Note
This page is specific to the BAS Catalogue.
For managing secrets and common Config options.
- create a new 1Password service account with access to the infrastructure vault
Resources for the Catalogue GitLab Store are managed using Infrastructure as Code (IaC).
This includes a GitLab bot user used by the Interactive Publishing Workflow.
IaC will:
- create this bot user
- add the bot user as a member of the GitLab projects containing issues relevant to the Interactive Publishing Workflow, with at least the reporter role
IaC will:
- create and store in 1Password a personal access token to enable the Workstation Module to:
  - access and manage records in the GitLab Store as part of the Non-Interactive Publishing Workflow
Manually:
- reference this token in relevant Ansible Vault templates to set Config options
IaC will:
- create a personal access token to enable the Power Automate flow for Item Enquiries
- store this token in 1Password
Manually:
- set this token in the authorisation header for the 'create-issue' action in the Power Automate flow
The majority of the Catalogue Site hosting is managed using Infrastructure as Code (IaC).
Once applied, manually configure Reverse Proxying.
IaC will:
- create an IAM user with a suitable inline policy to enable the Workstation Module to:
  - manage content and create invalidations in the Catalogue hosting buckets and distributions, to enable the Interactive and Non-Interactive publishing workflows
- create and store an access key in 1Password for each non-development environment
Manually:
- reference the relevant access key in the corresponding Ansible Vault templates to set Config options
The BAS Operations Data Store 🛡️ is used by this project for Trusted Publishing in the Catalogue.
Manually:
- create and secure an area in the Operations Data Store web root [1]
- configure this area [2]
- configure Reverse Proxying
[1] As the Ops Data Store control user from a server with ACLs enabled:
$ mkdir -p $DOCUMENT_ROOT/content/cat
$ chgrp magic $DOCUMENT_ROOT/content/cat
$ chmod g+s $DOCUMENT_ROOT/content/cat
$ setfacl -m g::rwx,g:apache:rx,o::--- -m d:g::rwx,d:g:apache:rx,d:o::--- $DOCUMENT_ROOT/content/cat
This:
- creates a catalogue directory
- sets group inheritance on this directory
- sets an access ACL, and a matching default (inherited) ACL, on this directory which:
  - grants members of the default group (i.e. magic) full control
  - grants the web server (apache group) read access
  - revokes all access to others/world
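A check to run after [1], as an added example that is not from the page: it parses getfacl output for the catalogue directory and reports any deviation from the intended group, setgid bit and ACL, including entries clipped by the ACL mask. The sample dumps and the owner name are constructed.

```python
# Policy implied by the chgrp/chmod/setfacl commands in [1]: magic has full control,
# apache can read and traverse, others get nothing, defaults say the same, setgid is on.
EXPECTED_ACL = {"group::": "rwx", "group:apache:": "r-x", "other::": "---",
                "default:group::": "rwx", "default:group:apache:": "r-x", "default:other::": "---"}

def parse_getfacl(text):
    """Parse getfacl output into (header fields, {entry prefix: permissions})."""
    header, entries = {}, {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):  # '# file:', '# owner:', '# group:', '# flags:'
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        entry, _, effective = line.partition("#effective:")  # present when the mask clips
        prefix, perms = entry.strip().rsplit(":", 1)
        entries[prefix + ":"] = effective.strip() or perms  # effective perms are what is enforced
    return header, entries

def check_cat_acl(text):
    """Return findings for a getfacl dump of $DOCUMENT_ROOT/content/cat; [] means it matches [1]."""
    header, entries = parse_getfacl(text)
    findings = []
    if header.get("group") != "magic":
        findings.append(f"group is {header.get('group')!r}, expected 'magic' (chgrp)")
    if "s" not in header.get("flags", ""):  # getfacl omits '# flags:' when no bits are set
        findings.append("setgid bit not set (chmod g+s)")
    for prefix, want in EXPECTED_ACL.items():
        got = entries.get(prefix)
        if got != want:
            findings.append(f"{prefix} is {got!r}, expected {want!r}")
    return findings

# Constructed dumps (owner made up): GOOD as left by [1]; BAD lacks g+s and has a clipping mask.
GOOD = """# file: content/cat
# owner: opsctl
# group: magic
# flags: -s-
user::rwx
group::rwx
group:apache:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:apache:r-x
default:mask::rwx
default:other::---"""
BAD = (GOOD.replace("# flags: -s-\n", "")
           .replace("group::rwx\ngroup:apache:r-x\nmask::rwx",
                    "group::rwx #effective:rw-\ngroup:apache:r-x #effective:r--\nmask::rw-"))
```

Run it against `getfacl $DOCUMENT_ROOT/content/cat` output; a non-empty list means one of the commands in [1] did not take effect.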
[2] As a user in the magic group, with $DOCUMENT_ROOT set to the Operations Data Store web root (/data/ops-data-store/www):
$ umask 002
$ mkdir -p $DOCUMENT_ROOT/content/cat/testing/items $DOCUMENT_ROOT/content/cat/live/items
Set up reverse proxying within the BAS HAProxy load balancer to direct traffic to either:
- the legacy DMS catalogue
- Static Hosting for untrusted/public content
- Secure Hosting for Trusted Publishing content
This requires a request to BAS IT asking for:
- frontend ACLs matching any of the static [1] or secure [2] site endpoints for each non-development environment
- backends for each of these environments with:
  - a single server pointing to either:
    - the relevant AWS CloudFront Distribution
    - or the relevant Operations Data Store endpoint
  - a health check using the Health Check Endpoint (for static hosting)
  - URL rewriting as needed (for secure hosting) [3]
[1] Static site endpoints:
/-/
/collections
/features
/guides
/items
/legal
/maps
/records
/series
/static
/teams
/waf
/.well-known/api-catalog
[2] Secure site endpoints:
/-/items/
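The routing this section asks BAS IT to configure, as an added Python model that is not part of the page or of the HAProxy config: it applies the static [1] and secure [2] endpoint prefixes and the rewrite from [3], and shows why the secure ACL must be evaluated before the static '/-/' prefix. `path_beg`-style prefix matching, the environment names and the path normalisation step are assumptions.

```python
import posixpath
import re

# Endpoint lists from [1] and [2] and the rewrite from [3]. Prefix matching is
# assumed to behave like an HAProxy `path_beg` ACL (a plain string prefix).
STATIC_ENDPOINTS = ["/-/", "/collections", "/features", "/guides", "/items", "/legal",
                    "/maps", "/records", "/series", "/static", "/teams", "/waf",
                    "/.well-known/api-catalog"]
SECURE_ENDPOINTS = ["/-/items/"]
# http-request replace-path ^/-/(.*) /cat/<env>/\1
SECURE_REWRITE = re.compile(r"^/-/(.*)")


def normalise(path):
    """Collapse '.' and '..' segments before matching, so a rewritten path can only
    land inside /cat/<env>/ (assumed to mirror HAProxy 2.4+ `http-request normalize-uri`)."""
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and not norm.endswith("/") else norm


def route(path, env):
    """Return (backend, path sent to the backend) for one request path.

    Secure endpoints are checked before static ones: '/-/items/' also sits under
    the static '/-/' prefix, so the ACL order in HAProxy decides which backend
    wins. Anything unmatched falls through to the legacy DMS catalogue."""
    if env not in ("testing", "live"):
        raise ValueError(f"unknown environment {env!r}")
    norm = normalise(path)
    if any(norm.startswith(p) for p in SECURE_ENDPOINTS):
        return "secure", SECURE_REWRITE.sub(rf"/cat/{env}/\1", norm)
    if any(norm.startswith(p) for p in STATIC_ENDPOINTS):
        return "static", norm
    return "legacy", norm
```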
[3] For secure hosting, URL rewrites are required to change /- to /cat/testing or /cat/live in the internal HAProxy, to ensure requests map to the Operations Data Store web root. E.g.:
# rewrite '/-' to '/cat/testing' (e.g. '/-/items/000/index.html' to '/cat/testing/items/000/index.html')
http-request replace-path ^/-/(.*) /cat/testing/\1
A Sentry project for Error Monitoring is managed using Infrastructure as Code (IaC).
IaC will:
- register a new Sentry project and create a sentry_dsn output for the default DSN
Note
DSNs are not considered secret in newer Sentry versions.
Manually:
- set the relevant Config option for the DSN as a hard-coded value
- create an Uptime Check for the production environment:
  - url: https://data.bas.ac.uk/collections/bas-maps
  - interval: 5 minutes
  - timeout: 3 seconds
Tip
Uptime monitors cannot be managed via IaC.
A Cloudflare Turnstile widget for Bot Protection is managed using Infrastructure as Code (IaC).
IaC will:
- create a Turnstile widget, including Hosting Endpoints
- store the site and secret keys in 1Password
Manually:
- reference the site key as the relevant Config option in:
  - the /resources/dev/.env.tpl template
  - the relevant Ansible Vault template
- set the secret key token as the 'secret' property value in the body of the 'turnstile-verify' action in the item enquiries Power Automate Flow
Manually:
- register a new Plausible Analytics site for the production Hosting endpoint
- record the domain in 1Password
- set the relevant Config option in the .env template and Ansible Vault for use in the Environment Module template
Manually:
- register a new Font Awesome kit with:
- version 7.x
- CSS only embedding method (to support non-JavaScript clients)
- automatic subsetting (classic -> regular)
- hostnames for each Hosting endpoint
- set the kit CDN URL in the styles_font_awesome() Common Macro
Manually:
- import resources/flows/lantern-item-enquires.zip into Power Automate as a new flow
- set the 'secret' property value in the body of the 'turnstile-verify' action to the Cloudflare Turnstile secret key from 1Password
- for the MAGIC point of contact branch, set the GitLab Personal Access Token in the authentication header of the 'create-issue' action
- set the flow endpoint as the relevant Config option in the .env template and Ansible Vault for use in the Environment Module template
An OAuth client application is registered in ArcGIS Online for accessing restricted content and syncing catalogue metadata to ArcGIS items.
Manually:
- using a privileged account, create a developer credentials item:
  - credential type: OAuth 2.0 credentials for app authentication
  - where will you use the credentials: Private application that impersonates you
  - settings:
    - referrer URLs: NONE (not applicable)
  - item details:
    - title: BAS Data Catalogue (Lantern)
    - summary: [1]
- set the relevant Extra Config options in the .env template
[1] Application representing the Lantern data catalogue to allow:
- reading items to add distribution options to records for services
- reading and writing item metadata to apply record information to the item
Managed by MAGIC.