From f6cc141f5810f1dde78db02810180d4d7e7b1e5a Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Fri, 28 Apr 2023 16:03:33 -0400 Subject: [PATCH 1/9] Switch cg-egress-proxy back to main branch --- .github/actions/deploy-proxy/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/deploy-proxy/action.yml b/.github/actions/deploy-proxy/action.yml index c07a1c03f..13bdc494f 100644 --- a/.github/actions/deploy-proxy/action.yml +++ b/.github/actions/deploy-proxy/action.yml @@ -12,7 +12,7 @@ inputs: default: https://github.com/GSA-TTS/cg-egress-proxy.git proxy_version: description: git ref to be deployed - default: cflinuxfs4-deploy + default: main runs: using: composite steps: From a46b541cedb4f554650d740b4c00963364a92f1a Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Fri, 28 Apr 2023 17:02:17 -0400 Subject: [PATCH 2/9] Update Run Book added: * info on relationship to SSPP * tables to check for audit logs * how to create and update DNS records for notify.gov --- docs/run-book.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/run-book.md b/docs/run-book.md index 822067977..f93114a99 100644 --- a/docs/run-book.md +++ b/docs/run-book.md @@ -1,12 +1,16 @@ Run Book ======== -Policies and Procedures needed before and during US Notify Operations +Policies and Procedures needed before and during US Notify Operations. Many of these policies are taken from the U.S. Notify System Security & Privacy Plan (SSPP). + +Any changes to policies and procedures defined both here and in the SSPP must be kept in sync, and should be done collaboratively with the System ISSO and ISSM to ensure +that the security of the system is maintained. 1. [Alerts, Notifications, Monitoring](#alerts) 1. [Restaging Apps](#restaging-apps) 1. [Smoke-testing the App](#smoke-testing) 1. [Configuration Management](#cm) +1. [DNS Changes](#dns) 1. [Known Gotchas](#gotcha) 1. [User Account Management](#ac) 1. [SMS Phone Number Management](#phone-numbers) @@ -19,6 +23,12 @@ Operational alerts are posted to the [#pb-notify-alerts](https://gsa-tts.slack.c [Cloud.gov Logging](https://logs.fr.cloud.gov/) is used to view and search application and platform logs. +In addition to the application logs, there are several tables in the application that store useful information for audit logging purposes: + +* `events` +* the various `*_history` tables + + ## Restaging Apps Our apps must be restaged whenever cloud.gov releases updates to buildpacks. Cloud.gov will send email notifications whenever buildpack updates affect a deployed app. @@ -103,6 +113,17 @@ US_Notify Administrators are responsible for ensuring that remediations for vuln * Low - 180 days * Informational - 365 days (depending on the analysis of the issue) +## DNS Changes + +U.S. Notify DNS records are maintained within [the 18f/dns repository](https://github.com/18F/dns/blob/main/terraform/notify.gov.tf). To create new DNS records for notify.gov or any subdomains: + +1. Update the `notify.gov.tf` terraform to update or create the new records within Route53 and push the branch to the 18f/dns repository. +1. Open a PR. +1. Verify that the plan output within circleci creates the records that you expect. +1. Request a PR review from the 18F/tts-tech-portfolio team +1. Once the PR is approved and merged, verify that the apply step happened correctly within [CircleCI](https://app.circleci.com/pipelines/github/18F/dns) + + ## Known Gotchas ### SSB Service Bindings are failing From 240d84b933ae559052fd3dbf42ea747dd4a92aee Mon Sep 17 00:00:00 2001 From: stvnrlly Date: Mon, 1 May 2023 21:40:36 -0400 Subject: [PATCH 3/9] =?UTF-8?q?update=20werkzeug=20&=20flask=20?= =?UTF-8?q?=F0=9F=A4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Pipfile | 6 +- Pipfile.lock | 157 ++++++++++++++++++++++++++------------------------- 2 files changed, 82 insertions(+), 81 deletions(-) diff --git a/Pipfile b/Pipfile index b896c7240..ec6f0f07b 100644 --- a/Pipfile +++ b/Pipfile @@ -15,7 +15,7 @@ bcrypt = "==3.2.2" beautifulsoup4 = "==4.11.1" billiard = "==3.6.4.0" bleach = "==4.1.0" -blinker = "==1.4" +blinker = "~=1.4" boto3 = "==1.23.8" botocore = "==1.26.8" cachetools = "==5.1.0" @@ -35,7 +35,7 @@ dnspython = "==2.2.1" docopt = "==0.6.2" docutils = "==0.16" eventlet = "==0.33.1" -flask = "~=2.2" +flask = "~=2.3" flask-bcrypt = "==1.0.1" flask-marshmallow = "==0.14.0" flask-migrate = "==3.1.0" @@ -54,7 +54,7 @@ psycopg2-binary = "==2.9.3" pyjwt = "==2.4.0" python-dotenv = "==0.20.0" sqlalchemy = "==1.4.40" -werkzeug = "~=2.2" +werkzeug = "~=2.3" # gds metrics packages prometheus-client = "==0.14.1" gds-metrics = {version = "==0.2.4", ref = "6f1840a57b6fb1ee40b7e84f2f18ec229de8aa72", git = "https://github.com/alphagov/gds_metrics_python.git"} diff --git a/Pipfile.lock b/Pipfile.lock index 0f6796610..75008054f 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "f99ef7d5dbcae426e1dc5512454ea13d352b3259524b144c55bf2ae135102215" + "sha256": "7dd2aec17c3f7bb4a1f228c5319258e415ebd4d75be75b86119b8d73addef675" }, "pipfile-spec": 6, "requires": { @@ -115,10 +115,11 @@ }, "blinker": { "hashes": [ - "sha256:471aee25f3992bd325afa3772f1063dbdbbca947a041b8b89466dc00d606f8b6" + "sha256:4afd3de66ef3a9f8067559fb7a1cbe555c17dcbe15971b05d1b625c3e7abe213", + "sha256:c3d739772abb7bc2860abf5f2ec284223d9ad5c76da018234f6f50d6f31ab1f0" ], "index": "pypi", - "version": "==1.4" + "version": "==1.6.2" }, "boto3": { "hashes": [ @@ -349,11 +350,11 @@ }, "flask": { "hashes": [ - "sha256:13f6329ddbfff11340939cd11919daf150a01358ded4b7e81c03c055dfecb559", - "sha256:77504c4c097f56ac5f29b00f9009213010cf9d2923a288c0e0564a5db2bb53d6" + "sha256:77fd4e1249d8c9923de34907236b747ced06e5467ecac1a7bb7115ae0e9670b0", + "sha256:8c2f9abd47a9e8df7f0c3f091ce9497d011dc3b31effcf4c85a6e2b50f4114ef" ], "index": "pypi", - "version": "==2.2.4" + "version": "==2.3.2" }, "flask-bcrypt": { "hashes": [ @@ -828,10 +829,10 @@ }, "phonenumbers": { "hashes": [ - "sha256:421b69fd6d6650372000a6c47ab5b5c5d7b438b33f7b317739e728eff1ec1886", - "sha256:fe071b8324473e72a54b52e602d059c15b999ec9900fff9e42c01b422aeca662" + "sha256:107469114fd297258a485bdf8238d0522cb392db1257faf2bf23384ecbdb0e8a", + "sha256:3e3274d88cab3609b55ff5b93417075dbca2d13064f103fbf562e0ea1dda0f9a" ], - "version": "==8.13.10" + "version": "==8.13.11" }, "prometheus-client": { "hashes": [ @@ -1061,11 +1062,11 @@ }, "requests": { "hashes": [ - "sha256:64299f4909223da747622c030b781c0d7811e359c37124b4bd368fb8c6518baa", - "sha256:98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf" + "sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b", + "sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059" ], - "markers": "python_version >= '3.7' and python_version < '4'", - "version": "==2.28.2" + "markers": "python_version >= '3.7'", + "version": "==2.29.0" }, "rfc3339-validator": { "hashes": [ @@ -1267,11 +1268,11 @@ }, "werkzeug": { "hashes": [ - "sha256:340335057f72974d9281dbaf52c8090a9f9a59ba304ae814bf0656e6559c0020", - "sha256:3b6b46926d052b8ebca97c4dc73c12e47bdd07d57ab0600c039c3155450227bc" + "sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a", + "sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091" ], "index": "pypi", - "version": "==2.3.0" + "version": "==2.3.3" }, "wrapt": { "hashes": [ @@ -1484,60 +1485,60 @@ "toml" ], "hashes": [ - "sha256:06ddd9c0249a0546997fdda5a30fbcb40f23926df0a874a60a8a185bc3a87d93", - "sha256:0743b0035d4b0e32bc1df5de70fba3059662ace5b9a2a86a9f894cfe66569013", - "sha256:0f3736a5d34e091b0a611964c6262fd68ca4363df56185902528f0b75dbb9c1f", - "sha256:1127b16220f7bfb3f1049ed4a62d26d81970a723544e8252db0efde853268e21", - "sha256:172db976ae6327ed4728e2507daf8a4de73c7cc89796483e0a9198fd2e47b462", - "sha256:182eb9ac3f2b4874a1f41b78b87db20b66da6b9cdc32737fbbf4fea0c35b23fc", - "sha256:1bb1e77a9a311346294621be905ea8a2c30d3ad371fc15bb72e98bfcfae532df", - "sha256:1fd78b911aea9cec3b7e1e2622c8018d51c0d2bbcf8faaf53c2497eb114911c1", - "sha256:20d1a2a76bb4eb00e4d36b9699f9b7aba93271c9c29220ad4c6a9581a0320235", - "sha256:21b154aba06df42e4b96fc915512ab39595105f6c483991287021ed95776d934", - "sha256:2c2e58e45fe53fab81f85474e5d4d226eeab0f27b45aa062856c89389da2f0d9", - "sha256:2c3b2803e730dc2797a017335827e9da6da0e84c745ce0f552e66400abdfb9a1", - "sha256:3146b8e16fa60427e03884301bf8209221f5761ac754ee6b267642a2fd354c48", - "sha256:344e714bd0fe921fc72d97404ebbdbf9127bac0ca1ff66d7b79efc143cf7c0c4", - "sha256:387065e420aed3c71b61af7e82c7b6bc1c592f7e3c7a66e9f78dd178699da4fe", - "sha256:3f04becd4fcda03c0160d0da9c8f0c246bc78f2f7af0feea1ec0930e7c93fa4a", - "sha256:4a42e1eff0ca9a7cb7dc9ecda41dfc7cbc17cb1d02117214be0561bd1134772b", - "sha256:4ea748802cc0de4de92ef8244dd84ffd793bd2e7be784cd8394d557a3c751e21", - "sha256:55416d7385774285b6e2a5feca0af9652f7f444a4fa3d29d8ab052fafef9d00d", - "sha256:5d0391fb4cfc171ce40437f67eb050a340fdbd0f9f49d6353a387f1b7f9dd4fa", - "sha256:63cdeaac4ae85a179a8d6bc09b77b564c096250d759eed343a89d91bce8b6367", - "sha256:72fcae5bcac3333a4cf3b8f34eec99cea1187acd55af723bcbd559adfdcb5535", - "sha256:7c4ed4e9f3b123aa403ab424430b426a1992e6f4c8fd3cb56ea520446e04d152", - "sha256:83957d349838a636e768251c7e9979e899a569794b44c3728eaebd11d848e58e", - "sha256:87ecc7c9a1a9f912e306997ffee020297ccb5ea388421fe62a2a02747e4d5539", - "sha256:8f69770f5ca1994cb32c38965e95f57504d3aea96b6c024624fdd5bb1aa494a1", - "sha256:8f6c930fd70d91ddee53194e93029e3ef2aabe26725aa3c2753df057e296b925", - "sha256:965ee3e782c7892befc25575fa171b521d33798132692df428a09efacaffe8d0", - "sha256:974bc90d6f6c1e59ceb1516ab00cf1cdfbb2e555795d49fa9571d611f449bcb2", - "sha256:981b4df72c93e3bc04478153df516d385317628bd9c10be699c93c26ddcca8ab", - "sha256:aa784405f0c640940595fa0f14064d8e84aff0b0f762fa18393e2760a2cf5841", - "sha256:ae7863a1d8db6a014b6f2ff9c1582ab1aad55a6d25bac19710a8df68921b6e30", - "sha256:aeae2aa38395b18106e552833f2a50c27ea0000122bde421c31d11ed7e6f9c91", - "sha256:b2317d5ed777bf5a033e83d4f1389fd4ef045763141d8f10eb09a7035cee774c", - "sha256:be19931a8dcbe6ab464f3339966856996b12a00f9fe53f346ab3be872d03e257", - "sha256:be9824c1c874b73b96288c6d3de793bf7f3a597770205068c6163ea1f326e8b9", - "sha256:c0045f8f23a5fb30b2eb3b8a83664d8dc4fb58faddf8155d7109166adb9f2040", - "sha256:c86bd45d1659b1ae3d0ba1909326b03598affbc9ed71520e0ff8c31a993ad911", - "sha256:ca0f34363e2634deffd390a0fef1aa99168ae9ed2af01af4a1f5865e362f8623", - "sha256:d298c2815fa4891edd9abe5ad6e6cb4207104c7dd9fd13aea3fdebf6f9b91259", - "sha256:d2a3a6146fe9319926e1d477842ca2a63fe99af5ae690b1f5c11e6af074a6b5c", - "sha256:dfd393094cd82ceb9b40df4c77976015a314b267d498268a076e940fe7be6b79", - "sha256:e58c0d41d336569d63d1b113bd573db8363bc4146f39444125b7f8060e4e04f5", - "sha256:ea3f5bc91d7d457da7d48c7a732beaf79d0c8131df3ab278e6bba6297e23c6c4", - "sha256:ea53151d87c52e98133eb8ac78f1206498c015849662ca8dc246255265d9c3c4", - "sha256:eb0edc3ce9760d2f21637766c3aa04822030e7451981ce569a1b3456b7053f22", - "sha256:f649dd53833b495c3ebd04d6eec58479454a1784987af8afb77540d6c1767abd", - "sha256:f760073fcf8f3d6933178d67754f4f2d4e924e321f4bb0dcef0424ca0215eba1", - "sha256:fa546d66639d69aa967bf08156eb8c9d0cd6f6de84be9e8c9819f52ad499c910", - "sha256:fd214917cabdd6f673a29d708574e9fbdb892cb77eb426d0eae3490d95ca7859", - "sha256:fff5aaa6becf2c6a1699ae6a39e2e6fb0672c2d42eca8eb0cafa91cf2e9bd312" + "sha256:0342a28617e63ad15d96dca0f7ae9479a37b7d8a295f749c14f3436ea59fdcb3", + "sha256:066b44897c493e0dcbc9e6a6d9f8bbb6607ef82367cf6810d387c09f0cd4fe9a", + "sha256:10b15394c13544fce02382360cab54e51a9e0fd1bd61ae9ce012c0d1e103c813", + "sha256:12580845917b1e59f8a1c2ffa6af6d0908cb39220f3019e36c110c943dc875b0", + "sha256:156192e5fd3dbbcb11cd777cc469cf010a294f4c736a2b2c891c77618cb1379a", + "sha256:1637253b11a18f453e34013c665d8bf15904c9e3c44fbda34c643fbdc9d452cd", + "sha256:292300f76440651529b8ceec283a9370532f4ecba9ad67d120617021bb5ef139", + "sha256:30dcaf05adfa69c2a7b9f7dfd9f60bc8e36b282d7ed25c308ef9e114de7fc23b", + "sha256:338aa9d9883aaaad53695cb14ccdeb36d4060485bb9388446330bef9c361c252", + "sha256:373ea34dca98f2fdb3e5cb33d83b6d801007a8074f992b80311fc589d3e6b790", + "sha256:38c0a497a000d50491055805313ed83ddba069353d102ece8aef5d11b5faf045", + "sha256:40cc0f91c6cde033da493227797be2826cbf8f388eaa36a0271a97a332bfd7ce", + "sha256:4436cc9ba5414c2c998eaedee5343f49c02ca93b21769c5fdfa4f9d799e84200", + "sha256:509ecd8334c380000d259dc66feb191dd0a93b21f2453faa75f7f9cdcefc0718", + "sha256:5c587f52c81211d4530fa6857884d37f514bcf9453bdeee0ff93eaaf906a5c1b", + "sha256:5f3671662dc4b422b15776cdca89c041a6349b4864a43aa2350b6b0b03bbcc7f", + "sha256:6599bf92f33ab041e36e06d25890afbdf12078aacfe1f1d08c713906e49a3fe5", + "sha256:6e8a95f243d01ba572341c52f89f3acb98a3b6d1d5d830efba86033dd3687ade", + "sha256:706ec567267c96717ab9363904d846ec009a48d5f832140b6ad08aad3791b1f5", + "sha256:780551e47d62095e088f251f5db428473c26db7829884323e56d9c0c3118791a", + "sha256:7ff8f3fb38233035028dbc93715551d81eadc110199e14bbbfa01c5c4a43f8d8", + "sha256:828189fcdda99aae0d6bf718ea766b2e715eabc1868670a0a07bf8404bf58c33", + "sha256:857abe2fa6a4973f8663e039ead8d22215d31db613ace76e4a98f52ec919068e", + "sha256:883123d0bbe1c136f76b56276074b0c79b5817dd4238097ffa64ac67257f4b6c", + "sha256:8877d9b437b35a85c18e3c6499b23674684bf690f5d96c1006a1ef61f9fdf0f3", + "sha256:8e575a59315a91ccd00c7757127f6b2488c2f914096077c745c2f1ba5b8c0969", + "sha256:97072cc90f1009386c8a5b7de9d4fc1a9f91ba5ef2146c55c1f005e7b5c5e068", + "sha256:9a22cbb5ede6fade0482111fa7f01115ff04039795d7092ed0db43522431b4f2", + "sha256:a063aad9f7b4c9f9da7b2550eae0a582ffc7623dca1c925e50c3fbde7a579771", + "sha256:a08c7401d0b24e8c2982f4e307124b671c6736d40d1c39e09d7a8687bddf83ed", + "sha256:a0b273fe6dc655b110e8dc89b8ec7f1a778d78c9fd9b4bda7c384c8906072212", + "sha256:a2b3b05e22a77bb0ae1a3125126a4e08535961c946b62f30985535ed40e26614", + "sha256:a66e055254a26c82aead7ff420d9fa8dc2da10c82679ea850d8feebf11074d88", + "sha256:aa387bd7489f3e1787ff82068b295bcaafbf6f79c3dad3cbc82ef88ce3f48ad3", + "sha256:ae453f655640157d76209f42c62c64c4d4f2c7f97256d3567e3b439bd5c9b06c", + "sha256:b5016e331b75310610c2cf955d9f58a9749943ed5f7b8cfc0bb89c6134ab0a84", + "sha256:b9a4ee55174b04f6af539218f9f8083140f61a46eabcaa4234f3c2a452c4ed11", + "sha256:bd3b4b8175c1db502adf209d06136c000df4d245105c8839e9d0be71c94aefe1", + "sha256:bebea5f5ed41f618797ce3ffb4606c64a5de92e9c3f26d26c2e0aae292f015c1", + "sha256:c10fbc8a64aa0f3ed136b0b086b6b577bc64d67d5581acd7cc129af52654384e", + "sha256:c2c41c1b1866b670573657d584de413df701f482574bad7e28214a2362cb1fd1", + "sha256:cf97ed82ca986e5c637ea286ba2793c85325b30f869bf64d3009ccc1a31ae3fd", + "sha256:d1f25ee9de21a39b3a8516f2c5feb8de248f17da7eead089c2e04aa097936b47", + "sha256:d2fbc2a127e857d2f8898aaabcc34c37771bf78a4d5e17d3e1f5c30cd0cbc62a", + "sha256:dc945064a8783b86fcce9a0a705abd7db2117d95e340df8a4333f00be5efb64c", + "sha256:ddc5a54edb653e9e215f75de377354e2455376f416c4378e1d43b08ec50acc31", + "sha256:e8834e5f17d89e05697c3c043d3e58a8b19682bf365048837383abfe39adaed5", + "sha256:ef9659d1cda9ce9ac9585c045aaa1e59223b143f2407db0eaee0b61a4f266fb6", + "sha256:f6f5cab2d7f0c12f8187a376cc6582c477d2df91d63f75341307fcdcb5d60303", + "sha256:f81c9b4bd8aa747d417407a7f6f0b1469a43b36a85748145e144ac4e8d303cb5", + "sha256:f99ef080288f09ffc687423b8d60978cf3a465d3f404a18d1a05474bd8575a47" ], "markers": "python_version >= '3.7'", - "version": "==7.2.3" + "version": "==7.2.5" }, "cryptography": { "hashes": [ @@ -2074,11 +2075,11 @@ }, "requests": { "hashes": [ - "sha256:64299f4909223da747622c030b781c0d7811e359c37124b4bd368fb8c6518baa", - "sha256:98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf" + "sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b", + "sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059" ], - "markers": "python_version >= '3.7' and python_version < '4'", - "version": "==2.28.2" + "markers": "python_version >= '3.7'", + "version": "==2.29.0" }, "requests-mock": { "hashes": [ @@ -2105,11 +2106,11 @@ }, "rich": { "hashes": [ - "sha256:22b74cae0278fd5086ff44144d3813be1cedc9115bdfabbfefd86400cb88b20a", - "sha256:b5d573e13605423ec80bdd0cd5f8541f7844a0e71a13f74cf454ccb2f490708b" + "sha256:2d11b9b8dd03868f09b4fffadc84a6a8cda574e40dc90821bd845720ebb8e89c", + "sha256:69cdf53799e63f38b95b9bf9c875f8c90e78dd62b2f00c13a911c7a3b9fa4704" ], "markers": "python_full_version >= '3.7.0'", - "version": "==13.3.4" + "version": "==13.3.5" }, "s3transfer": { "hashes": [ @@ -2190,11 +2191,11 @@ }, "werkzeug": { "hashes": [ - "sha256:340335057f72974d9281dbaf52c8090a9f9a59ba304ae814bf0656e6559c0020", - "sha256:3b6b46926d052b8ebca97c4dc73c12e47bdd07d57ab0600c039c3155450227bc" + "sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a", + "sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091" ], "index": "pypi", - "version": "==2.3.0" + "version": "==2.3.3" }, "xmltodict": { "hashes": [ From 881f4794170cdd957bdeaa1ea8aaf181533737d6 Mon Sep 17 00:00:00 2001 From: Steven Reilly Date: Tue, 2 May 2023 10:25:02 -0400 Subject: [PATCH 4/9] Small doc updates (#253) --- README.md | 11 +++++++++++ docs/message-sending-path.md | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 docs/message-sending-path.md diff --git a/README.md b/README.md index 34e367374..9ccbf6f8f 100644 --- a/README.md +++ b/README.md @@ -44,10 +44,15 @@ Our other repositories are: ### Common steps +On MacOS, using [Homebrew](https://brew.sh/) for package management is highly recommended. This helps avoid some known installation issues. + 1. Install pre-requisites for setup: * [jq](https://stedolan.github.io/jq/): `brew install jq` * [terraform](https://www.terraform.io/): `brew install terraform` or `brew install tfenv` and use `tfenv` to install `terraform ~> 1.4.0` * [cf-cli@8](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html): `brew install cloudfoundry/tap/cf-cli@8` + * [postgresql](https://www.postgresql.org/): `brew install postgresql@15` (Homebrew requires a version pin, but any recent version will work) + * [redis](https://redis.io/): `brew install redis` + * [pyenv](https://github.com/pyenv/pyenv): `brew install pyenv` 1. [Log into cloud.gov](https://cloud.gov/docs/getting-started/setup/#set-up-the-command-line): `cf login -a api.fr.cloud.gov --sso` 1. Ensure you have access to the `notify-local-dev` and `notify-staging` spaces in cloud.gov 1. Run the development terraform with: @@ -111,6 +116,12 @@ If you're working in VS Code, you can also leverage Docker for a containerized d NOTE: when you change .env in the future, you'll need to rebuild the devcontainer for the change to take effect. VS Code _should_ detect the change and prompt you with a toast notification during a cached build. If not, you can find a manual rebuild in command pallette or just `docker rm` the notifications-api container. +### Known installation issues + +On M1 Macs, if you get a `fatal error: 'Python.h' file not found` message, try a different method of installing Python. Installation via `pyenv` is known to work. + +A direct installation of PostgreSQL will not put the `createdb` command on your `$PATH`. It can be added there in your shell startup script, or a Homebrew-managed installation of PostgreSQL will take care of it. + ## License && public domain Work through [commit `e604385`](https://github.com/GSA/notifications-api/commit/e604385e0cf4c2ab8c6451b7120ceb196cce21b5) is licensed by the UK government under the MIT license. Work after that commit is in the worldwide public domain. See [LICENSE.md](./LICENSE.md) for more information. diff --git a/docs/message-sending-path.md b/docs/message-sending-path.md new file mode 100644 index 000000000..4d3774756 --- /dev/null +++ b/docs/message-sending-path.md @@ -0,0 +1,15 @@ +# How messages are queued and sent + +There are several ways for notifications to come into the API. + +- Messages sent through the API enter through `app/notifications/post_notifications.py` +- One-off messages sent from the UI enter through `create_one_off_notification` in `app/service/rest.py` +- CSV uploads enter through `app/job/rest.py` + +API messages and one-off UI messages come in one at a time, and take slightly-separate routes +that both end up at `persist_notification`, which writes to the database, and `provider_tasks.deliver_sms`, +which enqueues the sending. + +For CSV uploads, the CSV is first stored in S3 and queued as a `Job`. When the job runs, it iterates +through the rows, running `process_job.save_sms` to send notifications through `persist_notification` and +`provider_tasks.deliver_sms`. From 2a2dfbd0f03422077901c49bbf196710d9eb5d43 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Thu, 4 May 2023 13:00:12 -0400 Subject: [PATCH 5/9] Specify Production in new relic app name --- docs/run-book.md | 2 +- newrelic.ini | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/run-book.md b/docs/run-book.md index f93114a99..db47e8496 100644 --- a/docs/run-book.md +++ b/docs/run-book.md @@ -19,7 +19,7 @@ that the security of the system is maintained. Operational alerts are posted to the [#pb-notify-alerts](https://gsa-tts.slack.com/archives/C04U9BGHUDB) Slack channel. Please join this channel and enable push notifications for all messages whenever you are on call. -[NewRelic](https://one.newrelic.com/) is being used for monitoring the application. +[NewRelic](https://one.newrelic.com/) is being used for monitoring the application. [NewRelic Dashboard](https://onenr.io/08wokrnrvwx) can be filtered by environment and API, Admin, or Both. [Cloud.gov Logging](https://logs.fr.cloud.gov/) is used to view and search application and platform logs. diff --git a/newrelic.ini b/newrelic.ini index 394ae3c1a..5f5fec1e7 100644 --- a/newrelic.ini +++ b/newrelic.ini @@ -216,7 +216,7 @@ app_name = us-notify-api (Demo) monitor_mode = true [newrelic:production] -app_name = us-notify-api +app_name = us-notify-api (Production) monitor_mode = true # --------------------------------------------------------------------------- From 6515c44ca87dc2282a733733f65b0eb4a8a512bd Mon Sep 17 00:00:00 2001 From: Steven Reilly Date: Fri, 5 May 2023 14:11:18 -0400 Subject: [PATCH 6/9] bump pip-audit action to 1.0.6 (#261) --- .github/workflows/checks.yml | 2 +- .github/workflows/daily_checks.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 261d16a61..c6aef0e85 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -75,7 +75,7 @@ jobs: - uses: ./.github/actions/setup-project - name: Create requirements.txt run: pipenv requirements > requirements.txt - - uses: pypa/gh-action-pip-audit@v1.0.4 + - uses: pypa/gh-action-pip-audit@v1.0.6 with: inputs: requirements.txt diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml index beac8fbb7..51e1a381f 100644 --- a/.github/workflows/daily_checks.yml +++ b/.github/workflows/daily_checks.yml @@ -27,7 +27,7 @@ jobs: - uses: ./.github/actions/setup-project - name: Create requirements.txt run: pipenv requirements > requirements.txt - - uses: pypa/gh-action-pip-audit@v1.0.4 + - uses: pypa/gh-action-pip-audit@v1.0.6 with: inputs: requirements.txt From 58ad32b560c29d969ec1aa3069ae76a9c6c63151 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Mon, 8 May 2023 10:47:01 -0400 Subject: [PATCH 7/9] Enable production deploy --- .github/workflows/deploy-prod.yml | 87 +++++++++++++++++++ .github/workflows/terraform-production.yml | 2 +- .../notify-api-production.allow.acl | 4 + .../notify-api-production.deny.acl | 0 .../notify-api-production.deploy.acl | 1 + docs/deploying.md | 9 +- docs/infra-overview.md | 18 ++++ terraform/production/main.tf | 5 +- 8 files changed, 119 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/deploy-prod.yml create mode 100644 deploy-config/egress_proxy/notify-api-production.allow.acl create mode 100644 deploy-config/egress_proxy/notify-api-production.deny.acl create mode 100644 deploy-config/egress_proxy/notify-api-production.deploy.acl diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml new file mode 100644 index 000000000..288064a77 --- /dev/null +++ b/.github/workflows/deploy-prod.yml @@ -0,0 +1,87 @@ +name: Deploy to production environment + +on: + push: + branches: [ production ] + +permissions: + contents: read + +# deploy-prod and deploy-demo will run in parallel now. +# TODO: Research if we want to serialize them +# by moving the jobs into a single file similar to +# https://github.com/GSA/usnotify-ssb/blob/main/.github/workflows/apply.yml +jobs: + deploy: + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 2 + + - name: Check for changes to Terraform + id: changed-terraform-files + uses: tj-actions/changed-files@v34 + with: + files: | + terraform/production + terraform/shared + .github/workflows/deploy-prod.yml + - name: Terraform init + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/production + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + run: terraform init + - name: Terraform apply + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/production + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + run: terraform apply -auto-approve -input=false + + - uses: ./.github/actions/setup-project + - name: Install application dependencies + run: make bootstrap + + - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing + run: pipenv requirements > requirements.txt + + - name: Deploy to cloud.gov + uses: 18f/cg-deploy-action@main + env: + DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} + ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} + NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} + with: + cf_username: ${{ secrets.CLOUDGOV_USERNAME }} + cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + cf_org: gsa-tts-benefits-studio-prototyping + cf_space: notify-production + push_arguments: >- + --vars-file deploy-config/production.yml + --var DANGEROUS_SALT="$DANGEROUS_SALT" + --var SECRET_KEY="$SECRET_KEY" + --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" + --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY" + + - name: Check for changes to egress config + id: changed-egress-config + uses: tj-actions/changed-files@v34 + with: + files: | + deploy-config/egress_proxy/notify-api-production.*.acl + .github/actions/deploy-proxy/action.yml + .github/workflows/deploy-prod.yml + - name: Deploy egress proxy + if: steps.changed-egress-config.outputs.any_changed == 'true' + uses: ./.github/actions/deploy-proxy + with: + cf_space: notify-production + app: notify-api-production diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml index e48000438..afb10dcfb 100644 --- a/.github/workflows/terraform-production.yml +++ b/.github/workflows/terraform-production.yml @@ -2,7 +2,7 @@ name: Run Terraform plan in production on: pull_request: - branches: [ production-disabled-for-now ] + branches: [ production ] paths: [ 'terraform/**' ] defaults: diff --git a/deploy-config/egress_proxy/notify-api-production.allow.acl b/deploy-config/egress_proxy/notify-api-production.allow.acl new file mode 100644 index 000000000..a6e4a2f65 --- /dev/null +++ b/deploy-config/egress_proxy/notify-api-production.allow.acl @@ -0,0 +1,4 @@ +email.us-gov-west-1.amazonaws.com +sns.us-gov-west-1.amazonaws.com +gov-collector.newrelic.com +egress-proxy-notify-api-production.apps.internal diff --git a/deploy-config/egress_proxy/notify-api-production.deny.acl b/deploy-config/egress_proxy/notify-api-production.deny.acl new file mode 100644 index 000000000..e69de29bb diff --git a/deploy-config/egress_proxy/notify-api-production.deploy.acl b/deploy-config/egress_proxy/notify-api-production.deploy.acl new file mode 100644 index 000000000..e5a3a541d --- /dev/null +++ b/deploy-config/egress_proxy/notify-api-production.deploy.acl @@ -0,0 +1 @@ +Update this file to force a re-deploy of the egress proxy even when notify-api-production..acl haven't changed diff --git a/docs/deploying.md b/docs/deploying.md index 2763a57a5..916a5279f 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -1,19 +1,20 @@ # Deploying -We deploy automatically to cloud.gov for demo and staging environments. +We deploy automatically to cloud.gov for production, demo, and staging environments. Deployment to staging runs via the [base deployment action](../.github/workflows/deploy.yml) on GitHub, which pulls credentials from GitHub's secrets store in the staging environment. Deployment to demo runs via the [demo deployment action](../.github/workflows/deploy-demo.yml) on GitHub, which pulls credentials from GitHub's secrets store in the demo environment. +Deployment to production runs via the [production deployment action](../.github/workflows/deploy-prod.yml) on GitHub, which pulls credentials from GitHub's secrets store in the production environment. + The [action that we use](https://github.com/18F/cg-deploy-action) deploys using [a rolling strategy](https://docs.cloudfoundry.org/devguide/deploy-apps/rolling-deploy.html), so all deployments should have zero downtime. -The API has 2 deployment environments: +The API has 3 deployment environments: - Staging, which deploys from `main` - Demo, which deploys from `production` - -In the future, we will add a Production deploy environment, which will deploy in parallel to Demo. +- Production, which deploys from `production` Configurations for these are located in [the `deploy-config` folder](../deploy-config/). diff --git a/docs/infra-overview.md b/docs/infra-overview.md index e7dd0768e..8707f9797 100644 --- a/docs/infra-overview.md +++ b/docs/infra-overview.md @@ -102,6 +102,24 @@ We are using [New Relic](https://one.newrelic.com/nr1-core?account=3389907) for These steps are required for new cloud.gov environments. Local development borrows SES & SNS infrastructure from the `notify-staging` cloud.gov space, so these steps are not required for new developers. +### Steps to do a clean prod deploy to cloud.gov + +Steps for deploying production from scratch. These can be updated for a new cloud.gov environment by subbing out `prod` or `production` for your desired environment within the steps. + +1. Deploy API app + 1. Update `terraform-production.yml` and `deploy-prod.yml` to point to the correct space and git branch. + 1. Ensure that the `domain` module is commented out in `terraform/production/main.tf` + 1. Run CI/CD pipeline on the `production` branch by opening a PR from `main` to `production` + 1. Create any necessary DNS records (check `notify-api-ses-production` service credentials for instructions) within https://github.com/18f/dns + 1. Follow the `Steps to prepare SES` below + 1. (Optional) if using a public API route, uncomment the `domain` module and re-trigger a deploy +1. Deploy Admin app + 1. Update `terraform-production.yml` and `deploy-prod.yml` to point to the correct space and git branch. + 1. Ensure that the `api_network_route` and `domain` modules are commented out in `terraform/production/main.tf` + 1. Run CI/CD pipeline on the `production` branch by opening a PR from `main` to `production` + 1. Uncomment the `api_network_route` and `domain` modules and re-trigger a deploy + 1. Create DNS records for `domain` module within https://github.com/18f/dns + ### Steps to prepare SES 1. After the first deploy of the application with the SSB-brokered SES service completes: diff --git a/terraform/production/main.tf b/terraform/production/main.tf index afe132ad4..49e7840d8 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -72,9 +72,10 @@ module "sns_sms" { ########################################################################### # The following lines need to be commented out for the initial `terraform apply` # It can be re-enabled after: +# TODO: decide on public API domain name # 1) the app has first been deployed # 2) the route has been manually created by an OrgManager: -# `cf create-domain TKTK-org-name TKTK-production-domain-name` +# `cf create-domain gsa-tts-benefits-studio-prototyping api.notify.gov` ########################################################################### # module "domain" { # source = "github.com/18f/terraform-cloudgov//domain?ref=v0.2.0" @@ -85,5 +86,5 @@ module "sns_sms" { # name = "${local.app_name}-domain-${local.env}" # recursive_delete = local.recursive_delete # cdn_plan_name = "domain" -# domain_name = "TKTK-production-domain-name" +# domain_name = "api.notify.gov" # } From 300414974c0c0c6515e1702bfa157ee4c081b2db Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Mon, 8 May 2023 15:15:25 -0400 Subject: [PATCH 8/9] Set service plan names for production --- terraform/production/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/production/main.tf b/terraform/production/main.tf index 49e7840d8..574ae0741 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -13,7 +13,7 @@ module "database" { cf_space_name = local.cf_space_name name = "${local.app_name}-rds-${local.env}" recursive_delete = local.recursive_delete - rds_plan_name = "TKTK-production-rds-plan" + rds_plan_name = "small-psql-redundant" } module "redis" { @@ -23,7 +23,7 @@ module "redis" { cf_space_name = local.cf_space_name name = "${local.app_name}-redis-${local.env}" recursive_delete = local.recursive_delete - redis_plan_name = "TKTK-production-redis-plan" + redis_plan_name = "redis-3node-large" } module "csv_upload_bucket" { From 0d685df51cc435ff4a5b7b02e40c24874745d42d Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Mon, 8 May 2023 15:29:12 -0400 Subject: [PATCH 9/9] Enable prod terraform drift check --- .github/workflows/drift.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml index 412290a49..616e72689 100644 --- a/.github/workflows/drift.yml +++ b/.github/workflows/drift.yml @@ -45,22 +45,22 @@ jobs: with: path: terraform/demo - # check_prod_drift: - # runs-on: ubuntu-latest - # name: Check for drift of production terraform configuration - # environment: production - # steps: - # - name: Checkout - # uses: actions/checkout@v3 - # with: - # ref: 'production' + check_prod_drift: + runs-on: ubuntu-latest + name: Check for drift of production terraform configuration + environment: production + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + ref: 'production' - # - name: Check for drift - # uses: dflook/terraform-check@v1 - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} - # TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} - # TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} - # with: - # path: terraform/production + - name: Check for drift + uses: dflook/terraform-check@v1 + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + with: + path: terraform/production