Document egress proxy and sandbox environment within deploying.md

This commit is contained in:
Ryan Ahearn
2022-11-08 16:26:59 -05:00
parent 82847d3f71
commit 2e6deb1556

View File

@@ -20,3 +20,42 @@ Configurations for these are located in [the `deploy-config` folder](../deploy-c
In the event that a deployment includes a Terraform change, that change will run before any code is deployed to the environment. Each environment has its own Terraform GitHub Action to handle that change.
Failures in any of these GitHub workflows will be surfaced in the Pull Request related to the code change, and in the case of `checks.yml` actively prevent the PR from being merged. Failure in the Terraform workflow will not actively prevent the PR from being merged, but reviewers should not approve a PR with a failing terraform plan.
## Egress Proxy
The API app runs in a [restricted egress space](https://cloud.gov/docs/management/space-egress/).
This allows direct communication to cloud.gov-brokered services, but
not to other APIs that we require.
As part of the deploy, we create an
[egress proxy application](https://github.com/GSA/cg-egress-proxy) that allows traffic out of our
application to a select list of allowed domains.
Update the allowed domains by updating `deploy-config/egress_proxy/notify-api-<env>.allow.acl`
and deploying an updated version of the application throught he normal deploy process.
## Sandbox environment
There is a sandbox space, complete with terraform and `deploy-config/sandbox.yml` file available
for experimenting with infrastructure changes without going through the full CI/CD cycle each time.
Rules for use:
1. Ensure that no other developer is using the environment, as there is nothing stopping changes from overwriting each other.
1. Clean up services you create when you are done. `terraform destroy` from within the `terraform/sandbox` directory should do it.
### Deploying to the sandbox
1. Set up services:
```
$ cd terraform/sandbox
$ ../create_service_account.sh -s notify-sandbox -u <your-name>-terraform -m > secrets.auto.tfvars
$ terraform init
$ terraform plan
$ terraform apply
```
1. start a pipenv shell as a shortcut to load `.env` file variables: `$ pipenv shell`
1. Deploy the application:
```
cf push --vars-file deploy-config/sandbox.yml --var AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID --var AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
```