Make cargohold use amazonka instead of aws #1157
Conversation
mheinzel
force-pushed
the
mheinzel/cargohold-use-amazonka
branch
2 times, most recently
from
19a002c
to
c25d4ba
Compare
mheinzel
changed the title
mheinzel
force-pushed
the
mheinzel/cargohold-use-amazonka
branch
from
338b372
to
f9abcc5
Compare
There was a problem hiding this comment.
Did some early review with @fisx - we did not manage to review the resumable uploads but already have some feedback and wanted to leave them here already... in general looks great!
services/cargohold/src/Main.hs
Outdated
| main = withOpenSSL $ do | ||
| options <- getOptions desc Nothing defaultPath | ||
| run options | ||
| main = do |
There was a problem hiding this comment.
I remember we had a chat about it and mentioned we should probably keep using openSSL but then it was removed in the PR anyway; was it easier to remove it or what was the reason for the change?
There was a problem hiding this comment.
@franziskuskiefer do you have an opinion on openssl vs. http://hackage.haskell.org/package/tls?
We had this a while back, and after struggling for a while between "In Haskell with a few good habits, many mistakes cannot be expressed in the language" and "openssl has had so many bugs closed, how many more can there be?", we stuck with openssl.
There was a problem hiding this comment.
Ah, I undid the changes removing OpenSSL, but must have missed this one. Interestingly, the code using OpenSSL still worked without the initialization here. Good catch!
For this PR I think it makes sense to stick with OpenSSL for consistency with the rest of the codebase, but yeah, we should think about which library we want to use in general.
| instance AWS.MonadAWS Amazon where | ||
| liftAWS a = view amazonkaEnv >>= flip AWS.runAWS a | ||
|
|
||
| mkEnv :: |
There was a problem hiding this comment.
For future reference, pretty much all our services have a nearly identical copy of this AWS monad (except for the mkEnv), would be nice to at some point generalize it.
| signed <- | ||
| AWS.execute (AWS.useDownloadEndpoint e) $ | ||
| presignURL now (Seconds (fromIntegral ttl)) req | ||
| return =<< toUri signed |
There was a problem hiding this comment.
| return =<< toUri signed | |
| toUri signed |
There was a problem hiding this comment.
as part of 877c9a9
| return $ statusIsServerError s | ||
| ] | ||
| parseMIMEType :: Text -> Maybe MIME.Type | ||
| parseMIMEType = MIME.parseMIMEType |
There was a problem hiding this comment.
Is it worth having this as it's just an alias?
There was a problem hiding this comment.
No, will inline it. Same for encodeMIMEType.
| execCatch :: | ||
| (AWSRequest a, AWS.HasEnv r, MonadUnliftIO m, MonadCatch m, MonadThrow m) => | ||
| r -> | ||
| a -> | ||
| m (Either AWS.Error (Rs a)) | ||
| execCatch e cmd = | ||
| runResourceT . AWST.runAWST e | ||
| $ AWST.trying AWS._Error | ||
| $ AWST.send cmd | ||
|
|
||
| exec :: | ||
| (AWSRequest a, AWS.HasEnv r, MonadUnliftIO m, MonadCatch m, MonadThrow m) => | ||
| r -> | ||
| a -> | ||
| m (Rs a) | ||
| exec e cmd = execCatch e cmd >>= either (throwM . GeneralError) return |
There was a problem hiding this comment.
These are not used and have functions with the same name on the S3 module; perhaps move those functions here since they are generic and can be used in other modules (although they are not)
There was a problem hiding this comment.
It was not quite as easy as copying them, because of the module dependencies (Cargohold.AWS doesn't know about App and Env), but here it is: 959adbc
services/cargohold/package.yaml
Outdated
| - byteable >=0.1 | ||
| - base16-bytestring >=0.1 | ||
| - blaze-builder >=0.3 | ||
| - binary >=0.8 |
There was a problem hiding this comment.
Nit-pick: I think the only thing used from binary is toLazyByteString, which I think is just a re-export from bytestring.
There was a problem hiding this comment.
Good spot. We also do this in a few other places, so I cleaned them up, too.
0bfad02
There was a problem hiding this comment.
Given that the resume functionality (which is not used by any client btw) is somewhat covered in the test suite, I'll take your word for that the changes are valid.
But does the V3 in the tests stand for the signature version, and do we need to cover V4 as well? I am missing a lot of context here. :)
services/cargohold/src/Main.hs
Outdated
| main = withOpenSSL $ do | ||
| options <- getOptions desc Nothing defaultPath | ||
| run options | ||
| main = do |
There was a problem hiding this comment.
@franziskuskiefer do you have an opinion on openssl vs. http://hackage.haskell.org/package/tls?
We had this a while back, and after struggling for a while between "In Haskell with a few good habits, many mistakes cannot be expressed in the language" and "openssl has had so many bugs closed, how many more can there be?", we stuck with openssl.
V3 is the Cargohold API version, nothing to do with signatures |
I generally prefer not using openssl for multiple reasons. But that haskell package doesn't appear to be used a lot, which is crucial for a TLS lib (most errors are found while using it). |
* just takes all amazonka packages from the pinned fork. they depend on core, so need to be rebuilt anyways. * also drops elb, redshift, route53
mheinzel
force-pushed
the
mheinzel/cargohold-use-amazonka
branch
from
959adbc
to
0ecdbfe
Compare
|
I addressed all comments and now rebased to resolve conflicts. Looking forward to more feedback! |
tiago-loureiro
force-pushed
the
mheinzel/cargohold-use-amazonka
branch
from
4a5a869
to
bde835d
Compare
There was a problem hiding this comment.
Small note: I added an extra commit with a little comment a few extra config options explaining how you could test with cloudfront too and updated the file on S3
* provide AWS_REGION variable to cargohold Now with cargohold using V4 signatures (wireapp/wire-server#1157), the region is part of the Authorization header and needs to configured correctly. We already do that for the other services, so I just copied the code from there. * provide AWS env vars to cargohold integration We do this for all the other servers, too, but I'm actually not sure why. The integration tests themselves don't call AWS. We should probably just remove it (+ from the other services).
* squash #483 * remove all usages of aws * support s3DownloadEndpoint config * stack.yaml: pin updated fork of amazonka The update to stack.yaml just takes all amazonka packages from the pinned fork. They depend on core, so need to be rebuilt anyways. We also drop elb, redshift, route53 * depend on OpenSSL again This is mostly done for consistency with the other services. If we want to change it, we should change it everywhere. * remove unnecessary dependencies on binary and blaze-builder * Add comment on how to use cloudfront Co-authored-by: Tiago Loureiro <[email protected]>
Fixes #876.
Also see https://github.com/zinfra/backend-issues/issues/1481.
This revives #483 with a more recent version of amazonka. Everything seems to work without performance regressions
except for problems against Minio with the pre-signed download URLs we generate (more docs). This still needs to be investigated.edit: I found the issue in amazonka and made a fix
Before merging:
s3DownloadEndpoint, which is currently ignoredhttp-client-tlshere (and if not, revert that part)