Configure egress proxy for new relic integration

.github/actions/deploy-proxy/action.yml

@@ -0,0 +1,42 @@
+name: Deploy egress proxy
+description: Set egress space security groups and deploy proxy
+inputs:
+  cf_space:
+    description: The space the target app exists in.
+    required: true
+  app:
+    description: application name to be proxied.
+    required: true
+  proxy_repo:
+    description: git repo for cg-egress-proxy
+    default: https://github.com/GSA/cg-egress-proxy.git
+  proxy_version:
+    description: git ref to be deployed
+    default: main
+runs:
+  using: composite
+  steps:
+    - name: Set restricted space egress
+      shell: bash
+      run: ./terraform/set_space_egress.sh -t -s ${{ inputs.cf_space }}
+    - name: Set public space egress
+      shell: bash
+      run: ./terraform/set_space_egress.sh -p -s ${{ inputs.cf_space }}-egress
+    - name: Create temp directory
+      shell: bash
+      id: create-temp-dir
+      run: echo "path=$(mktemp -d -t egress-XXXXXXXXXX --tmpdir=$RUNNER_TEMP)" >> $GITHUB_OUTPUT
+    - name: Clone cg-egress-proxy
+      shell: bash
+      run: git clone ${{ inputs.proxy_repo }} ${{ steps.create-temp-dir.outputs.path }}
+    - name: Switch to deploy ref
+      shell: bash
+      working-directory: ${{ steps.create-temp-dir.outputs.path }}
+      run: git checkout ${{ inputs.proxy_version }}
+    - name: Copy config files
+      shell: bash
+      run: cp ./deploy-config/egress_proxy/${{ inputs.app }}.*.acl ${{ steps.create-temp-dir.outputs.path }}
+    - name: Build and deploy proxy
+      shell: bash
+      working-directory: ${{ steps.create-temp-dir.outputs.path }}
+      run: make && ./bin/cf-deployproxy -a ${{ inputs.app }} -p egress-proxy -e egress_proxy

.github/workflows/deploy-demo.yml

@@ -53,6 +53,7 @@ jobs:
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
           REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
         with:
           cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
           cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -69,3 +70,19 @@ jobs:
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var BASIC_AUTH_USERNAME="curiousabout"
             --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+
+      - name: Check for changes to egress config
+        id: changed-egress-config
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            deploy-config/egress_proxy/notify-admin-demo.*.acl
+            .github/actions/deploy-proxy/action.yml
+            .github/workflows/deploy-demo.yml
+      - name: Deploy egress proxy
+        if: steps.changed-egress-config.outputs.any_changed == 'true'
+        uses: ./.github/actions/deploy-proxy
+        with:
+          cf_space: notify-demo
+          app: notify-admin-demo

.github/workflows/deploy.yml

@@ -58,6 +58,7 @@ jobs:
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
           REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
         with:
           cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
           cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -74,6 +75,22 @@ jobs:
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var BASIC_AUTH_USERNAME="curiousabout"
             --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+
+      - name: Check for changes to egress config
+        id: changed-egress-config
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            deploy-config/egress_proxy/notify-admin-staging.*.acl
+            .github/actions/deploy-proxy/action.yml
+            .github/workflows/deploy.yml
+      - name: Deploy egress proxy
+        if: steps.changed-egress-config.outputs.any_changed == 'true'
+        uses: ./.github/actions/deploy-proxy
+        with:
+          cf_space: notify-staging
+          app: notify-admin-staging
 
   bail:
     runs-on: ubuntu-latest

.profile

@@ -0,0 +1,6 @@
+##
+# Cloud Foundry app initialization script
+# https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile
+##
+
+export NEW_RELIC_PROXY_HOST=$egress_proxy

deploy-config/egress_proxy/notify-admin-demo.allow.acl

@@ -0,0 +1 @@
+gov-collector.newrelic.com

deploy-config/egress_proxy/notify-admin-staging.allow.acl

@@ -0,0 +1 @@
+gov-collector.newrelic.com

deploy-config/egress_proxy/notify-admin-staging.deploy.acl

@@ -0,0 +1 @@
+Update this file to force a re-deploy of the egress proxy even when notify-admin-staging.<allow|deny>.acl haven't changed

manifest.yml

@@ -23,6 +23,9 @@ applications:
       NOTIFY_LOG_LEVEL: INFO
       FLASK_APP: application.py
       FLASK_DEBUG: "false"
+      NEW_RELIC_CONFIG_FILE: newrelic.ini
+      NEW_RELIC_ENVIRONMENT: ((env))
+
       REDIS_ENABLED: ((REDIS_ENABLED))
       ADMIN_BASE_URL: https://((public_admin_route))
       API_HOST_NAME: https://notify-api-((env)).apps.internal:61443
@@ -34,6 +37,7 @@ applications:
       SECRET_KEY: ((SECRET_KEY))
       BASIC_AUTH_USERNAME: ((BASIC_AUTH_USERNAME))
       BASIC_AUTH_PASSWORD: ((BASIC_AUTH_PASSWORD))
+      NEW_RELIC_LICENSE_KEY: ((NEW_RELIC_LICENSE_KEY))
 
       AWS_REGION: us-west-2
       AWS_ACCESS_KEY_ID: ((AWS_ACCESS_KEY_ID))