PLATFORM variables configuration
 
 See the subsessions about SDM_BOT_PLATFORM specific variables:
 
 #### SDM_BOT_PLATFORM is `slack`
-```
-export SLACK_APP_TOKEN=slack-app-token
-export SLACK_BOT_TOKEN=slack-bot-token
+```bash
+$ export SLACK_APP_TOKEN=slack-app-token
+$ export SLACK_BOT_TOKEN=slack-bot-token
 ```
 
 See [Configure Slack](slack/CONFIGURE_SLACK.md)
 
 #### SDM_BOT_PLATFORM is `slack-classic`
-```
-export SLACK_TOKEN=slack-token
+```bash
+$ export SLACK_TOKEN=slack-token
 ```
 
 See [Configure Slack Classic Bot](slack/CONFIGURE_SLACK_CLASSIC.md)
 
 #### SDM_BOT_PLATFORM is `ms-teams`:
-```
-export AZURE_APP_ID=app-id
-export AZURE_APP_PASSWORD=app-password
+```bash
+$ export AZURE_APP_ID=app-id
+$ export AZURE_APP_PASSWORD=app-password
 ```
 
 See [Configure Microsoft Teams](teams/CONFIGURE_MS_TEAMS.md)
@@ -48,20 +48,20 @@ See [Configure Microsoft Teams](teams/CONFIGURE_MS_TEAMS.md)
 Before initialize errbot, you also need to [Configure SDM](configure_accessbot/CONFIGURE_SDM.md).
 
 ## Initialize errbot
-```
-mv config.py config.py.back
-pip install errbot[slack]
-mv config.py.back config.py
+```bash
+$ mv config.py config.py.back
+$ pip install errbot[slack]
+$ mv config.py.back config.py
 ```
 
 ## Update submodules
-```
-git submodule init
-git submodule update
+```bash
+$ git submodule init
+$ git submodule update
 ```
 
 ## Run the bot
-```
-pytest # run tests
-errbot # starts bot
+```bash
+$ pytest # run tests
+$ errbot # starts bot
 ```
diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md
@@ -14,16 +14,16 @@ Finally, open the link and scroll to the bottom of the page to find your usernam
 Another option is to use [this Python script](../tools/get-slack-handle.py), which will output your Slack username.
 
 ## Getting logs
-```
+```bash
 # Getting logs
-docker logs accessbot_accessbot_1 
+$ docker logs accessbot_accessbot_1 
 # Following logs
-docker logs -f accessbot_accessbot_1
+$ docker logs -f accessbot_accessbot_1
 ```
 
 ## Changing log level
 The default logging level is set to `INFO`. In case you want to get more information, you could add the following env variable:
-```
+```yaml
 version: "3.9"
 services:
   accessbot:
@@ -34,6 +34,6 @@ services:
 ```
 
 For getting specific AccessBot logs, you could use:
-```
-docker logs -f accessbot_accessbot_1 2>&1 | grep "##SDM##"
+```bash
+$ docker logs -f accessbot_accessbot_1 2>&1 | grep "##SDM##"
 ```
diff --git a/docs/configure_accessbot/ACCESS_CONFIGURATION.md b/docs/configure_accessbot/ACCESS_CONFIGURATION.md
@@ -45,7 +45,7 @@ Different workflows (permutations) can be configured using the flags mentioned a
 
 ## Using tags
 Following some sample commands you can use for configuring tags (e.g. `SDM_AUTO_APPROVE_TAG=auto-approve`):
-```
+```bash
 $ sdm admin datasources list -e
 Datasource ID           Name                 Type          ...         Tags
 rs-4c29d3006066e7ef     snowflake-test-1     snowflake     ...

diff --git a/docs/configure_accessbot/CONFIGURE_ACCESSBOT.md b/docs/configure_accessbot/CONFIGURE_ACCESSBOT.md
@@ -83,7 +83,7 @@ NOTE: In the whoami command, the email field will show you the email that will b
 A snippet that might help:
 
 #### Allow Resource
-```
+```bash
 $ sdm admin ssh list
 Server ID               Name
 rs-xxxxxxxxxxxxxxx     public-key-ssh
@@ -99,7 +99,7 @@ changed 1 out of 1 matching datasource
 Basically, you need to get the resource id and then add a tag with the name you've configured in `SDM_ALLOW_RESOURCE_TAG`. In the example above, we're assuming that `SDM_ALLOW_RESOURCE_TAG=allow-resource`. When this tag is configured only the resources with the tag value set to `true` will be displayed. In order to hide the resource, just delete the tag from it.
 
 #### Hide Resource
-```
+```bash
 $ sdm admin ssh list
 Server ID               Name
 rs-xxxxxxxxxxxxxxx     public-key-ssh
@@ -117,7 +117,7 @@ Basically, you need to get the resource id and then add a tag with the name you'
 From [AccessBot v1.0.3](https://github.com/strongdm/accessbot/releases/tag/1.0.3) the value of the tag is interpreted (see [here](https://github.com/strongdm/accessbot/issues/83)). You could use: `hide-resource=false` instead of deleting the tag. For more information about using tags please refer to the [documentation](https://www.strongdm.com/docs/automation/getting-started/tags).
 
 #### User Roles
-```
+```bash
 $ sdm admin users list
 User ID                First Name     Last Name     Email                            Tags
 a-xxx                  Firstname1     Lastname1     [email protected]
@@ -131,7 +131,7 @@ $ sdm admin users update --email [email protected] --delete-tags 'sdm-roles'
 ```
 
 #### Allow Roles
-```
+```bash
 $ sdm admin roles list
 Role ID                Name             Composite     Tags
 r-xxxxxxxxxxxxxxx      my-role          false         

diff --git a/docs/slack/Accessform.md b/docs/slack/Accessform.md
@@ -34,8 +34,8 @@ In order to configure the form, you'd need to create a new Slack App, take a loo
 
         - SDM_ACCESS_FORM_BOT_NICKNAME: obtained by executing the following command in a terminal inside the root folder of the `accessbot` project (remember to be inside the accessbot project virtual environment and to export the necessary environment variables, otherwise an error will occur) :
 
-            ```shell
-            python tools/get-slack-handle.py -d "AccessForm"
+            ```bash
+            $ python tools/get-slack-handle.py -d "AccessForm"
             ```
             > By default this nickname is `@accessform`.
 

diff --git a/docs/slack/CONFIGURE_ACCESSBOT_FORM.md b/docs/slack/CONFIGURE_ACCESSBOT_FORM.md
@@ -13,8 +13,8 @@ To request access to a StrongDM resource through AccessBot using a form set the
 
 To know the value you should put in the environment variable, run the following command in the terminal (in the project root):
 
-```
-python3 tools/get-slack-handle.py -d "AccessBot Form" 
+```bash
+$ python3 tools/get-slack-handle.py -d "AccessBot Form" 
 ```
 After running this command, you should be able to see something like this in the terminal:
 

diff --git a/docs/teams/CONFIGURE_MS_TEAMS.md b/docs/teams/CONFIGURE_MS_TEAMS.md
@@ -78,7 +78,7 @@ SDM_GRANT_TIMEOUT=90
 10. Install docker-compose
 11. Create the docker-compose.yaml
 
-```jsx
+```yaml
 version: "3.9"
 services:
    accessbot:
@@ -99,14 +99,13 @@ services:
 14. Copy default file in /etc/nginx/sites-enabled to have a backup, then modify default site to have this configuration.
 15. Note: after making changes to the config file restart the nginx service
 
-```jsx
+```conf
 server {
     server_name yourDNSNameorIPhere.com;
 
     location / {
             proxy_pass http://127.0.0.1:3141;
     }
-
 }
 ```
 
@@ -118,7 +117,7 @@ server {
 
 17. Create an App ID via online tool like [UUID Gen](https://www.uuidgenerator.net/version1)
 
-```bash
+```
 47799de2-98f6-11ec-b909-0242ac120002
 ```
 

diff --git a/k8s-descriptor.yaml b/k8s-descriptor.yaml
@@ -25,30 +25,46 @@ spec:
         app: accessbot
     spec:
       containers:
-      - name: accessbot
-        image: public.ecr.aws/strongdm/accessbot:latest
-        env:
-        - name: SDM_ADMINS
-          value: "@nickname1 @nickname2"
-        - name: SDM_API_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: accessbot-secret
-              key: SDM_API_ACCESS_KEY
-        - name: SDM_API_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: accessbot-secret
-              key: SDM_API_SECRET_KEY
-        - name: SDM_BOT_PLATFORM
-          value: "slack"
-        - name: SLACK_APP_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: accessbot-secret
-              key: SLACK_APP_TOKEN
-        - name: SLACK_BOT_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: accessbot-secret
-              key: SLACK_BOT_TOKEN
+        - name: accessbot
+          image: public.ecr.aws/strongdm/accessbot:latest
+          startupProbe:
+            httpGet:
+              host: localhost
+              port: 3141
+              path: /health-check
+            failureThreshold: 30
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              host: localhost
+              port: 3141
+              path: /health-check
+            periodSeconds: 5
+          ports:
+            - containerPort: 3141
+              hostPort: 3141
+          env:
+            - name: SDM_ADMINS
+              value: "@nickname1 @nickname2"
+            - name: SDM_API_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: accessbot-secret
+                  key: SDM_API_ACCESS_KEY
+            - name: SDM_API_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: accessbot-secret
+                  key: SDM_API_SECRET_KEY
+            - name: SDM_BOT_PLATFORM
+              value: "slack"
+            - name: SLACK_APP_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: accessbot-secret
+                  key: SLACK_APP_TOKEN
+            - name: SLACK_BOT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: accessbot-secret
+                  key: SLACK_BOT_TOKEN
diff --git a/plugins/sdm/accessbot.plug b/plugins/sdm/accessbot.plug
@@ -1,7 +1,7 @@
 [Core]
 name = AccessBot
 module = accessbot
-DependsOn = Webserver,Utils
+DependsOn = Webserver,Utils,Health
 
 [Documentation]
 description = Grants access to strongDM resources

diff --git a/plugins/sdm/accessbot.py b/plugins/sdm/accessbot.py
@@ -1,16 +1,15 @@
 import os
 import re
 from itertools import chain
-
-from errbot import BotPlugin, re_botcmd, Message
+from errbot import BotPlugin, re_botcmd, Message, webhook
 from errbot.core import ErrBot
 from slack_sdk.errors import SlackApiError
 
 import config_template
 from lib import ApproveHelper, create_sdm_service, MSTeamsPlatform, PollerHelper, \
     ShowResourcesHelper, ShowRolesHelper, SlackBoltPlatform, SlackRTMPlatform, \
     ResourceGrantHelper, RoleGrantHelper, DenyHelper, CommandAliasHelper, ArgumentsHelper, \
-    GrantRequestHelper, WhoamiHelper, MetricsHelper
+    GrantRequestHelper, WhoamiHelper, MetricsHelper, HealthCheckHelper
 from lib.util import normalize_utf8
 from grant_request_type import GrantRequestType
 
@@ -71,7 +70,12 @@ def activate(self):
         poller_helper = self.get_poller_helper()
         self.start_poller(FIVE_SECONDS, poller_helper.stale_grant_requests_cleaner)
         self.start_poller(ONE_MINUTE, poller_helper.stale_max_auto_approve_cleaner)
-        self._platform.activate()
+        self.__activate_webserver()
+
+    def __activate_webserver(self):
+        webserver = self.get_plugin('Webserver')
+        webserver.configure(webserver.get_configuration_template())
+        webserver.activate()
         # TODO Extend this check to the rest of the method
         # If something doesn't need to be "instantiated" again we shouldn't be doing it
         if self.__grant_requests_helper is None:
@@ -89,7 +93,7 @@ def _hide_utils_whoami_command(self):
         utils.activate()
 
     def deactivate(self):
-        self._platform.deactivate()
+        self.get_plugin('Webserver').deactivate()
         super().deactivate()
 
     def init_access_form_bot(self):
@@ -256,6 +260,10 @@ def whoami(self, message, _):
     def match_alias(self, message, _):
         yield from self.get_command_alias_helper().execute(message)
 
+    @webhook('/health-check')
+    def _health_check(self, _):
+        return self.get_health_check_helper().execute()
+
     @staticmethod
     def get_admins():
         return os.getenv("SDM_ADMINS", "").split(" ")
@@ -301,6 +309,9 @@ def get_arguments_helper(self):
     def get_whoami_helper(self):
         return WhoamiHelper(self)
 
+    def get_health_check_helper(self):
+        return HealthCheckHelper(self)
+
     def get_metrics_helper(self):
         return self.__metrics_helper
 

diff --git a/plugins/sdm/lib/helper/__init__.py b/plugins/sdm/lib/helper/__init__.py
@@ -12,3 +12,4 @@
 from .grant_request_helper import *
 from .whoami_helper import *
 from .metrics_helper import *
+from .health_check_helper import *