From 6458b0be6f04f91e27c6d314ba2cc3f24535e2e6 Mon Sep 17 00:00:00 2001
From: lizpearl
Date: Wed, 27 Nov 2024 16:03:50 -0600
Subject: [PATCH 1/4] Add documentation for adding secrets to an existing sandbox

---
 .../add_secrets_to_existing_sandbox.md | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 docs/operations/runbooks/add_secrets_to_existing_sandbox.md

diff --git a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md
new file mode 100644
index 000000000..5c7ef8a5f
--- /dev/null
+++ b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md
@@ -0,0 +1,76 @@ +# HOWTO Add secrets to an existing sandbox + + +### Check if you need to add secrets +Run this command to get the environment variables from a sandbox: + +```sh +cf env +``` +For example `cf env getgov-development` + +Check that these environment variables exist: +``` +{ + "DJANGO_SECRET_KEY": "EXAMPLE", + "DJANGO_SECRET_LOGIN_KEY": "EXAMPLE", + "AWS_ACCESS_KEY_ID": "EXAMPLE", + "AWS_SECRET_ACCESS_KEY": "EXAMPLE", + "REGISTRY_KEY": "EXAMPLE, + ... +} +``` + +If those variable are not present, use the following steps to set secrets by creating a new `credentials-.json` file and uploading it. +(Note that many of these commands were taken from the [`create_dev_sandbox.sh`](../../../ops/scripts/create_dev_sandbox.sh) script and were tested on MacOS) + +### Create a new Django key +```sh +django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())') +``` + +### Replace the existing certificate +Create a certificate: +```sh +openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-.pem -out public-.crt +``` + +Fill in the following for the prompts: + +Note: for "Common Name" you should put the name of the sandbox and for "Email Address" it should be the address of who owns that sandbox (such as the developer's email, if it's a developer sandbox, or whoever ran this action otherwise) + +```sh +Country Name (2 letter code) [AU]:US +State or Province Name (full name) [Some-State]:DC +Locality Name (eg, city) []:DC +Organization Name (eg, company) [Internet Widgits Pty Ltd]:DHS +Organizational Unit Name (eg, section) []:CISA +Common Name (e.g. server FQDN or YOUR name) []: +Email Address []: +``` +Go to https://dashboard.int.identitysandbox.gov/service_providers/2640/edit to remove the old certificate and upload the new one. 
+ +Create the login key: +```sh +login_key=$(base64 -i private-.pem) +``` + +### Create the credentials file +```sh +jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECRET_KEY":$django_key,"DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-.json +``` + +Copy `REGISTRY_*` credentials from another sandbox into your `credentials-.json` file. Also add your `AWS_*` credentials if you have them, otherwise also copy them from another sandbox. You can either use the cloud.gov dashboard or the command `cf env ` to find other credentials. + +Go to https://dashboard.fr.cloud.gov/home. Find the `getgov-credentials` service tied to your ENVIRONMENT. Double check it is the right one and delete it. Recreate the service using the updated credentials: +```sh +cf cups getgov-credentials -p credentials-.json +``` + +### Push your manifest + +```sh +cf push getgov- -f ops/manifests/manifest-.yaml +``` + +If you don't need to push a manifest, restaging might also work \ No newline at end of file From 3b34e0d8f52fc8979ed23d048d72a24735189932 Mon Sep 17 00:00:00 2001 From: lizpearl Date: Tue, 3 Dec 2024 09:24:15 -0600 Subject: [PATCH 2/4] Update docs/operations/runbooks/add_secrets_to_existing_sandbox.md Co-authored-by: zandercymatics <141044360+zandercymatics@users.noreply.github.com> --- .../runbooks/add_secrets_to_existing_sandbox.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md index 5c7ef8a5f..571842d00 100644 --- a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md +++ b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md 
@@ -40,12 +40,12 @@ Fill in the following for the prompts: Note: for "Common Name" you should put the name of the sandbox and for "Email Address" it should be the address of who owns that sandbox (such as the developer's email, if it's a developer sandbox, or whoever ran this action otherwise) ```sh -Country Name (2 letter code) [AU]:US -State or Province Name (full name) [Some-State]:DC -Locality Name (eg, city) []:DC -Organization Name (eg, company) [Internet Widgits Pty Ltd]:DHS -Organizational Unit Name (eg, section) []:CISA -Common Name (e.g. server FQDN or YOUR name) []: +Country Name (2 letter code) [AU]: US +State or Province Name (full name) [Some-State]: DC +Locality Name (eg, city) []: DC +Organization Name (eg, company) [Internet Widgits Pty Ltd]: DHS +Organizational Unit Name (eg, section) []: CISA +Common Name (e.g. server FQDN or YOUR name) []: Email Address []: ``` Go to https://dashboard.int.identitysandbox.gov/service_providers/2640/edit to remove the old certificate and upload the new one. From 21c41e5f84dbd8fc95cdf9c246e8b221a437b5c7 Mon Sep 17 00:00:00 2001 From: lizpearl Date: Tue, 3 Dec 2024 09:35:13 -0600 Subject: [PATCH 3/4] Updated documentation based on code review --- .../operations/runbooks/add_secrets_to_existing_sandbox.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md index 571842d00..979b12209 100644 --- a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md +++ b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md @@ -50,7 +50,7 @@ Email Address []: ``` Go to https://dashboard.int.identitysandbox.gov/service_providers/2640/edit to remove the old certificate and upload the new one. -Create the login key: +### Create the login key ```sh login_key=$(base64 -i private-.pem) ``` 
@@ -67,10 +67,9 @@ Go to https://dashboard.fr.cloud.gov/home. Find the `getgov-credentials` servic cf cups getgov-credentials -p credentials-.json ``` -### Push your manifest +### Restart, restage or push manifest +Pushing the manifest works but a restart or restage might work as well. ```sh cf push getgov- -f ops/manifests/manifest-.yaml ``` - -If you don't need to push a manifest, restaging might also work \ No newline at end of file From 7005006b1e3c17eec967fee5cd472fc57fc4faa4 Mon Sep 17 00:00:00 2001 From: lizpearl Date: Fri, 6 Dec 2024 17:41:55 -0600 Subject: [PATCH 4/4] Correct documentation since we should restage our application instead of restarting or pushing a manifest. Also include whitespace so it triggers checks --- .../runbooks/add_secrets_to_existing_sandbox.md | 12 +++++------- ops/scripts/create_dev_sandbox.sh | 1 + 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md index 979b12209..411f9c90a 100644 --- a/docs/operations/runbooks/add_secrets_to_existing_sandbox.md +++ b/docs/operations/runbooks/add_secrets_to_existing_sandbox.md 
@@ -62,14 +62,12 @@ jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECR Copy `REGISTRY_*` credentials from another sandbox into your `credentials-.json` file. Also add your `AWS_*` credentials if you have them, otherwise also copy them from another sandbox. You can either use the cloud.gov dashboard or the command `cf env ` to find other credentials. -Go to https://dashboard.fr.cloud.gov/home. Find the `getgov-credentials` service tied to your ENVIRONMENT. Double check it is the right one and delete it. Recreate the service using the updated credentials: +### Update the `getgov-credentials` service tied to your environment. ```sh -cf cups getgov-credentials -p credentials-.json +cf uups getgov-credentials -p credentials-.json ``` -### Restart, restage or push manifest -Pushing the manifest works but a restart or restage might work as well. - +### Restage your application ```sh -cf push getgov- -f ops/manifests/manifest-.yaml -``` +cf restage getgov- --strategy rolling +``` \ No newline at end of file diff --git a/ops/scripts/create_dev_sandbox.sh b/ops/scripts/create_dev_sandbox.sh index 6cbad9c4f..1796817a8 100755 --- a/ops/scripts/create_dev_sandbox.sh +++ b/ops/scripts/create_dev_sandbox.sh @@ -136,6 +136,7 @@ then fi cf service-key github-cd-account github-cd-key | sed 1,2d | jq -r '[.username, .password]|@tsv' | + while read -r username password; do gh secret --repo cisagov/getgov set CF_${upcase_name}_USERNAME --body $username gh secret --repo cisagov/getgov set CF_${upcase_name}_PASSWORD --body $password