Merge pull request #4440 from GSA-TTS/main

.github/workflows/trivy-cache.yml

@@ -0,0 +1,38 @@
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

.github/workflows/trivy.yml

@@ -20,6 +20,7 @@ jobs:
       security-events: write
       actions: read
     env:
+      repo_name: gsa-tts/fac
       DOCKER_NAME: fac
       WORKING_DIRECTORY: ./backend
     name: Trivy Scan FAC Web Container
@@ -40,6 +41,11 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
         with:
           image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}'
           scan-type: 'image'
@@ -63,6 +69,8 @@ jobs:
       actions: read
     name: Trivy Scan Third Party Images
     runs-on: ubuntu-latest
+    env:
+      repo_name: gsa-tts/fac
     strategy:
       fail-fast: false
       matrix:
@@ -75,6 +83,11 @@ jobs:
 
       - name: Run Trivy vulnerability scanner on Third Party Images
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
         with:
           image-ref: '${{ matrix.image.name }}'
           scan-type: 'image'

.gitignore

@@ -167,6 +167,14 @@ terraform/**/*.tfstate*
 terraform/**/*.tfvars
 terraform/shared/modules/egress-proxy/proxy.zip
 terraform/shared/modules/egress-proxy/test/client.zip
+terraform/shared/modules/app/app.zip
+terraform/shared/modules/https-proxy/proxy.zip
+terraform/shared/modules/https-proxy/.terraform.lock.hcl
+terraform/shared/modules/stream-proxy/proxy.zip
+terraform/shared/modules/https-proxy/.terraform.lock.hcl
+terraform/shared/modules/sandbox-proxy/proxy.zip
+terraform/shared/modules/sandbox-proxy/.terraform.lock.hcl
+
 
 # XLSX ignores
 .~*#

backend/.profile

@@ -1,9 +1,9 @@
 #!/bin/bash
 
 # Source everything; everything is now a function.
-# Remember: bash has no idea if a function exists, 
+# Remember: bash has no idea if a function exists,
 # so a typo in a function name will fail silently. Similarly,
-# bash has horrible scoping, so use of `local` in functions is 
+# bash has horrible scoping, so use of `local` in functions is
 # critical for cleanliness in the startup script.
 source tools/util_startup.sh
 # This will choose the correct environment
@@ -14,6 +14,7 @@ source tools/migrate_app_tables.sh
 source tools/api_standup.sh
 source tools/run_collectstatic.sh
 source tools/seed_cog_baseline.sh
+source tools/materialized_views.sh
 
 #####
 # SETUP THE CGOV ENVIRONMENT
@@ -43,15 +44,18 @@ if [[ "$CF_INSTANCE_INDEX" == 0 ]]; then
     #####
     # COLLECT STATIC
     # Do Django things with static files.
-    run_collectstatic
-    gonogo "run_collectstatic"
+    # run_collectstatic
+    # gonogo "run_collectstatic"
 
     #####
     # SEED COG/OVER TABLES
     # Setup tables for cog/over assignments
     seed_cog_baseline
     gonogo "seed_cog_baseline"
+
+    # materialized_views
+    # gonogo "materialized_views"
 fi
 
 # Make psql usable by scripts, for debugging, etc.
-alias psql='/home/vcap/deps/0/apt/usr/lib/postgresql/*/bin/psql'
+alias psql='/home/vcap/deps/0/apt/usr/lib/postgresql/*/bin/psql'

backend/config/settings.py

@@ -227,8 +227,7 @@
 
 # Environment specific configurations
 DEBUG = False
-
-if ENVIRONMENT not in ["DEVELOPMENT", "PREVIEW", "STAGING", "PRODUCTION"]:
+if ENVIRONMENT not in ["SANDBOX", "DEVELOPMENT", "PREVIEW", "STAGING", "PRODUCTION"]:
     DATABASES = {
         "default": env.dj_db_url(
             "DATABASE_URL", default="postgres://postgres:[email protected]/backend"

backend/tools/materialized_views.sh

@@ -0,0 +1,9 @@
+source tools/util_startup.sh
+
+function materialized_views {
+    startup_log "RUN_MATERIALIZEDVIEWS" "BEGIN"
+    python manage.py materialized_views --create &&
+    local result=$?
+    startup_log "RUN_MATERIALIZEDVIEWS" "END"
+    return $result
+}

bin/ops/create_service_account.sh

@@ -70,4 +70,4 @@ cat << EOF
 
 cf_user = $username
 cf_password = $password
-EOF
+EOF

bin/ops/destroy_service_account.sh

@@ -50,4 +50,4 @@ cf target -o $org -s $space
 cf delete-service-key $service ${service}-key -f
 
 # destroy service
-cf delete-service $service -f
+cf delete-service $service -f

bin/ops/get_service_account.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+org="gsa-tts-oros-fac"
+
+usage="
+$0: Create a Service User Account for a given space
+
+Usage:
+  $0 -h
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+
+Options:
+-h: show help and exit
+-s <SPACE NAME>: configure the space to act on. Required
+-u <USER NAME>: set the service user name. Required
+-r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-o <ORG NAME>: configure the organization to act on. Default: $org
+"
+
+set -e
+set -o pipefail
+
+space=""
+service=""
+role="space-deployer"
+
+while getopts ":hs:u:r:o:" opt; do
+  case "$opt" in
+    s)
+      space=${OPTARG}
+      ;;
+    u)
+      service=${OPTARG}
+      ;;
+    r)
+      role=${OPTARG}
+      ;;
+    o)
+      org=${OPTARG}
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+if [[ $space = "" || $service = "" ]]; then
+  echo "$usage"
+  exit 1
+fi
+
+>&2 echo "Targeting org $org and space $space"
+cf target -o $org -s $space > /dev/null 2>&1
+
+# get service key
+cf service-key $service ${service}-key > /dev/null 2>&1
+
+# output service key to stdout in secrets.auto.tfvars format
+creds=`cf service-key $service ${service}-key | tail -n 7`
+username=`echo $creds | jq '.credentials.username'`
+password=`echo $creds | jq '.credentials.password'`
+
+cat <<EOM
+# generated with $0 -s $space -u $service -r $role -o $org
+# revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
+
+cf_user = $username
+cf_password = $password
+EOM

terraform/.gitignore

@@ -1,6 +1,7 @@
-*/backend.tfvars
-*/.terraform
-*/terraform.tfstate
-*/terraform.tfstate.backup
-*/deployer-creds.auto.tfvars
-shared/config/backend.tfvars
+*/backend.tfvars
+*/.terraform
+*/terraform.tfstate
+*/terraform.tfstate.backup
+*/deployer-creds.auto.tfvars
+shared/config/backend.tfvars
+*/*.tfplan

terraform/dev/dev.tf-example

@@ -1,3 +1,12 @@
+# The content of this file is managed by Terraform. If you modify it, it may
+# be reverted the next time Terraform runs. If you want to make changes, do it
+# in ../meta/bootstrap-env/templates.
+
+# Add resources to this module describing what you want in the corresponding 
+# space in cloud.gov. You should probably just reference a shared module as in the
+# example below to keep consistency across spaces, but you can also vary the 
+# content for each environment as needed.
+
 module "dev" {
   source        = "../shared/modules/env"
   cf_space_name = "dev"

terraform/preview/preview.tf-example

@@ -2,6 +2,11 @@
 # be reverted the next time Terraform runs. If you want to make changes, do it
 # in ../meta/bootstrap-env/templates.
 
+# Add resources to this module describing what you want in the corresponding 
+# space in cloud.gov. You should probably just reference a shared module as in the
+# example below to keep consistency across spaces, but you can also vary the 
+# content for each environment as needed.
+
 module "preview" {
   source        = "../shared/modules/env"
   cf_space_name = "preview"

terraform/production/production.tf-example

@@ -1,3 +1,12 @@
+# The content of this file is managed by Terraform. If you modify it, it may
+# be reverted the next time Terraform runs. If you want to make changes, do it
+# in ../meta/bootstrap-env/templates.
+
+# Add resources to this module describing what you want in the corresponding 
+# space in cloud.gov. You should probably just reference a shared module as in the
+# example below to keep consistency across spaces, but you can also vary the 
+# content for each environment as needed.
+
 module "production" {
   source        = "../shared/modules/env"
   cf_space_name = "production"