Add fixes from manual local testing

[forstmeier]

Overview

Changes

• fix/reorder various infrastructure resources
• include "bootstrap" logic for initial local runs
• update secret values
• various tweaks

Context

I'll reactivate the GitHub infrastructure workflows and test those as well.

Summary by CodeRabbit

• Infrastructure & Configuration

  • Rotated secret values for improved security.
  • Enhanced secret management handling in infrastructure setup.
  • Added bootstrap option for stack operations.
  • Refined IAM roles and policy attachments.
  • Updated S3 encryption configuration.

• Chores

  • Reorganized workflow job naming for clarity.
  • Added descriptive comments to workflow scheduling.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors infrastructure code across AWS IAM, Pulumi configuration, and GitHub Actions workflows. Changes include renaming workflow jobs, rotating secrets, refactoring IAM roles and policies (particularly GitHub OIDC integration and SageMaker execution), updating S3 encryption configuration, introducing bootstrap logic, and aligning container definitions and test assertions with new resource structures.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/launch_infrastructure.yaml, .github/workflows/teardown_infrastructure.yaml	Renamed top-level workflow jobs (build_and_push → build_and_push_images, deploy → launch_infrastructure, trigger_sync → trigger_data_sync) and updated job dependencies; added descriptive comments to schedule blocks.
Pulumi Configuration infrastructure/Pulumi.production.yaml	Rotated secret values for datamanagerSecretName, portfoliomanagerSecretName, and sharedSecretName in secure fields.
Core Infrastructure infrastructure/__main__.py	Major refactoring: changed budgetAlertEmailAddresses from require_secret_object to require_object; added recovery_window_in_days=0 to Secret resources; replaced BucketServerSideEncryptionConfigurationV2 with BucketServerSideEncryptionConfiguration; refactored GitHub Actions IAM role to use OpenID Connect with managed policies; introduced dedicated sagemaker_execution_policy and restructured sagemaker_execution_role; updated ECS task roles and container definitions to reference new bucket ARNs and environment variable mappings; fixed fund_base_url configuration; added protect=True semantics to publicly exposed resources.
Infrastructure Tests libraries/python/tests/test_infrastructure_configuration.py	Updated assertion expectations in two tests: github_actions_infrastructure_policy assertion now expects managed_policy_arns reference, and OIDC provider Resource assertion updated to use args indexing.
Bootstrap Workflow maskfile.md	Added bootstrap option to stack up workflow that imports existing AWS resources (GitHub Actions IAM role, SageMaker execution role/policy) into Pulumi state and configures GitHub Actions environment secrets via GitHub CLI.
Utility Scripts tools/download_model_artifacts.py	Renamed environment variable from AWS_S3_ARTIFACTS_BUCKET_NAME to AWS_S3_MODEL_ARTIFACTS_BUCKET_NAME in artifact retrieval and validation logic.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• infra cleanups #754: Modifies infrastructure/main.py with overlapping GitHub OIDC/Actions role and IAM policy changes, Pulumi secret configuration, and infrastructure test assertions.
• Model rebuild #637: Updates .github/workflows/launch_infrastructure.yaml and infrastructure/main.py with Pulumi IAM role, policy, and resource refactoring changes.
• Parallelize launch infrastructure steps and cleanup comments #642: Renames top-level jobs in .github/workflows/launch_infrastructure.yaml and restructures job dependencies.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title "Add fixes from manual local testing" is vague and generic, using non-descriptive language that does not convey what specific changes or problems are being addressed.	Provide a more specific title that describes the primary change, such as "Refactor IAM roles and policies for GitHub Actions" or "Update infrastructure configuration and add bootstrap logic."

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch infrastructure-definitions-fixes

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR consolidates infrastructure fixes from manual local testing, focusing on resource ordering, IAM policy refactoring, and bootstrap tooling.

Key Changes

• Infrastructure resource reordering: Moved GitHub Actions policy before role definition to fix dependency ordering; moved SageMaker policy before role
• IAM policy consolidation: Refactored to use managed_policy_arns field instead of separate RolePolicyAttachment resources for GitHub Actions and SageMaker roles
• S3 encryption API update: Changed from BucketServerSideEncryptionConfigurationV2 to BucketServerSideEncryptionConfiguration (non-V2 version)
• Secrets Manager configuration: Added recovery_window_in_days=0 to all secrets for immediate deletion on teardown
• Resource protection: Added protect=True flags to critical IAM resources (GitHub Actions role/policy, SageMaker policy)
• Array indexing fixes: Corrected multiple pulumi.Output.all() array index references throughout task definitions and policies
• Bootstrap tooling: Added --bootstrap flag to mask infrastructure stack up for initial setup with Pulumi import and GitHub secret configuration
• Environment variable rename: Changed AWS_S3_ARTIFACTS_BUCKET_NAME to AWS_S3_MODEL_ARTIFACTS_BUCKET_NAME for consistency
• Workflow improvements: Renamed GitHub Actions jobs for clarity and added cron schedule documentation

Issues Found

• Logic error with budgetAlertEmailAddresses configuration validation (line 73)

Confidence Score: 4/5

• Safe to merge after fixing the budgetAlertEmailAddresses validation inconsistency
• Most changes are infrastructure refactoring and fixes from manual testing, which is good practice. The resource reordering, IAM policy consolidation, and array index fixes address real bugs. The bootstrap tooling is well-structured. However, there's one logic error where budgetAlertEmailAddresses validation checks for a secret but the code uses require_object instead of require_secret_object. This inconsistency should be resolved before merging.
• Pay close attention to infrastructure/__main__.py line 73 - fix the budgetAlertEmailAddresses secret configuration inconsistency

Important Files Changed

Filename	Overview
infrastructure/Pulumi.production.yaml	Removed document separator and rotated encrypted secret values
infrastructure/main.py	Reordered resources, consolidated IAM policies, fixed array indexing bugs, changed encryption API, added recovery_window_in_days, and added protect flags
maskfile.md	Added bootstrap flag with resource import and GitHub environment secret configuration
tools/download_model_artifacts.py	Renamed environment variable from AWS_S3_ARTIFACTS_BUCKET_NAME to AWS_S3_MODEL_ARTIFACTS_BUCKET_NAME

_{Last reviewed commit: 473c8f3}

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[Copilot]

Pull request overview

This PR contains infrastructure fixes discovered during manual local testing, focusing on correcting resource references, reordering resource creation, adding bootstrap logic, and updating secret configurations.

Changes:

• Fixed environment variable naming from AWS_S3_ARTIFACTS_BUCKET_NAME to AWS_S3_MODEL_ARTIFACTS_BUCKET_NAME for consistency
• Refactored IAM role/policy structure to use managed_policy_arns instead of separate RolePolicyAttachment resources
• Added bootstrap functionality for initial local setup, including resource import and GitHub Actions secret configuration
• Fixed bugs in ECS task definitions and IAM policies where account_id was incorrectly used instead of proper resource ARNs
• Added resource protection flags to critical IAM resources
• Updated secret recovery windows and reverted S3 encryption API to non-V2 variants

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
tools/download_model_artifacts.py	Renamed environment variable to AWS_S3_MODEL_ARTIFACTS_BUCKET_NAME for consistency
maskfile.md	Added bootstrap flag and logic for importing existing resources and configuring GitHub secrets
libraries/python/tests/test_infrastructure_configuration.py	Updated tests to match new managed_policy_arns pattern and args indexing
infrastructure/main.py	Major refactoring: reordered role/policy creation, fixed ARN bugs, added protect flags, changed to managed_policy_arns pattern, set recovery windows, reverted to non-V2 S3 encryption API
infrastructure/Pulumi.production.yaml	Updated encrypted secret values and removed invalid YAML separator
.github/workflows/teardown_infrastructure.yaml	Added explanatory comments about cron schedule timing
.github/workflows/launch_infrastructure.yaml	Renamed jobs for clarity and added explanatory comments

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coveralls]

coverage: 86.212%. remained the same
when pulling 473c8f3 on infrastructure-definitions-fixes
into 0a0a2ef on master.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@infrastructure/__main__.py`:
- Around line 135-154: The three Secret resources datamanager_secret,
portfoliomanager_secret, and shared_secret are created with
recovery_window_in_days=0 which permanently disables recovery; change these to a
non-zero recovery window (e.g., recovery_window_in_days=7) or add resource
protection by passing opts=pulumi.ResourceOptions(protect=True) to each
aws.secretsmanager.Secret (or do both) so production secrets are not
irreversibly deleted accidentally.

In `@maskfile.md`:
- Around line 198-220: The pulumi import commands (e.g., the
github_actions_infrastructure_role, github_actions_infrastructure_policy via
GITHUB_POLICY_ARN, sagemaker_execution_role, and sagemaker_execution_policy via
SAGEMAKER_POLICY_ARN) are currently silencing all errors with `2>/dev/null ||
true`; change these to detect and log failures instead: run each `pulumi import`
and capture its exit status and stderr, print a clear message including the
resource identifier and the captured error when non-zero, and only suppress the
specific "resource does not exist" case if you detect that exact condition;
apply this pattern for all imports inside the BOOTSTRAP block so import outcomes
are visible for debugging.