department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0

[SPIKE] Discovery on switching from AL2 base AMI to AL2-Hardened #15646

Open ndouglas opened 1 year ago

ndouglas commented 1 year ago

Description

Platform has a new hardened AL2 image and is switching from an Ansible-based build system to Packer. We should make an effort to conform 🙂

it should take your compliance from 55% up to about 80-84%

  • Kyle

Note from Erika: Our target for hardening is ~95%. We are currently at 90.5% so we should try to be above as to not pull down the overall score.

We should do discovery on this to determine how much work it'll take (if any) to transition to the new image and make a plan for a complete transition. This should not be a massive lift, but should improve our standing within the system.

https://github.com/department-of-veterans-affairs/vsp-platform-infrastructure/tree/main/packer/al2-hardened

Reference List

Acceptance Criteria

ndouglas commented 12 months ago

Hey team! Please add your planning poker estimate with Zenhub @edmund-dunn @olivereri @teeshe @ariperez @JunTaoLuo

olivereri commented 12 months ago

I know the idea wasn't to literally use this rubric but it seemed like an easy way to give my thinking behind the score:

Clarity: Clear as a bell
Approach: If we encounter issues or technical roadblocks early on how long should we work to overcome them?
Dependencies: None
Complexity: Basic knowledge about how Jenkins parameters work in our build and deploy jobs. Maybe creating Github Actions to build AMIs if Platform doesn't already have one running on a schedule.
Risks: None
Wait-Time vs. Work Time: Will require very little involvement from the Platform team.

EWashb commented 11 months ago

@maortiz-27-80 @BerniXiongA6 I have spoken with our Security expert and this does need to be prioritized as soon as possible, especially within the next sprint. @olivereri has more context to share for anyone that picks up this discovery ticket.

EWashb commented 11 months ago

@maortiz-27-80 @BerniXiongA6 @olivereri, after consulting with @little-oddball, the hardened instances are not quite ready after all. Let's just make sure to have our portion of the discovery refined for when that work is completed. I will continue to be in contact with Clint and others on Platform so that we can all be in sync. They are hoping the instances are ready by the end of the year.

This ticket has more in-depth info about what's upcoming and links to the related platform work for those interested in learning more.

EWashb commented 10 months ago

@maortiz-27-80 @ndouglas - just heard from Clint on Platform. They will be finishing up their piece of the work in the next sprint and we are free to begin after that. This takes us into right after the new year.

Some additional context: Our target for hardening is ~95%. We are currently at 90.5% so we should try to be above as to not pull down the overall score.

BerniXiongA6 commented 9 months ago

@EWashb to follow up with Clint. cc: @maortiz-27-80

EWashb commented 9 months ago

@michelle-dooley this will require very close collaboration with our other Platform DevOps teams.

little-oddball commented 9 months ago

@michelle-dooley - we should work to carve a little time to have your DevOps folk interact w/ some of the folks on Platform related to this item. Just let me know and I can help bridge that.

michelle-dooley commented 9 months ago

Hey @little-oddball - that sounds great!! Tyler Bird (not in GH yet) is our DevOps Engineer that started last week. And we have another one, Hassan Tariq, starting Monday. Should we wait until Monday when they are both here? If not I can hook you up with Tyler this week. Just let me know what you think is best...

little-oddball commented 9 months ago

@michelle-dooley - that sounds great, just hit me up when they get settled in. End of next week or something like that.

gracekretschmer-metrostar commented 8 months ago

@edmund-dunn

gracekretschmer-metrostar commented 7 months ago

3/7/2024 update: per @little-oddball guidance, @EWashb has decided to deprioritize this work until the platform team is ready to support. This will likely happen in a few months (~summer 2024).