Discussion items for May 3 Developer Sync

[jimduff-usds]

@RickHawesUSDS @Mr0grog @mauricereeves @mry-usds @carlosfelix2 @ronaldheft-usds @joemeree @submit Agenda items as desired!

[ronaldheft-gov]

Discuss Palo Alto firewall test / production plan.

• Scheduled test with Palo Alto team
  • We need to simulate SFTP / API traffic in Ron's Azure dev environment to validate the Palo Alto is functioning correctly
  • What do we need to do to prepare and when can we schedule this test
• Roll out
  • All environments will need to be migrated to a new CDC-controlled VNET
  • Out existing resource groups will be okay
  • Migration is actually not too bad from a Terraform perspective, needs more planning to minimize outage window
  • External IP will change; need to communicate our new range with PHDs
• Caveats
  • The new VNET will remove our VPN and I haven't asked yet, but I doubt we will get the firewall rules approved to allow VPN ingress
  • CDC's VPN choice is CyberArk and we should use it
  • Firewall rules are added by port / IP
  • This means every site we connect to will need a firewall rule request
  • Palo Alto team is commiting to a 1 week turnaround time or less on new firewall rules, we need to make this part of our onboarding process
  • If firewall rules become onerous, Palo Alto team is open to explore alternative processes for rule approval

Notes

• Jim and Rick to assist that settings are configured correctly for this test
• Aiming to have CyberArk before VPN

Notes for Palo Alto Team

• Can we whitelist ports and use the "AI" power of Palo Alto to be alerted when we have drastic changes in egress traffic?
• Whitelisting by IP / port will slow us down and PHDs may be changing their IPs

[carlosfelix2]

Discuss if schema documentation in HTML will exist with the markup files (both at the same time). Looks to me that having both will be useful. Re: https://github.com/CDCgov/prime-data-hub/pull/985

Depending on the above, Sonar flags the HTML as duplicate code.

Need to coordinate changes to third party library versions to make sure they are updated in Gradle. If a change is merged then the current Gradle branch needs to be updates, and once the Gradle branch is merged then I could go back and merge from master and update the Gradle build file in that branch.

There are a lot of pull requests open.

[joemeree]

Ron, It's not clear if this affects the WATERS to ReportStream interface

Joe Meree AI Architect DataRobot cell:703-967-4730 @.> @.

From: Ron Heft @.> Sent: Monday, May 3, 2021 10:36 AM To: CDCgov/prime-data-hub @.> Cc: Joe Meree @.>; Mention @.> Subject: Re: [CDCgov/prime-data-hub] Discussion items for May 3 Developer Sync (#986)

Discuss Palo Alto firewall test / production plan.

• Scheduled test with Palo Alto team

• We need to simulate SFTP / API traffic in Ron's Azure dev environment to validate the Palo Alto is functioning correctly

• What do we need to do to prepare and when can we schedule this test

• Roll out

• All environments will need to be migrated to a new CDC-controlled VNET

• Out existing resource groups will be okay

• Migration is actually not too bad from a Terraform perspective, needs more planning to minimize outage window

• Caveats

• The new VNET will remove our VPN and I haven't asked yet, but I doubt we will get the firewall rules approved to allow VPN ingress

• CDC's VPN choice is CyberArk and we should use it

• Firewall rules are added by port / IP

• This means every site we connect to will need a firewall rule request

• Palo Alto team is commiting to a 1 week turnaround time or less on new firewall rules, we need to make this part of our onboarding process

• If firewall rules become onerous, Palo Alto team is open to explore alternative processes for rule approval

• You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com %2FCDCgov%2Fprime-data-hub%2Fissues%2F986%23issuecomment-831301579&data=04%7 C01%7C%7C08fc10e02cba4fa6f03e08d90e40d7ce%7C84df9e7fe9f640afb435aaaaaaaaaaaa %7C1%7C0%7C637556493924427840%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLC JQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sxFeuBCkwrV3o3EpDl 8%2FZ1D95S7RnZcPlcWWi1Gn%2BXw%3D&reserved=0 , or unsubscribe https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com %2Fnotifications%2Funsubscribe-auth%2FAGGJNEJTNLU7S5HANL6BTADTL2YGXANCNFSM44 A4F4AQ&data=04%7C01%7C%7C08fc10e02cba4fa6f03e08d90e40d7ce%7C84df9e7fe9f640af b435aaaaaaaaaaaa%7C1%7C0%7C637556493924427840%7CUnknown%7CTWFpbGZsb3d8eyJWIj oiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Tl UcL6pyneXfoYkgmuX7TtkSfxRfPwv1lHj%2FaO67Jo4%3D&reserved=0 . https://github.com/notifications/beacon/AGGJNEPVOLAVOTKLQ77KX2DTL2YGXA5CNFS M44A4F4A2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOGGGKPSY .gif

[ronaldheft-gov]

@joemeree There is no impact to Waters.