From 7c42c418e460c2aa2761f74611f635db0e9c1084 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?=
Date: Mon, 16 Dec 2024 08:19:45 +0000
Subject: [PATCH] feat: Remove hasura-proxy service
---
.env.example | 6 ++--
docker-compose.pizza.yml | 7 +----
docker-compose.yml | 30 +++++--------------
e2e/tests/api-driven/src/client.ts | 4 +--
e2e/tests/ui-driven/src/helpers/context.ts | 4 +--
e2e/tests/ui-driven/src/utils.ts | 6 ++--
hasura.planx.uk/proxy/Caddyfile | 29 ------------------
hasura.planx.uk/proxy/Dockerfile | 2 --
hasura.planx.uk/proxy/README.md | 24 ---------------
hasura.planx.uk/proxy/run-caddy-shell.sh | 1 -
infrastructure/application/services/hasura.ts | 17 ++---------
11 files changed, 20 insertions(+), 110 deletions(-)
delete mode 100644 hasura.planx.uk/proxy/Caddyfile
delete mode 100644 hasura.planx.uk/proxy/Dockerfile
delete mode 100644 hasura.planx.uk/proxy/README.md
delete mode 100755 hasura.planx.uk/proxy/run-caddy-shell.sh
diff --git a/.env.example b/.env.example
index 759d790a91..5b0b9ffd93 100644
--- a/.env.example
+++ b/.env.example
@@ -40,10 +40,10 @@ EDITOR_URL_EXT=http://localhost:3000 # Hasura HASURA_GRAPHQL_ADMIN_SECRET=👻 -HASURA_PROXY_PORT=7100 -HASURA_GRAPHQL_URL=http://localhost:${HASURA_PROXY_PORT}/v1/graphql +HASURA_GRAPHQL_PORT=7100 +HASURA_GRAPHQL_URL=http://localhost:${HASURA_GRAPHQL_PORT}/v1/graphql HASURA_CONSOLE_PORT=9695 -HASURA_GRAPHQL_CORS_DOMAIN="http://localhost:${API_PORT}, http://localhost:${HASURA_CONSOLE_PORT}, http://localhost:3000, http://api:${API_PORT}, http://localhost:${HASURA_PROXY_PORT}/v1/graphql, https://*.planx.uk, https://*.planx.dev, https://*.planx.pizza, https://*.gov.uk" +HASURA_GRAPHQL_CORS_DOMAIN="http://localhost:${API_PORT}, http://localhost:${HASURA_CONSOLE_PORT}, http://localhost:3000, http://api:${API_PORT}, http://localhost:${HASURA_GRAPHQL_PORT}/v1/graphql, https://*.planx.uk, https://*.planx.dev, https://*.planx.pizza, https://*.gov.uk" # Hasura Metadata API HASURA_PLANX_API_URL=http://api:${API_PORT} diff --git a/docker-compose.pizza.yml b/docker-compose.pizza.yml index 82daeb72d6..8dfc583465 100644 --- a/docker-compose.pizza.yml +++ b/docker-compose.pizza.yml @@ -13,14 +13,9 @@ services: virtual.tls-email: ${TLS_EMAIL} hasura: - labels: - virtual.port: 8080 - virtual.tls-email: ${TLS_EMAIL} - - hasura-proxy: labels: virtual.host: hasura.${ROOT_DOMAIN} - virtual.port: ${HASURA_PROXY_PORT} + virtual.port: 8080 virtual.tls-email: ${TLS_EMAIL} api: diff --git a/docker-compose.yml b/docker-compose.yml index b045c55b3d..0f0388e28b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -47,6 +47,8 @@ services: hasura: build: context: ./hasura.planx.uk + ports: + - ${HASURA_GRAPHQL_PORT}:8080 depends_on: postgres: condition: service_healthy 
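Review bot: With `virtual.host: hasura.${ROOT_DOMAIN}` now placed on the `hasura` service at port 8080, responses reach clients without the headers the deleted Caddyfile set (`Strict-Transport-Security`, `X-Content-Type-Options nosniff`, `X-Frame-Options DENY`, and removal of `Server`), and no added line in this patch sets them anywhere else. The same applies to the Fargate service in infrastructure/application/services/hasura.ts, where the hasuraProxy container is removed. If another layer (the virtual-host front end or the load balancer) is expected to supply them, record that next to these labels, e.g. `# Security headers formerly set by hasura-proxy are now expected from <component - placeholder>`, and update the ADR that the deleted proxy README links to.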
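Review bot: The added `- ${HASURA_GRAPHQL_PORT}:8080` mapping on the `hasura` service publishes Hasura's own HTTP port on every host interface, where previously only the proxy's port was published. If this compose file is also the base for the Pizza environments, as the deleted proxy README states, that leaves a plain-HTTP path to Hasura beside the TLS virtual host. If the mapping is only needed for local development and the e2e tests, which connect to `localhost`, bind it to loopback instead: `- 127.0.0.1:${HASURA_GRAPHQL_PORT}:8080`.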
@@ -77,31 +79,13 @@ services: HASURA_PLANX_API_KEY: ${HASURA_PLANX_API_KEY} HASURA_PLANX_API_URL: ${HASURA_PLANX_API_URL} - hasura-proxy: - build: - context: ./hasura.planx.uk/proxy - depends_on: - hasura: - condition: service_healthy - restart: always - ports: - - ${HASURA_PROXY_PORT}:${HASURA_PROXY_PORT} - environment: - HASURA_PROXY_PORT: ${HASURA_PROXY_PORT} - HASURA_NETWORK_LOCATION: "hasura" - healthcheck: - test: ["CMD", "wget", "--spider", "--quiet", "localhost:$HASURA_PROXY_PORT/healthz"] - interval: 15s - timeout: 3s - retries: 3 - api: restart: unless-stopped build: context: ./api.planx.uk target: production depends_on: - hasura-proxy: + hasura: condition: service_healthy ports: - ${API_PORT}:${API_PORT} @@ -137,10 +121,10 @@ services: MICROSOFT_CLIENT_SECRET: ${MICROSOFT_CLIENT_SECRET} GOVUK_NOTIFY_API_KEY: ${GOVUK_NOTIFY_API_KEY} HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_GRAPHQL_ADMIN_SECRET} - HASURA_GRAPHQL_URL: http://hasura-proxy:${HASURA_PROXY_PORT}/v1/graphql - HASURA_METADATA_URL: http://hasura-proxy:${HASURA_PROXY_PORT}/v1/metadata + HASURA_GRAPHQL_URL: http://hasura:8080/v1/graphql + HASURA_GRAPHQL_ENDPOINT: http://hasura:8080/ HASURA_PLANX_API_KEY: ${HASURA_PLANX_API_KEY} - HASURA_SCHEMA_URL: http://hasura-proxy:${HASURA_PROXY_PORT}/v2/query + HASURA_SCHEMA_URL: http://hasura:8080/v2/query IDOX_NEXUS_CLIENT: ${IDOX_NEXUS_CLIENT} IDOX_NEXUS_SUBMISSION_URL: ${IDOX_NEXUS_SUBMISSION_URL} IDOX_NEXUS_TOKEN_URL: ${IDOX_NEXUS_TOKEN_URL} @@ -174,7 +158,7 @@ services: - "./sharedb.planx.uk:/sharedb" - "/sharedb/node_modules" depends_on: - hasura-proxy: + hasura: condition: service_healthy ports: - ${SHAREDB_PORT}:8000 diff --git a/e2e/tests/api-driven/src/client.ts b/e2e/tests/api-driven/src/client.ts index 19513cadf6..f58a9ef0bb 100644 --- a/e2e/tests/api-driven/src/client.ts +++ b/e2e/tests/api-driven/src/client.ts 
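Review bot: In the `api` environment block, `HASURA_METADATA_URL` is removed and `HASURA_GRAPHQL_ENDPOINT: http://hasura:8080/` appears in its place, which reads as a different variable rather than the same one repointed away from the proxy. If the API still reads `HASURA_METADATA_URL` (its code is not visible here) the value will be undefined at start-up; keeping `HASURA_METADATA_URL: http://hasura:8080/v1/metadata` would match how the other two URLs were migrated. Separately, `api` and `sharedb` now wait on `hasura: condition: service_healthy`, which only works if the `hasura` service defines a healthcheck; that definition lies outside these hunks, so it is worth confirming.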
@@ -7,8 +7,8 @@ assert(process.env.HASURA_GRAPHQL_ADMIN_SECRET); assert(process.env.HASURA_GRAPHQL_URL); const targetURL = process.env.HASURA_GRAPHQL_URL!.replace( - "${HASURA_PROXY_PORT}", - process.env.HASURA_PROXY_PORT!, + "${HASURA_GRAPHQL_PORT}", + process.env.HASURA_GRAPHQL_PORT!, ); export const $admin = new CoreDomainClient({ diff --git a/e2e/tests/ui-driven/src/helpers/context.ts b/e2e/tests/ui-driven/src/helpers/context.ts index 792a99a1ed..8731f64e7e 100644 --- a/e2e/tests/ui-driven/src/helpers/context.ts +++ b/e2e/tests/ui-driven/src/helpers/context.ts @@ -105,8 +105,8 @@ export function getCoreDomainClient(): CoreDomainClient { assert(process.env.HASURA_GRAPHQL_ADMIN_SECRET); const API = process.env.HASURA_GRAPHQL_URL!.replace( - "${HASURA_PROXY_PORT}", - process.env.HASURA_PROXY_PORT!, + "${HASURA_GRAPHQL_PORT}", + process.env.HASURA_GRAPHQL_PORT!, ); const SECRET = process.env.HASURA_GRAPHQL_ADMIN_SECRET!; return new CoreDomainClient({ diff --git a/e2e/tests/ui-driven/src/utils.ts b/e2e/tests/ui-driven/src/utils.ts index 6e6036fc51..67c6968a4f 100644 --- a/e2e/tests/ui-driven/src/utils.ts +++ b/e2e/tests/ui-driven/src/utils.ts @@ -3,17 +3,17 @@ import Axios from "axios"; export const gqlAdmin = async (query, variables = {}) => { const HASURA_GRAPHQL_ADMIN_SECRET = process.env.HASURA_GRAPHQL_ADMIN_SECRET; - const HASURA_PROXY_PORT = process.env.HASURA_PROXY_PORT; + const HASURA_GRAPHQL_PORT = process.env.HASURA_GRAPHQL_PORT; const response = await Axios( - `http://localhost:${HASURA_PROXY_PORT}/v1/graphql`, + `http://localhost:${HASURA_GRAPHQL_PORT}/v1/graphql`, { method: "POST", headers: { "X-Hasura-Admin-Secret": HASURA_GRAPHQL_ADMIN_SECRET, }, data: { query, variables }, - }, + } ); const { data: json } = response; diff --git a/hasura.planx.uk/proxy/Caddyfile b/hasura.planx.uk/proxy/Caddyfile deleted file mode 100644 index d25c92da50..0000000000 --- a/hasura.planx.uk/proxy/Caddyfile +++ /dev/null 
@@ -1,29 +0,0 @@ -# HASURA_PROXY_PORT - The publicly exposed port through which this service can be accessed -# HASURA_NETWORK_LOCATION - Either "hasura" in Docker environments, or "localhost" on Fargate - - -# General options -{ - # Handle HTTPS redirection in AWS at the LoadBalancer level - auto_https off -} - -# Reverse proxy for Hasura GraphQL Engine -:{$HASURA_PROXY_PORT} { - reverse_proxy {$HASURA_NETWORK_LOCATION}:8080 - - # Update response headers - header { - # Enable HSTS - Strict-Transport-Security "max-age=15552000; includeSubDomains" - - # Disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # Clickjacking protection - X-Frame-Options DENY - - # Do not leak server information - -Server - } -} diff --git a/hasura.planx.uk/proxy/Dockerfile b/hasura.planx.uk/proxy/Dockerfile deleted file mode 100644 index 3e10fb2817..0000000000 --- a/hasura.planx.uk/proxy/Dockerfile +++ /dev/null @@ -1,2 +0,0 @@ -FROM caddy:2.6.4-alpine -COPY Caddyfile /etc/caddy/Caddyfile \ No newline at end of file diff --git a/hasura.planx.uk/proxy/README.md b/hasura.planx.uk/proxy/README.md deleted file mode 100644 index a9030ab1f3..0000000000 --- a/hasura.planx.uk/proxy/README.md +++ /dev/null 
@@ -1,24 +0,0 @@ -## Hasura Server - -**Intro** - - This folder contains config for the proxy server which sites in front of Hasura, allowing us to control security headers - - `docker-compose.yaml` runs this service on both local dev and Pizza environments - - Fargate builds this service alongside Hasura for staging and production environments - - Please see [the ADR which introduced Hasura Server](https://github.com/theopensystemslab/planx-new/blob/main/doc/architecture/decisions/0002-create-reverse-proxy-for-hasura.md) for full details - -**Helpful resources and troubleshooting** - -The [Caddy CLI](https://caddyserver.com/docs/command-line) can prove helpful if developing in this directory. You can run this interactively through the docker image with `./run-caddy-shell.sh` - -After changes to the Caddyfile, you can run `caddy validate` to check your homework, and then `caddy fmt --overwrite` to lint and standardise whitespace changes etc. - -`debug` can be added to the general options at the top of the Caddyfile for local testing, or more verbose CloudWatch logging - -``` -# General options -{ - debug - # Handle HTTPS redirection in AWS at the LoadBalancer level - auto_https off -} -``` \ No newline at end of file diff --git a/hasura.planx.uk/proxy/run-caddy-shell.sh b/hasura.planx.uk/proxy/run-caddy-shell.sh deleted file mode 100755 index 38eea85f09..0000000000 --- a/hasura.planx.uk/proxy/run-caddy-shell.sh +++ /dev/null @@ -1 +0,0 @@ -docker run --rm -it -v "$(pwd)/Caddyfile:/etc/caddy/Caddyfile" -w /etc/caddy/ $(docker build -q .) /bin/sh \ No newline at end of file diff --git a/infrastructure/application/services/hasura.ts b/infrastructure/application/services/hasura.ts index c4b3f63028..59993ab232 100644 --- a/infrastructure/application/services/hasura.ts +++ b/infrastructure/application/services/hasura.ts 
@@ -29,9 +29,9 @@ export const createHasuraService = async ({ subnets: networking.requireOutput("publicSubnetIds"), }); // XXX: If you change the port, you'll have to make the security group accept incoming connections on the new port - const HASURA_PROXY_PORT = 80; + const HASURA_GRAPHQL_PORT = 80; const targetHasura = lbHasura.createTargetGroup("hasura", { - port: HASURA_PROXY_PORT, + port: HASURA_GRAPHQL_PORT, protocol: "HTTP", healthCheck: { path: "/healthz", @@ -45,9 +45,6 @@ export const createHasuraService = async ({ domain: DOMAIN, }); - // hasuraService is composed of two tightly coupled containers - // hasuraProxy is publicly exposed (behind the load balancer) and reverse proxies requests to hasura - // hasura has no externally exposed ports, and can only be accessed by hasuraService const hasuraService = new awsx.ecs.FargateService("hasura", { cluster, subnets: networking.requireOutput("publicSubnetIds"), @@ -57,16 +54,6 @@ export const createHasuraService = async ({ retentionInDays: 30, }), containers: { - hasuraProxy: { - image: repo.buildAndPushImage("../../hasura.planx.uk/proxy"), - cpu: config.requireNumber("hasura-proxy-cpu"), - memory: config.requireNumber("hasura-proxy-memory"), - portMappings: [hasuraListenerHttp], - environment: [ - { name: "HASURA_PROXY_PORT", value: String(HASURA_PROXY_PORT) }, - { name: "HASURA_NETWORK_LOCATION", value: "localhost" }, - ], - }, hasura: { image: repo.buildAndPushImage("../../hasura.planx.uk"), cpu: config.requireNumber("hasura-cpu"),
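Review bot: The only `portMappings: [hasuraListenerHttp]` entry in this service is deleted together with the hasuraProxy container, and no added line gives the remaining `hasura` container a mapping, so unless one already exists below the hunk the target group has no container port to route to. The target group also still uses `HASURA_GRAPHQL_PORT = 80`, while the compose files in this patch reach Hasura on 8080, so the target group port and the security-group rule mentioned in the XXX comment probably need to follow. Consider adding `portMappings: [hasuraListenerHttp],` to the `hasura` container and aligning the port constant with the port Hasura actually listens on. The removed comment described hasura as having no externally exposed ports, so a short replacement comment stating that it now sits directly behind the load balancer would help the next reader. The container definition continues outside the hunk.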