Verify vets-api connection to VES database & define next steps

[jilladams]

Currently blocked awaiting Platform support (slack threads ongoing)

Description

https://dsva.slack.com/archives/C0229UT3HSR/p1674492166999389

The Oracle VES database we want to use for Income Limits backend must be accessible via vets-api in order to move forward. Joshua Faulkner owns that db and we are nudging integration with Platform team. Until that connection is established and can be tested, API is blocked.

Once they confirm it's available and testable, we can test and resolve this. This will unblock the next step of writing the actual API in Ruby.

Prereqs

• Joshua must set up an AWS RDS non-prod instance for us to connect to

Acceptance Criteria

• [ ] Work with Platform and/or CMS infra folks to help confirm if vets-api can reach VES database
• [ ] If so: Schedule meeting with Lindsey Hattamer (Platform), Daniel, Josh to look at the connection and begin planning the API Ruby implementation in vets-api (https://dsva.slack.com/archives/C52CL1PKQ/p1675106253098949?thread_ts=1675105994.965369&cid=C52CL1PKQ)
• [ ] If not: reopen ESECC ticket for next steps or open new ticket, with tips from Joshua Faulkner

Team

Please check the team(s) that will do this work.

• [ ] CMS Team
• [X] Public Websites
• [ ] Facilities
• [ ] User support

[dsasser]

Latest from Joshua regarding escalating to ESECC:

It passed VAEC technical review and is now at ISSO review and approval, this process takes a while.

[jilladams]

Being tracked in RFC-009658 in the ESECC portal: https://esecc.va.gov/CGWeb/MainUI/Changemanagement/StaffRFC.aspx?boundtable=IChangeManagementTicket&CloseOnPerformAction=false&ID=12650&windowWidth=1050&openTime=1676411788165

[jilladams]

ESECC approved: https://dsva.slack.com/archives/C0229UT3HSR/p1677597409530699?thread_ts=1674492166.999389&cid=C0229UT3HSR

Next step: Plat implementation. Then we can verify.

[dsasser]

Status Update

The ESECC ticket closed. Moving to testing the connectivity from within the expected subnets (ones that vets-api uses).

Test results

• ❌ Tested locally using sqlplus: connection timeout (it turns out, this may probably never work, since SOCKS proxy only proxies a few domains, and I may have misunderstood Platform's comments about connecting over SOCKS)
• ❓ Pinged Platform for assistance but was directed to use team resources due to Platform dealing with high priority incidents.
• ❌ Eric Oliver tested using sqlplus from the Staging server, and netcat/telnet from other subnets. All of which failed to connect, and instead connection timeout errors occurred.

Next Steps

It appears we may need to escalate this to ESECC as some part of the connection between subnets/VPCs isn't allowing traffic though as expected. This may require coordination with CMS Devops engineers since they are the only ones on our team able to access resources on the test subnets.

[jilladams]

@dsasser for next steps, I'll be a bit of a bottleneck these days -- are you comfortable chasing that? Let me know if/where you get blocked and happy to help with unblocking as needed. (I recognize you have a sprint goal on another ticket, so let's discuss if this isn't actually practical given your other commitments.)

[jilladams]

Backend refinement update:

• No luck connecting so far, https://dsva.slack.com/archives/C0229UT3HSR/p1680637137781229?thread_ts=1674492166.999389&cid=C0229UT3HSR
• Daniel will try to schedule call with Platform, Eric, Joshua
• If that fails, need escalation to DaveC for how to break through

[dsasser]

It has come to my attention that I may have misunderstood how SOCKS can play a role with accessing the VES database from a local dev environment. It is likely to be impossible to reach the database from SOCKS alone. If it turns out to be true, this will make development difficult if at all possible with a live database connection.

We understood the VES database to be a "simpler" drop-in solution for the IncLim backend than rolling our own or utilizing the vets-api postgresql instance(s). With the "new" information about SOCKS, it may actually be more difficult to create and maintain the new API with the VES db as a backend. Since the vets-api postgresql db is native to vets-api powered APIs, there won't be such a challenge with initial development or maintenance with regards to limitations on the local side of things. That, along with the lack of Housebound limits in the VES database, may mean we should consider if VES is even worth pursuing over other alternatives. The viability of using vets-api postgresql hasn't been flushed out, but it is one of our options, and one that eliminates 3rd party-owned resources should it prove an acceptable option.

[jilladams]

13189 = Alternative to VES DB discovery.

[dsasser]

Status Update

We tested connectivity from an ostensibly allowed subnet, but it was not successful. Testing over SOCKS was also not successful.

Next Steps: A Troubleshooting Call

We need to fully validate the connectivity is/is not established by bringing in: Joshua Faulker, Eric Oliver, and Platform (probably Kyle Matheny since he has been involved already) to a troubleshooting call whereby we can fully validate connectivity status from all 3 subnets. This has proven difficult/impossible for two reasons: Platform has indicated they have high priority concerns, and Eric Oliver has been under tight sprint deadlines.

[jilladams]

Progress on booking some of Eric's time: https://dsva.slack.com/archives/C03LFSPGV16/p1681231109596099?thread_ts=1680712011.784739&cid=C03LFSPGV16

[dsasser]

Status Update 4/19/2023

We need confirmed tests in all 3 subnets before escalating to ESECC. Eric Oliver is slated to test in all 3 subnets using a java jar file delivered by Joshua Faulkner. This will do two things:

1. Make it easier to test. There will be no need to setup a sql client to test connectivity.
2. Inform connectivity tests as confirmed/unconfirmed with confidence. The consistent output of the java jar file test will provide certainty that our connection is/is not established at a network level. This will be useful information should we need to escalate to ESECC.

Relevant slack conversation: https://dsva.slack.com/archives/C0229UT3HSR/p1681836819887469?thread_ts=1674492166.999389&cid=C0229UT3HSR

[davidconlon]

Note: Covered in mid-sprint check in that this is at risk for not completely coming across the line in 82 (but still hopeful!) Understand the collab and dependencies here. (We knew all this walking into the sprint/sprint planning)

[dsasser]

Status Update 4/21/2023

@olivereri tested connectivity to the Oracle database from 3 VPCs on 4/20/23. As Eric notes here, the tests had mixed results. The details are summarized below.

Summary of VES Oracle DB Connectivity Tests

Production VPC: ❌ Failed Staging VPC: ❌ Failed Sandbox VPC: ✅ Successful

[jilladams]

A small 🎉 for one ✅ .

[dsasser]

Status Update 5/4/23

A troubleshooting call is scheduled for Thursday May 11th with Network Edge Operations NOC, Joshua, myself, and Eric Oliver.

[dsasser]

Status Update 5/17/23

Connectivity established!

From the troubleshooting call on the 11th, the VA Network Edge Operations team noted they found a typo in the original implementation, and corrected this. Today, Eric successfully connected to the target network from all three subnets.

[wesrowe]

Options for VES-vets-api connection:

Don't want real-time – will migrate data periodically. Concerns are performance, outages, etc.

Option A: Import VES tables directly into vets-api

• local dev: not possible to do the same as staging/prod, so we would need a separate process. Data dump from staging, would be manual; Platform has said the Security team would have to do it.
• Possible next step: ask another team using postgres how they do local – AR: Josh to ask check-in team.

Option B: keep CSV process the way it is using S3 just automate export from VES

• Ideally, we would create a sidekiq job that handles the export and upload
• Plus: iteration of current approach rather than replacement; local keeps working
• Minus: 2 scheduled jobs that have to work in concert (low risk)
• Plus: resilience if VES makes changes
• Next steps (tickets):
  • discovery: how to export CSV from VES
  • spike: how to move CSVs to S3
  • create scheduled job to automate
• challenging to develop and test because it can't be run locally
• GFE: ask Swirt if this would make initial development easier

We picked Option B