2023-08-10 | MAIN --> PROD | DEV (cb1652e) --> STAGING #1782
Conversation
This breaks out a base, where we create users. Currently, we are riding on the fact that 'anon' and friends were created long ago. They are not part of our setup/teardown process. There are some questions around how we setup/teardown users and views. This works, but it isn't a full-up/full-down yet. A command to create a signed JWT exists, but we need to do TF work and GH Secret work to actually integrate it into the stack. Not there yet.
This moves to a posture where: 1. We must have an `Authorization: Bearer <jwt>` in place. 2. We are ready for tribal access control based on api.data.gov role. 3. The API can be stood up and torn down fully/statelessly. Work in `run.sh` to follow.
This makes sure the API requires: 1. A good, signed JWT 2. Will not pass an incorrectly signed JWT 3. Will not pass a JWT encoding the wrong role I cannot test an API call that pulls content (yet) because baker is not storing data into the dissemination models/tables. This does test, however, the security pathways.
This set of changes: 1. Updates terraform and workflows to inject PGRST_JWT_SECRET 2. Updates/simplifes create_views (removes metadata) 3. Removes exp on JWT (this is a shared secret, not a token) With this deploy, we should be preventing access to fac-prod-postgrest.app.cloud.gov and requiring all users to go through api.fac.gov While the changes prepare us for api-dev.fac.gov and api-staging.fac.gov, those backends are not yet created in api.data.gov, and therefore cannot be used (yet).
Co-authored-by: Bret Mogilefsky <bret.mogilefsky@gsa.gov>
Co-authored-by: Bret Mogilefsky <bret.mogilefsky@gsa.gov>
Co-authored-by: Bret Mogilefsky <bret.mogilefsky@gsa.gov>
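The three security pathways the commit messages above describe (accept a correctly signed JWT, reject an incorrectly signed one, reject a JWT carrying the wrong role), as an added stand-alone example that is not code from the FAC project or from PostgREST: an HS256 sign/verify pair in which `SECRET` is a constructed stand-in for the `PGRST_JWT_SECRET` value and the role name in `ALLOWED_ROLES` is an assumption. As in the described change, no exp claim is set.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: a stand-in for PGRST_JWT_SECRET and an assumed role name.
SECRET = b"constructed-example-secret-not-a-real-value"
ALLOWED_ROLES = {"api_fac_gov"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; no exp claim is added, matching the described change."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes, allowed_roles: set) -> tuple:
    """Return (ok, reason); structure, algorithm, signature, then role are checked in order."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"  # only the configured algorithm is accepted
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"  # signature is verified before any claim is trusted
    if not isinstance(claims, dict) or claims.get("role") not in allowed_roles:
        return False, "wrong role"
    return True, "ok"
```

The checks run in the same order a gateway would apply them: the signature is verified against the shared secret before the role claim is read, so an unsigned or re-signed payload never reaches the role check.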
This may require a fix in GH Secrets as well. Made sure variable name was consistent everywhere. So, it was a good change. Linting.
Only allow api.data.gov to access the API
Fix deployment failures caused by .profile trying to execute non-existent Django management commands.
Missing ampersand FTW
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Please close and re-open this pull request to ensure that a terraform plan is generated on the PR for the staging deployment after merging.
* Check for existing users at Access instance creation. * Add empty email check.
Terraform plan for staging
Plan: 0 to add, 1 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# module.staging.cloudfoundry_app.postgrest will be updated in-place
~ resource "cloudfoundry_app" "postgrest" {
~ environment = (sensitive value)
id = "db50e549-24c7-4dcf-b30e-e9dee3512be8"
~ id_bg = "************************************" -> (known after apply)
name = "postgrest"
# (13 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
✅ Plan applied in Deploy to Staging Environment #14
Terraform plan for production
Plan: 0 to add, 3 to change, 2 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy
Terraform will perform the following actions:
# module.production.cloudfoundry_app.postgrest will be updated in-place
~ resource "cloudfoundry_app" "postgrest" {
~ environment = (sensitive value)
id = "70ac44be-3507-4867-a75f-c2d1ab12ee89"
~ id_bg = "************************************" -> (known after apply)
name = "postgrest"
# (13 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# module.production.cloudfoundry_app.swagger will be destroyed
# (because cloudfoundry_app.swagger is not in configuration)
- resource "cloudfoundry_app" "swagger" {
- disk_quota = 256 -> null
- docker_image = "swaggerapi/swagger-ui:latest" -> null
- enable_ssh = true -> null
- environment = (sensitive value) -> null
- health_check_invocation_timeout = 0 -> null
- health_check_timeout = 0 -> null
- health_check_type = "process" -> null
- id = "3f83d812-318f-49ab-b853-8c8ddbf02718" -> null
- id_bg = "3f83d812-318f-49ab-b853-8c8ddbf02718" -> null
- instances = 2 -> null
- memory = 256 -> null
- name = "swagger" -> null
- ports = [] -> null
- space = "5593dba8-7023-49a5-bdbe-e809fe23edf9" -> null
- stopped = false -> null
- strategy = "rolling" -> null
- timeout = 20 -> null
- routes {
- port = 0 -> null
- route = "9f004253-79d9-4edb-b069-70b3a457e9b5" -> null
}
}
# module.production.cloudfoundry_route.swagger will be destroyed
# (because cloudfoundry_route.swagger is not in configuration)
- resource "cloudfoundry_route" "swagger" {
- domain = "50ba3f69-cd54-4963-9172-14f3334b479e" -> null
- endpoint = "fac-production-swagger.app.cloud.gov" -> null
- hostname = "fac-production-swagger" -> null
- id = "9f004253-79d9-4edb-b069-70b3a457e9b5" -> null
- space = "5593dba8-7023-49a5-bdbe-e809fe23edf9" -> null
}
# module.production.module.clamav.cloudfoundry_app.clamav_api will be updated in-place
~ resource "cloudfoundry_app" "clamav_api" {
~ docker_image = "ghcr.io/gsa-tts/fac/clamav@sha256:0f54c4b052f7dfdc2a0c5ef28bcada6c296882932859e29588818b9644e00412" -> "ghcr.io/gsa-tts/fac/clamav@sha256:ec3f01affc0daf091232c148093969348d459aac1f7c6a153e8ff21f5ba8ca05"
id = "5d0afa4f-527b-472a-8671-79a60335417f"
name = "fac-av-production"
# (14 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# module.production.module.https-proxy.cloudfoundry_app.egress_app will be updated in-place
~ resource "cloudfoundry_app" "egress_app" {
id = "5e81ca8b-99cf-41f8-ae42-76652d51a44c"
name = "https-proxy"
~ source_code_hash = "9fcf4a7f6abfc9a220de2b8bb97591ab490a271ac0933b984f606f645319e1a4" -> "9b63bf9766c73480bf1c2385e259b1321988ede71a7b68ebe5c451d9ff6bf1c1"
# (18 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 3 to change, 2 to destroy.
📝 Plan generated in Pull Request Checks #404
This is an auto-generated pull request to merge main into prod for a staging release on 2023-08-10 with the last commit being merged as cb1652e