This is for internal use by the PaaS team. Public-facing documentation is located at docs.cloud.service.gov.uk.

PaaS Team Manual

Incident and support model

• Incident process
• Support manual
• Support roles and responsibilities
• Service Targets

Support Runbook

Response

• Responding to alerts
• Responding to security issues
• Responding to AWS alerts

How-to

• How to close billable accounts
• How to do common support tasks
• How to do user and organisation management
• How to use GPG
• How to respond to CVEs and upgrade stemcells and cflinuxfs
• How to enable Github OAuth for your dev environment
• How to sign into your CF admin account
• How to connect to Concourse, Credhub, and BOSH
• How to set up VPC Peering
• How to upgrade BOSH
• How to upgrade Concourse
• How to upgrade cf-deployment
• How to upgrade buildpacks
• How to update Logstash filters in Logit
• How to find route owners
• How to find apps with noisy logging
• How to find activity
• How to restore Opensearch backups
• Shipping Elasticsearch metrics to our tenants
• How to apply tenant ElastiCache (redis) service updates
• How to restore the CF databases
• How to restore the bosh director
• How to release bosh blobs
• How to run paas-cf tests locally
• How to rotate credentials
• How to test Alertmanager
• How to look up users by Google IDs
• How to disable a single AZ on GOV.UK PaaS
• How to contact cyber
• How to teardown and create a dev environment
• How to reduce Logit volume
• How to resolve Kibana indexing errors
• How to get the Google Search Console back
• How to manage frontend dependencies
• How to use the fast-startup-and-shutdown pipelines
• How to enable private access to backing services
• How to update Docker images

Other information

• Our orgs on the paas
• Enhancing Kibana
• Investigating Rsyslog issues
• Cloud Foundry debugging tips
• Tenant application penetration testing
• Spruce (for merging YAML)
• Effective remote pairing
• Platform alerting

Tenant Account Management

• Account lifecycle
• Closing GOV.UK PaaS trial accounts
• Getting data about trial accounts
• Tenant personal data

Tenant Billing

• Billing process for GOV.UK PaaS paid accounts

Team Accounts and Software

• So you’re the person on support for GOV.UK PaaS
• Zendesk
• Statuspage
• Pagerduty
• Documentation for tenants (paas-tech-docs)
• Third parties cloud accounts

Policies and Procedures

Team process

• Orientation
• Dashboard mac mini
• How to notify tenants
• Comms lead role

Working practices

• Development process
• Development Stories
• Tech doc changes

Technical Design

• Audit
• BOSH
• GOV.UK PaaS Architecture Document (team visibility)
• Prometheus
• Networking in AWS

Styleguides

This section contains some team-specific styleguides. These should be used in addition to the GDS styleguides.

• YAML
• Concourse pipelines

Upcoming Plans

• Decomissioning of Production Ireland
• Decommissioning Central PaaS infrastructure

Architecture decision records

This section contains Architecture Decision Records (ADR) as described in this blog post http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions.

• ADR-001 Manifest management
• ADR-002 Concourse pool resource
• ADR-003 AWS credentials
• ADR-004 Domain naming scheme
• ADR-005 Pingdom healthchecks
• ADR-006 Rds broker
• ADR-007 Terminating tls at elbs
• ADR-008 HAProxy for request rewriting
• ADR-009 X-Forwarded headers
• ADR-010 Postgres bind behaviour
• ADR-011 Security group structure
• ADR-012 Haproxy healthcheck
• ADR-013 Building bosh releases
• ADR-014 Hsts preload using api gateway
• ADR-015 Rds storage encryption plans
• ADR-016 End to end encryption
• ADR-017 Cell capacity assignment
• ADR-018 Rds broker restore last operation
• ADR-019 Accessing user provided services
• ADR-020 Deletion of ci environment
• ADR-021 Cell capacity assignment 2
• ADR-022 Web app language and framework selection
• ADR-023 Idle cpu alerting change
• ADR-024 Web app language and framework selection
• ADR-025 Service plan naming conventions
• ADR-026 DNS layout for UK hosting
• ADR-027 Pipeline locking
• ADR-028 Move platform logs to Logit
• ADR-029 Aiven project structure
• ADR-030 Single staging environment in London
• ADR-031 Separate PaaS services from the Platform core pipeline
• ADR-032 SSL only for applications and cf endpoints
• ADR-033 Redirect http for applications
• ADR-034 Continuously deploy platform CF applications
• ADR-035 Do not use HAProxy, use AWS ALB
• ADR-036 Add new RDS broker plans
• ADR-037 Automated certificate rotation
• ADR-038 Audit logs in Splunk
• ADR-039 Provide Aiven metrics to users
• ADR-040 BOSH access without SOCKS
• ADR-041 BOSH access with mTLS
• ADR-042 Isolation segments
• ADR-043 New product pages language and framework selection
• ADR-044 Remove IPSec
• ADR-045 AWS WAF and WAF Log access by AWS DDoS Response Team
• ADR-046 Postgres Service Plans
• ADR-047 Postgres allowed-extensions approach
• ADR-048 Billing: Include record for services/resources provisioned for tenants
• ADR-049 Billing: Decouple what we’re calculating bills for from how the bills are calculated
• ADR-050 Plans for the cloudapps.digital domain post platform retirement
• ADR-051 How we plan to migrate from cflinuxfs3 to cflinuxfs4
• ADR-053 Plan for maintaining product pages post Ireland retirement