Sourcegraph Accounts infrastructure operations

This document describes operational guidance for Sourcegraph Accounts infrastructure. This service is operated on the Managed Services Platform (MSP).

If you need assistance with MSP infrastructure, reach out to the Core Services team in #discuss-core-services.

Service overview

Property: Details
Service ID: sourcegraph-accounts (specification)
Owners: core-services
Service kind: Cloud Run service
Environments: dev, prod
Docker image: us-central1-docker.pkg.dev/sourcegraph-dev/sourcegraph-accounts/accounts-server
Source code: github.com/sourcegraph/sourcegraph-accounts - cmd/accounts-server

Operators cheat sheet

Get email domain stats

For Google sign-in abuse protection.

$ curl -s \
    -H "Authorization: Bearer $MANAGEMENT_SECRET" \
    https://accounts.sourcegraph.com/api/management/v1/email-domain-stats | jq

Create a new IdP client

$ curl -s -X POST \
    -H "Authorization: Bearer $MANAGEMENT_SECRET" \
    https://accounts.sourcegraph.com/api/management/v1/identity-provider/clients \
    --data '{"name": "<SERVICE NAME>", "scopes": ["<SCOPE>"], "redirect_uris": ["<REDIRECT_URI>"]}' | jq

Add new scope to an IdP client

Connect to the “accounts” database and append the scope to the client's JSON scope list:

UPDATE idp_clients
SET scopes = scopes || '["<SCOPE>"]'::jsonb
WHERE id = '<CLIENT_ID>';
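The plain append above adds the scope even if the client already has it, and gives no feedback on what the client ends up with. The following is an added example (not from the Sourcegraph Accounts repository) that does the same update idempotently inside a transaction and shows the resulting scope list before committing. It assumes only what the page shows: an idp_clients table with a text id and a jsonb scopes array.

```sql
BEGIN;

-- Show the client's current scopes before touching anything.
SELECT id, name, scopes
FROM idp_clients
WHERE id = '<CLIENT_ID>';

-- Append the scope only if it is not already a top-level element of the
-- scopes array (jsonb "?" tests for a top-level string element), so rerunning
-- this statement never produces duplicate entries.
UPDATE idp_clients
SET scopes = scopes || '["<SCOPE>"]'::jsonb
WHERE id = '<CLIENT_ID>'
  AND NOT (scopes ? '<SCOPE>');

-- Confirm the new scope list. Expect exactly one row, with <SCOPE> present
-- once; if zero rows come back, the <CLIENT_ID> placeholder was wrong.
SELECT id, name, scopes
FROM idp_clients
WHERE id = '<CLIENT_ID>';

-- Replace COMMIT with ROLLBACK if the result is not what was intended.
COMMIT;
```

Run this through the write-access connection described under the PostgreSQL instance sections; the read-only connection will reject the UPDATE.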

Assign SSC admin role

  1. Connect to the “accounts” database.
  2. Get the user ID via email:

    SELECT user_id FROM emails WHERE email = '<EMAIL>';

  3. Insert metadata for ssc:

    INSERT INTO user_metadata (created_at, updated_at, user_id, scope, metadata)
    VALUES (now(), now(), <USER_ID>, 'ssc', '{ "roles": ["admin"] }');
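Copying a user ID by hand between steps 2 and 3 is where this procedure most easily goes wrong (a typo grants admin to a different account). The following is an added example, not from the Sourcegraph Accounts repository, that performs the same role assignment as one transaction: it resolves the email to a user ID inside the INSERT, refuses to add a second ssc row for the same user, and shows the result before committing. It assumes the emails(user_id, email) and user_metadata(created_at, updated_at, user_id, scope, metadata) columns shown on the page and nothing else about the schema.

```sql
BEGIN;

-- Check whether the user already has ssc metadata. If a row comes back,
-- stop here and update that row instead of inserting a second one.
SELECT m.user_id, m.scope, m.metadata
FROM user_metadata m
JOIN emails e ON e.user_id = m.user_id
WHERE e.email = '<EMAIL>' AND m.scope = 'ssc';

-- Insert the admin role for the user who owns <EMAIL>. The user ID is taken
-- from the emails table directly, so it is never transcribed manually.
-- The NOT EXISTS guard makes the statement a no-op if ssc metadata exists.
INSERT INTO user_metadata (created_at, updated_at, user_id, scope, metadata)
SELECT now(), now(), e.user_id, 'ssc', '{ "roles": ["admin"] }'
FROM emails e
WHERE e.email = '<EMAIL>'
  AND NOT EXISTS (
    SELECT 1 FROM user_metadata m
    WHERE m.user_id = e.user_id AND m.scope = 'ssc'
  );

-- Verify: expect exactly one row showing the admin role for this email.
-- Zero rows means the email was not found or the guard above skipped it.
SELECT e.email, m.user_id, m.scope, m.metadata
FROM user_metadata m
JOIN emails e ON e.user_id = m.user_id
WHERE e.email = '<EMAIL>' AND m.scope = 'ssc';

-- Replace COMMIT with ROLLBACK if the verification row is not as expected.
COMMIT;
```

Because the role is granted from a single email lookup, an unmatched email simply inserts nothing rather than granting admin to whatever ID happened to be pasted.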

Rollouts

Property: Details
Delivery pipeline: sourcegraph-accounts-us-central1-rollout
Stages: dev -> prod

Changes to Sourcegraph Accounts are continuously delivered to the first stage (dev) of the delivery pipeline.

Promotion of a release to the next stage in the pipeline must be done manually using the GCP Delivery pipeline UI.

Environments

dev

Property: Details
Project ID: sourcegraph-accounts-dev-csvc
Category: test
Deployment type: rollout
Resources: dev Redis, dev PostgreSQL instance, dev BigQuery dataset
Slack notifications: #alerts-sourcegraph-accounts-dev
Alerts: GCP monitoring
Errors: Sentry sourcegraph-accounts-dev
Domain: accounts.sgdev.org
Cloudflare WAF

MSP infrastructure access needs to be requested using Entitle for time-bound privileges. Test environments may have less stringent requirements.

For Terraform Cloud access, see dev Terraform Cloud.

dev Cloud Run

The Sourcegraph Accounts dev service implementation is deployed on Google Cloud Run.

Property: Details
Console: Cloud Run service
Service logs: GCP logging
Service traces: Cloud Trace
Service errors: Sentry sourcegraph-accounts-dev

You can also use sg msp to quickly open a link to your service logs:

sg msp logs sourcegraph-accounts dev

dev Redis

Property: Details
Console: Memorystore Redis instances

dev PostgreSQL instance

Property: Details
Console: Cloud SQL instances
Databases: accounts

To connect to the PostgreSQL instance in this environment, use sg msp in the sourcegraph/managed-services repository:

# For read-only access
sg msp pg connect sourcegraph-accounts dev

# For write access - use with caution!
sg msp pg connect -write-access sourcegraph-accounts dev

dev BigQuery dataset

Property: Details
Dataset Project: sourcegraph-accounts-dev-csvc
Dataset ID: sourcegraph_accounts
Tables: user_emails, events

dev Terraform Cloud

This service’s configuration is defined in sourcegraph/managed-services/services/sourcegraph-accounts/service.yaml, and sg msp generate sourcegraph-accounts dev generates the required infrastructure configuration for this environment in Terraform. Terraform Cloud (TFC) workspaces specific to each service then provision the required infrastructure from this configuration. Check your service environment’s TFC workspaces if a Terraform apply fails (failures are reported via GitHub commit status checks in the sourcegraph/managed-services repository, or in #alerts-msp-tfc).

To access this environment’s Terraform Cloud workspaces, you will need to log in to Terraform Cloud and then request Entitle access to membership in the “Managed Services Platform Operator” TFC team. The “Managed Services Platform Operator” team has access to all MSP TFC workspaces.

The Terraform Cloud workspaces for this service environment are grouped under the msp-sourcegraph-accounts-dev tag, or you can use:

sg msp tfc view sourcegraph-accounts dev

prod

Property: Details
Project ID: sourcegraph-accounts-prod-csvc
Category: external
Deployment type: rollout
Resources: prod Redis, prod PostgreSQL instance, prod BigQuery dataset
Slack notifications: #alerts-sourcegraph-accounts-prod
Alerts: GCP monitoring
Errors: Sentry sourcegraph-accounts-prod
Domain: accounts.sourcegraph.com
Cloudflare WAF

MSP infrastructure access needs to be requested using Entitle for time-bound privileges.

For Terraform Cloud access, see prod Terraform Cloud.

prod Cloud Run

The Sourcegraph Accounts prod service implementation is deployed on Google Cloud Run.

Property: Details
Console: Cloud Run service
Service logs: GCP logging
Service traces: Cloud Trace
Service errors: Sentry sourcegraph-accounts-prod

You can also use sg msp to quickly open a link to your service logs:

sg msp logs sourcegraph-accounts prod

prod Redis

Property: Details
Console: Memorystore Redis instances

prod PostgreSQL instance

Property: Details
Console: Cloud SQL instances
Databases: accounts

To connect to the PostgreSQL instance in this environment, use sg msp in the sourcegraph/managed-services repository:

# For read-only access
sg msp pg connect sourcegraph-accounts prod

# For write access - use with caution!
sg msp pg connect -write-access sourcegraph-accounts prod

prod BigQuery dataset

Property: Details
Dataset Project: sourcegraph-accounts-prod-csvc
Dataset ID: sourcegraph_accounts
Tables: user_emails, events

prod Terraform Cloud

This service’s configuration is defined in sourcegraph/managed-services/services/sourcegraph-accounts/service.yaml, and sg msp generate sourcegraph-accounts prod generates the required infrastructure configuration for this environment in Terraform. Terraform Cloud (TFC) workspaces specific to each service then provision the required infrastructure from this configuration. Check your service environment’s TFC workspaces if a Terraform apply fails (failures are reported via GitHub commit status checks in the sourcegraph/managed-services repository, or in #alerts-msp-tfc).

To access this environment’s Terraform Cloud workspaces, you will need to log in to Terraform Cloud and then request Entitle access to membership in the “Managed Services Platform Operator” TFC team. The “Managed Services Platform Operator” team has access to all MSP TFC workspaces.

The Terraform Cloud workspaces for this service environment are grouped under the msp-sourcegraph-accounts-prod tag, or you can use:

sg msp tfc view sourcegraph-accounts prod