
Security update process

Security updates take place in several steps. Both automated and manual updates use a similar process:

  1. Step one: Test updates in an isolated branch
  2. Step two: Tag branch and deploy for more testing
  3. Step three: Deploy tested tag to production

Step one: Test updates in an isolated branch

The steps within step one won’t affect the operation of production, stage, or development servers. Acquia’s automated security update process will:

  1. Create a branch from the tag or branch deployed to your production environment.
  2. Deploy this branch to the RA Environment.
  3. Enable live development on the RA Environment.
  4. Copy the production database(s) to the RA environment.
  5. Use Drush or Composer to apply all security updates to this branch.
  6. Create a ticket to inform your team the security update branch is ready for testing and approval.

After you approve the security update branch, Acquia will proceed with the next step.

Step two: Tag branch and deploy for more testing

Once your team has approved the branch provided in the first step, RA Automation will:

  1. Make a tag of the approved security update branch. The only difference between this tag and the source from step one should be the tested and approved security updates.
  2. Back up all databases on your preferred testing environment.
  3. Copy the latest databases from production into your preferred test environment, which defaults to the Stage environment. This ensures the final test is against the most recent production data.
  4. Deploy the tag to the testing environment for final testing.
  5. Inform your team the tag is ready for testing and approval to deploy to production. Acquia can’t move updated code to production without your explicit approval.

After you approve the tag of the security update branch, Acquia will proceed with the next step.

Step three: Deploy tested tag to production

Once your team approves the tag, it will be deployed to production. You can schedule this for a specific time with 24-hour notice within normal business hours. See Scheduling production deploy windows for details.

Note

We cannot move code to production without explicit approval from the subscriber.

After you have approved the tag for release to production on the ticket, RA automation will do the following:

  1. Back up the production database(s).
  2. Deploy the tag.
  3. Run any required database updates.
  4. Inform you that production has been updated and must be tested.
  5. Your RA preference setting will determine who merges the security branch into your development branch:
    • If your RA preference is set to merge, RA automation will try to merge the update into your development branch. If the merge into the development branch requires troubleshooting, either Acquia or your team can create a new ticket (Premium Only).
    • If your RA preference isn’t set to merge, you should merge the branch/tag into your preferred branch (usually master). This ensures the security updates are included in all future work.

Alternate procedure: Tag branch and deploy directly to production

If you don’t want more testing, you may choose to skip Step two: Tag branch and deploy for more testing. Acquia recommends skipping step two ONLY if you are certain testing on the RA environment is enough.

Once your team has approved the branch provided in the first step, RA Automation will:

  1. Make a tag of the approved security update branch. The only difference between this tag and the source from step one should be the tested and approved security updates.
  2. Back up the production database(s).
  3. Deploy the tag.
  4. Run any required database updates.
  5. Inform you that production has been updated and must be tested.
  6. Your RA preference setting will determine who merges the security branch into your development branch:
    • If you set your RA preference to merge, RA automation will try to merge the update into your development branch. If the merge into the development branch requires troubleshooting, either Acquia or your team can create a new ticket (Premium Only).
    • If you don’t set your RA preference to merge, you should merge the branch/tag into your preferred development branch. This ensures the security updates are included in all future work.
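
Step two and the alternate procedure both state that the tag should differ from the step-one source only by the tested and approved security updates. The following is an added example, not Acquia tooling, of one way your team could check that before approving a tag: it assumes you run it in a clone of the site repository, and the function name, ref names and the allow-list of update paths are assumptions to adjust to your codebase.

```shell
#!/bin/sh
# Added example (not Acquia tooling). Run inside a clone of the site repository.
# Usage: verify_update_tag PROD_REF APPROVED_BRANCH NEW_TAG [ALLOWED_PATHS_REGEX]
# Returns 0 = invariant holds, 1 = invariant violated, 2 = unknown ref.

# Assumed allow-list of paths a Drush/Composer security update may touch.
# This layout is an assumption; adjust it to your repository.
DEFAULT_ALLOWED='^(composer\.(json|lock)$|vendor/|docroot/(core|modules/contrib|themes/contrib)/)'

verify_update_tag() {
    vt_prod=$1 vt_branch=$2 vt_tag=$3 vt_allowed=${4:-$DEFAULT_ALLOWED}

    # Resolve the refs; a missing ref is a usage error, not a verdict.
    vt_tag_tree=$(git rev-parse --verify -q "$vt_tag^{tree}") ||
        { echo "unknown ref: $vt_tag" >&2; return 2; }
    vt_ok_tree=$(git rev-parse --verify -q "$vt_branch^{tree}") ||
        { echo "unknown ref: $vt_branch" >&2; return 2; }
    git rev-parse --verify -q "$vt_prod^{commit}" >/dev/null ||
        { echo "unknown ref: $vt_prod" >&2; return 2; }

    # 1. The tag must contain exactly the content that was tested and approved.
    if [ "$vt_tag_tree" != "$vt_ok_tree" ]; then
        echo "FAIL: $vt_tag differs from approved branch $vt_branch:" >&2
        git diff --name-status "$vt_branch" "$vt_tag" >&2
        return 1
    fi

    # 2. The tag must be built on top of what production runs today.
    if ! git merge-base --is-ancestor "$vt_prod" "$vt_tag"; then
        echo "FAIL: $vt_tag is not a descendant of $vt_prod" >&2
        return 1
    fi

    # 3. Everything that changed since production must be on the allow-list.
    vt_extra=$(git diff --name-only "$vt_prod" "$vt_tag" | grep -Ev "$vt_allowed" || true)
    if [ -n "$vt_extra" ]; then
        echo "FAIL: changes outside the expected update paths:" >&2
        echo "$vt_extra" >&2
        return 1
    fi

    echo "OK: $vt_tag matches $vt_branch; only update paths changed since $vt_prod"
}
```

A non-zero result is a reason to ask on the ticket before approving, since custom code should not change in a security update tag.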

For more detailed documentation on using Drush and CloudAPI commands to apply RA security updates, see Performing Acquia Automation security updates using CloudAPI and Drush.