Locking; add Terraform config for DynamoDB table

gorilla-co · May 19, 2021 · d88e82a · d88e82a
1 parent 27d5d5f
commit d88e82a
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,8 @@ and this project adheres to [PEP 440](https://www.python.org/dev/peps/pep-0440/)
 
 ### Added
 
-- `--lock-indexes` option to lock index objects in S3 using a DynamoDB table.
+- Terraform config for an optional DynamoDB table used for distributed locking.
+- `--lock-indexes` option to lock index objects in S3 using said DynamoDB table.
 - `--put-root-index` option to write a root index that lists all package names.
 
 ### Changed

diff --git a/README.md b/README.md
@@ -49,6 +49,13 @@ your domain, with a matching (wildcard) certificate in [AWS Certificate
 Manager]. If your certificate is a wildcard certificate, add
 `use_wildcard_certificate = true` to `config.auto.tfvars`.
 
+#### Distributed locking with DynamoDB
+
+To ensure that concurrent invocations of `s3pypi` do not overwrite each other's
+changes, the objects in S3 can be locked via an optional DynamoDB table (using
+the `--lock-indexes` option). To create this table, add `enable_dynamodb_locking
+= true` to `config.auto.tfvars`.
+
 #### Basic authentication
 
 To enable basic authentication, add `enable_basic_auth = true` to
@@ -94,6 +101,7 @@ module "s3pypi" {
   domain = "pypi.example.com"
 
   use_wildcard_certificate = true
+  enable_dynamodb_locking  = true
   enable_basic_auth        = true
 
   providers = {

diff --git a/terraform/modules/s3pypi/main.tf b/terraform/modules/s3pypi/main.tf
@@ -14,6 +14,12 @@ variable "use_wildcard_certificate" {
   description = "Use a wildcard certificate (*.example.com)"
 }
 
+variable "enable_dynamodb_locking" {
+  type        = bool
+  default     = false
+  description = "Create a DynamoDB table for locking"
+}
+
 variable "enable_basic_auth" {
   type        = bool
   default     = false
@@ -143,6 +149,19 @@ data "aws_iam_policy_document" "s3_policy" {
   }
 }
 
+resource "aws_dynamodb_table" "locks" {
+  count = var.enable_dynamodb_locking ? 1 : 0
+
+  name         = var.bucket
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "LockID"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+}
+
 module "basic_auth" {
   count = var.enable_basic_auth ? 1 : 0