Release/0003 #139
Open. TDeSain wants to merge 47 commits into master from release/0003.
Conversation
* ALS-5427: Updating Introspection token (#117)
  * token needs to be updated if persistent.
  * need to update the DML persisting via snapshot script to include upserting updated tokens.
  * should upsert in pic-sure-schema.sql as well to get ready to remove DML from DDL.
  * both the resources-registration.sql and pic-sure-schema.sql will be eliminated by using proper migration scripts.

  Co-authored-by: Tom <[email protected]>
* Add XSS protection in httpd-vhosts config (#119)

  The httpd-vhosts.conf configuration file now includes an option for built-in XSS protection supported by modern web browsers. It is set to block the entire page if a Cross-Site Scripting (XSS) attack is detected. This header already exists in our frontend harness and previously existed in the UI vhost files.
* Update gss_prefix in infrastructure instances (#120)

  This commit modifies the gss_prefix in multiple Terraform instances to include a new variable, environment_prefix. It also adds this new variable in the variables.tf file for infrastructure app. This change provides more flexibility and control over the configuration of infrastructure instances.
* [ALS-5567] Modify infrastructure to make a configurable value (#121)
  * [ALS-5567] Parameterize help link in app configuration
  * [ALS-5567] Add login link variable to app configuration
  * [ALS-5514] Add Okta configuration to infrastructure

    The Okta client API and domain configurations have been added. These are used for session management, improving secure access control to the application. The respective fields have been included in wildfly-instance.tf, standalone.xml, and variables.tf files.
  * [ALS-5514] Correct Okta variable in wildfly-instance.tf

    An incorrect Okta variable name was identified and replaced as necessary. The okta_domain has been properly replaced with okta_client_origin for proper Okta configuration management.
* [ALS-5558] Add privacyPolicyLink (#122)
* [ALS-5514] Adjust indentations in standalone.xml
* [ALS-5514] Migrating changes from GitLab

Co-authored-by: TDeSain <[email protected]>
Co-authored-by: Tom <[email protected]>
Co-authored-by: James <[email protected]>
* [ALS-5082] Remove unused code

  This code is tracked by version control and I would prefer not to have dead code within the codebase.
* [ALS-5082] Update MySQL connector version in Wildfly module config

  The MySQL connector version in the Wildfly configuration file has been updated from 5.1.38 to 8.0.33. This is necessary for keeping with the latest stable version for improved performance and security.
* [ALS-5082] Add initial roles, privileges, resources, and create initial tables for database

  The commit includes SQL scripts to insert initial roles and privileges in the 'auth' database and to create the initial tables required for 'picsure' and 'auth' databases. Additionally, the commit inserts resources into the 'picsure' database. These updates initialize the foundational data structures needed for the application's function.
* Refactor DNS records management in terraform

  Removed deprecated comments, unused code and the reliance on Jenkins and AWS CLI for managing route53 DNS records in the route53-template.tf file. The refactoring now utilizes Terraform natively, directly handling AWS Route53 changes and improving code clarity.
* [ALS-5082] Update Terraform configuration and application to use persisted database, remove unnecessary vars, use DB username/host/password vars, add resource IDs and optimize AWS instance size and volume.

  This change allows us to have a persistent database for our application, which retains data across sessions and improves the overall performance and cost-effectiveness of the AWS instance. Various unnecessary variables have been obliterated, further streamlining the configuration process.
* [ALS-5082] Remove resource-registration.sql
A new RewriteRule has been added to the httpd-vhosts.conf configurations. The rule matches any request to /picsureui/health and returns a 200 OK status. This update will help monitor the health status of the PicsureUI application.
* Replace variables with hardcoded IDs in configs

  The `auth_hpds_resource_id` and `dictionary_resource_id` variables in application configurations have been removed and replaced with hardcoded values. This change affected several files including `wildfly-instance.tf` and `picsureui_settings.json`. This modification simplifies configuration and minimizes the risk of misconfiguration errors.
* Update resource insertions in V2__Insert_Resources.sql

  The diff reflects changes made to the resource insertion queries in `V2__Insert_Resources.sql` file. Some names have been replaced with hardcoded values, and a few parameters, such as 'include_open_hpds' and 'include_auth_hpds', have been added to aid better flexibility and consistency in resource management.
* Add private DNS name variable to wildfly-instance.tf

  A new variable 'env_private_dns_name' from environment variables has been included in the wildfly-instance.tf file. Furthermore, this variable has been incorporated in the JAVA_OPTS of the wildfly-user_data.sh script to use the target stack and private DNS dynamically. This inclusion enhances the adaptability of the script in various execution environments.
Remove additional "/": all strings that are appended to the idp_provider_uri start with a "/".
Added "include_bdc_specific_filters" field to configuration. This field enables filters specific to the Big Data Commons (BDC) infrastructure to be included when set to true.
* [ALS-6198] Convert picsure resource id to a variable

  Some requests are being sent to the API with the auth-hpds UUID. This is likely a result of this UUID being used in some requests. We need to ensure open or auth queries the appropriate HPDS type.
* [ALS-6198] Update AWS instance type in wildfly-instance Terraform file

  Changed the AWS instance type for wildfly-ec2 resource in Terraform configuration file. It's been updated from "m5.large" to "m5.2xlarge" to enhance the server capacity and handle more traffic efficiently.
## [ALS-6225] Integration of AWS Secrets Manager and MySQL Connector Updates for Wildfly Deployment

### Summary:

- Implemented AWS Secrets Manager JDBC for managing database credentials, enhancing security by utilizing secrets for loading usernames and passwords.
- Updated the Wildfly MySQL module and standalone configuration to include the new MySQL Java Connector, ensuring proper SQL connectivity and aligning secret names with updated standards.
- Modified `wildfly-user_data.sh` to correctly reference the updated MySQL connector path and removed outdated MySQL module configurations to streamline deployment.
- Refactored IAM roles and policy attachments for Wildfly deployment, improving monitoring and management capabilities by attaching CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore policy.
- Streamlined the Terraform configuration by updating IAM instance profiles and segregating IAM resources into `wildfly-iam.tf`, removing duplication.
- Enhanced the standalone.xml configuration by adding MySQL and H2 drivers, updating JDBC connection details, and reintroducing the ExampleDS datasource for improved database connectivity.
- Documented the configuration and deployment process in a new README.md file, providing clarity on dynamic generation of module.xml during Docker image build.
- Performed cleanup by removing obsolete configurations and variables related to AWS region and IAM roles for secret management, ensuring a leaner configuration.
The httpd-vhosts configuration has been updated to include Cross-Site Scripting (XSS) protection. This change uses the built-in XSS protection available in modern web browsers. If an XSS attack is detected, the browser will block the entire page.
This file is used to set environment variables within the PSAMA docker container.
This file overrides the default connection information in the application.properties. This allows us to change the database type, class, dialect and more.
The inspection URL now points to the psama container and port.
The wildfly-user_data.sh script has been refactored and broken into separate Wildfly and PSAMA scripts. Each Docker container now has its own script, which improves separation of concerns and maintains a modular code base. The refactoring also reduced the initial sleep command from 600 to 300 in the user_data script.
PSAMA requests are redirected to the Wildfly EC2 using port 8090.
Added psama.env to the wildfly-instance.tf to render necessary values at deployment time. Additionally, removed no variables from standalone.xml template_file that were removed from the file.
Additional access permissions have been added to the AWS IAM policy to allow getting objects from S3. This includes permissions for accessing 'psama.env' and 'psama-db-config.properties' files located in the specified S3 bucket.
Adjusted memory allocation in psama-docker.sh and wildfly-docker.sh scripts. This change reduces the memory footprint of Docker containers, optimizing system performance and resource utilization.
This commit includes a new SQL script that trims leading spaces from the 'rule' field within the 'access_rule' table. This will ensure that all entries have a uniform starting point and prevent issues that could arise from having leading spaces.
This commit reverts the deletion of the V6_Trim_Leading_Spaces.sql script in the app-infrastructure/db/auth directory. The script originally served the purpose of updating rows for access rules by removing any leading spaces.
This commit updates the session-cookie configuration in the standalone.xml file. A "name" parameter with the value "JSESSIONID" and a "path" attribute have been added to improve the app's session management.
Both of these files have been moved into the pic-sure-auth-micro-app repository.
psama-db-config.properties is now added to the docker container during the docker build. The path for psama configuration and release files are no longer based on the stack_githash. These files are already tracked/versioned by git.
psama.env is no longer rendered by terraform on each deployment. Instead it is configured once and left unchanged until necessary.
Removed redundant S3 access policies and reconfigured necessary ones in the IAM configuration file, wildfly-iam.tf.
This commit changes the naming convention in the roles, privileges, and access rules tables. The previous "FENCE" prefix has been replaced with "MANAGED" to reflect our new naming standards. This update affects both the name and description fields in each table.
The commit modifies several SQL update statements in our database script. It changes naming convention from 'FENCE' to 'MANAGED' throughout role, privilege, and access rule tables.
Added additional '_' to match Wildfly naming convention.
* enable splunk boot-start in wildfly user-script
* enable splunk boot-start in open-hpds user-script
* enable splunk boot-start in httpd user-script
* enable splunk boot-start in dictionary user-script
* enable splunk boot-start in auth_hpds user-script
* Enable syslog logging for psama Docker container

  Added syslog logging configuration to the psama Docker run command, specifying 'wildfly' as the log tag. Updated the Splunk configuration and created a new log directory for psama logs to improve logging and monitoring capabilities.
* Add logging directories for Psama Docker
This commit updates the metadata access rule to use the 'Target Service' field and changes the MANAGED_ROLE_OPEN_ACCESS role to MANUAL_ROLE_OPEN_ACCESS. It also introduces a new access rule, privileges, and roles for named dataset access to enhance data querying capabilities.
Introduced new variables: `ras_idp_provider_uri`, `ras_client_id`, and `ras_okta_idp_id` to support RAS identity provider integration. These variables were added to `httpd-instance.tf`, `variables.tf`, and `picsureui_settings.json`.
Introduced new variables `login_redirect_uri` and `ras_session_logout_uri` to manage user session and logout URIs for RAS. Updated `psama-docker.sh` script to optionally enable remote debugging with an additional script argument.