From 9e428a6c478ba7d5b7acf0ed2a71726c94bccf4c Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Fri, 2 Jan 2026 13:57:33 +0000
Subject: [PATCH 1/2] Add ooniapi citizenlab service to load balancer

---
 tf/modules/ooniapi_frontend/main.tf      | 22 ++++++++++++++++++++++
 tf/modules/ooniapi_frontend/variables.tf |  4 ++++
 2 files changed, 26 insertions(+)

diff --git a/tf/modules/ooniapi_frontend/main.tf b/tf/modules/ooniapi_frontend/main.tf
index 93de70fc..aa308b87 100644
--- a/tf/modules/ooniapi_frontend/main.tf
+++ b/tf/modules/ooniapi_frontend/main.tf
@@ -457,3 +457,25 @@ resource "aws_lb_listener_rule" "ooniapi_oonimeasurements_rule_2" {
     }
   }
 }
+
+resource "aws_lb_listener_rule" "ooniapi_citizenlab_rule" {
+  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+  priority     = 143
+
+  action {
+    type             = "forward"
+    target_group_arn = var.ooniapi_citizenlab_target_group_arn
+  }
+  condition {
+    path_pattern {
+      values = [
+        "/api/_/url-submission/test-list/*",
+        "/api/_/url-priorities/list",
+        "/api/_/url-priorities/update",
+        "/api/v1/url-submission/submit",
+        "/api/v1/url-submission/update-url",
+        "/api/",
+      ]
+    }
+  }
+}
diff --git a/tf/modules/ooniapi_frontend/variables.tf b/tf/modules/ooniapi_frontend/variables.tf
index d4ec3dd0..2c676694 100644
--- a/tf/modules/ooniapi_frontend/variables.tf
+++ b/tf/modules/ooniapi_frontend/variables.tf
@@ -37,6 +37,10 @@ variable "ooniapi_oonimeasurements_target_group_arn" {
   default     = null
 }
 
+variable "ooniapi_citizenlab_target_group_arn" {
+  description = "arn for the target group of the citizenlab service"
+}
+
 variable "dns_zone_ooni_io" {
   description = "id of the DNS zone for ooni_io"
 }

From 34fdc902c3a5f6867b8d0750db39190ac47b9921 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Mon, 19 Jan 2026 12:27:46 +0100
Subject: [PATCH 2/2] Add Citizenlab service to dev environment

---
 tf/environments/dev/main.tf | 68 +++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index a57442a0..5c015b1c 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -1086,6 +1086,74 @@ module "ooniapi_oonimeasurements" {
   )
 }
 
+### Tier2 Citizenlab service
+
+module "ooniapi_citizenlab_deployer" {
+  source = "../../modules/ooniapi_service_deployer"
+
+  service_name            = "citizenlab"
+  repo                    = "ooni/backend"
+  branch_name             = "master"
+  trigger_path            = "ooniapi/services/citizenlab/**"
+  buildspec_path          = "ooniapi/services/citizenlab/buildspec.yml"
+  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
+
+  codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
+
+  ecs_service_name = module.ooniapi_citizenlab.ecs_service_name
+  ecs_cluster_name = module.oonitier1plus_cluster.cluster_name
+}
+
+module "ooniapi_citizenlab" {
+  source = "../../modules/ooniapi_service"
+
+  task_memory = 256
+
+  first_run = true
+  vpc_id    = module.network.vpc_id
+
+  service_name             = "citizenlab"
+  default_docker_image_url = "ooni/api-citizenlab:latest"
+  stage                    = local.environment
+  dns_zone_ooni_io         = local.dns_zone_ooni_io
+  key_name                 = module.adm_iam_roles.oonidevops_key_name
+  ecs_cluster_id           = module.oonitier1plus_cluster.cluster_id
+
+  task_secrets = {
+    POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
+    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
+    PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
+    CLICKHOUSE_URL              = data.aws_ssm_parameter.clickhouse_readonly_test_url.arn
+  }
+
+  task_environment = {
+    # it has to be a json-compliant array
+    OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475", "https://backend-hel.ooni.org"])
+    BASE_URL         = "https://api.${local.environment}.ooni.io"
+    S3_BUCKET_NAME   = "ooni-data-eu-fra-test"
+  }
+
+  ooniapi_service_security_groups = [
+    module.oonitier1plus_cluster.web_security_group_id
+  ]
+
+  use_autoscaling = true
+  service_desired_count = 1
+  max_desired_count = 8
+  autoscale_policies = [
+    {
+      name = "memory"
+      resource_type = "memory"
+      scaleout_treshold = 60
+    }
+  ]
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier2-citizenlab" }
+  )
+}
+
 #### OONI Tier0 API Frontend
 
 module "ooniapi_frontend" {