
Running local backend against production environment

Background

In some cases we need to run the local backend service and have it use production environment resources (MongoDB, storage buckets, etc.). This is mainly needed to run our dev tool script to perform operations on the production environment, or to run one-time scripts on customer data for migrations or for fixing data in the DB. These instructions are guidelines on how to enable that access.

For AWS backend

Note: AWS CLI must be installed and configured to connect to AWS backend. Follow the AWS CLI setup instructions if needed.

  1. Configure the DB to accept connections from local machine
    • Find the ARN of the IAM role used for accessing AWS resources with SSO: in the AWS portal go to IAM -> Roles and extract the ARN of the role used for SSO when developing locally. The role name should begin with 'AWSReservedSSO_DeveloperAccess_'
    • Go to the region's project in the MongoDB Atlas portal, navigate to the 'Database & Network Access' -> 'Database Users' page in the menu and add a database user with the following configuration. The user must be added as temporary with a short duration (e.g. 6 hours) so that it is not left in place by mistake when done.
      • Authentication Method - AWS IAM
      • AWS IAM Type - IAM Role
      • AWS Role ARN - the role ARN found in AWS
      • Built-in Role - "Read and write to any database"
    • Go to the region's project in the MongoDB Atlas portal, navigate to the 'Database & Network Access' -> 'IP Access List' page in the menu and add your current IP address to the allowlist. An automatic expiration with a short duration (e.g. 6 hours) must be set when adding the IP address so that it is not left in place by mistake when done.
  2. Configure local backend service to access the production environment
    • Add the following environment variables to your '.env' file with the values for the right production environment:
      AWS_REGION=
      S3_BUCKET_NAME=
      MONGO_CONNECTION_URI=
      WORKOS_API_KEY=
      Note: this list may not be exhaustive. Refer to the backend repo's README file for the latest list of required environment variables
    • AWS_REGION can be copied from AWS portal. Example valid value: "us-west-2"
    • S3_BUCKET_NAME can be found by going to 'S3' in AWS portal and copying the name of the bucket matching the required region. Example valid value: "legionscreenshots-us-east-2"
    • MONGO_CONNECTION_URI can be found by going to the region's project in the MongoDB Atlas portal, clicking 'Connect' in the overview page, choosing 'Standard connection' as the connection type and 'Drivers' as the application, and copying the connection string from the resulting page. Make sure to remove the AWS access key, AWS secret key and authMechanismProperties from the URL (we don't need them since we use SSO). Example valid value: "mongodb+srv://backend-us-east-2.nxzna.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&appName=backend-us-east-2"
    • WORKOS_API_KEY can be found in WorkOS portal for production tenant
  3. Run whatever logic is needed against production environment
  4. Important! - after finishing, make sure to revert your changes and remove the SSO role and your IP address from the MongoDB project
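
A pre-flight check for the '.env' file described in step 2, as an added example that is not part of the backend repo: it reports variables from the list above that are empty and flags a MONGO_CONNECTION_URI that still carries an access key, secret key or authMechanismProperties. The function names, the expectation that authSource and authMechanism match the example valid value above, and the sample '.env' contents are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Variables the AWS steps above list for the '.env' file.
REQUIRED = ("AWS_REGION", "S3_BUCKET_NAME", "MONGO_CONNECTION_URI", "WORKOS_API_KEY")

def parse_env(text):
    """Parse simple KEY=VALUE lines; skips blanks and '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def check_mongo_uri(uri):
    """Return problems with the URI; an empty list means it matches the guidance."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append("not a mongodb:// or mongodb+srv:// URI")
    if parts.username or parts.password:
        problems.append("credentials embedded before '@'")
    # Connection-string option names are compared case-insensitively here.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if "authmechanismproperties" in query:
        problems.append("authMechanismProperties present")
    if query.get("authmechanism") != ["MONGODB-AWS"]:
        problems.append("authMechanism is not MONGODB-AWS")
    if query.get("authsource") != ["$external"]:
        problems.append("authSource is not $external")
    return problems

def check_env(text):
    """Check '.env' contents: required variables set, Mongo URI free of secrets."""
    env = parse_env(text)
    problems = [f"{name} is missing or empty" for name in REQUIRED if not env.get(name)]
    if env.get("MONGO_CONNECTION_URI"):
        problems += check_mongo_uri(env["MONGO_CONNECTION_URI"])
    return problems

# Constructed sample: a URI pasted from Atlas without removing the key fields.
SAMPLE_BAD_ENV = """\
AWS_REGION=us-east-2
S3_BUCKET_NAME=legionscreenshots-us-east-2
MONGO_CONNECTION_URI="mongodb+srv://CONSTRUCTED_KEY_ID:constructed_secret@backend-us-east-2.nxzna.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:constructed_token"
WORKOS_API_KEY=
"""

if __name__ == "__main__":
    for problem in check_env(SAMPLE_BAD_ENV):
        print("FAIL:", problem)
```
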

For GCP backend

Note: GCP CLI must be installed and configured to connect to GCP backend. Follow the GCP CLI setup instructions if needed.

  1. Configure the DB to accept connections from local machine

    • Go to the region's project in the MongoDB Atlas portal, navigate to the 'Database & Network Access' -> 'IP Access List' page in the menu and add your current IP address to the allowlist. An automatic expiration with a short duration (e.g. 6 hours) must be set when adding the IP address so that it is not left in place by mistake when done.
  2. Configure local backend service to access the production environment

    • Add the following environment variables to your '.env' file with the values for the right production environment:
      GCP_REGION=
      GCP_PROJECT_NAME=
      GCP_SCREENSHOTS_BUCKET_NAME=
      GCP_INVESTIGATIONS_BUCKET_NAME=
      MONGO_CONNECTION_URI=
      WORKOS_API_KEY=
      Note: this list may not be exhaustive. Refer to the backend repo's README file for the latest list of required environment variables
    • The values for the environment variables can be copied from the Cloud Run service running in the relevant region:
      • Go to the Cloud Run services page in the GCP portal, in the project for the relevant region, and click the service to open its details. For example https://console.cloud.google.com/run?project=backend-us-east4
      • Under the 'Revisions' tab make sure the active revision is selected
      • In the panel to the right, extract the needed values from the 'Environment variables' section.
      • Note that for secret values you can see the secret value by clicking the secret name link, then clicking the vertical 3 dots on the active secret version and clicking 'View secret value'
  3. Run whatever logic is needed against production environment

  4. Important! - after finishing, make sure to revert your changes and remove the SSO role and your IP address from the MongoDB project