Page MenuHomePhabricator
Create Task
Maniphest T370319

Network configuration for Gravy integration
Closed, ResolvedPublic
Actions

Description

Determine IP addresses and / or hostnames that need to be accessible from CiviCRM and payments-wiki for FROPs Allowlist.

List: https://etherpad.wikimedia.org/p/gr4vy-allowlist

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT364501 Gravy Integration
 ResolvedDwisehauptT370319 Network configuration for Gravy integration
Restricted Task

Event Timeline

Damilare created this task.Jul 17 2024, 5:12 PM
Damilare mentioned this in T370159: Copy Gravy certificate to dedicated Cert directory.Jul 17 2024, 5:15 PM
Dwisehaupt moved this task from Triage to Up Next on the fundraising-tech-ops board.Jul 17 2024, 7:01 PM
Dwisehaupt subscribed.

Ok. Looks like they are using google cloud computing for those endpoints. I'll have to check our config on the pfw, but this may necessitate moving from a strict allow list to a dns based iptables list. We have been able to avoid that for the payments role at this point.

Dwisehaupt added a comment.EditedJul 18 2024, 8:54 PM

IP addresses from gr4vy.

API:

  • 34.36.3.1
  • 34.149.116.58

Webhook server:

  • 34.83.124.27

Going to use IP mappings for now instead of dns_to_ipset since they state that the ips are stable and shouldn't change.

Dwisehaupt added a comment.Jul 18 2024, 9:23 PM

Iptables rules updated and applied to civicrm, payments, and payments_listener role for the API addresses. The frdev role did not have the other payment gateways rules so I'm not certain we need it on that role. Correct me if I'm wrong.

Also, the webhook server should be the ip that contacts our frpig hosts. We don't restrict access from the external sources in that manner so we should be ok with that.

PFW changes to follow.

Dwisehaupt added a subtask: Restricted Task.Jul 18 2024, 9:56 PM
Dwisehaupt moved this task from Up Next to In Progress on the fundraising-tech-ops board.

PFW changes added to the repo and pushed to the PFWs for application Network task tracked in T370481.

Dwisehaupt moved this task from Triage to FR-Ops on the Fundraising-Backlog board.Jul 22 2024, 7:54 PM
Dwisehaupt closed subtask Restricted Task as Resolved.Jul 22 2024, 8:23 PM
Dwisehaupt closed this task as Resolved.Jul 22 2024, 8:46 PM
Dwisehaupt claimed this task.
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

PFW changes deployed so we should be all set. closing.

jgleeson moved this task from Backlog to Internal Test on the payments-orchestration board.Aug 21 2024, 7:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits