Merge pull request #3996 from ustaxcourt/staging

Merge Staging into Prod

Author: jimlerza

.circleci/config.yml

@@ -37,13 +37,13 @@ RUN apt-get install -y build-essential
 RUN apt-get install -y libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev
 
 ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
-RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.13.13.zip" -o "awscliv2.zip" && \
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.13.17.zip" -o "awscliv2.zip" && \
   unzip awscliv2.zip && \
   ./aws/install && \
   rm -rf awscliv2.zip
 
 RUN pip install --upgrade pip
-RUN wget -q -O terraform.zip https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip && \ 
+RUN wget -q -O terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip && \ 
   unzip -o terraform.zip terraform && \
   rm terraform.zip && \
   cp terraform /usr/local/bin/

Dockerfile

@@ -1,5 +1,4 @@
 import './commands';
-import 'cypress-real-events/support';
 
 before(() => {
   // Skip subsequent tests in spec when one fails.

cypress/cypress-integration/support/index.ts

@@ -35,11 +35,25 @@ At the moment, the only task we rotate is updating dependencies. As an open-sour
 
      > Refer to [ci-cd.md](ci-cd.md#docker) for more info on this as needed
 
-5. Verify the PDF's still pass by running the commands listed on `./docs/testing.md` under the _PDF Testing_ heading
+5. Check if there is an update to the Terraform AWS provider and update all of the following files to use the [latest version](https://registry.terraform.io/providers/hashicorp/aws/latest) of the provider.
+	- ./iam/terraform/account-specific/main/main.tf
+	- ./iam/terraform/environment-specific/main/main.tf
+	- ./shared/admin-tools/glue/glue_migrations/main.tf
+	- ./shared/admin-tools/glue/remote_role/main.tf
+	- ./web-api/terraform/main/main.tf
+	- ./web-api/workflow-terraform/migration/main/main.tf
+	- ./web-api/workflow-terraform/migration-cron/main/main.tf
+	- ./web-api/workflow-terraform/reindex-cron/main/main.tf
+	- ./web-api/workflow-terraform/switch-colors-cron/main/main.tf
+	- ./web-client/terraform/main/main.tf
 
-6. Check through the list of caveats to see if any of the documented issues have been resolved.
+	> aws = "latest version"
 
-7. Validate updates by deploying, with a [migration](./additional-resources/blue-green-migration.md#manual-migration-steps), to an experimental environment. This helps us verify that the package updates don't affect the migration workflow.
+6. Verify the PDF's still pass by running the commands listed on `./docs/testing.md` under the _PDF Testing_ heading
+
+7. Check through the list of caveats to see if any of the documented issues have been resolved.
+
+8. Validate updates by deploying, with a [migration](./additional-resources/blue-green-migration.md#manual-migration-steps), to an experimental environment. This helps us verify that the package updates don't affect the migration workflow.
 
 ## Caveats
 

docs/dependency-updates.md

@@ -16,25 +16,6 @@ resource "aws_iam_policy" "circle_ci_policy" {
 {
   "Version": "2012-10-17",
   "Statement": [
-    {
-      "Sid": "Route53",
-      "Effect": "Allow",
-      "Action": [
-        "route53:GetChange",
-        "route53:GetHostedZone",
-        "route53:ListResourceRecordSets",
-        "route53:ListHostedZones",
-        "route53:ChangeResourceRecordSets",
-        "route53:ListTagsForResource",
-        "route53:ListHostedZonesByName",
-        "route53:CreateHealthCheck",
-        "route53:DeleteHealthCheck",
-        "route53:GetHealthCheck",
-        "route53:ListHealthChecks",
-        "route53:UpdateHealthCheck"
-      ],
-      "Resource": "*"
-    },
     {
       "Sid": "DynamoDb",
       "Effect": "Allow",
@@ -111,6 +92,7 @@ resource "aws_iam_policy" "circle_ci_policy" {
       "Sid": "Acm",
       "Effect": "Allow",
       "Action": [
+        "acm:GetCertificate",
         "acm:RequestCertificate",
         "acm:ListCertificates",
         "acm:AddTagsToCertificate",
@@ -294,18 +276,18 @@ resource "aws_iam_policy" "circle_ci_policy" {
     },
     {
       "Action": [
-				"ssm:PutParameter",
-				"ssm:LabelParameterVersion",
-				"ssm:DeleteParameter",
-				"ssm:DeleteParameters",
-				"ssm:UnlabelParameterVersion",
+        "ssm:PutParameter",
+        "ssm:LabelParameterVersion",
+        "ssm:DeleteParameter",
+        "ssm:DeleteParameters",
+        "ssm:UnlabelParameterVersion",
         "ssm:ListTagsForResource",
-				"ssm:DescribeParameters",
-				"ssm:DescribeDocumentParameters",
-				"ssm:GetParameterHistory",
-				"ssm:GetParametersByPath",
-				"ssm:GetParameters",
-				"ssm:GetParameter"
+        "ssm:DescribeParameters",
+        "ssm:DescribeDocumentParameters",
+        "ssm:GetParameterHistory",
+        "ssm:GetParametersByPath",
+        "ssm:GetParameters",
+        "ssm:GetParameter"
       ],
       "Resource": "*",
       "Effect": "Allow"
@@ -320,6 +302,53 @@ resource "aws_iam_policy" "circle_ci_policy" {
         "arn:aws:ecs:us-east-1:${data.aws_caller_identity.current.account_id}:service/clamav_fargate_cluster_*/clamav_service_*"
       ],
       "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "glue:GetJobRuns",
+        "glue:StartJobRun"
+      ],
+      "Resource": [
+        "arn:aws:glue:us-east-1:${data.aws_caller_identity.current.account_id}:job/*"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
+
+EOF
+}
+
+resource "aws_iam_user_policy_attachment" "circle_ci_route53_policy_attachment" {
+  user       = aws_iam_user.circle_ci.name
+  policy_arn = aws_iam_policy.circle_ci_route53_policy.arn
+}
+
+resource "aws_iam_policy" "circle_ci_route53_policy" {
+  name = "circle_ci_route53_policy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Route53",
+      "Effect": "Allow",
+      "Action": [
+        "route53:GetChange",
+        "route53:GetHostedZone",
+        "route53:ListResourceRecordSets",
+        "route53:ListHostedZones",
+        "route53:ChangeResourceRecordSets",
+        "route53:ListTagsForResource",
+        "route53:ListHostedZonesByName",
+        "route53:CreateHealthCheck",
+        "route53:DeleteHealthCheck",
+        "route53:GetHealthCheck",
+        "route53:ListHealthChecks",
+        "route53:UpdateHealthCheck"
+      ],
+      "Resource": "*"
     }
   ]
 }

docs/operations/production-like-data-sets.md

@@ -17,6 +17,6 @@ terraform {
   }
 
   required_providers {
-    aws = "3.76.0"
+    aws = "5.16.1"
   }
 }

iam/terraform/account-specific/main/circle-ci.tf

@@ -0,0 +1,53 @@
+resource "aws_iam_role" "glue_job_status_role" {
+  name = "glue_job_status_role_${var.environment}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "glue_job_status_policy" {
+  name = "glue_job_status_policy_${var.environment}"
+  role = aws_iam_role.glue_job_status_role.id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogStreams"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:*"
+      ]
+    },
+    {
+      "Action": [
+        "glue:GetJobRuns"
+      ],
+      "Resource": [
+        "arn:aws:glue:us-east-1:${data.aws_caller_identity.current.account_id}:job/*"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}

iam/terraform/account-specific/main/main.tf

@@ -7,6 +7,6 @@ terraform {
   }
 
   required_providers {
-    aws = "3.76.0"
+    aws = "5.16.1"
   }
 }