With the move to the Redis queue, we need to remove the AWS SQS related dependencies, configuration, and logic from the app and its deployments.

Acceptance Criteria

• Remove the user provided services supply now deprecated SQS credentials
• Remove config for SQS
• Remove logic within app for SQS

Security considerations

Needed for SCR

User Story

As a Federalist Operator I want to remove legacy functionality

Acceptance Criteria

• customers with legacy large container config are updated in admin
• legacy functionality and configuration removed
• Change made live via deploy federalist builder

Level of effort - low

"><img src=x onerror=prompt('XSS');>
``

Add a new field to the healthcheck to report the estimated number of queued and running builds.

This is estimated because (from @jmhooper):

You can get an approximation of messages in an SQS queue, but that number does not include messages have been read since the visibility timeout.
Which means that if you have read a build and not executed on it within 5 or 10 seconds, it won’t appear in the approximation.

Refs:

• https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.html

Good news: New Relic instrumentation is working as of #34

However, its require needs to be moved slightly to make sure all code instrumented:

See:

{"ok":false,"reasons":["{\"error\":\"unauthorized\",\"error_description\":\"password change required\"}"]}

https://nodejs.org/en/about/releases/

This would make it a lot easier to find specific builds, and to quickly see when streaming logs what is being built.

I'm thinking that it would be added to the bracketed log lines, like:

[clone.sh - 18F/some-repo]: blahblahblah
...
[build.sh - 18F/some-repo]: boopboopboop

Easy change!

Local issue for cloud-gov/pages-core#1072

User Story

A user can 1) build a site in a garden build instance without being blocked by Federalist Builders inability to launch a fresh garden build container due to stale Cloud.gov service account credentials. 2) deploy Federalist apps to cloud.gov via CircleCI without being blocked by CircleCI having stale cloud.gov service account credentials.

Background Information (Optional)

Description of feature or bug
There was a recent instance where credentials went stale and caused a production issue. (more details: https://docs.google.com/document/d/1bdgN4J8o4fKqdOuRYuWq2JjDzH5DBx6mZcyI6VD7rYU/edit)

Acceptance Criteria

• add expiry date for CI service account in it's respective user provided service
• add expiry date for builder service account to it's respective user provided service
• expiry date for CI services account to appear in healthcheck JSON
• expiry date for builder services account to appear in healthcheck JSON
• federalist builder healthcheck check throw error if credentials expiry < 7 days

Manage Cloud Foundry tasks to ensure we stay below memory and disk limits, run a task for each new build, monitor the tasks for completion or timeout.

As reported by Gemnasium.

Remediation: upgrade hapi to latest version (16.6.0) so that that we get the newest version of content (3.0.6).

More info: https://nodesecurity.io/advisories/530

When no site build containers are available to start a site build, the bull queue moves the site build state from latest to active if the first attempt cannot successfully kick off a build. The current logic in the bull queue does not check for any builds in the active queue so they will get stuck and not be able to ever kickoff the build.

Acceptance Criteria

• Update the queue check to also check the active state builds

Add feature flags for:

• SQS queue
• Bull queue

To enable multiple instances to leverage only 1 queue type.

• Add a count of available build container instances in the STARTED state that the builder can see to the healthcheck output
• Add an environment variable EXPECTED_BUILD_CONTAINERS and if the number of available containers is below that number, then change the ok value in the healthcheck to false
• Add a reason field to the healthcheck (so that we can say "number of build containers is less than expected" and such).

User Story

Background (Optional)

Acceptance Criteria

• Change made live via .

After evaluating, edit this part:

Level of effort - <low/medium/high>

Implementation outline (if higher than "low" effort):

Per cloud-gov/pages-core#376, we want to reset the AWS related key and secrets on this application.

{
 "VCAP_SERVICES": {
  "user-provided": [
   {
    "credentials": {
     "access_key": "",
     "secret_key": ""
    },
    "label": "user-provided",
    "name": "federalist-aws-user",
    "syslog_drain_url": "",
    "tags": []
   }
  ]
 }
}

Likely the same problem the Federalist web app had as described in cloud-gov/pages-core#1002 (comment) and fixed in cloud-gov/pages-core#1021.

If Federalist builder fails to start a build for some reason, it should alert Federalist to the issue using the STATUS_CALLBACK variable in the container environment.

We should setup ESLint in this repo and use it to enforce style guidelines. In addition, it would be neat to find a way to use the linter to enforce styles on CI that wasn't disruptive.

Local issue for cloud-gov/pages-core#1073

User Story

Background (Optional)

The healtcheck was designed based on the health of the build containers. Builds now run as tasks and measure of health should be updated accordingly

Acceptance Criteria

• Change made live via .

After evaluating, edit this part:

Level of effort - <low/medium/high>

Implementation outline (if higher than "low" effort):

We are exploring the idea of using docker-compose to orchestrate easier local development of this app, a queue and 18f/federalist-docker-build.

To do that this app needs a Dockerfile

It looks like we have a red alert from Gemnasium for Hapi being out of date.

Ref: https://gemnasium.com/github.com/18F/federalist-builder/alerts#alert-5668662

After the completion of monitor bull queues, remove the server since the queues will be monitored from the admin interface.

We currently use tasks to launch builds and no longer need to the application pool implementation. This removes legacy code so we no longer need to maintain it.

Do NOT remove the architecture of allowing multiple implementations so that we can support a Docker implementation for local usage.

User Story

A developer user should be able to find the cloud-gov setup details on the README file.

Background (Optional)

add https://github.com/18F/federalist.18f.gov/blob/main/pages/documentation/cloud-gov-setup.md to Federalist-builder README

Acceptance Criteria

• former cloud-gov setup documentation available on README
• Change made live via deploy of federalist-builder

After evaluating, edit this part:

Level of effort - Medium

Implementation outline (if higher than "low" effort):

• compare README and cloud-gov setup doc and see what is missing
• update REAME with missing details

Acceptance Criteria

• Change made live via deploy of federalist-builder

After evaluating, edit this part:

Level of effort - low

Implementation outline (if higher than "low" effort):

• remove credentials-rotator from manifest.yml
• remove credentials-rotator from staging-manifest.yml
• delete credentials-rotator service in staging @davemcorwin
• delete credentials-rotator service in production

Assignee

• Move master branch to main:

  • git branch -m master main
  • git push -u origin main

• Migrate code, content references, and links:

  • master -> main
  • whitelist -> allowlist
  • blacklist -> denylist
  • ???

• Migrate CircleCI configuration and deploy scripts

• Migrate branch protections

If default branch is master

• [] Migrate Codeclimate configuration
• [] Migrate Github default branch

All team members update local clones

• Dave
• Amir
• Andrew
• Eddie

1. If you don't have the master branch pulled down locally, then there is nothing you need to do. You can check with git branch.

2. If you do have the master branch pulled down locally
   Here are instructions for updating locally AFTER the changes have been made in Github, but I'm not totally sure if they are all necessary.

git checkout master
git branch -m master main
git fetch
git branch --unset-upstream
git branch -u origin/main
git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main

Assignee (much later)

• Deletemaster branch locally and in Github (optional)

Automatic deploys are set up; however, I don't remember the password for the federalist-deploy user, so we need to either reset it or set up a new user. This is the same user for federalist deploys, so if we reset the password, we need to update here as well.

cc @jeremiak