production test drive

sorah · sorah · commit 1cab653b9abc · 2021-09-07T20:19:28.000+09:00
diff --git a/config/conference.jsonnet b/config/conference.jsonnet
@@ -1,4 +1,4 @@
 {
   development: import './conference/development.libsonnet',
-  production: import './conference/development.libsonnet',  // TODO: fix with production
+  production: import './conference/production.libsonnet',
 }
diff --git a/config/conference/production.libsonnet b/config/conference/production.libsonnet
@@ -0,0 +1,46 @@
+local interpret_ivs = { arn: 'arn:aws:ivs:us-west-2:005216166247:channel/BqJ6JEV7iJUt', url: 'https://73c1ba2ff7fa.us-west-2.playback.live-video.net/api/video/v1/us-west-2.005216166247.channel.BqJ6JEV7iJUt.m3u8' };
+
+{
+  default_track: 'a',
+  track_order: ['a'],  //, 'b'],
+  tracks: {
+    a: {
+      name: '#rubykaigiA',
+      slug: 'a',
+      ivs: {
+        main: {
+          arn: 'arn:aws:ivs:us-west-2:005216166247:channel/VvM44QACk0cP',
+          url: 'https://73c1ba2ff7fa.us-west-2.playback.live-video.net/api/video/v1/us-west-2.005216166247.channel.VvM44QACk0cP.m3u8',
+        },
+        interpretation: interpret_ivs,
+      },
+      chime: {
+        channel_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/392944572afa3858efaf634bc12b511a01a7d3aa1388aa9ab1508dbc9628e693',
+        caption_channel_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/f785f9f8f243e58d3566b52958534b87ceeeedae11d4b1906e956e375b538ca5',
+      },
+    },
+    // b: {
+    //   name: '#rubykaigiB',
+    //   slug: 'b',
+    //   ivs: {
+    //     main: {
+    //       arn: 'arn:aws:ivs:us-west-2:005216166247:channel/lxVf1pHuVdbU',
+    //       url: 'https://73c1ba2ff7fa.us-west-2.playback.live-video.net/api/video/v1/us-west-2.005216166247.channel.lxVf1pHuVdbU.m3u8',
+    //     },
+    //     interpretation: interpret_ivs,
+    //   },
+    //   chime: {
+    //     channel_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/d9542baf3d0c8a6aa3a045ca710f1a301bdbdb82dd456f8f84c7f9166a84db9b',
+    //     caption_channel_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/9b908e352f5e98f9c2992c3fcf02e2fc78faebbda8db39ded97ecd71092191c6',
+    //   },
+    // },
+  },
+
+  chime: {
+    app_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395',
+    app_user_arn: 'arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/user/app',
+  },
+  ivs: {
+    region: 'us-west-2',
+  },
+}
diff --git a/tf/iam_TakeoutUser.tf b/tf/iam_TakeoutUser.tf
@@ -32,7 +32,7 @@ data "aws_iam_policy_document" "TakeoutUser" {
   statement {
     effect = "Allow"
     actions = [
-      "chime:SendChannelMessage",
+      #"chime:SendChannelMessage",
       "chime:ListChannelMessages",
       #"chime:CreateChannelMembership",
       #"chime:ListChannelMemberships",
@@ -44,8 +44,8 @@ data "aws_iam_policy_document" "TakeoutUser" {
       "chime:DescribeChannel",
       "chime:ListChannels",
       #"chime:DeleteChannel",
-      "chime:RedactChannelMessage",
-      "chime:UpdateChannelMessage",
+      #"chime:RedactChannelMessage",
+      #"chime:UpdateChannelMessage",
       "chime:Connect",
       "chime:ListChannelBans",
       #"chime:CreateChannelBan",
@@ -55,8 +55,38 @@ data "aws_iam_policy_document" "TakeoutUser" {
 
     resources = [
       // rk_takeout_user_id is expected to be given on sts:AssumeRole
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/user/$${aws:PrincipalTag/rk_takeout_user_id}",
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/*",
+    ]
+  }
+  # chat channel
+  statement {
+    effect = "Allow"
+    actions = [
+      "chime:SendChannelMessage",
+      "chime:RedactChannelMessage",
+      "chime:UpdateChannelMessage",
+    ]
+
+    resources = [
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/user/$${aws:PrincipalTag/rk_takeout_user_id}",
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/392944572afa3858efaf634bc12b511a01a7d3aa1388aa9ab1508dbc9628e693",
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/d9542baf3d0c8a6aa3a045ca710f1a301bdbdb82dd456f8f84c7f9166a84db9b",
+    ]
+  }
+
+  # caption channel
+  statement {
+    effect = "Allow"
+    actions = [
+      "chime:CreateChannelMembership",
+      "chime:DeleteChannelMembership",
+    ]
+
+    resources = [
       "arn:aws:chime:us-east-1:${local.aws_account_id}:app-instance/0e09042d-8e87-4b2f-a25b-d71a0e604443/user/$${aws:PrincipalTag/rk_takeout_user_id}",
-      "arn:aws:chime:us-east-1:005216166247:app-instance/0e09042d-8e87-4b2f-a25b-d71a0e604443/channel/*",
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/f785f9f8f243e58d3566b52958534b87ceeeedae11d4b1906e956e375b538ca5",
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/channel/9b908e352f5e98f9c2992c3fcf02e2fc78faebbda8db39ded97ecd71092191c6",
     ]
   }
 }
diff --git a/tf/iam_heroku-takeout-prd.tf b/tf/iam_heroku-takeout-prd.tf
@@ -2,7 +2,7 @@ resource "aws_iam_user" "heroku-takeout-prd" {
   name = "heroku-takeout-prd"
 }
 
-data "aws_iam_policy_document" "heroku-takeout-prd" {
+data "aws_iam_policy_document" "takeout-prd" {
   statement {
     effect = "Allow"
     actions = [
@@ -70,6 +70,7 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {
 
     resources = [
       "arn:aws:chime:us-east-1:${local.aws_account_id}:app-instance/0e09042d-8e87-4b2f-a25b-d71a0e604443/*", #dev
+      "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/*",            #prd
     ]
   }
 
@@ -79,7 +80,11 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {
       "ivs:PutMetadata",
     ]
     resources = [
-      "arn:aws:ivs:us-west-2:005216166247:channel/oTssPyKzhjoS",
+      "arn:aws:ivs:us-west-2:005216166247:channel/oTssPyKzhjoS", # dev
+
+      "arn:aws:ivs:us-west-2:005216166247:channel/VvM44QACk0cP", # prd a
+      "arn:aws:ivs:us-west-2:005216166247:channel/lxVf1pHuVdbU", # prd b
+      "arn:aws:ivs:us-west-2:005216166247:channel/BqJ6JEV7iJUt", # prd interpret
     ]
   }
 
@@ -105,7 +110,12 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {
 
 }
 
-resource "aws_iam_user_policy" "heroku-takeout-prd" {
-  user   = aws_iam_user.heroku-takeout-prd.name
-  policy = data.aws_iam_policy_document.heroku-takeout-prd.json
+resource "aws_iam_policy" "heroku-takeout-prd" {
+  name   = "takeout-prd"
+  policy = data.aws_iam_policy_document.takeout-prd.json
+}
+
+resource "aws_iam_user_policy_attachment" "heroku-takeout-prd" {
+  user       = aws_iam_user.heroku-takeout-prd.name
+  policy_arn = aws_iam_policy.heroku-takeout-prd.arn
 }
diff --git a/tf/s3.tf b/tf/s3.tf
@@ -25,6 +25,7 @@ data "aws_iam_policy_document" "s3-rk-takeout-app" {
       "${aws_s3_bucket.rk-takeout-app.arn}/prd/packs/*",
       "${aws_s3_bucket.rk-takeout-app.arn}/dev/assets/*",
       "${aws_s3_bucket.rk-takeout-app.arn}/prd/assets/*",
+      "${aws_s3_bucket.rk-takeout-app.arn}/tmp/*",
     ]
     principals {
       type = "AWS"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`	`2`	`development: import './conference/development.libsonnet',`
`3`		`- production: import './conference/development.libsonnet', // TODO: fix with production`
	`3`	`+ production: import './conference/production.libsonnet',`
`4`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ resource "aws_iam_user" "heroku-takeout-prd" {`
`2`	`2`	`name = "heroku-takeout-prd"`
`3`	`3`	`}`
`4`	`4`
`5`		`-data "aws_iam_policy_document" "heroku-takeout-prd" {`
	`5`	`+data "aws_iam_policy_document" "takeout-prd" {`
`6`	`6`	`statement {`
`7`	`7`	`effect = "Allow"`
`8`	`8`	`actions = [`
`@@ -70,6 +70,7 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {`
`70`	`70`
`71`	`71`	`resources = [`
`72`	`72`	`"arn:aws:chime:us-east-1:${local.aws_account_id}:app-instance/0e09042d-8e87-4b2f-a25b-d71a0e604443/*", #dev`
	`73`	`+ "arn:aws:chime:us-east-1:005216166247:app-instance/11029a8c-c09e-47c2-aff6-db9515482395/*", #prd`
`73`	`74`	`]`
`74`	`75`	`}`
`75`	`76`
`@@ -79,7 +80,11 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {`
`79`	`80`	`"ivs:PutMetadata",`
`80`	`81`	`]`
`81`	`82`	`resources = [`
`82`		`- "arn:aws:ivs:us-west-2:005216166247:channel/oTssPyKzhjoS",`
	`83`	`+ "arn:aws:ivs:us-west-2:005216166247:channel/oTssPyKzhjoS", # dev`
	`84`	`+`
	`85`	`+ "arn:aws:ivs:us-west-2:005216166247:channel/VvM44QACk0cP", # prd a`
	`86`	`+ "arn:aws:ivs:us-west-2:005216166247:channel/lxVf1pHuVdbU", # prd b`
	`87`	`+ "arn:aws:ivs:us-west-2:005216166247:channel/BqJ6JEV7iJUt", # prd interpret`
`83`	`88`	`]`
`84`	`89`	`}`
`85`	`90`
`@@ -105,7 +110,12 @@ data "aws_iam_policy_document" "heroku-takeout-prd" {`
`105`	`110`
`106`	`111`	`}`
`107`	`112`
`108`		`-resource "aws_iam_user_policy" "heroku-takeout-prd" {`
`109`		`- user = aws_iam_user.heroku-takeout-prd.name`
`110`		`- policy = data.aws_iam_policy_document.heroku-takeout-prd.json`
	`113`	`+resource "aws_iam_policy" "heroku-takeout-prd" {`
	`114`	`+ name = "takeout-prd"`
	`115`	`+ policy = data.aws_iam_policy_document.takeout-prd.json`
	`116`	`+}`
	`117`	`+`
	`118`	`+resource "aws_iam_user_policy_attachment" "heroku-takeout-prd" {`
	`119`	`+ user = aws_iam_user.heroku-takeout-prd.name`
	`120`	`+ policy_arn = aws_iam_policy.heroku-takeout-prd.arn`
`111`	`121`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ data "aws_iam_policy_document" "s3-rk-takeout-app" {`
`25`	`25`	`"${aws_s3_bucket.rk-takeout-app.arn}/prd/packs/*",`
`26`	`26`	`"${aws_s3_bucket.rk-takeout-app.arn}/dev/assets/*",`
`27`	`27`	`"${aws_s3_bucket.rk-takeout-app.arn}/prd/assets/*",`
	`28`	`+ "${aws_s3_bucket.rk-takeout-app.arn}/tmp/*",`
`28`	`29`	`]`
`29`	`30`	`principals {`
`30`	`31`	`type = "AWS"`