-
Notifications
You must be signed in to change notification settings - Fork 21
Security and Maintenance
Note: This page is linked to from the Application Vulnerability Management - Process Improvement Proposal.
We rotate the responsibility for handling maintenance for the Terra UI codebase amongst teams.
- Handling security updates. See Dependabot Security Updates below.
- General maintenance requests that are not tied to a specific project
- Triaging integration test failures
- The maintaining team is responsible for looking at test failures and assigning them appropriately.
- If the failure is flaky due to shared resources (including the testing infrastructure) the maintaining team would take ownership of the fix.
- Rotating service account keys quarterly
- Adjusting prod deploy times for daylight savings time changes bi-annually
- Q1: Batch - Workflows
- Q2: Cloud Integrations
- Q3: Workspaces
- Q4: Interactive Analysis
Every three months, the service account key used by CircleCI to deploy Terra UI to prod
needs to be rotated for security purposes, by the maintaining team. The steps below describe the process:
- Having logged in with your
@firecloud.org
account, go to Google Cloud Console's CircleCI Service Account Keys page of theIAM & Admin
section for projectBVDP Saturn Prod
. If you receive a permissions error, ask on#terra-ui
Slack channel to be grantedEditor
role on Google projectBVDP Saturn Prod
. - Click on the
ADD KEY
button. - Select
Create new key
. - Make sure
JSON
is selected as key type, and click onCREATE
. - Make sure the
.json
file was downloaded onto your computer.
- Create a new browser tab, and go to CircleCI's Environment Variables page. If you can't view this page, ask on
#terra-ui
Slack channel to be added to GitHub team SaturnDeployers. - Delete the environment variable named
GCP_SA_KEY
by clicking onX
to the right of it. - Click on the button
Add Environment Variable
and fill outName
andValue
on the dialog that pops up.-
Name
should beGCP_SA_KEY
-
Value
is supposed to be the text content of the.json
file you had downloaded.
-
- Manually redeploy to
prod
to verify the new SA key works by following the instructionshere. - Observe on the saturn-ui-prod-deploy CircleCI page that the job has succeeded.
- Go to https://app.terra.bio/#workspaces; click on the hamburger menu on the upper left; click on the link to the right of
Built on:
on the buttom; verify that the latest GitHub commit is on the new tab that pops up.
- Now you can disable the old key(s). It's not possible to disable a SA key on the GCP console. You will need to use
gcloud
on your local system (e.g.Terminal
on MacOS). After making sure you're authenticated with your@firecloud.org
account on your local system, rungcloud iam service-accounts keys disable <service_account_key_name> [email protected] --project bvdp-saturn-prod
. Substitute into that command, the key obtained fromKey
column on the GCP console page for SA keys. More details on disabling service account keys can be found here. If you getERROR: (gcloud.iam.service-accounts.keys) Invalid choice: 'disable'.
, try upgrading your SDK viagcloud components update
. Verify on the GCP console page that the key'sStatus
is nowDisabled
(as opposed toActive
). - To be sure, rerun the prod deploy job and verify that everything still works.
- Assuming everything is still working, you can now safely delete the old key using the trash can icon in the UI.
- Set a Slack reminder on
#terra-ui
channel for the next maintaining team by typing something like/remind :alert_red_light: Reminder to rotate the service account key for prod deploys by following these (https://github.com/DataBiosphere/terra-ui/wiki/Security-and-Maintenance#service-account-key-rotation) instructions in 85 days
.
- Add the new
.json
key file (that you downloaded at the beginning) toVault
(e.g.vault write secret/dsp/service-accts/bvdp-saturn-prod-sa-2021-12-14.json @/Users/<your username>/Downloads/<new sa file name>.json
).
In order to see Dependabot alerts, your account must be added by a maintainer to the list of people who get notified.
A lot of the Dependabot alerts can be safely dismissed. These are all valid reasons for dismissing the alerts:
- The alert is in our integration-test
yarn.lock
file. These are dependencies for running our integration tests, so none of this code is exposed to users. - The alert is for a library version that is only used by development tools, and thus not exposed to users. To figure this out, use
yarn why -R LIBRARY_NAME
. - The alert is for a library version that is only used in the packaging of our code (for example, packaging CSS). To figure this out, use
yarn why -R LIBRARY_NAME
. - The alert is incorrect. By examining the
yarn.lock
file and usingyarn why LIBRARY_NAME
it is clear that we actually don't use the library version that the alert is warning about.
If the library version does need to be upgraded because it is exposed to users in Terra's UI, these are the recommended steps:
- If the library is one of our direct dependencies, update the version in
package.json
and generate an updatedyarn.lock
file as detailed below. - If the library is a transitive dependency, delete entries in
yarn.lock
files that reference the library with the security update (note that we have 2yarn.lock
files). - Run
yarn install
to generate the new content inyarn.lock
. Verify the library versions satisfy the security update. - Run
yarn dedupe
to remove duplicated content from theyarn.lock
file. - Create a PR with the modified
yarn.lock
file(s). - Bonus: update our direct dependencies (
package.json
files) that introduce the transitive dependency to their most recent versions.
Compliance timeframe for addressing security alerts can be found under 'Vulnerability Remediation'.
Prod deploy time has been chosen as 11am Eastern Time
. See this PR for start of DST and this PR for end of DST.
Terra UI is a Goole App Engine application. Every time CircleCI deploys Terra UI, it creates a new version. App Engine allows a maximum of 210 versions of any app. Therefore, we must periodically clean up old versions.
Note: There is an automated script to handle this for prod, so these instructions only apply to non-prod: currently dev, alpha, staging, and perf.
For each [bvdp-saturn-dev
, bvdp-saturn-alpha
, bvdp-saturn-staging
, bvdp-saturn-perf
],
- Go to the App Engine versions page in cloud console, e.g.: https://console.cloud.google.com/appengine/versions?project=bvdp-saturn-dev&serviceId=default
- Recommended: At the bottom of the list, select the maximum rows per page that you can.
- Select all versions. You can switch between pages if necessary. The UI will remember selections on previous pages as you go.
- Choose a date within the past week (I like to leave a few days buffer just in case we need to rollback) and unselect any versions deployed after that date. This includes the current version that shows 100% traffic allocation.
- Alternately, with an empty selection, clicking one and shift clicking another will select all versions in between.
- Important, dev-only step: Unselect all versions that begin with "pr-". These are the versions that are deployed when a PR is opened. As of this writing, there are 11 of these.
- Delete the selected versions.
You're done! Thank you for your service!
Terra UI Wiki.
- Getting Started
- Contributor Guide
- Intro to UI Development
- Troubleshooting Build Failures
- Editor Configuration
- BEEs
- Pull Requests
- How to Find a PR Site
- Feature Flags
- Mixpanel
- Cobranding and White-Label Sites
- Using Terra UI packages in other projects