Information for: DEVELOPERS   PARTNERS

Remote Administration automation

Automation delivers Remote Administration security updates. Acquia Remote Administration automation uses Remote Administration preferences, and has specific compatibility requirements.

Compatibility requirements

Meeting the following requirements allows a website to be updated by using Acquia’s automated security update process:

  • VCS: The subscription must use an Acquia Git repository. Automated security updates are pushed to the Acquia-hosted repository only. It’s the responsibility of your development team to merge updates into any external repository.
    • Subscriptions using externally hosted Git repositories are not eligible for automated security updates.
  • Clean core and contrib: The automated update process will overwrite core and contributed files, and any modifications will be lost. Modified contributed modules should either be excluded from the update process or correctly patched. Drupal core updates can’t be locked and all modifications must be patched or they will be lost.
  • Stable and working production code: The Remote Administration service is targeted at released, production websites on which primary development is complete. Installations running the Welcome tag (tag/WELCOME) can’t receive automated updates. It’s recommended that your development team apply upgrades to websites under current and active initial development as part of the development process so issues may be resolved as they arise and unnecessary merge tasks can be avoided. Websites in active development may be updated provided there is code on the Production environment. Your development team will need to merge updates from the update branch into the active development branch.
  • Composer: For compatibility with RA automation, Drupal 8-based websites must be built using Composer. Websites using Drupal 9.0 and greater also require Drush 9 to be installed in the docroot directory with Composer. RA can’t guarantee the compatibility of Drush updates provided to Drupal 8 websites. Legacy Premium RA subscribers can request a manual update if the website has a valid composer.json file configured above the docroot directory. For information about how to set up Composer for your website, see Acquia Automation: Composer builds.
  • Drush: Drush must be able to run on at least one multisite within the subscription and must work on all available environments. Broken custom modules or incorrectly configured include files in the sites.php and settings.php files can prevent automated update processes from functioning.
    • Drupal 7: The command drush pm-updatestatus and drush pm-updatecode must be able to be run on all environments.
    • Drupal 8: The command drush pm-security must be able to be run on all environments.
  • Drupal docroot: Drupal must be installed inside [reponame]/docroot. Installations not in this location will prevent automated update processes from functioning. Appropriately configured symlinks using a vendor structure that works with Drush are also acceptable.
  • PHP: The Remote Administration update script relies on Drush 8 and PHP to check for and perform updates.
  • Distributions that aren’t compatible with Drush updates can’t be updated using automation. Instead, the Remote Administration Team can manually update these distributions (by request) for Legacy Premium Remote Administration subscribers.

Note for Legacy Premium RA subscribers

Acquia can help troubleshoot incompatibilities with automation and help implement fixes through an Acquia Support ticket.

What Acquia’s update automation does

  • Regularly provides security updates without subscriber initiation.

  • Updates all security vulnerabilities using Drush or Composer. Be aware that Drush overwrites all core and contributed module modifications.

  • Detects non-Drupal files in the docroot directory, and ensures they are not deleted.

  • Every core and module update receives its own discrete commit. This allows for the easy reversion of a particular update if it’s found to be incompatible during testing and troubleshooting.

  • Including security updates, Acquia will implement bug-fix updates to the following modules, even if the modules are disabled, to ensure your subscription can take advantage of Acquia’s services:


    The Remote Administration module upgrade policy may not apply to Acquia-supplied modules, as RA may support major version updates for these modules (such as upgrading Acquia Connector from 7.x-2.17 to 7.x-3.0). This ensures continued compatibility with RA services and the Acquia Cloud platform.

    For some Acquia module update situations, RA may create non-deployed branches with the module for your testing. For more information, contact Acquia Support or create an RA work request.

  • Implements Stage File Proxy to manage file display.

  • Checks and reapplies patches in your application, and includes them in all updates. For this to work, you must follow the process described in Patching core and contributed modules. It’s your responsibility to ensure that patches are in place on the update branch.

  • Informs you through a ticket that an update is ready to test. The ticket outlines all applied updates.

What Acquia’s update automation doesn’t do


Acquia Remote Administration does not support automated Lightning updates. If you receive an Acquia Support ticket for Drupal core updates, inform Acquia Support you also require Acquia Lightning updates. Alternately, file an Acquia Support ticket to manually update Acquia Lightning.

  • Automation does not apply bug-fix updates other than those listed above. Bug fixes must be requested separately (Legacy Premium RA only) from security updates. An RA Support Engineer can use automation to start an update which includes specific updates.
  • Update automation won’t detect modifications to either core or contributed modules. All modifications must either be locked or properly patched.
  • Apply existing patches other than those specified in /reponame/patches.make. All other patches will be overwritten by Drush unless module locking is also properly set up.
  • Update websites built on distributions. Update automation will try to update such websites manually.
  • Update websites built with make files or build scripts. Custom builds dependent on manually updating individual files are considered custom code and can’t be updated through automation or manual updates.
  • Update websites built using Continuous Integration (CI).

Who receives automated updates


Subscribers who are undergoing onboarding as part of an Acquia Ready engagement are not provided with updates by default. Automated updates can be provided on request by your Acquia Ready Manager or engineer, or by filing a Support ticket.

All Standard and Legacy Premium RA subscriptions are eligible for automated security updates, provided the subscription is compatible with Acquia’s automation.

  • Security updates for Standard RA subscriptions must use automation.
  • Legacy Premium RA subscriptions aren’t required to receive updates through automation. However, Acquia’s automation is much more efficient than the manual process.
  • Acquia can’t guarantee a security update delivery timeline for subscriptions which aren’t compatible with Acquia’s security update automation.

Update process

The automation process follows our existing Security Update Workflow. For the timeline about initiating security updates, see ticket timelines.

After a website is queued for an automated update, the script will:

  • Scan the production website for pending security updates.
  • If a security vulnerability is detected, an update will be started.
  • RA Preferences for the subscription will be reviewed.
    • If RA preferences are set to Update Code, a branch will be deployed to the RA Environment, updated, and a ticket will be sent to your team.
    • If RA preferences are set to Inform Only, a ticket will be sent listing recommended security updates. You may request an update by changing your RA preferences and responding to this ticket, asking the RA Team to start a new update and ticket.
  • An updated branch will be available for testing within 24 to 48 hours of a Security Announcement on After a branch has been deployed, progress on the ticket is dependent upon subscriber testing through all steps of the RA security update workflow.
  • If an update branch already exists, unless a new security update is announced, you won’t receive a new ticket for two weeks.