Migrate PLG to Prod

[elipe17]

Summary of Changes

• Updated cloud.gov nginx conf to proxy Grafana
• Updated networking to correctly tunnel routes to and from the production space
• Fixed grafana config to correctly auto upload resources and set more conformant session limitations
• Removed some extremely annoying log messages
• Updated Loki to have 1GB of memory
  Pull request closes PLG Production Migration #3222

How to Test

1. Deploy the PR to an environment of your choice.
2. Use the CF CLI to verify that PLG is not in the dev space anymore. If you have the privilege, verify the apps are only in prod.
3. Give yourself sys admin or developer role and verify the frontend will proxy grafana in the prod env
4. Reach out to me for credentials to log into grafana since we don't have sso setup

Deliverables

More details on how deliverables herein are assessed included here.

Deliverable 1: Accepted Features

Checklist of ACs:

• PLG is deployed in prod
• Dev and Staging apps are still observable from PLG in prod
• Testing Checklist has been run and all tests pass
• README is updated, if necessary

Deliverable 2: Tested Code

• Are all areas of code introduced in this PR meaningfully tested?
  • If this PR introduces backend code changes, are they meaningfully tested?
  • If this PR introduces frontend code changes, are they meaningfully tested?
• Are code coverage minimums met?
  • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
  • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

• Are backend code style checks passing on CircleCI?
• Are frontend code style checks passing on CircleCI?
• Are code maintainability principles being followed?

Deliverable 4: Accessible

• Does this PR complete the epic?
• Are links included to any other gov-approved PRs associated with epic?
• Does PR include documentation for Raft's a11y review?
• Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

• Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

• Does this PR provide background for why coding decisions were made?
• If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
• If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
• If this PR introduces dependencies, are their licenses documented?
• Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

• Does the OWASP Scan pass on CircleCI?
• Do manual code review and manual testing detect any new security issues?
• If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

• the purpose of the research
• methods used to conduct the research
• who participated in the research
• what was tested and how
• impact of research on TDP
• (if applicable) final design mockups produced for TDP development

[lhuxraft]

[DONE] Attach to 3222

[ADPennington]

@elipe17 cf cli issue in the pipeline affecting the deployment on this branch.

[ADPennington]

@elipe17 this LGTM! testing notes below and one question.

---

• Confirmed ability to get to grafana with sys admin permissions
• Confirmed inability to get to grafana w/o sys admin permissions
• Confirmed PLG stack not available in tanf-dev space (via cf apps)
• Confirmed PLG apps only available in tanf-prod space
• Confirmed the following least privilege protocols over access to grafana are in-place:
  • Access to grafana requires to levels of sign-in. First, sign-in via TDP authentication service, then approved users with developer or sys admin permissions can access grafana endpoint. Second, must sign-in with grafana-specific user/pass credentials.
  • admin/ofa users have more visibility than non-admin users
  • non-admin user has visibility to dev and staging logs