# Splunk App Distribution

Or, "How do apps get put onto Splunk servers?"

## Summary

There are a few methods:

* Salt from the `msoc-infrastructure` repository
* Salt from customer-specific repositories such as `msoc-moose-cm`
* The splunk-app-updater script
* Manually

## The splunk-app-updater script

Each customer account has a Splunk bucket of the format `xdr-modelclient-test-splunk-apps`. This bucket has folders for each server function:

* sh-es - The ES SH
* idx - Indexers
* etc.

Inside these folders are subfolders per source. For example, stuff from the content team's `content_source` repository is placed into `/sh-es/content_source/`.

The script `splunk-app-updater` runs on a cron schedule (10am ET Mon-Thur) and downloads all files for the server's purpose from that folder. If any packages have changed since the last install, it installs the app using the Splunk command line (using the '--update' command).

### But how do they get into the bucket?

Any method can be used to place apps into the bucket. If it's in the bucket, it will be downloaded and installed.

The primary way they get into the bucket is through the CodeBuild scripts in each customer account. This CodeBuild script downloads the source from https://github.xdr.accenturefederalcyber.com/content-delivery/content_source and builds the apps based on the particular tags.

### But how does it build?

The apps are built using a container image that resides in common services. This container is built using the `Dockerfile.codebuild` file in https://github.xdr.accenturefederalcyber.com/content-delivery/content_generator

The container is built and placed into ECR by a job that runs in the common services account.
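
The "changed since the last install" check from the splunk-app-updater section, as an added sketch that is not the actual `splunk-app-updater` script. It assumes the downloaded folder mirrors the bucket layout (`sh-es/content_source/...`), that changes are detected by SHA-256, and that hashes live in a hypothetical JSON state file; the package extensions and all function names are likewise assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

PACKAGE_SUFFIXES = (".tgz", ".tar.gz", ".spl")  # assumed package extensions


def changed_packages(download_dir: Path, state_file: Path) -> dict:
    """Return {relative_path: sha256} for packages that are new or modified
    compared with the hashes recorded at the last successful install."""
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    changed = {}
    for pkg in sorted(download_dir.rglob("*")):
        if pkg.is_file() and pkg.name.endswith(PACKAGE_SUFFIXES):
            rel = pkg.relative_to(download_dir).as_posix()
            digest = hashlib.sha256(pkg.read_bytes()).hexdigest()
            if previous.get(rel) != digest:
                changed[rel] = digest
    return changed


def record_installed(state_file: Path, installed: dict) -> None:
    """Merge hashes of successfully installed packages into the state file,
    which doubles as a record of exactly which bytes were installed."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    state.update(installed)
    state_file.write_text(json.dumps(state, indent=2, sort_keys=True))


def demo() -> list:
    """Constructed sample: one source folder, two packages, three cron runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp) / "sh-es", Path(tmp) / "state.json"
        src = root / "content_source"
        src.mkdir(parents=True)
        (src / "app_a.tgz").write_bytes(b"v1")
        (src / "app_b.tgz").write_bytes(b"v1")
        runs = []
        for new_content in (None, None, b"v2"):
            if new_content:  # third run: a rebuilt app_b lands in the folder
                (src / "app_b.tgz").write_bytes(new_content)
            changed = changed_packages(root, state)
            record_installed(state, changed)  # assumes every install succeeded
            runs.append(sorted(changed))
        return runs
```

Calling `record_installed` only after an install succeeds means a failed install is retried on the next scheduled run instead of being silently skipped.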