Merge pull request #412 from usagov/stage

Prod Push for Aug 11 2022
usagov · Aug 11, 2022 · ac83a50 · ac83a50
2 parents 0780032 + 3a9ba8e
commit ac83a50
Show file tree

Hide file tree

Showing 74 changed files with 1,848 additions and 101 deletions.
diff --git a/bin/build b/bin/build
@@ -5,12 +5,9 @@ if [ -f env.local ]; then
   . env.local
 fi
 
-CURR_UID=$(id -u)
-CURR_GID=$(id -g)
-
 docker compose build --no-cache \
-  --build-arg BUID=${BUID:-"$CURR_UID"} \
-  --build-arg BGID=${BGID:-"$CURR_GID"} \
+  --build-arg BUID=${BUID:-$(id -u)} \
+  --build-arg BGID=${BGID:-$(id -g)} \
   --build-arg GITBRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "") \
   --build-arg GITCOMMIT=$(git rev-parse HEAD 2>/dev/null || echo "") \
   --build-arg GITTAG=$(git tag --points-at $(git rev-parse HEAD 2>/dev/null) | grep ^v | sort -rV | head -n 1 2>/dev/null || echo "") \

diff --git a/bin/ccb b/bin/ccb
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+COMMIT_A=${1:-stage}
+COMMIT_B=${2:-prod}
+
+if ! git cat-file -t $COMMIT_A > /dev/null; then
+  echo "Commit '$COMMIT_A' not found in this repo"
+  exit 1
+fi
+if ! git cat-file -t $COMMIT_B > /dev/null; then
+  echo "Commit '$COMMIT_B' not found in this repo"
+  exit 1
+fi
+
+# reorder the inputs by commit time
+COMMIT_SORT=$(git show -s --format="%ct %S" $COMMIT_B $COMMIT_A | sort -n | awk '{print $2}')
+NEWEST=$(echo "$COMMIT_SORT" | head -n 1)
+OLDEST=$(echo "$COMMIT_SORT" | tail -n 1)
+
+if [ "$NEWEST" == "$OLDEST" ]; then
+    echo "Commits are the same $NEWEST..$OLDEST"
+    exit 0
+fi
+
+echo "Tickets between $NEWEST <-> $OLDEST"
+echo
+
+# the name of the repo shows up as a ticket so we have to explicitly ignore it
+# branch names have been sloppy so accept anything from "Usa 123" to "usa_123" to "USAGOV-123"
+# be careful because [-_ 	] has a space and a tab inside of the brackets
+git log ${NEWEST}..${OLDEST} | grep -Eio 'usa(gov)?[-_ 	]([0-9]+)' | sed -E 's/usa(gov)?[-_ 	]([0-9]+)/USAGOV-\2/ig' | grep -iv usagov-2021 | sort -u
diff --git a/bin/cloudgov/apps-egress-allow.acl b/bin/cloudgov/apps-egress-allow.acl
@@ -1,11 +1,9 @@
-*.google.com
-*.drupal.org
-*.npmjs.com
-*.newrelic.com
-*.packagist.org
-*.github.com
-*.amazonaws.com
-*.s3.amazonaws.com
+secureauth.gsa.gov
 *.docker.io
 *.docker.com
+docker.io
+docker.com
+*.newrelic.com
+newrelic.com
 *.app.cloud.gov
+*.apps.internal
diff --git a/bin/cloudgov/create-app-space b/bin/cloudgov/create-app-space
@@ -9,6 +9,10 @@ STARTORG=$(   cf target | grep org:   | awk '{ print $2 }')
 APP_SPACE=${1:-$STARTSPACE}
 APP_ORG=${2:-$STARTORG}
 
+# we have no control over the container host so we cannot tell it about our proxy
+# we must allow apps that are in a staging state un-proxied access to docker hub
+# so the host can access the available images
+
 # default staging asgs: dns public_network trusted_local_networks
 # default running asgs: dns
 STAGING_SECURITY_GROUPS="dns trusted_local_networks_egress public_networks_egress"

diff --git a/bin/cloudgov/deploy-cms b/bin/cloudgov/deploy-cms
@@ -40,7 +40,7 @@ else
   cf push cms --docker-image ${DOCKERUSER}/${DOCKERREPO}${CDIGEST}
 fi
 
-# the egress-settup doesn't interfere with bootstrapping
+# the egress-setup doesn't interfere with bootstrapping
 # but cms needs to exist in the first place
 # for route mapping and egress setup to run
 

diff --git a/bin/cloudgov/deploy-waf b/bin/cloudgov/deploy-waf
@@ -54,6 +54,10 @@ printf "\tAPPS_DOMAIN: $APPS_DOMAIN\n"
 printf "\nFetching ROUTE_DOMAIN\n"
 printf "\tAPPS_DOMAIN: $ROUTE_DOMAIN\n"
 
+# remove proxy during staging
+cf set-env waf http_proxy  ""
+cf set-env waf https_proxy ""
+
 cf push "${ROUTE_SERVICE_APP_NAME}" --no-start --var app-name="${ROUTE_SERVICE_APP_NAME}"
 cf set-env "${ROUTE_SERVICE_APP_NAME}" ALLOWED_IPS "$(printf "%s" "${NGINX_ALLOW_STATEMENTS:-}")"
 cf start "${ROUTE_SERVICE_APP_NAME}"

diff --git a/bin/cloudgov/setup-egress-for-apps b/bin/cloudgov/setup-egress-for-apps
@@ -133,8 +133,13 @@ for app in $applist; do
     $output cf set-env "$app" https_proxy $proxyroute
     $output cf set-env "$app" AWS_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
     $output cf set-env "$app" REQUESTS_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
-    # $output cf restart "$app" --no-wait --strategy rolling
-    $output cf restart "$app"
+
+    # do not restart app here as this causes extra restarts during cms deploy
+    # devs may have to call cf restart directly in some cases where this script
+    # is used standone from the deploy scripts
+
+    $output cf restart "$app" --no-wait --strategy rolling
+    # $output cf restart "$app"
 done
 
 popspace
diff --git a/bin/cloudgov/setup-egress-for-space b/bin/cloudgov/setup-egress-for-space
@@ -104,10 +104,11 @@ for app in $applist ; do
     do
         # Add attached buckets to the allow list
         BUCKET=$(            echo -E "$VCAP_SERVICES" | jq -r ".s3[$i].credentials.bucket")
-        AWS_ENDPOINT=$(      echo -E "$VCAP_SERVICES" | jq -r ".s3[$i].credentials.endpoint")
-        AWS_FIPS_ENDPOINT=$( echo -E "$VCAP_SERVICES" | jq -r ".s3[$i].credentials.fips_endpoint")
+        AWS_ENDPOINT=$(      echo -E "$VCAP_SERVICES" | jq -r ".s3[$i].credentials.endpoint" | uniq )
+        AWS_ENDPOINT_ALT=$(  echo -E "$AWS_ENDPOINT"  | sed 's/s3\-us\-/s3.us-/g' | uniq )
+        AWS_FIPS_ENDPOINT=$( echo -E "$VCAP_SERVICES" | jq -r ".s3[$i].credentials.fips_endpoint" | uniq )
         # Add both the FIPS and non-FIPS hostnames
-        buckethosts="$buckethosts ${BUCKET}.${AWS_ENDPOINT} ${BUCKET}.${AWS_FIPS_ENDPOINT}"
+        buckethosts="$buckethosts ${BUCKET}.${AWS_ENDPOINT} ${BUCKET}.${AWS_ENDPOINT_ALT} ${BUCKET}.${AWS_FIPS_ENDPOINT}"
         ((i+=1))
     done
 done

diff --git a/bin/init b/bin/init
@@ -3,8 +3,6 @@
 # Setup environmental variables so current User and Group Ids are available at container build time
 # spam out to a variety of possible files to cover common cases
 echo "Setup BUID and BGID environmental variables"
-export BUID=$(id -u)
-export GUID=$(id -g)
 if [ -f ~/.zshrc ] && ! grep -q 'export BUID=' ~/.zshrc; then
   echo "export BUID=\$(id -u)" >> ~/.zshrc
   echo "export BGID=\$(id -g)" >> ~/.zshrc
@@ -47,8 +45,8 @@ bin/build
 
 echo "Fix permissions inside Containers - this could take a long time"
 docker compose run \
- -e BUID=$(id -u) \
- -e BGID=$(id -g) \
+ -e BUID=${BUID:-$(id -u)} \
+ -e BGID=${BGID:-$(id -g)} \
  --rm --no-deps --workdir /var/www  \
  -u root composer /var/www/bin/fix-perms-in-container
 

diff --git a/config/sync/block.block.leftmenuenglish_3.yml b/config/sync/block.block.leftmenuenglish_3.yml
@@ -51,3 +51,4 @@ visibility:
     bundles:
       basic_page: basic_page
       directory_record: directory_record
+      state_directory_record: state_directory_record
diff --git a/config/sync/block.block.leftmenuspanish_2.yml b/config/sync/block.block.leftmenuspanish_2.yml
@@ -50,3 +50,5 @@ visibility:
       node: '@node.node_route_context:node'
     bundles:
       basic_page: basic_page
+      directory_record: directory_record
+      state_directory_record: state_directory_record
diff --git a/config/sync/core.base_field_override.node.state_directory_record.promote.yml b/config/sync/core.base_field_override.node.state_directory_record.promote.yml
@@ -0,0 +1,22 @@
+uuid: fec2315e-00a5-475b-98a7-f112199f2abe
+langcode: en
+status: true
+dependencies:
+  config:
+    - node.type.state_directory_record
+id: node.state_directory_record.promote
+field_name: promote
+entity_type: node
+bundle: state_directory_record
+label: 'Promoted to front page'
+description: ''
+required: false
+translatable: true
+default_value:
+  -
+    value: 0
+default_value_callback: ''
+settings:
+  on_label: 'On'
+  off_label: 'Off'
+field_type: boolean