GSA-TTS · mogul · May 4, 2023 · May 3, 2023 · May 3, 2023 · May 3, 2023
diff --git a/.github/ISSUE_TEMPLATE/offboarding.md b/.github/ISSUE_TEMPLATE/offboarding.md
@@ -19,6 +19,9 @@ assignees: ''
 **For engineers, also...**
 
 - [ ] Make a PR to [remove the departing team member from the list of developers and managers](https://github.com/GSA-TTS/FAC/tree/main/terraform/management/config.tf) with access to our spaces.
+- [ ] [Remove the departing team member as a member of the FAC group in New Relic.](https://one.newrelic.com/admin-portal/organizations/users-list) (@GSA-TTS/fac-admins can do this)
+    - [ ] If they're leaving TTS altogether, also delete their account. 
+
 
 **For product leads/owners, also...**
 

diff --git a/.github/ISSUE_TEMPLATE/onboarding.md b/.github/ISSUE_TEMPLATE/onboarding.md
@@ -77,7 +77,7 @@ Note: If you're not able to do any of these yourself, you're still responsible f
 - [ ] [Add as a form manager to the touchpoints recruitment intercept](https://touchpoints.app.cloud.gov/admin/forms/9412c559/permissions)
 
 **For engineers, also...**
-- [ ] [...nothing currently...]
+- [ ] [Add as a member of the FAC group in New Relic](https://one.newrelic.com/admin-portal/organizations/users-list) (@GSA-TTS/fac-admins can do this)
 
 **For product leads/owners, also...**
 - [ ] Make them Owner of [the various Google Groups in the project README](https://docs.google.com/document/d/1g8nYqYS_ifFlZB-DBgfeSoJRMB__EqWsmLnacyk-bDI/edit#heading=h.81zynabayrrg)

diff --git a/.github/workflows/terraform-apply-env.yml b/.github/workflows/terraform-apply-env.yml
@@ -18,6 +18,7 @@ jobs:
       KEY: "terraform.tfstate.${{ inputs.environment }}"
       TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
       TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+      TF_VAR_new_relic_license_key: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       TERRAFORM_PRE_RUN: |
           apt-get update

diff --git a/.github/workflows/terraform-plan-env.yml b/.github/workflows/terraform-plan-env.yml
@@ -18,6 +18,7 @@ jobs:
       KEY: "terraform.tfstate.${{ inputs.environment }}"
       TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
       TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+      TF_VAR_new_relic_license_key: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       TERRAFORM_PRE_RUN: |
           apt-get update

diff --git a/backend/.profile b/backend/.profile
@@ -1,11 +1,23 @@
+#!/bin/bash
+
 export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
+# Grab the New Relic license key from the newrelic-creds user-provided service instance
+export NEW_RELIC_LICENSE_KEY="$(echo "$VCAP_SERVICES" | jq --raw-output --arg service_name "newrelic-creds" ".[][] | select(.name == \$service_name) | .credentials.NEW_RELIC_LICENSE_KEY")"
+
+# Set the application name for New Relic telemetry.
+export NEW_RELIC_APP_NAME="$(echo "$VCAP_APPLICATION" | jq -r .application_name)"
+
+# Set the environment name for New Relic telemetry.
+export NEW_RELIC_ENVIRONMENT="$(echo "$VCAP_APPLICATION" | jq -r .space_name)"
+
 # We only want to run migrate and collecstatic for the first app instance, not
 # for additional app instances, so we gate all of this behind CF_INSTANCE_INDEX
 # being 0.
-[ "$CF_INSTANCE_INDEX" = 0 ] && echo 'Starting .profile' &&
+[ "$CF_INSTANCE_INDEX" = 0 ] &&
+echo 'Starting migrate' &&
 python manage.py migrate &&
 echo 'Finished migrate' &&
 echo 'Starting collectstatic' &&
 python manage.py collectstatic --noinput &&
-echo 'Finished collectstatic, finished .profile'
+echo 'Finished collectstatic'
diff --git a/backend/Procfile b/backend/Procfile
@@ -1,2 +1,2 @@
 # used by cloud.gov
-web: gunicorn config.wsgi -t 60
+web: newrelic-admin run-program gunicorn config.wsgi -t 60
diff --git a/backend/config/settings.py b/backend/config/settings.py
@@ -9,13 +9,15 @@
 For the full list of settings and their values, see
 https://docs.djangoproject.com/en/4.0/ref/settings/
 """
-
+import newrelic.agent
 from base64 import b64decode
 import os
 import json
 import environs
 from cfenv import AppEnv
 
+newrelic.agent.initialize()
+
 env = environs.Env()
 
 ENVIRONMENT = env.str("ENV", "UNDEFINED").upper()

diff --git a/backend/manifests/manifest-fac.yml b/backend/manifests/manifest-fac.yml
@@ -19,3 +19,4 @@ applications:
       - fac-db
       - fac-public-s3
       - fac-key-service
+      - newrelic-creds
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt ./requirements/requirements.in
@@ -20,7 +20,6 @@ botocore==1.29.90 \
     --hash=sha256:1b8c1b8c366875e65d39237a296842b9c0ea33af2ba4a2771db2ba6aefa663ef \
     --hash=sha256:2dbbc2c7d93ddefcf9896268597212d446e5d416fbceb1b12c793660fa9f83f3
     # via
-    #   -r ./requirements/requirements.in
     #   boto3
     #   s3transfer
 certifi==2022.12.7 \
@@ -356,6 +355,23 @@ marshmallow==3.19.0 \
     --hash=sha256:90032c0fd650ce94b6ec6dc8dfeb0e3ff50c144586462c389b81a07205bedb78 \
     --hash=sha256:93f0958568da045b0021ec6aeb7ac37c81bfcccbb9a0e7ed8559885070b3a19b
     # via environs
+newrelic==8.8.0 \
+    --hash=sha256:1bc307d06e2033637e7b484af22f540ca041fb23a54b311bcd5968ca1a64e4ef \
+    --hash=sha256:435ac9e3791f78e05c9da8107a6ef49c13e62ac302696858fa2411198fe201ff \
+    --hash=sha256:6662ec79493f23f9d0995a015177c87508bea4c541f7c9f17a61b503b82e1367 \
+    --hash=sha256:67902b3c53fa497dba887068166261d114ac2347c8a4908d735d7594cca163dc \
+    --hash=sha256:6b4db0e7544232d4e6e835a02ee28637970576f8dce82ffcaa3d675246e822d5 \
+    --hash=sha256:796ed5ff44b04b41e051dc0112e5016e53a37e39e95023c45ff7ecd34c254a7d \
+    --hash=sha256:84d1f71284efa5f1cae696161e0c3cb65eaa2f53116fe5e7c5a62be7d15d9536 \
+    --hash=sha256:9355f209ba8d82fd0f9d78d7cc1d9bef0ae4677b3cfed7b7aaec521adbe87559 \
+    --hash=sha256:9c0d5153b7363d5cb5cac7f8d1a4e03669b074afee2dda201851a67c7bed1e32 \
+    --hash=sha256:bcd3219e1e816a0fdb51ac993cac6744e6a835c13ee72e21d86bcbc2d16628ce \
+    --hash=sha256:c4a0556c6ece49132ab1c32bfe398047a8311f9a8b6862b482495d132fcb0ad4 \
+    --hash=sha256:caccdf201735df80b470ddf772f60a154f2c07c0c1b2b3f6e999d55e79ce601e \
+    --hash=sha256:d21af16cee1e0caf4c73c4c1b2d7ba9f33fe6a870d93135dc8b23ac592f49b38 \
+    --hash=sha256:da8f2dc31e182768fe314d8ceb6f42acd09956708846f8ae71f07f044a3aa05e \
+    --hash=sha256:ef9c178329f8c04f0574908c1f04ff1f18b9eba55b869744583fee3eac48e571
+    # via -r ./requirements/requirements.in
 numpy==1.24.2 \
     --hash=sha256:003a9f530e880cb2cd177cba1af7220b9aa42def9c4afc2a2fc3ee6be7eb2b22 \
     --hash=sha256:150947adbdfeceec4e5926d956a06865c1c690f2fd902efede4ca6fe2e657c3f \
@@ -723,6 +739,10 @@ typing-extensions==4.5.0 \
     --hash=sha256:5cb5f4a79139d699607b3ef622a1dedafa84e115ab0024e0d9c044a9479ca7cb \
     --hash=sha256:fb33085c39dd998ac16d1431ebc293a8b3eedd00fd4a32de0ff79002c19511b4
     # via oic
+tzdata==2023.3 \
+    --hash=sha256:11ef1e08e54acb0d4f95bdb1be05da659673de4acbd21bf9c69e94cc5e907a3a \
+    --hash=sha256:7e65763eef3120314099b6939b5546db7adce1e7d6f2e179e3df563c70511eda
+    # via django
 uritemplate==4.1.1 \
     --hash=sha256:4346edfc5c3b79f694bccd6d6099a322bbeb628dbf2cd86eea55a456ce5124f0 \
     --hash=sha256:830c08b8d99bdd312ea4ead05994a38e8936266f84b9a7878232db50b044e02e

diff --git a/backend/requirements/requirements.in b/backend/requirements/requirements.in
@@ -12,6 +12,7 @@ environs[django]
 gunicorn
 jsonpath-ng
 jsonschema
+newrelic
 oic
 openpyxl
 pandas

diff --git a/terraform/dev/dev.tf b/terraform/dev/dev.tf
@@ -1,6 +1,7 @@
 module "dev" {
-  source        = "../shared/modules/env-base"
-  cf_space_name = "dev"
+  source                = "../shared/modules/env-base"
+  cf_space_name         = "dev"
+  new_relic_license_key = var.new_relic_license_key
 
   database_plan       = "micro-psql"
   postgrest_instances = 1

diff --git a/terraform/dev/variables.tf b/terraform/dev/variables.tf
@@ -8,3 +8,8 @@ variable "cf_password" {
   description = "secret; cloud.gov deployer account password"
   sensitive   = true
 }
+
+variable "new_relic_license_key" {
+  type        = string
+  description = "the license key to use when setting up the New Relic agent"
+}
diff --git a/terraform/production/production.tf b/terraform/production/production.tf
@@ -1,6 +1,7 @@
 module "production" {
-  source        = "../shared/modules/env-base"
-  cf_space_name = "production"
+  source                = "../shared/modules/env-base"
+  cf_space_name         = "production"
+  new_relic_license_key = var.new_relic_license_key
 }
 
 # module "production-egress" {

diff --git a/terraform/production/variables.tf b/terraform/production/variables.tf
@@ -8,3 +8,8 @@ variable "cf_password" {
   description = "secret; cloud.gov deployer account password"
   sensitive   = true
 }
+
+variable "new_relic_license_key" {
+  type        = string
+  description = "the license key to use when setting up the New Relic agent"
+}
diff --git a/terraform/shared/modules/env-base/env-base.tf b/terraform/shared/modules/env-base/env-base.tf
@@ -68,3 +68,10 @@ data "cloudfoundry_service_instance" "database" {
   ]
 }
 
+resource "cloudfoundry_user_provided_service" "credentials" {
+  name  = "newrelic-creds"
+  space = data.cloudfoundry_space.apps.id
+  credentials = {
+    "NEW_RELIC_LICENSE_KEY" = var.new_relic_license_key
+  }
+}
diff --git a/terraform/shared/modules/env-base/variables.tf b/terraform/shared/modules/env-base/variables.tf
@@ -55,3 +55,8 @@ variable "swagger_instances" {
   description = "the number of instances of the swagger application to run (default: 2)"
   default     = 2
 }
+
+variable "new_relic_license_key" {
+  type        = string
+  description = "the license key to use when setting up the New Relic agent"
+}
diff --git a/terraform/shared/modules/env-egress/env-egress.tf b/terraform/shared/modules/env-egress/env-egress.tf
@@ -11,7 +11,13 @@ module "egress-proxy" {
   gitref = "7487f882903b9e834a5133a883a88b16fb8b16c9"
 
   allowlist = {
-    gsa-fac = ["api.sam.gov:443"],
+    gsa-fac = [
+      # SAM.gov API (https://open.gsa.gov/api/entity-api/)
+      "api.sam.gov:443",
+
+      # New Relic telemetry (https://docs.newrelic.com/docs/new-relic-solutions/get-started/networks/#data-ingest)
+      "collector*.newrelic.com:443", "*-api.newrelic.com:443"
+    ],
   }
   denylist = {}
 }

diff --git a/terraform/staging/staging.tf b/terraform/staging/staging.tf
@@ -1,6 +1,7 @@
 module "staging" {
-  source        = "../shared/modules/env-base"
-  cf_space_name = "staging"
+  source                = "../shared/modules/env-base"
+  cf_space_name         = "staging"
+  new_relic_license_key = var.new_relic_license_key
 
   database_plan       = "medium-gp-psql"
   postgrest_instances = 1

diff --git a/terraform/staging/variables.tf b/terraform/staging/variables.tf
@@ -9,3 +9,7 @@ variable "cf_password" {
   sensitive   = true
 }
 
+variable "new_relic_license_key" {
+  type        = string
+  description = "the license key to use when setting up the New Relic agent"
+}