as tech lead, I need develop and staging branches to deploy to acf domains

[ADPennington]

Description: to model production environment as closely as possible, we want to use acf domains for qasp-approved work.

for the develop env, the domains are: https://tdp-frontend-develop.acf.hhs.gov https://tdp-backend-develop.acf.hhs.gov

for staging env, the domains are: https://tdp-frontend-staging.acf.hhs.gov https://tdp-backend-staging.acf.hhs.gov

We need to set up external domain service and update the codebase to deploy to these new urls.

Acceptance Criteria:

• [ ] staging-deployment workflow from raft CI is successful.
• [ ] staging-deployment workflow from HHS CI is successful.
• [ ] (non) ACF users can login at develop and staging sites
• [ ] (non) ACF users can request access at develop and staging sites
• [ ] (non) ACF users can submit data at develop and staging sites
• [ ] Admins can access all parts of DAC to manage users and data via backend develop and staging sites
• [ ] nightly scans are saved in relevant backends
• [ ] Testing Checklist has been run and all tests pass
• [ ] README is updated, if necessary

Tasks:

• [x] submit DNS requests to ACF OCIO
• [ ] create external domain service (example steps here)
• [ ] update relevant parts of the codebase and docs 1, 2 and likely more
• [x] update login.gov redirect URIs
• [ ] update AMS redirect URIs
• [ ] Run Testing Checklist and confirm all tests pass

[andrew-jameson]

Unable to create domain or external domain:

ajameson@G6D61549VJ-ajameson-Raft TANF-app %  cf create-service external-domain domain tdp-staging-domain -c '{"domains": "tdp-frontend-develop.acf.hhs.gov, tdp-backend-develop.acf.hhs.gov, tdp-frontend-staging.acf.hhs.gov, tdp-backend-staging.acf.hhs.gov"}'
Creating service instance tdp-staging-domain in org hhs-acf-ofa / space tanf-staging as ajameson@teamraft.com...
Service broker error: We could not find correct CNAME records for one or more of your domains.
Please ensure the following DNS records are in place and try to provision
this service again:
  CNAME _acme-challenge.tdp-frontend-develop.acf.hhs.gov should point to _acme-challenge.tdp-frontend-develop.acf.hhs.gov.external-domains-production.cloud.gov, but it does not exist.
  CNAME _acme-challenge.tdp-backend-develop.acf.hhs.gov should point to _acme-challenge.tdp-backend-develop.acf.hhs.gov.external-domains-production.cloud.gov, but it does not exist.
  CNAME _acme-challenge.tdp-frontend-staging.acf.hhs.gov should point to _acme-challenge.tdp-frontend-staging.acf.hhs.gov.external-domains-production.cloud.gov, but it does not exist.
  CNAME _acme-challenge.tdp-backend-staging.acf.hhs.gov should point to _acme-challenge.tdp-backend-staging.acf.hhs.gov.external-domains-production.cloud.gov, but it does not exist.
FAILED
ajameson@G6D61549VJ-ajameson-Raft TANF-app % nslookup _acme-challenge.tdp-backend-staging.acf.hhs.gov
Server:     10.0.0.1
Address:    10.0.0.1#53

** server can't find _acme-challenge.tdp-backend-staging.acf.hhs.gov: NXDOMAIN

ajameson@G6D61549VJ-ajameson-Raft TANF-app % cf create-domain hhs-acf-ofa tdp-frontend-develop.acf.hhs.gov
Creating private domain tdp-frontend-develop.acf.hhs.gov for org hhs-acf-ofa as ajameson@teamraft.com...
You are not authorized to perform the requested action
FAILED

Also, adding this documentation explicitly as I believe previously linked comment is not sufficient.

[ADPennington]

@andrew-jameson I reached out to OCIO today for support on this ticket.

[ADPennington]

@Smithh-Co @andrew-jameson I submitted updated forms to OCIO on 2/14. we had tdp-develop-frontend instead of tdp-frontend-develop and so on. 🤪

[ADPennington]

@andrew-jameson -- OCIO updated our URLs. The staging external domain service creation is in progress (see steps taken below):

apennington@HHSLBDSWL73 MINGW64 /
$ cf create-domain hhs-acf-ofa tdp-frontend-develop.acf.hhs.gov
Creating private domain tdp-frontend-develop.acf.hhs.gov for org hhs-acf-ofa as [alexandra.pennington@acf.hhs.gov](mailto:alexandra.pennington@acf.hhs.gov)...
OK

TIP: Domain 'tdp-frontend-develop.acf.hhs.gov' is a private domain. Run 'cf share-private-domain' to share this domain with a different org.

apennington@HHSLBDSWL73 MINGW64 /
$ cf create-domain hhs-acf-ofa tdp-backend-develop.acf.hhs.gov
Creating private domain tdp-backend-develop.acf.hhs.gov for org hhs-acf-ofa as [alexandra.pennington@acf.hhs.gov](mailto:alexandra.pennington@acf.hhs.gov)...
OK

TIP: Domain 'tdp-backend-develop.acf.hhs.gov' is a private domain. Run 'cf share-private-domain' to share this domain with a different org.

apennington@HHSLBDSWL73 MINGW64 /
$ cf create-domain hhs-acf-ofa tdp-frontend-staging.acf.hhs.gov
Creating private domain tdp-frontend-staging.acf.hhs.gov for org hhs-acf-ofa as [alexandra.pennington@acf.hhs.gov](mailto:alexandra.pennington@acf.hhs.gov)...
OK

TIP: Domain 'tdp-frontend-staging.acf.hhs.gov' is a private domain. Run 'cf share-private-domain' to share this domain with a different org.

apennington@HHSLBDSWL73 MINGW64 /
$ cf create-domain hhs-acf-ofa tdp-backend-staging.acf.hhs.gov
Creating private domain tdp-backend-staging.acf.hhs.gov for org hhs-acf-ofa as [alexandra.pennington@acf.hhs.gov](mailto:alexandra.pennington@acf.hhs.gov)...
OK

TIP: Domain 'tdp-backend-staging.acf.hhs.gov' is a private domain. Run 'cf share-private-domain' to share this domain with a different org.
apennington@HHSLBDSWL73 MINGW64 /
$ cf domains
Getting domains in org hhs-acf-ofa as alexandra.pennington@acf.hhs.gov...

name                               availability   internal   protocols
api-tanfdata.acf.hhs.gov           private                   http
api.tanfdata.acf.hhs.gov           private                   http
app.cloud.gov                      shared                    http
apps.internal                      shared         true       http
fr.cloud.gov                       shared                    http
tanfdata.acf.hhs.gov               private                   http
tdp-backend-develop.acf.hhs.gov    private                   http
tdp-backend-staging.acf.hhs.gov    private                   http
tdp-frontend-develop.acf.hhs.gov   private                   http
tdp-frontend-staging.acf.hhs.gov   private                   http

apennington@HHSLBDSWL73 MINGW64 /
$ cf create-service external-domain domain tdp-staging-domains -c '{"domains": "tdp-frontend-develop.acf.hhs.gov, tdp-backend-develop.acf.hhs.gov, tdp-frontend-staging.acf.hhs.gov, tdp-backend-staging.acf.hhs.gov"}'
Creating service instance tdp-staging-domains in org hhs-acf-ofa / space tanf-staging as alexandra.pennington@acf.hhs.gov...
OK

Create in progress. Use 'cf services' or 'cf service tdp-staging-domains' to check operation status.

apennington@HHSLBDSWL73 MINGW64 /
$ cf service tdp-staging-domains
Showing info of service tdp-staging-domains in org hhs-acf-ofa / space tanf-staging as alexandra.pennington@acf.hhs.gov...

name:             tdp-staging-domains
service:          external-domain
tags:
plan:             domain
description:      Assign a custom domain to your application with TLS and an optional CDN.
documentation:    https://github.com/cloud-gov/external-domain-broker
dashboard:
service broker:   external-domain-broker

Showing status of last operation from service tdp-staging-domains...

status:    create in progress
message:   Waiting for DNS changes
started:   2023-02-22T16:04:27Z
updated:   2023-02-22T16:05:29Z

There are no bound apps for this service.

Upgrades are not supported by this broker.

[andrew-jameson]

• [x] Create new branch for hijacking deploy-develop workflows so we can test all of the below
• [x] Adjust ALLOWED_HOSTS for class Staging(CloudGov) for new domains
• [x] Adjust route-mapping in scripts/deploy-backend.sh for staging envs akin to production
• [x] Adjust .env values in scripts/deploy-frontend.sh to accommodate new domains
• [ ] Adjust BASE_URL and FRONTEND_URL in cf env on backend manually for testing
• [ ] Then change ^^ these again but codified via CircleCI environment variables
• [ ] Investigate if any frontend code changes might be necessary

Using below, investigate any other files that have acf-domain specific carve-outs:

ajameson@G6D61549VJ-ajameson-Raft TANF-app % grep -R "acf.hhs.gov" .|grep -vE "\.md:|\.jsx|mail|\.html"
./scripts/deploy-frontend.sh:        echo "REACT_APP_BACKEND_URL=https://api-tanfdata.acf.hhs.gov/v1" >> .env.production
./scripts/deploy-frontend.sh:        echo "REACT_APP_BACKEND_HOST=https://api-tanfdata.acf.hhs.gov" >> .env.production
./scripts/deploy-frontend.sh:        cf map-route "$CGHOSTNAME_FRONTEND" tanfdata.acf.hhs.gov
./scripts/zap-hook.py:    if 'web' in target or 'backend' in target or 'https://api-tanfdata.acf.hhs.gov' in target:
./scripts/zap-hook.py:    if 'frontend' in target or 'https://tanfdata.acf.hhs.gov' in target:
./scripts/deploy-backend.sh:        cf map-route tdp-backend-prod api-tanfdata.acf.hhs.gov
./scripts/deploy-backend.sh:  BASE_URL="https://api-tanfdata.acf.hhs.gov/v1"
./scripts/deploy-backend.sh:  FRONTEND_BASE_URL="https://tanfdata.acf.hhs.gov"
./scripts/zap-scanner.sh:        APP_URL="https://api-tanfdata.acf.hhs.gov/"
./scripts/zap-scanner.sh:            APP_URL="https://tanfdata.acf.hhs.gov/"
./tdrs-frontend/nginx/nginx.conf:    add_header Content-Security-Policy "default-src 'self'; *.acf.hhs.gov; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; *.acf.hhs.gov manifest-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none';";
./tdrs-frontend/nginx/nginx.conf:    add_header Access-Control-Allow-Origin "https://tanfdata.acf.hhs.gov";
./tdrs-backend/tdpservice/settings/cloudgov.py:    ALLOWED_HOSTS = ['api-tanfdata.acf.hhs.gov', 'tdp-backend-prod.app.cloud.gov']
./tdrs-backend/tdpservice/settings/cloudgov.py:    SESSION_COOKIE_DOMAIN = '.acf.hhs.gov'
./tdrs-backend/tdpservice/settings/common.py:    CSRF_TRUSTED_ORIGINS = ['.app.cloud.gov', '.acf.hhs.gov']
./tdrs-backend/tdpservice/middleware.py:        response["Access-Control-Allow-Origin"] = "https://tanfdata.acf.hhs.gov"

[George-Hudson]

Closing this ticket as it was merged into Mo's NGINX ticket that has already been approved and merged into develop