BFD-Insights initial PR #257

RickHawesUSDS · 2020-04-21T17:56:06Z

Why
The basic idea behind the BFD-Insights project is listed here. https://confluence.cms.gov/display/BB/Business+and+Security+Analytics+for+DASG

What
This is the initial check-in for bfd-insights. It creates the basic terraform for the project. As an example workflow, a food truck project.

See the doc folder for details.

Choices Made

insights top-level folder
Use terraform for deployment including table definitions
Food Truck example project

Future Work
The choice of terraform leads to thinking that GitHub actions will be used for deploys.

- prod-lake - groups - common modules - docs

- foodtruck - new database/table/ organizatoin

- timestamp format in purchases - Analysts permissions - Documentation in organization

- Sarah Tully as an author - Adjusted permissions for readers and authors

insights/scripts/foodtruck/Pipfile

insights/terraform/groups/main.tf

insights/terraform/modules/bucket/main.tf

insights/terraform/modules/database/main.tf

insights/terraform/modules/firehose/main.tf

insights/terraform/modules/table/main.tf

- one bucket per project - group and cross-account policies per bucket - Update of documentation

njdister

Looking really good, just an informational question: now that there are separate project buckets, but also a data lake bucket, what are the delineation for their uses? Project buckets for the databases, and data lake bucket for user queries/scripts?

RickHawesUSDS · 2020-05-01T17:12:58Z

Looking really good, just an informational question: now that there are separate project buckets, but also a data lake bucket, what are the delineation for their uses? Project buckets for the databases, and data lake bucket for user queries/scripts?

@njdister Project buckets will contain the raw logs from the projects. They may also contain aggregations that are project-specific. The main data lake bucket will contain common aggregations (which there are none right now). From a security perspective, the project buckets are the entry-points for the project. The data-lake bucket is not accessible by the partners.

njdister

Reviewed additional documentation and diagrams, great work. 🎉

dtisza1 · 2020-05-15T16:34:15Z

@RickHawesUSDS A good way to improve package manager level security is to utilize the pip-tools hash-checking feature. I think this should be added to this project. Maybe as a backlog item.
For example, this uses the pip-compile "--generate-hashes" option when generating the requirements.txt file.

dtisza1

I've read through the related confluence documentation and this PR several times. This makes sense to me and is well thought out. It looks like a great base implementation. I'm looking forward to helping with related BB2 tasks!

Great work on this PR and project design!

Rick Hawes added 4 commits April 18, 2020 15:37

Initial check-in

d2cd85d

- prod-lake - groups - common modules - docs

Add the foodtruck project

fa90b4b

Update to deploy firehose, database, and table

339d121

- foodtruck - new database/table/ organizatoin

Small improvments

9404703

- timestamp format in purchases - Analysts permissions - Documentation in organization

RickHawesUSDS requested review from dtisza1 and njdister April 21, 2020 17:56

Rick Hawes added 2 commits April 21, 2020 14:04

Fixup ignores

2f71b9b

Remove PipLock

86f185f

RickHawesUSDS requested a review from lailasharshar April 21, 2020 19:04

Rick Hawes added 7 commits April 21, 2020 15:13

Update documentation

366e05f

Add dataflow diagram

058ad1b

Remove the unecessary KMS policy

7376dce

Made groups for the backend.tf convention

f6ce557

Fix broken link

7739273

Update BFD-Insights-Workflow.png

df9d28a

Add AB2D project

8a0bc82

RickHawesUSDS marked this pull request as ready for review April 23, 2020 15:18

Added the Authors role

2ff98ba

- Sarah Tully as an author - Adjusted permissions for readers and authors