Federal employees and staff contractors, expand this section. Not applicable to project contractors.
Engineers who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following:
- [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training:
- [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/).
- [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training:
- [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/).
Slack channels
Project contractors: Your buddy will add you to the private channel for your project.
Federal employees and staff contractors, expand this section:
Your onboarding buddy will add you to these Slack channels:
- [ ] `#cg-aws-security` - private channel where bots post security notices
- [ ] `#cg-billing` - private business development channel (if applicable)
- [ ] `#cg-incidents` - private channel for incident response
- [ ] `#cg-ops-banter` - private channel for operations/engineering banter
- [ ] `#cg-priv-all` - private channel for in-team discussion
- [ ] `#cg-priv-compliance` - private channel for security and compliance discussions
Google Groups
Federal employees and staff contractors, expand this section:
- [ ] [cloud.gov AWS](https://groups.google.com/a/gsa.gov/g/cloud-gov-aws/members)
- [ ] [cloud.gov Notifications](https://groups.google.com/a/gsa.gov/g/cloud-gov-notifications/members) (🗣️)
- [ ] [cloud.gov Operations](https://groups.google.com/a/gsa.gov/g/cloud-gov-operations/members)
- [ ] [cloud.gov Security](https://groups.google.com/a/gsa.gov/g/cloud-gov-security/members)
- [ ] [cloud.gov Support](https://groups.google.com/a/gsa.gov/g/cloud-gov-support/members) (🗣️)
Channels marked with (🗣️) receive a lot of messages, either from customers or bots, and you may want to mute them.
- [x] Read the cloud.gov Security Policies and Procedures. These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families". They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan.
- [x] Review the System Security Plan (the latest version lives on Google Drive; look for "cloud.gov System Security Plan (SSP)" as a .docx file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment).
- [x] Review the team's Engineering Practices. Some of these are mandatory because they fulfill FedRAMP requirements.
- [x] Sign up for a cloud.gov sandbox using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective.
  This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training.
Engineering-specific items
Machine admin rights
- [x] In order to install development tools on your Mac, you will need to request local admin rights by submitting a ServiceDesk ticket using this justification. If you're unable to create a ticket for yourself, your onboarding buddy can create one for you.
AWS user names should be identical across accounts so that permissions can be correctly managed by Terraform.
- [x] Create AWS accounts by following these instructions. These accounts should be set up as read-only at the start; once the 3 mandatory cloud.gov trainings are complete, they will be switched to full admin accounts and added to the audit input file:
  - [x] AWS Commercial accounts
  - [x] AWS GovCloud accounts
- [x] Ensure the new person creates a 55-day Google Calendar reminder to update passwords, which expire every 60 days
- [x] Add them to Nessus Manager via the GUI
- [x] Add them to the ScanAdmins team in Settings > Groups
Federal employees and staff contractors, expand this section:
You are a member of the Cloud Operations team, which means you have additional administrative permissions:
- [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform.
- [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub.
- [ ] Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/)
- [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count
- [ ] Add them as an `agent` to the cloud.gov support Zendesk (Ask a cloud.gov member with admin access to Zendesk to add them).
- [ ] Add them as Technical users to [Ubuntu Advantage](https://ubuntu.com/pro/users) (Admin users for leads and supervisors)
Additional compliance setup/review
- [x] Install `caulking` git leak prevention by following the README
- [x] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue
- [x] Set up GPG signing for GitHub (instructions here) and paste the output of `git config commit.gpgsign` as a comment on this GitHub issue
Install a development environment for cloud.gov
Note: Make sure you have followed the instructions in Machine admin rights at the top of this section to get local admin rights on your machine before moving forward.
- [x] Fix `fly`, the Concourse CLI, by running `xattr -d com.apple.quarantine /opt/homebrew/bin/fly`. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine. Verify by running `fly -h` in your command line.
- [x] Install cloud.gov dev tools by cloning the `cg-scripts` repo: run `git clone https://github.com/cloud-gov/cg-scripts.git` in your command line
Figure out your first tasks
Project contractors: Check in with your project lead about first tasks.
Federal employees and staff contractors, expand this for instructions:
The engineering team currently contains the following squads, each with their own projects:
- Assurance, which focuses on security and compliance
- Platform, which maintains and improves cloud.gov, focusing on internals like our AWS architecture and Cloud Foundry
- Customer Success, which focuses on customer-facing features like service brokers and observability tools
If you are not already assigned to a particular squad, work with your onboarding buddy to join squad standups and learn what each squad is working on.
Assurance-specific items
These items are only mandatory for someone stepping into an Assurance squad role, but you are welcome to subscribe even if you are on another squad:
New Engineer Onboarding Checklist
Special Notes
Complete additional cloud.gov trainings
Learn our policies and procedures
In addition to the topics in the trainings section, review the following documents:
Getting to know cloud.gov
Resources on cloud.gov:
Resources on CloudFoundry/BOSH:
Getting hands-on with cloud.gov:
Engineering-specific items
Machine admin rights
Engineering account management
Before starting this section, you must complete:
Install a development environment for cloud.gov
`brew`)
`cd` into it, and run `brew bundle install` to install everything in `Brewfile`.
`cf login -a api.fr.cloud.gov --sso`
`cf orgs`
`aws-vault` by following our directions