department-of-veterans-affairs · madebydna · Jan 21, 2025 · Jan 31, 2025 · Feb 7, 2025 · Feb 7, 2025
@@ -607,7 +607,7 @@ app/uploaders/form1010cg @department-of-veterans-affairs/vfs-10-10 @department-o
 app/uploaders/form1010cg/poa_uploader.rb @department-of-veterans-affairs/vfs-10-10 @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 app/uploaders/form_upload @department-of-veterans-affairs/platform-va-product-forms @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 app/uploaders/hca_attachment_uploader.rb @department-of-veterans-affairs/vfs-authenticated-experience-backend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
-app/uploaders/lighthouse_document_uploader_base.rb @department-of-veterans-affairs/benefits-management-tools-be @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group @department-of-veterans-affairs/benefits-admin 
+app/uploaders/lighthouse_document_uploader_base.rb @department-of-veterans-affairs/benefits-management-tools-be @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group @department-of-veterans-affairs/benefits-admin
 app/uploaders/lighthouse_document_uploader.rb @department-of-veterans-affairs/benefits-management-tools-be @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group @department-of-veterans-affairs/benefits-admin
 app/uploaders/preneed_attachment_uploader.rb @department-of-veterans-affairs/mbs-core-team @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 app/uploaders/set_aws_config.rb @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
@@ -657,6 +657,7 @@ app/sidekiq/hca @department-of-veterans-affairs/vfs-10-10 @department-of-veteran
 app/sidekiq/identity @department-of-veterans-affairs/octo-identity
 app/sidekiq/income_limits @department-of-veterans-affairs/vfs-public-websites-frontend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 app/sidekiq/in_progress_form_cleaner.rb @department-of-veterans-affairs/vfs-authenticated-experience-backend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
+app/sidekiq/kafka @department-of-veterans-affairs/ves-submission-traceability @department-of-veterans-affairs/backend-review-group
 app/sidekiq/kms_key_rotation @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 app/sidekiq/lighthouse @department-of-veterans-affairs/backend-review-group
 app/sidekiq/lighthouse/submit_career_counseling_job.rb @department-of-veterans-affairs/my-education-benefits @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
@@ -947,6 +948,7 @@ lib/ihub @department-of-veterans-affairs/va-api-engineers @department-of-veteran
 lib/income_and_assets @department-of-veterans-affairs/pension-and-burials @department-of-veterans-affairs/backend-review-group
 lib/json_marshal @department-of-veterans-affairs/vsa-healthcare-health-quest-1-backend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 lib/json_schema @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
+lib/kafka @department-of-veterans-affairs/ves-submission-traceability @department-of-veterans-affairs/backend-review-group
 lib/lgy @department-of-veterans-affairs/benefits-non-disability @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 lib/lgy/configuration.rb @department-of-veterans-affairs/benefits-non-disability @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 lib/lgy/service.rb @department-of-veterans-affairs/benefits-non-disability @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
@@ -1367,6 +1369,7 @@ spec/fixtures/supplemental_claims @department-of-veterans-affairs/benefits-decis
 spec/fixtures/va_profile @department-of-veterans-affairs/vfs-authenticated-experience-backend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/fixtures/vba_documents @department-of-veterans-affairs/lighthouse-banana-peels @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/fixtures/vbms @department-of-veterans-affairs/benefits-dependents-management @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
+spec/lib/kafka @department-of-veterans-affairs/ves-submission-traceability @department-of-veterans-affairs/backend-review-group
 spec/lib/vye @department-of-veterans-affairs/backend-review-group @department-of-veterans-affairs/govcio-vfep-codereviewers
 spec/sidekiq/account_login_statistics_job_spec.rb @department-of-veterans-affairs/octo-identity
 spec/sidekiq/benefits_intake_status_job_spec.rb @department-of-veterans-affairs/platform-va-product-forms @department-of-veterans-affairs/Disability-Experience @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group

@@ -45,6 +45,8 @@ gem 'aasm'
 gem 'activerecord-import'
 gem 'activerecord-postgis-adapter'
 gem 'addressable'
+gem 'avro'
+gem 'aws-msk-iam-sasl-signer', '~> 0.1.1'
 gem 'aws-sdk-kms'
 gem 'aws-sdk-s3', '~> 1'
 gem 'aws-sdk-sns', '~> 1'
@@ -163,6 +165,7 @@ gem 'utf8-cleaner'
 gem 'vets_json_schema', git: 'https://github.com/department-of-veterans-affairs/vets-json-schema', branch: 'master'
 gem 'virtus'
 gem 'warden-github'
+gem 'waterdrop'
 gem 'will_paginate'
 gem 'with_advisory_lock'
 

@@ -138,7 +138,7 @@ GEM
       gserver
       sidekiq (>= 7.3.7, < 8)
       sidekiq-pro (>= 7.3.4, < 8)
-    sidekiq-pro (7.3.5)
+    sidekiq-pro (7.3.6)
       sidekiq (>= 7.3.7, < 8)
 
 GEM
@@ -235,16 +235,24 @@ GEM
       fiddle
     ast (2.4.2)
     attr_extras (7.1.0)
+    avro (1.12.0)
+      multi_json (~> 1.0)
     awesome_print (1.9.2)
     aws-eventstream (1.3.0)
-    aws-partitions (1.1048.0)
-    aws-sdk-core (3.218.1)
+    aws-msk-iam-sasl-signer (0.1.1)
+      aws-sdk-kafka
+      thor
+    aws-partitions (1.1039.0)
+    aws-sdk-core (3.216.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
       base64
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.98.0)
+    aws-sdk-kafka (1.89.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-kms (1.97.0)
       aws-sdk-core (~> 3, >= 3.216.0)
       aws-sigv4 (~> 1.5)
     aws-sdk-s3 (1.180.0)
@@ -619,6 +627,13 @@ GEM
     jwe (0.4.0)
     jwt (2.10.1)
       base64
+    karafka-core (2.4.8)
+      karafka-rdkafka (>= 0.17.6, < 0.19.0)
+      logger (>= 1.6.0)
+    karafka-rdkafka (0.18.1)
+      ffi (~> 1.15)
+      mini_portile2 (~> 2.6)
+      rake (> 12)
     kms_encrypted (1.6.0)
       activesupport (>= 6.1)
     kramdown (2.4.0)
@@ -1108,6 +1123,10 @@ GEM
       addressable
       faraday (>= 1.9, < 3)
       nokogiri (>= 1.13.9)
+    waterdrop (2.8.1)
+      karafka-core (>= 2.4.3, < 3.0.0)
+      karafka-rdkafka (>= 0.17.5)
+      zeitwerk (~> 2.3)
     web-console (4.2.1)
       actionview (>= 6.0.0)
       activemodel (>= 6.0.0)
@@ -1158,8 +1177,10 @@ DEPENDENCIES
   appeals_api!
   apps_api!
   ask_va_api!
+  avro
   avs!
   awesome_print
+  aws-msk-iam-sasl-signer (~> 0.1.1)
   aws-sdk-kms
   aws-sdk-s3 (~> 1)
   aws-sdk-sns (~> 1)
@@ -1349,6 +1370,7 @@ DEPENDENCIES
   virtus
   vye!
   warden-github
+  waterdrop
   web-console
   webmock
   webrick

diff --git a/app/sidekiq/kafka/example_job.rb b/app/sidekiq/kafka/example_job.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'kafka/avro_producer'
+module Kafka
+  class ExampleJob
+    include Sidekiq::Job
+    # Errors that might occur during the job execution are usually not retryable,
+    # though we might want to experiment with this in practice
+    sidekiq_options retry: false
+
+    def perform(topic, payload)
+      Kafka::AvroProducer.new.produce(topic, payload)
+    end
+  end
+end
@@ -2039,6 +2039,9 @@ features:
   virtual_agent_enable_datadog_logging:
     actor_type: user
     description: If enabled, allows for the use of Datadog logging for the chatbot
+  kafka_producer:
+    actor_type: cookie_id
+    description: Enables the Kafka producer for the VA.gov platform
   show_about_yellow_ribbon_program:
     actor_type: user
     description: If enabled, show additional info about the yellow ribbon program
@@ -49,6 +49,10 @@
     config.death_handlers << lambda do |job, ex|
       Rails.logger.error "#{job['class']} #{job['jid']} died with error #{ex.message}."
     end
+
+    config.on(:shutdown) do
+      Kafka::ProducerManager.instance.producer&.close
+    end
   end
 
   Sidekiq.configure_client do |config|

@@ -12,3 +12,7 @@
   SemanticLogger.reopen
   ActiveRecord::Base.establish_connection
 end
+
+on_worker_shutdown do
+  Kafka::ProducerManager.instance.producer&.close
+end
@@ -645,6 +645,11 @@ ivc_forms:
   sidekiq:
     missing_form_status_job:
       enabled: true
+kafka_producer:
+  aws_region: "us-gov-west-1"
+  aws_role_arn: <%= ENV['KAFKA_PRODUCER__AWS_ROLE_ARN'] %>
+  broker_urls: <%= ENV['KAFKA_PRODUCER__BROKER_URLS'] %>
+  schema_registry_url: <%= ENV['KAFKA_PRODUCER__SCHEMA_REGISTRY_URL'] %>
 kms_key_id: <%= ENV['kms_key_id'] %>
 lgy:
   api_key: <%= ENV['lgy__api_key'] %>

@@ -645,6 +645,11 @@ ivc_forms:
   sidekiq:
     missing_form_status_job:
       enabled: true
+kafka_producer:
+  aws_region: "us-gov-west-1"
+  aws_role_arn: "arn:aws:iam::123456789012:role/role-name" # this is an example
+  broker_urls: ["localhost:19092"] # for local Kafka cluster in Docker
+  schema_registry_url: "http://localhost:8081" # for local Schema Registry in Docker
 kms_key_id: ~
 lgy:
   api_key: ~

@@ -1,4 +1,3 @@
----
 acc_rep_management:
   prefill: true
 account:
@@ -640,6 +639,11 @@ ivc_forms:
   sidekiq:
     missing_form_status_job:
       enabled: true
+kafka_producer:
+  aws_region: "us-gov-west-1"
+  aws_role_arn: 'arn:aws:iam::123456789012:role/role-name' # this is an example
+  broker_urls: ['localhost:19092'] # for local Kafka cluster in Docker
+  schema_registry_url: 'http://localhost:8081' # for local Schema Registry in Docker
 kms_key_id: ~
 lgy:
   api_key: fake_api_key

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'avro'
+require 'kafka/producer_manager'
+
+module Kafka
+  class AvroProducer
+    attr_reader :producer
+
+    def initialize(producer: nil)
+      @producer = producer || Kafka::ProducerManager.instance.producer
+    end
+
+    def produce(topic, payload, schema_version: 1)
+      schema = get_schema(topic, schema_version)
+      encoded_payload = encode_payload(schema, payload)
+      producer.produce_sync(topic:, payload: encoded_payload)
+    rescue => e
+      # https://karafka.io/docs/WaterDrop-Error-Handling/
+      # Errors are rescued and re-raised to demonstrate the types of errors that can occur
+      log_error(e, topic)
+      raise
+    end
+
+    private
+
+    def get_schema(topic, schema_version)
+      schema_path = Rails.root.join('lib', 'kafka', 'schemas', "#{topic}-value-#{schema_version}.avsc")
+      Avro::Schema.parse(File.read(schema_path))
+    end
+
+    def encode_payload(schema, payload)
+      validate_payload!(schema, payload)
+
+      datum_writer = Avro::IO::DatumWriter.new(schema)
+      buffer = StringIO.new
+      encoder = Avro::IO::BinaryEncoder.new(buffer)
+      datum_writer.write(payload, encoder)
+      avro_payload = buffer.string
+
+      # Add magic byte and schema ID to the payload
+      magic_byte = [0].pack('C')
+      # NOTE: This is a placeholder schema ID. In a real-world scenario, this should be fetched from a schema registry
+      # ID = 5 is the Event Bus schema ID for test schema, replace this with the actual schema ID when running locally
+      schema_id_bytes = [5].pack('N') # should be schema id
+      magic_byte + schema_id_bytes + avro_payload
+    end
+
+    def validate_payload!(schema, payload)
+      Avro::SchemaValidator.validate!(schema, payload)
+    end
+
+    def log_error(error, topic)
+      case error
+      when Avro::SchemaValidator::ValidationError
+        Rails.logger.error "Schema validation error: #{error}"
+      when WaterDrop::Errors::MessageInvalidError
+        Rails.logger.error "Message is invalid: #{error}"
+      when WaterDrop::Errors::ProduceError
+        Rails.logger.error 'Producer error. See the logs for more information. ' \
+                           'This dispatch will not reach Kafka'
+      else
+        Rails.logger.error 'An unexpected error occurred while producing a message to ' \
+                           "#{topic}. Please check the logs for more information. " \
+                           'This dispatch will not reach Kafka'
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'aws_msk_iam_sasl_signer'
+
+module Kafka
+  class OauthTokenRefresher
+    # Refresh OAuth tokens when required by the WaterDrop connection lifecycle
+    def on_oauthbearer_token_refresh(event)
+      signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: Settings.kafka_producer.region)
+      token = signer.generate_auth_token_from_role_arn(
+        role_arn: Settings.kafka_producer.role_arn
+      )
+
+      if token
+        event[:bearer].oauthbearer_set_token(
+          token: token.token,
+          lifetime_ms: token.expiration_time_ms,
+          principal_name: 'kafka-cluster'
+        )
+      else
+        event[:bearer].oauthbearer_set_token_failure(
+          token.failure_reason
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'singleton'
+require 'waterdrop'
+require 'kafka/oauth_token_refresher'
+
+module Kafka
+  class ProducerManager
+    include Singleton
+
+    attr_reader :producer
+
+    def initialize
+      setup_producer if Flipper.enabled?(:kafka_producer)
+    end
+
+    private
+
+    def setup_producer
+      @producer = WaterDrop::Producer.new do |config|
+        config.deliver = true
+        config.kafka = {
+          'bootstrap.servers': Settings.kafka_producer.broker_urls.join(','),
+          'request.required.acks': 1,
+          'message.timeout.ms': 100
+        }
+        config.logger = Rails.logger
+        config.client_class = if Rails.env.test?
+                                WaterDrop::Clients::Buffered
+                              else
+                                WaterDrop::Clients::Rdkafka
+                              end
+
+        # Authentication to MSK via IAM OauthBearer token
+        # Once we're ready to test connection to the Event Bus, this should be uncommented
+        config.oauth.token_provider_listener = Kafka::OauthTokenRefresher.new unless Rails.env.test?
+      end
+      setup_instrumentation
+    end
+
+    def setup_instrumentation
+      producer.monitor.subscribe('error.occurred') do |event|
+        producer_id = event[:producer_id]
+        case event[:type]
+        when 'librdkafka.dispatch_error'
+          Rails.logger.error(
+            "Waterdrop [#{producer_id}]: Message with label: #{event[:delivery_report].label} failed to be delivered"
+          )
+        else
+          Rails.logger.error "Waterdrop [#{producer_id}]: #{event[:type]} occurred"
+        end
+      end
+
+      producer.monitor.subscribe('message.acknowledged') do |event|
+        producer_id = event[:producer_id]
+        offset = event[:offset]
+
+        Rails.logger.info "WaterDrop [#{producer_id}] delivered message with offset: #{offset}"
+      end
+    end
+  end
+end
@@ -0,0 +1,12 @@
+{
+  "type": "record",
+  "name": "TestRecord",
+  "namespace": "gov.va.eventbus.test.data",
+  "fields": [
+    {
+      "name": "data",
+      "type": { "type": "map", "values": "string" },
+      "default": {}
+    }
+  ]
+}