Merge pull request #455 from mageops/rocky-develop

Release
mageops · Feb 14, 2025 · 8adcd4f · 8adcd4f
2 parents 9cff274 + d1e4452
commit 8adcd4f
Show file tree

Hide file tree

Showing 10 changed files with 55 additions and 36 deletions.
diff --git a/roles/cs.aws-create-ami/tasks/main.yml b/roles/cs.aws-create-ami/tasks/main.yml
@@ -15,7 +15,7 @@
     instance_id: "{{ ami_instance_id }}"
     name: "{{ ami_name }}"
     wait: yes
-    wait_timeout: 1800
+    wait_timeout: 3600
     tags: "{{ aws_tags_default | combine(ami_tags, ami_name_tags) }}"
     delete_snapshot: "{{ ami_delete_snapshot | default('yes') }}"
     device_mapping: >-

diff --git a/roles/cs.aws-iam/defaults/main.yml b/roles/cs.aws-iam/defaults/main.yml
@@ -22,6 +22,7 @@ aws_iam_policy_node_coordinator_lambda: "{{ aws_iam_name_prefix }}HandleNodeCoor
 aws_iam_policy_provisioning_1: "{{ aws_iam_name_prefix }}Provisioning_1"
 aws_iam_policy_provisioning_2: "{{ aws_iam_name_prefix }}Provisioning_2"
 aws_iam_policy_provisioning_3: "{{ aws_iam_name_prefix }}Provisioning_3"
+aws_iam_policy_provisioning_4: "{{ aws_iam_name_prefix }}Provisioning_4"
 
 aws_iam_role_basic_lambda_execution: "{{ aws_iam_name_prefix }}BasicLambdaExecution"
 aws_iam_role_autoscaling_event_lambda: "{{ aws_iam_name_prefix }}HandleAutoscalingEventLambdaExecution"
@@ -51,11 +52,13 @@ aws_iam_provisioning_policies:
     - arn:aws:iam::aws:policy/AutoScalingFullAccess
     - arn:aws:iam::aws:policy/AmazonS3FullAccess
     - arn:aws:iam::aws:policy/CloudFrontFullAccess
-    - arn:aws:iam::aws:policy/AmazonVPCFullAccess
   - name: "{{ aws_iam_policy_provisioning_3 }}"
     policies:
     - arn:aws:iam::aws:policy/IAMReadOnlyAccess
     - arn:aws:iam::aws:policy/CloudWatchEventsFullAccess
     - arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess
     - arn:aws:iam::aws:policy/AmazonSNSFullAccess
     - arn:aws:iam::aws:policy/AmazonSESFullAccess
+  - name: "{{ aws_iam_policy_provisioning_4 }}"
+    policies:
+    - arn:aws:iam::aws:policy/AmazonVPCFullAccess
diff --git a/roles/cs.aws-iam/tasks/provisioning-role.yml b/roles/cs.aws-iam/tasks/provisioning-role.yml
@@ -14,3 +14,4 @@
     - "arn:aws:iam::{{ aws_account_id }}:policy/{{ aws_iam_policy_provisioning_1 }}"
     - "arn:aws:iam::{{ aws_account_id }}:policy/{{ aws_iam_policy_provisioning_2 }}"
     - "arn:aws:iam::{{ aws_account_id }}:policy/{{ aws_iam_policy_provisioning_3 }}"
+    - "arn:aws:iam::{{ aws_account_id }}:policy/{{ aws_iam_policy_provisioning_4 }}"
diff --git a/roles/cs.magento-configure/tasks/action/flush-cache.yml b/roles/cs.magento-configure/tasks/action/flush-cache.yml
diff --git a/roles/cs.magento-configure/tasks/main.yml b/roles/cs.magento-configure/tasks/main.yml
@@ -25,7 +25,6 @@
         - include_tasks: 080-core-config.yml
         - include_tasks: 110-deploy-static-content.yml
           when: not magento_scd_skip
-        - include_tasks: action/flush-cache.yml
       when: deploy_install_new_release
   become: yes
   become_user: "{{ magento_user }}"

diff --git a/roles/cs.magento-configure/tasks/vagrant.yml b/roles/cs.magento-configure/tasks/vagrant.yml
@@ -18,7 +18,6 @@
         magento_code_directory: "{{ magento_release_dir }}"
     - include_tasks: 050-install-sample-data.yml
       when: magento_install_sample_data
-    - include_tasks: action/flush-cache.yml
     - include_tasks: 070-setup-modules.yml
     - include_tasks: 080-core-config.yml
     - include_tasks: 090-setup-upgrade.yml

diff --git a/roles/cs.magento-configure/templates/magento_logrotate.conf.j2 b/roles/cs.magento-configure/templates/magento_logrotate.conf.j2
@@ -1,8 +1,13 @@
 {{ magento_live_release_dir }}/var/log/*.log {{ magento_live_release_dir }}/var/log/*/*.log {
-    size 20M
     rotate 2
     create 0664 {{ magento_user }} {{ magento_group }}
     su {{ magento_user }} {{ magento_group }}
-    missingok
     notifempty
+    compress
+    compresscmd /usr/bin/zstd
+    uncompresscmd /usr/bin/unzstd
+    compressext .zstd
+    compressoptions -19
+    size 128M
+    missingok
 }
diff --git a/roles/cs.varnish/defaults/main.yml b/roles/cs.varnish/defaults/main.yml
@@ -113,8 +113,8 @@ varnish_throttling: no
 
 # Throttling rules, an array of items, each containing:
 # - `id` (required) - unqiue string used internally for hash computation
-# - `path_pattern` (required) - regex pattern that defined affects request paths
-# - `method` (optional) - match this limit only for specified http method
+# - `path_pattern` (optional*) - regex pattern that defined affects request paths
+# - `method` (optional*) - match this limit only for specified http method
 # - `error_message` (optional) - custom error string returned to client when this rule is triggered
 # - `limit` (required) - number of requests until clien tis throttled
 # - `duration` (required) - time window over which the `limit` requests may be performed
@@ -123,6 +123,9 @@ varnish_throttling: no
 # - `secret` (optional) - default no, if set it will hide headers that expose rate limiting
 # - `whitelisted` (optional) - default no, if set this route will be excluded from throtling (only for varnish_throttling_rules)
 #                              whitelist rules should be listed before any other ones
+# - `user_agent`  (optional*) - regex pattern that defined affects request user agent
+# - `ignore_ip` (optional) - rule is matched based on other criteria than IP (f.ex. user agent)
+# *At leat one of `path_pattern`, `method` or `user_agent` need to be set
 #
 # Note: The rules are evaluated in the order they are defined. First limit that is exceeded
 # will stop any further evaluation. You should order the rules from most specific to the widest.

diff --git a/roles/cs.varnish/templates/vcl/subroutines/recv.vcl.j2 b/roles/cs.varnish/templates/vcl/subroutines/recv.vcl.j2
@@ -173,8 +173,8 @@ if (req.http.X-Blackfire-Query) {
     }
 }
 
-# Bypass shopping cart, checkout and search requests
-if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
+# Bypass customer, shopping cart, checkout and search requests
+if (req.url ~ "/customer" || req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
     return (pass);
 }
 

diff --git a/roles/cs.varnish/templates/vcl/subroutines/recv_throttling.vcl.j2 b/roles/cs.varnish/templates/vcl/subroutines/recv_throttling.vcl.j2
@@ -3,32 +3,45 @@
 # for the same reason.
 
 {% macro varnish_rate_limit_rule(rule) -%}
-        {% if rule.whitelisted | default(false, true) -%}
-        ### Whitelist {{ rule.path_pattern }} ###
-        {%- else -%}
-        ### Throttling rule - {{ rule.id }} ###
-        {%- endif %}
+    {% if rule.whitelisted | default(false, true) -%}
+    ### Whitelist {{ rule.path_pattern }} ###
+    {%- else -%}
+    ### Throttling rule - {{ rule.id }} ###
+    {%- endif %}
+
+    {%- set conditions = [] -%}
+
+    {%- if rule.path_pattern | default(false, true) -%}
+    {%- set _ = conditions.append('req.url ~ "' ~ rule.path_pattern ~ '"') -%}
+    {%- endif -%}
+    {%- if rule.user_agent | default(false, true) -%}
+    {%- set _ = conditions.append('req.http.User-Agent ~ "' ~ rule.user_agent ~ '"') -%}
+    {%- endif -%}
+    {%- if rule.method | default(false, true) -%}
+    {%- set _ = conditions.append('req.method == "' ~ rule.method | upper ~ '"') -%}
+    {%- endif -%}
 
-        if ( req.url ~ "{{ rule.path_pattern }}"
-        {%- if rule.method | default(false, true) %} && req.method == "{{ rule.method | upper }}" {% endif -%}
-        ) {
-            {% if not rule.whitelisted | default(false, true) -%}
-            set req.http.X-RateLimit-Identity = req.http.x-real-ip + "{{ rule.id }}";
-            set req.http.X-RateLimit-Remaining = vsthrottle.remaining(req.http.X-RateLimit-Identity, {{ rule.limit }}, {{ rule.duration }}, {{ rule.block | default('0s') }});
-
-            if (vsthrottle.is_denied(req.http.X-RateLimit-Identity, {{ rule.limit }}, {{ rule.duration }}, {{ rule.block | default('0s') }})) {
-                {% if rule.secret | default(false, true) %}
-                unset req.http.X-RateLimit-Identity;
-                unset req.http.X-RateLimit-Remaining;
-                {% endif %}
-                return (synth(429, "{{ rule.error_message | default('Too many requests') }}"));
-            }
+    {% if conditions | length > 0 %}
+
+    if ({{ conditions | join(' && ') }}) {
+        set req.http.X-RateLimit-Identity = {% if rule.ignore_ip | default(false, true) -%} req.http.x-real-ip + {%- endif %} "{{ rule.id }}";
+        {% if not rule.whitelisted | default(false, true) -%}
+        set req.http.X-RateLimit-Remaining = vsthrottle.remaining(req.http.X-RateLimit-Identity, {{ rule.limit }}, {{ rule.duration }}, {{ rule.block | default('0s') }});
+
+        if (vsthrottle.is_denied(req.http.X-RateLimit-Identity, {{ rule.limit }}, {{ rule.duration }}, {{ rule.block | default('0s') }})) {
             {% if rule.secret | default(false, true) %}
-                unset req.http.X-RateLimit-Identity;
-                unset req.http.X-RateLimit-Remaining;
+            unset req.http.X-RateLimit-Identity;
+            unset req.http.X-RateLimit-Remaining;
             {% endif %}
-            {%- endif %}
+            return (synth(429, "{{ rule.error_message | default('Too many requests') }}"));
         }
+        {% if rule.secret | default(false, true) %}
+            unset req.http.X-RateLimit-Identity;
+            unset req.http.X-RateLimit-Remaining;
+        {% endif %}
+        {%- endif %}
+    }
+    {% endif %}
 {%- endmacro %}