Implementing security updates
Acquia uses an automated process to deploy a security update branch to
the Environment.
- Acquia’s security update automation requires your subscription
is correctly set up. Ensure all required
setup is fully implemented.
- Standard RA subscriptions will only receive security updates using
Acquia’s automated security update process. It’s the responsibility
of your team to ensure your website is compatible with the
automated update process.
- Legacy Premium RA subscribers may request help to ensure your website
is compatible with Acquia’s security update automation.
- Acquia’s security update automation behaves according to RA
preferences set per subscription. Unless these
preferences are manually set, the default preferences will be used.
- Inform-Only subscriptions will receive a ticket noting
recommended security updates, but no action will be taken. If you
would like to receive an update, you must change your preference to
Full Deploy. This preference can be changed back after the specific
update is complete.
Legacy Premium RA subscriptions which aren’t compatible with Acquia’s
security update automation will receive updates as soon as possible, but
Acquia can’t guarantee a timeline.
Ticket timelines
Security Updates are implemented using a semi-automated queue. At this
time, Acquia initiates automated updates as follows:
- When a core security update is announced on drupal.org. The queue will be initiated within 24
hours of the release. Subscribers should receive tickets within
24 to 48 hours.
- Production websites are periodically scanned for core and module
security updates.
- Subscribers can specifically request updates.
After the queue is initiated, update automation will detect security
updates, start the update process, and create a new ticket notifying
your team an updated branch is ready to test on the RA environment.
Acquia implements security updates depending on your subscription
preferences:
- Inform Only subscriptions: Acquia sends a security update notification
for Drupal Core SA releases within 24 to 48 hours of the announcement. These
tickets are only for notification purposes and do not require any action.
They will be resolved. To update your subscription, set your preferences to
Full Deploy, provide your response in the initial ticket, and resolve
it. Acquia will create an update and a new ticket in the next weekly run for
your subscription.
- Full Deploy subscriptions: Acquia’s RA team will update all Full
Deploy subscriptions by using an automated process. Your team will
receive a new ticket detailing all the changes after updates have
been deployed and are ready for testing on the RA Environment. Use of
this environment prevents any disruption to your ongoing development.
All security updates are implemented as follows:
- After Acquia deploys an update and sends a ticket, the time to solve
the ticket depends on testing and troubleshooting.
- Moving through each update step requires your approval. Acquia will
not deploy a secure branch to either your testing or production
environment without explicit approval by a member of your team.
- After you approve a tag, Acquia moves the website to production as soon as
possible, or during a scheduled and approved deploy window. The scheduled
and approved deploy window must be set in RA preferences.
Scheduling production deploy windows
To deploy an update to production at a specific time, set a deploy time in your
RA preferences. If you do not set a specific time, the system deploys the update
immediately post your approval. This service is available every day.
Be aware of the following items when requesting to schedule production
deploys:
- To allow time for scheduling, all requests must be made with a
minimum of one full business day’s notice. Although we can’t
guarantee a window with fewer than 24 hours’ notice, Acquia will try to
accommodate these requests, when possible.
- Be sure to provide a one-hour window in your preferred time zone for
the deploy, and clearly state your time zone in the ticket. Acquia
will confirm the window.
- Production deployment requests are not monitored. If you experience issues
in your production deployment, file a critical support ticket adhering to standard procedures for critical
support, and reference the RA update ticket.
- If your production deployment does not get completed as expected, the system
notifies you. You must review, make the necessary changes, and let Acquia
know by updating the existing ticket to reschedule the deployment.