Merge pull request #37 from GNS-Science/deploy-test

Promote DEPLOY-TEST to PROD

new THS 1.4.2 (Parquet) removes DynamoDB dependency

Author: chrisbc

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.3.1
+current_version = 0.4.0
 commit = True
 tag = False
 

.env.tests

@@ -1,2 +1,3 @@
-DATASET_AGGR_ENABLED=FALSE
-DATASET_AGGR_URI=
+THS_DATASET_AGGR_ENABLED=FALSE
+THS_DATASET_AGGR_URI=
+THS_DATASET_GRIDDED_URI=

.github/workflows/deploy-to-aws.yaml

@@ -10,12 +10,35 @@ on:
   workflow_dispatch:
 
 jobs:
+  verify-aws-account:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Verify target AWS account
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "AWS Account ID: $ACCOUNT_ID"
+          EXPECTED_ACCOUNT="461564345538"
+          if [ "$ACCOUNT_ID" != "$EXPECTED_ACCOUNT" ]; then
+            echo "::error::Deploying to wrong AWS account: $ACCOUNT_ID (expected $EXPECTED_ACCOUNT)"
+            exit 1
+          fi
+          echo "✓ Verified correct AWS account"
+  
   call-test-workflow:
     uses: ./.github/workflows/dev.yml
     secrets: inherit
 
   call-deploy-workflow:
-    needs: call-test-workflow
+    needs: 
+      - verify-aws-account
+      - call-test-workflow
     uses: GNS-Science/nshm-github-actions/.github/workflows/deploy-to-aws.yml@main
     with:
       python-version: '3.12'

.github/workflows/release.yml

@@ -121,3 +121,15 @@ ENV/
 
 # mkdocs build dir
 site/
+
+# LLM session files (ephemeral)
+.llm/.session
+
+# Yarn Berry cache
+.yarn/
+
+# Local config
+.safety-project.ini
+
+# Old/archived files
+.github/old_policy.json

.gitignore

@@ -0,0 +1,5 @@
+{"timestamp":"2026-02-24T11:30:00Z","session_start":"2026-02-23T00:00:00Z","project_name":"nshm-hazard-graphql-api","project_root":"nshm-hazard-graphql-api","model":"glm-5:cloud","tool":"opencode","duration_min":90,"tokens_in":85000,"tokens_out":25000,"commits":["5057d4c"],"files":{"read":["nshm_hazard_graphql_api/schema/toshi_hazard/gridded_hazard.py","tests/conftest.py","tests/test_gridded_hazard.py","tests/test_gridded_hazard_with_nulls.py","tests/test_gridded_hazard_fix_issue_79.py","tests/test_gridded_hazard_helpers.py","tests/test_hazard_curve_migration.py"],"created":["tests/fixtures/gridded_hazard/DS/"],"modified":["nshm_hazard_graphql_api/schema/toshi_hazard/gridded_hazard.py","tests/conftest.py","tests/test_gridded_hazard.py","tests/test_gridded_hazard_with_nulls.py","tests/test_gridded_hazard_fix_issue_79.py","tests/test_gridded_hazard_helpers.py","tests/test_hazard_curve_migration.py"]},"summary":"Update gridded_hazard for THS 1.4.0: replaced deprecated get_one_gridded_hazard with get_gridded_hazard, updated model attributes (aggr, accel_levels), refactored tests from unittest to pytest style with parquet fixtures","user_notes":"new THS library version"}
+{"timestamp":"2026-02-25T21:04:56Z","session_start":"2026-02-25T20:22:11Z","project_name":"nshm-hazard-graphql-api","project_root":"nshm-hazard-graphql-api","model":"claude-sonnet-4-6","tool":"opencode","duration_min":43,"tokens_in":0,"tokens_out":0,"commits":["732d6d5","67fb25a","bda10e9"],"files":{"read":["package.json","serverless.yml","pyproject.toml",".env",".env.tests","DEVELOPMENT.md","setup.cfg"],"created":["CLAUDE.md",".yarnrc.yml"],"modified":["DEVELOPMENT.md","serverless.yml",".env.tests","setup.cfg"]},"summary":"Fixed Yarn Berry PnP issue for serverless-wsgi local dev; corrected THS env var names (DATASET_AGGR_ENABLED->THS_DATASET_AGGR_ENABLED); added THS_DATASET_GRIDDED_URI; updated DEVELOPMENT.md with full config reference; removed redundant tox build env","user_notes":"fix env variable, and docs, and remove redundant tox step (build). Tested with graphql locally."}
+{"timestamp":"2026-03-02T00:15:00Z","session_start":"2026-03-02T00:00:00Z","project_name":"nshm-hazard-graphql-api","project_root":"nshm-hazard-graphql-api","model":"claude-sonnet-4","tool":"claude-code","duration_min":15,"tokens_in":8500,"tokens_out":1800,"commits":[],"files":{"read":["CHANGELOG.md",".llm/.session"],"created":[],"modified":["CHANGELOG.md"]},"summary":"Updated CHANGELOG.md with version 0.4.0 entry for THS 1.4.2 upgrade and configuration changes","user_notes":"complete missing changelog, memory config"}
+{"timestamp":"2026-03-02T00:20:00Z","session_start":"2026-03-02T00:00:00Z","project_name":"nshm-hazard-graphql-api","project_root":"nshm-hazard-graphql-api","model":"claude-sonnet-4","tool":"claude-code","duration_min":20,"tokens_in":9000,"tokens_out":2000,"commits":[],"files":{"read":[],"created":[],"modified":[]},"summary":"Session completed; CHANGELOG.md updated for v0.4.0","user_notes":"that was done"}
+{"timestamp":"2026-03-02T00:55:00Z","session_start":"2026-03-02T00:25:00Z","project_name":"nshm-hazard-graphql-api","project_root":"nshm-hazard-graphql-api","model":"claude-sonnet-4","tool":"claude-code","duration_min":30,"tokens_in":28000,"tokens_out":7500,"commits":[],"files":{"read":["serverless.yml",".github/workflows/dev.yml",".github/workflows/release.yml",".github/old_policy.json",".llm/.session"],"created":["AWS_GHOST_ACCOUNT_DEPLOYMENT_ISSUE.md"],"modified":[]},"summary":"Investigated AWS ghost account deployment issue. Analyzed serverless.yml and CI/CD workflows. Documented how AWS credentials work, possible causes, and fix options (restore credentials vs migrate to OIDC). Created AWS_GHOST_ACCOUNT_DEPLOYMENT_ISSUE.md with full analysis and recommendations.","user_notes":"diagnose AWS ghost account issue"}

.llm/log.jsonl

@@ -0,0 +1 @@
+nodeLinker: node-modules

.yarnrc.yml

@@ -0,0 +1,220 @@
+# AWS Ghost Account Deployment Issue
+
+## Summary
+
+The nshm-hazard-graphql-api service was deployed to an unintended AWS account (a recently created account) instead of the expected account `461564345538`.
+
+**Root cause (confirmed)**: A default AWS Provider configured via the Serverless Dashboard Web UI was pointing at the wrong AWS account. The Serverless Framework CLI used this Provider's credentials in preference to the GitHub Actions secrets, silently deploying to the wrong account. The GitHub secrets themselves were never changed or rotated incorrectly.
+
+## Background
+
+### Deployment Configuration
+
+- **Framework**: Serverless Framework v4
+- **CI/CD**: GitHub Actions using reusable workflows from `GNS-Science/nshm-github-actions`
+- **Target Account**: `461564345538` (referenced in serverless.yml IAM policies for DynamoDB, S3, ECR access)
+- **Authentication**: GitHub Secrets (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+
+### GitHub Secrets
+
+| Secret | Purpose | Age |
+|--------|---------|-----|
+| `AWS_ACCESS_KEY_ID` | AWS authentication | ~3 years |
+| `AWS_SECRET_ACCESS_KEY` | AWS authentication | ~3 years |
+| `SERVERLESS_ACCESS_KEY` | Serverless Framework Dashboard metrics | 3 years |
+
+## Analysis
+
+### How AWS Credentials Work
+
+AWS access keys are **tied to exactly one AWS account**. When keys are created, they are generated within a specific AWS account and can only authenticate to that account. Therefore:
+
+- If deployment landed in a different account, **the credentials must belong to that account**
+- Credentials cannot "accidentally" authenticate to a different account
+
+### Possible Causes
+
+1. **Silent Credential Rotation**
+   - The GitHub secrets may have been updated with credentials from the new account
+   - This could have happened during key rotation without clear documentation
+
+2. **Key Regeneration in Wrong Account**
+   - During a scheduled key rotation, new keys were created in the new account
+   - The old keys from `461564345538` were deactivated or deleted
+
+3. **Multiple Maintainers**
+   - Another team member may have updated secrets without communication
+
+### What We Know
+
+- GitHub secrets have existed for ~3 years (claimed)
+- Deployment landed in a recently created AWS account
+- The service was expected to deploy to account `461564345538`
+- No explicit OIDC configuration exists in this repository (using static access keys)
+
+## Diagnostic Steps
+
+To confirm which account the current GitHub secrets belong to:
+
+```bash
+# Run locally or in GitHub Actions:
+AWS_ACCESS_KEY_ID=<secret_value> \
+AWS_SECRET_ACCESS_KEY=<secret_value> \
+aws sts get-caller-identity
+```
+
+Expected output:
+```json
+{
+  "UserId": "AIDAI...",
+  "Account": "123456789012",  // <-- This will reveal the actual account
+  "Arn": "arn:aws:iam::123456789012:user/..."
+}
+```
+
+## Fix Options
+
+### Option A: Restore Credentials from Target Account
+
+**Quick fix using existing access key pattern.**
+
+#### Steps
+
+1. Log into AWS Account `461564345538` (expected target)
+2. Navigate to IAM → Users → Find the deployment user
+3. Create new access keys if needed, or locate existing active keys
+4. Update GitHub repository secrets:
+   - `AWS_ACCESS_KEY_ID` → new key ID from account `461564345538`
+   - `AWS_SECRET_ACCESS_KEY` → new secret from account `461564345538`
+5. Re-run deployment workflow
+6. Verify deployment lands in correct account
+
+#### Pros
+- Quick to implement
+- No infrastructure changes required
+- Familiar pattern for team
+
+#### Cons
+- Long-lived credentials remain a security risk
+- Keys can be leaked via logs, code, or credential exposure
+- Requires periodic rotation
+- No audit trail for which GitHub workflow used credentials
+
+---
+
+### Option B: Migrate to OIDC Authentication (Recommended)
+
+**Secure, credential-less authentication using GitHub OIDC.**
+
+#### Steps
+
+1. **Create IAM OIDC Provider in Account `461564345538`**
+   ```bash
+   # If not already exists
+   aws iam create-open-id-connect-provider \
+     --url https://token.actions.githubusercontent.com \
+     --client-id-list sts.amazonaws.com \
+     --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1
+   ```
+
+2. **Create IAM Role for GitHub Actions**
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "Federated": "arn:aws:iam::461564345538:oidc-provider/token.actions.githubusercontent.com"
+         },
+         "Action": "sts:AssumeRoleWithWebIdentity",
+         "Condition": {
+           "StringEquals": {
+             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+           },
+           "StringLike": {
+             "token.actions.githubusercontent.com:sub": "repo:GNS-Science/nshm-hazard-graphql-api:*"
+           }
+         }
+       }
+     ]
+   }
+   ```
+
+3. **Attach Required Policies to the Role**
+   - Include all permissions from `.github/old_policy.json`
+   - Include Serverless Framework deployment permissions
+
+4. **Update GitHub Secrets**
+   - Remove `AWS_ACCESS_KEY_ID`
+   - Remove `AWS_SECRET_ACCESS_KEY`
+   - Add `AWS_ROLE_ARN` = `arn:aws:iam::461564345538:role/GitHubActionsDeployRole`
+
+5. **Update Reusable Workflow** (in `nshm-github-actions` repository)
+   ```yaml
+   - name: Configure AWS credentials
+     uses: aws-actions/configure-aws-credentials@v4
+     with:
+       role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+       aws-region: us-east-1
+   ```
+
+6. **Test and Deploy**
+   - Re-run workflow
+   - Verify deployment lands in correct account
+
+#### Pros
+- No long-lived credentials in GitHub
+- Automatic credential expiration (1 hour tokens)
+- Fine-grained access control per repository/branch
+- Full audit trail in AWS CloudTrail
+- Cannot be leaked via code or logs
+
+#### Cons
+- More complex initial setup
+- Requires changes to shared workflow repository
+- May need coordination with other teams using the reusable workflow
+
+---
+
+### Option C: Verify and Rotate Existing Keys
+
+**If credentials haven't changed, verify they're correct.**
+
+#### Steps
+
+1. Run diagnostic command to identify account for current secrets
+2. If secrets belong to wrong account → proceed to Option A
+3. If secrets belong to correct account → investigate other causes:
+   - Serverless Framework Dashboard settings
+   - `--stage` or `--region` overrides
+   - Multiple CloudFormation stacks with similar names
+
+## Recommendation
+
+1. **Immediate**: Run diagnostic to confirm which account the secrets belong to
+2. **Short-term**: If wrong account, restore correct credentials (Option A)
+3. **Long-term**: Migrate to OIDC (Option B) to prevent future credential-related issues
+
+## Prevention Measures
+
+- Add deployment account verification step to CI/CD workflow:
+  ```yaml
+  - name: Verify target account
+    run: |
+      ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+      if [ "$ACCOUNT_ID" != "461564345538" ]; then
+        echo "ERROR: Deploying to wrong account: $ACCOUNT_ID"
+        exit 1
+      fi
+  ```
+
+- Document credential ownership and rotation schedule
+- Consider migrating all repositories to OIDC for consistency
+
+## References
+
+- [GitHub Actions OIDC with AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+- [Serverless Framework AWS Credentials](https://www.serverless.com/framework/docs/providers/aws/guide/credentials)
+- `.github/old_policy.json` - IAM policy for deployment permissions
+- `serverless.yml:110-111` - DynamoDB references to account `461564345538`

AWS_GHOST_ACCOUNT_DEPLOYMENT_ISSUE.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.4.0] - 2026-03-02
+
+### Changed
+- Update to toshi-hazard-store 1.4.2 with new gridded API (replaces deprecated get_one_gridded_hazard)
+- Rename DATASET_AGGR_* env vars to THS_DATASET_AGGR_* for consistency
+- Add THS_DATASET_GRIDDED_URI configuration
+- Refactor tests from unittest to pytest with parquet fixtures
+- Remove mock-based testing in favor of fixture data
+
+### Added
+- .yarnrc.yml with node-modules linker (fixes serverless-wsgi local dev)
+- CLAUDE.md for AI assistant context
+- LLM session logging to .llm/log.jsonl
+
+### Removed
+- tox build environment (not needed for serverless deployment)
+- test_gridded_hazard_moto.py (no longer needed)
+
 ## [0.3.1] - 2025-11-25
 
 ### Changed