From fb0c3e99d9db7264e69b84194b8867c93b1afb81 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Mon, 23 Jan 2023 10:41:26 -0500
Subject: [PATCH] Configure egress proxy for new relic integration
---
 .github/actions/deploy-proxy/action.yml | 42 +++++++++++++++++++
 .github/workflows/deploy-demo.yml | 17 ++++++++
 .github/workflows/deploy.yml | 17 ++++++++
 .profile | 6 +++
 .../egress_proxy/notify-admin-demo.allow.acl | 1 +
 .../egress_proxy/notify-admin-demo.deny.acl | 0
 .../notify-admin-staging.allow.acl | 1 +
 .../notify-admin-staging.deny.acl | 0
 .../notify-admin-staging.deploy.acl | 1 +
 manifest.yml | 4 ++
 10 files changed, 89 insertions(+)
 create mode 100644 .github/actions/deploy-proxy/action.yml
 create mode 100644 .profile
 create mode 100644 deploy-config/egress_proxy/notify-admin-demo.allow.acl
 create mode 100644 deploy-config/egress_proxy/notify-admin-demo.deny.acl
 create mode 100644 deploy-config/egress_proxy/notify-admin-staging.allow.acl
 create mode 100644 deploy-config/egress_proxy/notify-admin-staging.deny.acl
 create mode 100644 deploy-config/egress_proxy/notify-admin-staging.deploy.acl
diff --git a/.github/actions/deploy-proxy/action.yml b/.github/actions/deploy-proxy/action.yml
new file mode 100644
index 000000000..2c1f4e882
--- /dev/null
+++ b/.github/actions/deploy-proxy/action.yml
@@ -0,0 +1,42 @@
+name: Deploy egress proxy
+description: Set egress space security groups and deploy proxy
+inputs:
+ cf_space:
+ description: The space the target app exists in.
+ required: true
+ app:
+ description: application name to be proxied.
+ required: true
+ proxy_repo:
+ description: git repo for cg-egress-proxy
+ default: https://github.com/GSA/cg-egress-proxy.git
+ proxy_version:
+ description: git ref to be deployed
+ default: main
+runs:
+ using: composite
+ steps:
+ - name: Set restricted space egress
+ shell: bash
+ run: ./terraform/set_space_egress.sh -t -s ${{ inputs.cf_space }}
+ - name: Set public space egress
+ shell: bash
+ run: ./terraform/set_space_egress.sh -p -s ${{ inputs.cf_space }}-egress
+ - name: Create temp directory
+ shell: bash
+ id: create-temp-dir
+ run: echo "path=$(mktemp -d -t egress-XXXXXXXXXX --tmpdir=$RUNNER_TEMP)" >> $GITHUB_OUTPUT
+ - name: Clone cg-egress-proxy
+ shell: bash
+ run: git clone ${{ inputs.proxy_repo }} ${{ steps.create-temp-dir.outputs.path }}
+ - name: Switch to deploy ref
+ shell: bash
+ working-directory: ${{ steps.create-temp-dir.outputs.path }}
+ run: git checkout ${{ inputs.proxy_version }}
+ - name: Copy config files
+ shell: bash
+ run: cp ./deploy-config/egress_proxy/${{ inputs.app }}.*.acl ${{ steps.create-temp-dir.outputs.path }}
+ - name: Build and deploy proxy
+ shell: bash
+ working-directory: ${{ steps.create-temp-dir.outputs.path }}
+ run: make && ./bin/cf-deployproxy -a ${{ inputs.app }} -p egress-proxy -e egress_proxy
diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index 41a15b5e4..1c6ded91e 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
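Review bot: In `.github/actions/deploy-proxy/action.yml`, `proxy_version` defaults to `main`, so the final step runs `make` on and deploys whatever is at the tip of cg-egress-proxy at that moment, in a job that presumably still holds the cloud.gov deploy session. Pin the default to a reviewed commit SHA or release tag, e.g. `default: <reviewed-commit-sha>` (placeholder), and bump it deliberately. Separately, the `run:` lines expand `${{ inputs.* }}` and the step output straight into bash with no quoting. The callers in this commit pass literals, so this is not exploitable as written, but passing the values through `env:` (`PROXY_VERSION: ${{ inputs.proxy_version }}`) and using `git checkout "$PROXY_VERSION"` keeps a future caller from turning an input into shell syntax.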
@@ -53,6 +53,7 @@ jobs:
 ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
 BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
 REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
+ NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -69,3 +70,19 @@ jobs:
 --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
 --var BASIC_AUTH_USERNAME="curiousabout"
 --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+ --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+
+ - name: Check for changes to egress config
+ id: changed-egress-config
+ uses: tj-actions/changed-files@v34
+ with:
+ files: |
+ deploy-config/egress_proxy/notify-admin-demo.*.acl
+ .github/actions/deploy-proxy/action.yml
+ .github/workflows/deploy-demo.yml
+ - name: Deploy egress proxy
+ if: steps.changed-egress-config.outputs.any_changed == 'true'
+ uses: ./.github/actions/deploy-proxy
+ with:
+ cf_space: notify-demo
+ app: notify-admin-demo
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5e46ca1c4..65b814bf6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -58,6 +58,7 @@ jobs:
 ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
 BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
 REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
+ NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
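Review bot: The `Check for changes to egress config` step added in the second deploy-demo.yml hunk, and the identical step in the second deploy.yml hunk, reference `tj-actions/changed-files@v34`, a third-party action by a movable tag. It runs in a job whose earlier step receives the cloud.gov credentials and application secrets. A tag can be re-pointed upstream without any change in this repository, so the code that executes is not fixed by what was reviewed here. Pin both uses to the full commit SHA behind the tag, `uses: tj-actions/changed-files@<full-commit-sha-of-v34> # v34` (placeholder), and let a dependency-update bot propose bumps.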
@@ -74,6 +75,22 @@ jobs: --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" --var BASIC_AUTH_USERNAME="curiousabout" --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD" + --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" + + - name: Check for changes to egress config + id: changed-egress-config + uses: tj-actions/changed-files@v34 + with: + files: | + deploy-config/egress_proxy/notify-admin-staging.*.acl + .github/actions/deploy-proxy/action.yml + .github/workflows/deploy.yml + - name: Deploy egress proxy + if: steps.changed-egress-config.outputs.any_changed == 'true' + uses: ./.github/actions/deploy-proxy + with: + cf_space: notify-staging + app: notify-admin-staging bail: runs-on: ubuntu-latest diff --git a/.profile b/.profile new file mode 100644 index 000000000..6df32fc64 --- /dev/null +++ b/.profile @@ -0,0 +1,6 @@ +## +# Cloud Foundry app initialization script +# https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile +## + +export NEW_RELIC_PROXY_HOST=$egress_proxy diff --git a/deploy-config/egress_proxy/notify-admin-demo.allow.acl b/deploy-config/egress_proxy/notify-admin-demo.allow.acl new file mode 100644 index 000000000..65ae560ac --- /dev/null +++ b/deploy-config/egress_proxy/notify-admin-demo.allow.acl @@ -0,0 +1 @@ +gov-collector.newrelic.com diff --git a/deploy-config/egress_proxy/notify-admin-demo.deny.acl b/deploy-config/egress_proxy/notify-admin-demo.deny.acl new file mode 100644 index 000000000..e69de29bb diff --git a/deploy-config/egress_proxy/notify-admin-staging.allow.acl b/deploy-config/egress_proxy/notify-admin-staging.allow.acl new file mode 100644 index 000000000..65ae560ac --- /dev/null +++ b/deploy-config/egress_proxy/notify-admin-staging.allow.acl @@ -0,0 +1 @@ +gov-collector.newrelic.com diff --git a/deploy-config/egress_proxy/notify-admin-staging.deny.acl b/deploy-config/egress_proxy/notify-admin-staging.deny.acl new file mode 100644 index 000000000..e69de29bb 
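Review bot: In the new `.profile`, `export NEW_RELIC_PROXY_HOST=$egress_proxy` is unquoted and unconditional, so wherever `egress_proxy` is not set the agent is handed an empty proxy setting. That would presumably include any space this commit adds no ACL files for, and any app start before the first proxy deploy. Quoting and guarding it keeps that case explicit: `[ -z "${egress_proxy:-}" ] || export NEW_RELIC_PROXY_HOST="$egress_proxy"`. The value is set by `cf-deployproxy -e egress_proxy` and likely embeds the proxy credentials (to be confirmed against cg-egress-proxy), so this script should never echo it.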
diff --git a/deploy-config/egress_proxy/notify-admin-staging.deploy.acl b/deploy-config/egress_proxy/notify-admin-staging.deploy.acl new file mode 100644 index 000000000..4dd64b327 --- /dev/null +++ b/deploy-config/egress_proxy/notify-admin-staging.deploy.acl @@ -0,0 +1 @@ +Update this file to force a re-deploy of the egress proxy even when notify-admin-staging..acl haven't changed diff --git a/manifest.yml b/manifest.yml index 01ec57a45..f54d4406f 100644 --- a/manifest.yml +++ b/manifest.yml @@ -23,6 +23,9 @@ applications: NOTIFY_LOG_LEVEL: INFO FLASK_APP: application.py FLASK_DEBUG: "false" + NEW_RELIC_CONFIG_FILE: newrelic.ini + NEW_RELIC_ENVIRONMENT: ((env)) + REDIS_ENABLED: ((REDIS_ENABLED)) ADMIN_BASE_URL: https://((public_admin_route)) API_HOST_NAME: https://notify-api-((env)).apps.internal:61443 @@ -34,6 +37,7 @@ applications: SECRET_KEY: ((SECRET_KEY)) BASIC_AUTH_USERNAME: ((BASIC_AUTH_USERNAME)) BASIC_AUTH_PASSWORD: ((BASIC_AUTH_PASSWORD)) + NEW_RELIC_LICENSE_KEY: ((NEW_RELIC_LICENSE_KEY)) AWS_REGION: us-west-2 AWS_ACCESS_KEY_ID: ((AWS_ACCESS_KEY_ID))