BIA Review of Architecture Diagram

[gary-fallon]

Description

The Architecture Diagram referenced in the BIA and used in eMASS requires additional information to be added.

• [x] Determine if additional architecture diagrams can be added to eMASS.

Tasks

The following tasks must be reviewed and completed as necessary.

• [x] Update the architecture diagram(s) to include major business processes, minor applications, necessary workflows (e.g., CI/CD), as well as traffic flow, security controls, identified boundaries, and any other relevant information.

Acceptance

The following tasks must be completed before this issue can be considered done.

• [x] Provide updated diagrams showing:
  • [x] Vets-Website & Vets-API Application Infrastructure
  • [x] CMS Application Infrastructure
  • [x] Vets-Website external connections
• [x] Review the document for accuracy and completeness.

[little-oddball]

This ticket is a child of the epic below which has the BIA, etc.: https://github.com/department-of-veterans-affairs/va.gov-team/issues/53055

[little-oddball]

@alyssagallion For diagram updating can you work w/ Jesse House who is the PM and Kyle Matheny?

[alyssagallion]

Started a group chat on Slack with @jhouse-solvd and @ph-One

[alyssagallion]

Assigning this ticket to @jhouse-solvd per our Slack conversation and meeting today.

[jhouse-solvd]

I added my team label (+infrastructure) to show up in our ZenHub workspace. I'm taking a look at this tonight to review and add some details about what diagrams are needed to satisfy the system description.

I've got some time set aside tomorrow as well. The plan is to provide @alyssagallion and the team with estimates tomorrow.

[jhouse-solvd]

A few notes [WIP]:

• It's probably best if this issue and #53289 are completed together
• It makes sense to land on an accurate written description of the system that's complemented by matching diagrams
• I'm planning to draft the diagrams and description and verify them with Platform engineers
• Although I'm not sure that it's specifically called out in the BIA, I think a level 0 (business capabilities) diagram like the one described here would be helpful
• See this page in my personal Confluence space for thoughts on what should be shown on the diagram(s)

[jhouse-solvd]

This issue has been rated as a 5 (following the guidance here).

[jhouse-solvd]

FYSA, I’m OOO tomorrow and Friday (2/23,24) and will work on this upon my return.

We have a good understanding of the scope and details to include. Now we need a few hours to update (or create) diagrams:

• [x] Update the BRD architecture diagram
  • [x] Include additional AWS components used by Vets-API and Vets-Website
  • [ ] Include additional AWS components used by CMS
• [x] Re-create and update the VSP Topology - VSP Downstream Connection Map diagram
  • [x] Include additional connections found in the forward proxy config
  • [x] Include additional connections found on the Platform Website
  • [x] Include identity stuff from the diagram provided by Joe Niquette.
• [ ] Create a Remote Access diagram that shows external connections (SOCKS, DNS, VPCs) -- In Progress
• [ ] Create a CI/CD diagram that shows how developers deploy code and applications -- In Progress
• [ ] Create observability and monitoring diagram that shows things like Datadog, Loki, Grafana, Prometheus, Sentry -- In Progress

Thanks to all who have helped get the info together. If you’re interested, there are notes and to-dos in my personal Confluence space.

[jhouse-solvd]

I'm working on this now and plan to have updated diagrams to share by EOD.

[jhouse-solvd]

I have an updated diagram showing application (Vets-API) infrastructure and another showing external connections. When Gary has time, I'd like to review these with him to ensure they depict the necessary level of detail.

I'll begin working on the remote access and CI/CD diagrams today.

[jhouse-solvd]

Note: This work will carry over into the next sprint.

[jhouse-solvd]

I did a review of diagrams w/ Kyle Matheny this morning. He provided feedback and clarified some technical details that would be good to represent. Gary and I will also be meeting later today to review. He'll likely have feedback as well.

I'll add notes to this issue later today or tomorrow.

[jhouse-solvd]

The external services connections relate to #53885

[fowusu2]

@Gary-fallon Is the architecture diagram finalized now

[gary-fallon]

@fowusu2 No, @jhouse-solvd is still working on the architecture diagram.

[jhouse-solvd]

The external connections diagram has been prioritized due to its relation to #53885.

I met w/ Joe Niquette and Gary Fallon and have updated the external connections diagram based on their feedback.

I scheduled time for tomorrow afternoon to make changes needed to provide additional clarity around where various backend services are hosted, e.g.

• within the VAEC?
• hosted in a DSVA AWS GovCloud account?
• within the broader VA network?
• outside of the VAEC, AWS GovCloud, and VA Network?

[jhouse-solvd]

I'm working on this now. I plan to have an updated diagram to share in the next couple of hours.

Please also see the recent comment here for useful context.

[jhouse-solvd]

@gary-fallon - Regarding the updates to the diagrams per yesterday's discussion:

• I made some changes to reflect Caseflow/appeals as inside of a neighboring VPC
• I've not yet added VA Notify, as I need to dig into the details there a bit better
• I went through each of the services listed in the VA network section on the right, and they all appear to be hosted by the VA, based on the documentation available to me, though I'm not sure of the specifics without further investigation
• I moved some services from the DOD into their own network
• I moved several services into a third-party data provider section; we could call this something else, but I want to reflect that somehow
• I marked VIC grey for now, because I found some information suggesting that it might not be in use; need to confirm
• I need to add a legend denoting what the colors mean; I have an idea but want to discuss w/ Gary once we have the connections correctly identified

I shared the diagram in DSVA Slack to get your feedback. Please let me know if you'd like to discuss this tomorrow or the next.

[gary-fallon]

@jhouse-solvd can you please include CMS as part of the AWS architecture diagram? Thank you.

[jhouse-solvd]

X-Post for visibility

[jhouse-solvd]

X-Post for visibility

[jhouse-solvd]

Per Gary's previous request, I'm working on adding CMS to the infrastructure architecture diagram now.

[gary-fallon]

@jhouse-solvd can you please share whatever diagrams you are currently working on?

I will be drafting the BIA and ISCP based on a new definition of the FISMA authorization boundary that includes all VFS applications.

I'll unassign this issue for now and follow up if I have questions. Thank you!

[jhouse-solvd]

@gary-fallon - Do you still want me to include CMS components on the infrastructure architecture diagram? I met w/ one of their DevOps engineers this morning to inquire about details.

I'm heading into a Team of Teams meeting right now but I will export and share these diagrams as soon as I'm finished.

[gary-fallon]

@jhouse-solvd yes, please finish up whatever you were working on first. Thank you!

[jhouse-solvd]

@gary-fallon - I sent you the following diagrams in DSVA Slack:

• 2023321 - VA.Gov Platform AWS Application Infrastructure for Vets-Website and Vets-API - Architecture Overview
• 20230321 - VA.Gov Platform AWS Application Infrastructure for CMS - Architecture Overview
• 20230321 - External Connections - Backend Service Architecture Overview

If you’d like, I can attach them to the issue as well, as long as there are no concerns about the sensitivity of security-related info.

Pending feedback on these diagrams, I’m happy to finish the a) CI/CD, b) remote access, and c) observability and monitoring diagrams. But I understand that those might not be as high priority as other work.

Please let me know how I can best support upcoming deadlines. :pray:

[gary-fallon]

I reviewed the diagrams provided by @jhouse-solvd.

[alyssagallion]

During our Gap Analysis, we realized that the System Security Plan (SSP) was incorrect. We have since updated it, presented it to the ISSO and Ray Wang is now reviewing the associated tickets he needs to approve. Once those are reviewed and approved, @ScottCutlip will continue the work on SSP.

SSP is the dependency. Until approved, all BIA work is on hold.

[alyssagallion]

@jhouse-solvd Can you also add points to this ticket? We are trying to get an accurate Burndown Report. Thanks!

[jhouse-solvd]

@alyssagallion - The Epic has 3 stories, each of which are 3 points, making the epic total 9. We could also point the epic, but it will skew the points higher (ie epic + stories).

Let me know what you'd like to do! :)

[jhouse-solvd]

The most recent architecture diagram has been included in the BIA.

Please see the parent epic for future updates.

Closing.