rede5/infracloud
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: add 2026-02-23 operations log - API Gateway MFE full setup

Browse source 
Document Terraform module, pipeline fixes (S3 credentials, bastion),
DRG attachment, route tables, security lists, LB backend/routing config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Tiago Ribeiro 2026-02-23 13:03:53 -03:00
parent 80323205a0
commit 277361b50f
1 changed files with 121 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

122
inventcloud/invista/nexus/OPERATIONS.md
View file

@ -4,6 +4,126 @@ Registro de operacoes e incidentes na infraestrutura.
---
## 2026-02-23 - API Gateway MFE: Terraform, Pipeline, Rede e LB
### Contexto
Provisionamento completo do API Gateway MFE para servir micro frontends (Angular SPAs) via OCI Object Storage, incluindo modulo Terraform, correcao de pipeline, conectividade de rede (VCN peering) e configuracao do Load Balancer.
### 1. Modulo Terraform `api_gateway_mfe`
Criado modulo reutilizavel em `tf_oci_clusters/modules/api_gateway_mfe/`:
| Arquivo | Descricao |
|---------|-----------|
| main.tf | Gateway PRIVATE + Deployment com rotas SPA (index.html fallback + static files via Object Storage) |
| variables.tf | Inputs: compartment_id, subnet_id, env_name, mfe_deployments list, endpoint_type |
| outputs.tf | gateway_id, gateway_ip, gateway_hostname, deployment_endpoints |
| versions.tf | oracle/oci ~> 7.0 |
Integracao no ambiente dev:
- `environments/dev/api_gateway_mfe.tf` - module call com mfe-user deployment
- `environments/dev/terraform.ci.tfvars` - `enable_api_gateway_mfe = true`
- `modules/network/main.tf` - subnet `sbn-api-gateway` (10.110.192.0/20, condicional via `enable_api_gateway_subnet`)
### 2. Correcoes de Pipeline
#### S3 Backend - Credenciais desabilitadas
**Builds #5960, #5961**: Erro `UserDisabled` no backend S3.
- **Causa**: Customer Secret Key do `william.dias` estava desabilitada
- **Fix**: Criado novo Customer Secret Key para `danilo.duarte` via OCI CLI
- **Variable Group `oci-terraform` (ID 34)**: Atualizado `TF_STATE_ACCESS_KEY` e `TF_STATE_SECRET_KEY`
#### Propagacao de chave
**Build #5962**: Erro `SignatureDoesNotMatch` (chave ainda propagando). Resolvido aguardando ~2 min.
#### Bastion boot volume
**Build #5963**: Erro no apply - boot volume do bastion (47GB < 50GB minimo OCI).
- **Fix**: Adicionado `boot_volume_size_in_gbs = 50` em `source_details` do `oci_core_instance.bastion`
#### Sucesso
**Build #5964**: Todas as stages passaram (Bootstrap, DEV Plan, DEV Apply).
### 3. Recursos Provisionados
| Recurso | Valor |
|---------|-------|
| API Gateway | `api-gateway-mfe-dev` |
| OCID | `ocid1.apigateway.oc1.sa-saopaulo-1.amaaaaaasks3yliabdiquogy2pqyohas4wjopizv2xzgzrclmsvsh4x7ewea` |
| IP | 10.110.198.250 |
| Hostname | `guhal72tzyekzchzamhhi3lvgi.apigateway.sa-saopaulo-1.oci.customer-oci.com` |
| VCN | vcn-oke (10.110.0.0/16) |
| Subnet | sbn-api-gateway (10.110.192.0/20) |
| Deployment | deploy-mfe-user-dev (rotas / e /{path*}) |
### 4. VCN Peering (DRG)
O LB `Test_Crivo_Dev` esta na VCN-Shared (10.8.0.0/16), API Gateway na vcn-oke dev (10.110.0.0/16).
**Acoes realizadas:**
```bash
# 1. DRG Attachment criado
oci network drg-attachment create \
--drg-id "ocid1.drg.oc1.sa-saopaulo-1.aaaaaaaazuiluiavm3zcrzelqs2f3k3sdy3fka5yytwjua37a2ksn446deza" \
--display-name "ATT-VCN-OKE-DEV" \
--vcn-id "ocid1.vcn.oc1.sa-saopaulo-1.amaaaaaasks3yliapqrmikfzagpgqohuzjqik3hx63w7r2uajiqv5krvxkda"
# OCID: ocid1.drgattachment.oc1.sa-saopaulo-1.aaaaaaaaszldmalgmlnbfab7x7g2v336u64iwfvaiddbf7tea2dekso44kza
# State: ATTACHED
# 2. Route table rt-api-gateway atualizada
# Adicionada rota: 10.8.0.0/16 -> DRG (para retorno do trafego)
# 3. Security list sl-api-gateway atualizada
# Adicionadas regras ingress:
# 10.8.0.0/16 TCP 443 (LB VCN-Shared -> API GW HTTPS)
# 10.8.0.0/16 TCP 80 (LB VCN-Shared -> API GW HTTP)
```
**Nota**: RT-LB-SHARED (VCN-Shared) ja tinha rota `0.0.0.0/0 -> DRG`, portanto nao foi necessario alterar.
### 5. Load Balancer Test_Crivo_Dev
Configuracao adicionada (sem alterar regras existentes do Crivo):
```bash
# Backend set criado
bs-mfe-user-dev -> 10.110.198.250:443 (health check HTTP:443/)
# Routing policy crivo_routes - regra adicionada
mfe_user_dev: host == mfe-user-dev.invista.com.br -> bs-mfe-user-dev
```
**Configuracao final do LB:**
| Backend Set | Backends | Routing Rule |
|-------------|----------|-------------|
| Dev_Crivo_BS_80 | 10.4.0.116:80 | crivo-dev.invista.com.br |
| Dev_Crivo_BS_84 | 10.4.0.116:84 | crivo-dev-adm.invista.com.br |
| bs-mfe-user-dev | 10.110.198.250:443 | mfe-user-dev.invista.com.br |
### 6. Pendencias
- [ ] **DNS Cloudflare**: Criar registro `mfe-user-dev.invista.com.br` - sem acesso ao Cloudflare que gerencia `invista.com.br`
- [ ] **Terraform state**: O DRG attachment, route table e security list foram criados via CLI (fora do Terraform). Considerar importar ou adicionar ao Terraform para manter consistencia.
### Fluxo completo (quando DNS estiver configurado)
```
Browser -> Cloudflare (mfe-user-dev.invista.com.br)
-> LB Test_Crivo_Dev (10.8.4.127, VCN-Shared)
-> DRG-Invista-Shared (ATT-VCN-OKE-DEV)
-> API Gateway MFE (10.110.198.250, vcn-oke dev)
-> Object Storage (nexus-mfe-user-development bucket)
-> index.html / assets Angular SPA
```
---
## 2026-02-18 - Conexao Cluster OCI OKE e Troubleshooting
### Contexto
@ -276,4 +396,4 @@ C:\dev\
---
*Documento atualizado em: 2026-02-18*
*Documento atualizado em: 2026-02-23*