Regular update for Dependencies

[mjones-oddball]

User Story - Business Need

We wish to keep dependencies up to date so we do not need such massive overhauls of our system. This will be a recurring ticket that will be done every sprint. We will update all dependencies we are able to. Any conflicts will get a ticket. This is intended to be a day of work at most because this is intended to update with only non-breaking changes.

• [x] Ticket is understood and QA has been contacted

User Story

As VA Notify I want to keep our service up to date So that we are secure and as free of bugs as possible

Additional Info and Resources

• Relevant section of README.md

Engineering Checklist

• [x] Update performed
• [x] Dependabot issues updated
• [x] Any conflicts removed and tickets created
• [x] Passes all tests locally
• [x] Passes userflows and QA Suite testing against Dev
• [x] Any major changes are investigated (compare existing to new version changes)
  • [x] Any questionable version changes are removed and a ticket is created
• [x] Tickets created are added to the Epic for tracking purposes

Acceptance Criteria

Repo dependencies are updated and we have no broken functionality. Issues opened by Dependabot are resolved. Tickets created for any updates we could, or should, not do.

QA Considerations

• [x] Check to see if these updates cancel out any Twistlock issues
• [x] QA Regression tests pass after deploying this code.

[cris-oddball]

@EvanParish noting that the click Dependbot issue could not be closed out the last time because requirements-cli.txt was not updated with click. Can you be sure to take a look at that file, please?

[EvanParish]

When attempting to test the dependency updates the regression suit was run against the deployed code and something in this branch caused it to run for 30+ min before we stopped it. Going back to master we saw it take the usual < 5 min amount of time. I'm working on figuring out what might be causing the issue.

[EvanParish]

I rolled back all of the patch updates and deployed with just minor version updates. This seems to have solved the issue, but I'm not sure which package caused the delayed sending in the first place. I suspect that future updates probably won't have that issue, so it's most likely just a waste of time finding the specific one.

[cris-oddball]

Sending approved and merged PR to Perf on tag v1.6.13-1472-dependencies. Doesn't look like any Twistlock issues can be cleared here.

[cris-oddball]

Click dependabot issue cleared on this one.

[cris-oddball]

A number of failed tests on the first run

 FAILED tests/test_communication_item.py::test_get_communication_item_invalid_communication_item_404
FAILED tests/test_service.py::test_get_all_services - AssertionError: Invalid...
FAILED tests/test_service_api_key.py::test_get_an_api_key - AssertionError: I...
FAILED tests/test_service_template.py::test_get_all_templates - AssertionErro...
FAILED tests/test_v2_notifications_email.py::test_send_email[Email: Basic Formatting w/ EDIPI and Optional Properties]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email[Email: Basic Formatting]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Missing required property 'template_id']
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Invalid type 'client_reference' not a string]
FAILED tests/test_v3_notifications_sms.py::test_send_v3_sms[SMS: Short w/ sms and EDIPI recipient ID]
FAILED tests/test_v3_notifications_sms.py::test_send_v3_sms_invalid_auth_401_403[SMS 403: invalid bearer token]

Re-running tests, might be related to the same issue as when the regression is run immediately after the deploy to Staging. The tag Push to Perf also runs the regression immediately.

[cris-oddball]

Now even more test failures on run 2

FAILED tests/test_communication_item.py::test_create_communication_item[Create Communication Item w Default Send Indicator as true]
FAILED tests/test_communication_item.py::test_create_communication_item[Create Communication Item w Default Send Indicator as false]
FAILED tests/test_communication_item.py::test_get_by_communication_item_id - ...
FAILED tests/test_communication_item.py::test_update_communication_item_negative_tests_400[Payload Name non-unique]
FAILED tests/test_communication_item.py::test_get_communication_item_invalid_bearer_token_401[GET All]
FAILED tests/test_communication_item.py::test_create_communication_item_negative_tests_400[Payload VAProfile Item ID non-unique]
FAILED tests/test_service_sms_sender.py::test_get_all_sms_senders - Assertion...
FAILED tests/test_v2_notifications_email.py::test_get_email_notification_statuses
FAILED tests/test_v2_notifications_sms.py::test_get_sms_notification_statuses
FAILED tests/test_v2_notifications_sms.py::test_send_sms_incorrect_format_phone_number_400
FAILED tests/test_v3_notifications_email.py::test_send_v3_email[Email: Basic Formatting w/ BIRLSID]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_auth_401_403[SMS 403: invalid bearer token]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Invalid type 'template_id' not a UUID]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Invalid type 'email_address' not a string]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Invalid type 'client_reference' not a string]
FAILED tests/test_v3_notifications_email.py::test_send_v3_email_invalid_payload_400[400 EMAIL: Invalid type 'billing_code' not a string]
FAILED tests/test_v3_notifications_sms.py::test_send_v3_sms[SMS: Short w/ alternate Pinpoint SMS Sender ID]
FAILED tests/test_v3_notifications_sms.py::test_send_v3_sms_invalid_payload_400[400 SMS: Invalid format 'phone_number']
============ 18 failed, 172 passed, 3 xfailed in 264.17s (0:04:24) =============

I need to investigate this prior to running any more regressions.

[cris-oddball]

It is read timeouts all the way down.

[cris-oddball]

Running the regression from the QA repo against the private endpoints now.

[cris-oddball]

Private regression failed due to a communication item not being properly deleted on the previous test run. Re-running.

[cris-oddball]

Regression passes in Perf ================== 190 passed, 3 xfailed in 172.58s (0:02:52) ==================

Holding ticket for the remaining dependabot upgrades.

[cris-oddball]

Dependbot cryptography issue merged and sent to Perf on v1.6.13-1472-cryptography. Regression fails against public endpoints with read timeouts, running regression from QA repo against private endpoints.

[cris-oddball]

Regression passes ================== 190 passed, 3 xfailed in 160.74s (0:02:40) ==================

The next dependabot issues are all for actions.

[cris-oddball]

For the dependabot docker/build-push-action upgrade, am sending master up to Perf using the Deploy to Env action.

Will wait for the cron to run tonight on Update cached Docker image.

[EvanParish]

Created ticket up update phonenumbers package in utils repo: https://app.zenhub.com/workspaces/va-notify-620d21369d810a00146ed9c8/issues/gh/department-of-veterans-affairs/notification-utils/143

[cris-oddball]

Have removed the run-qa-suite from the 3 workflows and merged to master. Using Deploy to Env to send up docker/build-push-action (which will actually test that action).

[cris-oddball]

Build/Push validated as working correctly.

The next PR combines and touches a number of workflows, including Build, User Flows, Locust, DB Downgrade, Deploy Lambda, Deployment, Regression (not going to bother testing), Tests, Twistlock, Update Cached Image (will wait for cron), Datadog Image Update. Will come up with a test plan after it is merged.

• aws-actions/configure-aws-credentials from 2.2.0 to 4.0.1
• actions/checkout v3 to v4
• setup-buildx-action v2 to v3

[cris-oddball]

Validation checklist for combined PR for workflow updates:

• [x] Wait for tomorrow's run of Update Cached Image and ensure it ran without errors
• [x] Deploy to Perf with action and send lambdas to vet a number of workflows
  • [x] Twistlock
  • [x] Build
  • [x] Deploy
  • [x] Deploy Lambda
• [x] Run an sms locust test
• [x] Run an email locust test
• [x] Wait for some PR push to see if unit tests still run
• [x] Not testing Datadog Image Update - has not been run in over a year
• [x] Not testing the regression workflow - is not stable on public endpoints
• [x] Not testing DB downgrade

[cris-oddball]

Who knows if the locust email load test ever worked. Has not been run before, I ran it against perf and dev and kept getting

Waiter CommandExecuted failed: Max attempts exceeded. Previously accepted state: For expression "Status" we matched expected path: "InProgress"

The locust instance is up and running, reporting healthy status checks.

[cris-oddball]

Update cached docker image works as expected.

Closing as passed!

[EvanParish]

I felt that I should leave my notes here about the rest of the dependencies.

Dependabot PR Test failures:

• urllib3 v1.26.16 -> v2.0.6
  • botocore depends on urllib3<1.27 and >=1.25.4
  • ticket to find a workaround for this is already created
• phone numbers v8.12.57 -> v8.13.22
  • utils depends on v8.12.57 and a test breaks when updating to v8.13.22
  • create ticket for this - utils-143
• flake8 v3.7.7 -> v6.1.0
  • code style check fails in many places
  • would this be handled by the black format ticket?
• marshmallow v2.20.5 -> v3.20.1
  • we need to upgrade sql alchemy first, which is planned for a later time