Acquia CMS

Security update process

Security updates take place in several steps.

  1. Step one: Test updates in an isolated branch

  2. Step one approval: Test and approve the security update

  3. Step two: Tag branch and deploy for more testing

  4. Step two approval: Final testing and approval

  5. Step three: Deploy tested tag to production

Step one: Test updates in an isolated branch

Owner: Acquia Remote Administration

The steps within Step one will not affect the operation of production, stage, or development servers. Acquia’s automated security update process will:

  1. Create a branch from the tag or branch deployed to your production environment.

  2. Deploy this branch to the RA Environment.

  3. Copy the production database(s) to the RA environment.

  4. Use Drush or Composer to apply all security updates to this branch.

  5. Create a ticket to inform your team the security update branch is ready for testing and approval.

Step one approval: Test and approve the security update

Owner: Customer

Your team receives a Support ticket informing you that the security update branch is ready for testing and approval. You can find this ticket under the My Cases section of the Acquia Help Center. For more information on accessing Support tickets, see Support and TAM ticket information.

There is a summary of the changes and next steps within the ticket feed, as well as in the Description of Issue on the right. In the Remote Administration Workflow section in the bottom right, your team can review the RA Workflow State and provide your approval for the next phase of the RA process. From the Approval Needed dropdown menu in this section, your team informs the RA team that you are ready for the next step of the RA process.

Review and test the security update available in your RA environment on your Cloud Platform application.

When your team finishes testing:

  1. Navigate to the ticket within the Acquia Help Center.

  2. Locate the Remote Administration Workflow section in the bottom corner of the ticket.

  3. In Approval Needed, select Approved.

  4. Click Save.

After you approve the security update branch in the dropdown menu, Acquia will proceed with the next step.

Important

Your team must update the Approval Needed field within the Support ticket to continue with the RA process.

Step two: Tag branch and deploy for more testing

Owner: Acquia Remote Administration

Once your team has approved the branch provided in the first step, RA Automation will:

  1. Make a tag of the approved security update branch. The only difference between this tag and the source from step one should be the tested and approved security updates.

  2. Back up all databases on your preferred testing environment.

  3. Copy the latest databases from production into your preferred test environment, which defaults to the Stage environment. This ensures the final test is against the most recent production data.

  4. Deploy the tag to the testing environment for final testing.

  5. Inform your team the tag is ready for testing and approval to deploy to production. Acquia cannot move updated code to production without your explicit approval.

Step two approval: Final testing and approval

Owner: Customer

Review the tag in your Cloud Platform application and complete final testing of the security update.
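As part of that review you can confirm the statement in Step two that the tag differs from the deployed source only by the security updates. The following is an added example, not Acquia tooling: the allow-list assumes a Composer-managed Drupal code base under docroot/, and the two refs passed to audit_update are whatever tag or branch names your ticket lists.

```shell
#!/bin/sh
# Added example: flag files changed between two Git refs that fall outside
# the paths a Drush/Composer security update is expected to touch.

# ASSUMPTION: typical layout of a Composer-managed Drupal repository.
# Entries ending in "/" match a directory prefix, others an exact file.
ALLOWED_PATHS='composer.json
composer.lock
vendor/
docroot/core/
docroot/modules/contrib/
docroot/themes/contrib/
docroot/profiles/contrib/
docroot/libraries/'

# Reads changed paths on stdin (one per line) and prints every path that
# is not covered by the allow-list.
unexpected_changes() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=0
        for allowed in $ALLOWED_PATHS; do
            case "$allowed" in
                */) case "$path" in "$allowed"*) ok=1 ;; esac ;;
                *)  if [ "$path" = "$allowed" ]; then ok=1; fi ;;
            esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done
}

# Usage: audit_update <deployed-ref> <update-ref>
# Returns 0 if only allow-listed paths changed, 1 if other paths changed,
# 2 if git could not diff the refs (so a bad ref never passes silently).
audit_update() {
    # --no-renames reports a moved file as delete + add, so a file moved
    # out of an allow-listed directory still shows up under its new path.
    changed=$(git diff --name-only --no-renames "$1" "$2") || return 2
    extra=$(printf '%s\n' "$changed" | unexpected_changes)
    if [ -n "$extra" ]; then
        printf 'Changes outside expected update paths:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}
```

Source the file in a clone of your application repository and run audit_update with the deployed ref and the update ref; any path it prints is a change to raise on the ticket before you select Approved.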

When your team finishes testing, your team must provide explicit approval in the support ticket for the RA team to deploy the update. Your team can specify the day/time of the deployment for the update in your RA preferences. For more information on how to schedule your RA update deployments, see Remote Administration preferences.

To provide approval to the RA team:

  1. Navigate to the ticket within the Acquia Help Center.

  2. Locate the Remote Administration Workflow section in the bottom corner of the ticket.

  3. In Approval Needed, select Approved.

  4. Click Save.

After you approve the security update branch in the dropdown menu, Acquia will proceed with deploying the tag to production.

Important

Your team must update the Approval Needed field within the Support ticket to continue with the RA process.

Step three: Deploy tested tag to production

Owner: Acquia Remote Administration

Once your team approves the tag, it will be deployed to production. You can schedule this for a specific time with 24-hour notice within normal business hours. See Scheduling production deploy windows for details.

Note

We cannot move code to production without explicit approval from the subscriber.

After you have set a deploy time in your RA preferences and approved the tag for release to production on the ticket, RA automation will do the following:

  1. Make a tag of the approved security update branch. The only difference between this tag and the source from step one should be the tested and approved security updates.

  2. Back up the production database(s).

  3. Deploy the tag.

  4. Run any required database updates.

  5. Inform you that production has been updated and must be tested.

  6. Your RA preference setting will determine who merges the security branch into your development branch:

    • If you set your RA preference to merge, RA automation will try to merge the update into your development branch. If the merge into the development branch requires troubleshooting, either Acquia or your team can create a new ticket (Legacy Premium RA only).

    • If you don’t set your RA preference to merge, you should merge the branch/tag into your preferred development branch. This ensures the security updates are included in all future work.