Migration of the infrastructure
Intro
This year, we've taken significant steps to upgrade our infrastructure and API, aiming to enhance security, performance, and scalability. This post outlines our journey from adopting new security measures like the X-Apollo-Operation-Name header to a complete re-architecture with Terraform, shedding light on the decisions driving our progress.
BREAKING Changes to the API
New X-Apollo-Operation-Name Header Requirement
To make our API more secure, we’re asking for a specific header, X-Apollo-Operation-Name, in some requests. This is needed for requests using a GET method or uploading files directly to the API.
You can learn why and how on this documentation page at Apollo GraphQL Docs.
Setting Up Rate Limits
To prevent overuse, we've limited your requests to our API to 3000 every 5 minutes. This number is double what we usually see, so it should work well for most situations. This is a hard limit, but if you think you need more, please get in touch. We're here to help if you need more.
See the Limits page for more information.
Removal of old Endpoint
Due to upcoming infrastructure changes, we will no longer support the old endpoint, web.memomeister.com/v2/graphql. The endpoint pointed to the same version of the graphql API as the official endpoint api.memomeister.com, which we introduced about 1.5 years ago.
Please ensure that you are using the latest endpoint and not using outdated software or application versions that still use the old endpoint. This includes, for example, older and deprecated versions (before v2.36, the current version is v2.55) of the mobile application. Once the old endpoint is removed, these versions will no longer work.
The exact sunset date for the old endpoint has not yet been set, but our current estimate is within the next 2-3 months.
More Changes to the API
Changes to the File Uploads
Instead of uploading files directly to the API, we now support uploading files to S3. This means you can now implement resumeable file uploads. This is done by creating an upload transaction; you can get a pre-signed URL to upload the file there. After the file is uploaded, you can finish the transaction by creating a document as usual. For more information, please see our documentation on creating documents.
Company Account Level API Daily Quota
From 01.05.2024, you can see how many Requests your Account made daily, reset every day at 00:00 UTC, on the API Key Page. This enables you to possibly change your API usage to avoid hitting your quota.
The enforcement of this quota will not start before 01.06.2024. If you are over the quota, you will get an HTTP 429. The default quota is set to 10000 (10k) requests per day. This value should be enough for most use cases. If you need more requests, please contact us, and we will see how we can help you.
Admins can see all the API keys of the company account.
As we introduce account-level quotas, we also introduce the possibility for Admins to see all the Company Account API Keys from all users. This enables you to see which API Key is used, how much, and if you need to change the usage of the API Key. This is only available for Admins of the Company Account.
In addition, we added an indicator to those API keys that were not used in the past 90 days to help you clean up your API Keys. We don't recommend keeping unused API Keys around for too long.
Further Changes to the Rest of the System
These are now mostly changes that do not affect you directly or the API. But it might still be interesting for you to know what we were doing the past few months.
Switched from Solr to Opensearch
After 2.5 years of utilizing Solr for our search infrastructure, we strategically moved to AWS Managed OpenSearch. This transition was primarily driven by the desire to reduce the management overhead associated with self-hosted Solr solutions, including routine tasks such as backups, updates, and schema modifications. Additionally, the need to revise our index/schema to accommodate new features in the pipeline played a crucial role in this decision.
An unexpected yet welcome boost came in the form of funding from AWS for a Proof of Concept (PoC), which you can read more about in the TecRacer Success Story. This support validated our direction and provided the necessary resources to ensure a smooth transition.
Now, OpenSearch powers the filter tab on our web application, reflecting a significant upgrade in how we manage and deploy search capabilities. This shift isn't just about operational efficiency; it's about creating a more scalable, flexible search infrastructure that can evolve with our application's needs.
Rearchitected Infrastructure & completely in Terraform
Last year, we embarked on a comprehensive audit of our infrastructure alongside TecRacer, revealing numerous areas for improvement. Before the audit, our approach to infrastructure management was manual, exclusively utilizing the AWS Console. This made scaling efforts cumbersome and introduced significant overhead in managing and deploying services.
The audit's findings prompted us to conceptualize a new infrastructure model, prioritizing best practices in our design. By September 2023, we initiated a ground-up rearchitecture of our infrastructure using Terraform. This strategic shift began with deploying a new OAuth-based authentication system in November 2023, marking our first step towards a more scalable, automated, and secure infrastructure.
A notable change was replacing Traefik with AWS Application Load Balancer (ALB) to enhance simplicity and ensure high availability. Furthermore, we migrated all our services to Docker and Amazon ECS, streamlining deployment and management processes. This migration has significantly reduced operational complexity and improved our deployment workflow, which is now fully automated through CI/CD pipelines.
The culmination of these efforts is an infrastructure that scales more efficiently and accelerates our feature development cycle, enhancing both security and reliability. This transition embodies our commitment to adopting best practices and leveraging modern tooling to build a robust foundation for our future growth.
Added security.txt to most domains
We’ve just rolled out security.txt across most domains—including our web apps, APIs, and more. It’s part of our ongoing effort to ramp up security and streamline how you can report any issues you spot.
The security.txt makes it easy for anyone who notices a security issue to contact us directly. The file includes details like how to contact us securely and information about our encryption keys.
We’re excited about this because it boosts our transparency and commitment to security. If you ever discover something that doesn’t look right, please don’t hesitate to use the info in security.txt to let us know. Your help is invaluable in keeping our services safe and secure.