GSA
diff --git a/‎.github/actions/setup-project/action.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/actions/setup-project/action.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/checks.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/checks.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/drift.yml‎
Lines changed: 42 additions & 9 deletions b/‎.github/workflows/drift.yml‎
Lines changed: 42 additions & 9 deletions
diff --git a/‎README.md‎
Lines changed: 43 additions & 31 deletions b/‎README.md‎
Lines changed: 43 additions & 31 deletions
diff --git a/‎app/authentication/auth.py‎
Lines changed: 3 additions & 3 deletions b/‎app/authentication/auth.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/commands.py‎
Lines changed: 1 addition & 1 deletion b/‎app/commands.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/config_files/templates.json‎
Lines changed: 2 additions & 0 deletions b/‎app/config_files/templates.json‎
Lines changed: 2 additions & 0 deletions
@@ -9,10 +9,10 @@ runs:
         sudo apt-get update \
         && sudo apt-get install -y --no-install-recommends \
         libcurl4-openssl-dev
-    - name: Set up Python 3.12.2
+    - name: Set up Python 3.12.9
       uses: actions/setup-python@v4
       with:
-        python-version: "3.12.2"
+        python-version: "3.12.9"
     - name: Install poetry
       shell: bash
       run: pip install poetry==2.1.3
 
@@ -64,7 +64,7 @@ jobs:
         NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
     - name: Check coverage threshold
       # TODO get this back up to 95
-      run: poetry run coverage report -m --fail-under=93
+      run: poetry run coverage report -m --fail-under=92
 
   validate-new-relic-config:
     runs-on: ubuntu-latest
 
@@ -24,14 +24,25 @@ jobs:
           terraform_wrapper: false
 
       - name: Check for drift
-        uses: dflook/terraform-check@v1
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-        with:
-          path: terraform/staging
+        run: |
+          cd terraform/staging
+          terraform init
+          terraform plan -detailed-exitcode
+          exit_code=$?
+          if [ $exit_code -eq 0 ]; then
+            echo "No changes detected.  Intrastructure is up-to-date."
+          elif [ $exit_code -eq 2 ]; then
+            echo "Changes detected.  Infrastructure drift found."
+            exit 1
+          else
+            echo "Error running terraform plan."
+            exit $exit_code
+          fi
 
   check_demo_drift:
     runs-on: ubuntu-latest
@@ -52,14 +63,25 @@ jobs:
           terraform_wrapper: false
 
       - name: Check for drift
-        uses: dflook/terraform-check@v1
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-        with:
-          path: terraform/demo
+        run: |
+          cd terraform/demo
+          terraform init
+          terraform plan -detailed-exitcode
+          exit_code=$?
+          if [ $exit_code -eq 0 ]; then
+            echo "No changes detected.  Intrastructure is up-to-date."
+          elif [ $exit_code -eq 2 ]; then
+            echo "Changes detected.  Infrastructure drift found."
+            exit 1
+          else
+            echo "Error running terraform plan."
+            exit $exit_code
+          fi
 
   check_prod_drift:
     runs-on: ubuntu-latest
@@ -80,11 +102,22 @@ jobs:
           terraform_wrapper: false
 
       - name: Check for drift
-        uses: dflook/terraform-check@v1
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-        with:
-          path: terraform/production
+        run: |
+          cd terraform/production
+          terraform init
+          terraform plan -detailed-exitcode
+          exit_code=$?
+          if [ $exit_code -eq 0 ]; then
+            echo "No changes detected.  Intrastructure is up-to-date."
+          elif [ $exit_code -eq 2 ]; then
+            echo "Changes detected.  Infrastructure drift found."
+            exit 1
+          else
+            echo "Error running terraform plan."
+            exit $exit_code
+          fi
@@ -9,7 +9,7 @@ It's cloned from the brilliant work of the team at
 This repo contains:
 
 - A public-facing REST API for Notify.gov, which teams can integrate with using
- [API clients built by UK](https://www.notifications.service.gov.uk/documentation).
+  [API clients built by UK](https://www.notifications.service.gov.uk/documentation).
 - An internal-only REST API built using Flask to manage services, users,
   templates, etc., which the
   [Notify.gov Admin UI](http://github.com/18F/notifications-admin) talks to.
@@ -18,7 +18,6 @@ This repo contains:
 
 Our other repositories are:
 
-- [notifications-admin](https://github.com/GSA/notifications-admin)
 - [us-notify-compliance](https://github.com/GSA/us-notify-compliance/)
 - [notify-python-demo](https://github.com/GSA/notify-python-demo)
 
@@ -53,7 +52,7 @@ recommended. This helps avoid some known installation issues. Start by following
 the installation instructions on the Homebrew homepage.
 
 **Note:** You will also need Xcode or the Xcode Command Line Tools installed. The
-quickest way to do this is is by installing the command line tools in the shell:
+quickest way to do this is by installing the command line tools in the shell:
 
 ```sh
 xcode-select –-install
@@ -71,11 +70,13 @@ Your system `$PATH` environment variable is likely set in one of these
 locations:
 
 For BASH shells:
+
 - `~/.bashrc`
 - `~/.bash_profile`
 - `~/.profile`
 
 For ZSH shells:
+
 - `~/.zshrc`
 - `~/.zprofile`
 
@@ -85,7 +86,7 @@ environments.
 Which file you need to modify depends on whether or not you are running an
 interactive shell or a login shell
 (see [this Stack Overflow post](https://stackoverflow.com/questions/18186929/what-are-the-differences-between-a-login-shell-and-interactive-shell)
-for an explanation of the differences).  If you're still not sure, please ask
+for an explanation of the differences). If you're still not sure, please ask
 the team for help!
 
 Once you determine which file you'll need to modify, add these lines before any
@@ -147,7 +148,7 @@ tfenv use 1.7.x # x = the patch version installed
 #### Python Installation
 
 Now we're going to install a tool to help us manage Python versions and
-virtual environments on our system.  First, we'll install
+virtual environments on our system. First, we'll install
 [pyenv](https://github.com/pyenv/pyenv) and one of its plugins,
 [pyenv-virtualenv](https://github.com/pyenv/pyenv-virtualenv), with Homebrew:
 
@@ -201,10 +202,6 @@ requires a version number to be included with it when installing it:
 brew install postgresql@15
 ```
 
-_NOTE: This project currently works with PostgreSQL version 15.x; version 12.x is currently used in our hosted environments._
-
-_NOTE: If you have a pre-existing instance of PSQL installed because of another product like PGAdmin, your database configuration may differ from the instructions above, which uses Homebrew to install and configure PostgreSQL.  If this is the case for you, you may have to either account for slightly different user permissions with the database, or uninstall PGAdmin and/or PostgreSQL itself, and reinstall it with Homebrew to follow the steps above._
-
 You'll now need to modify (or create, if it doesn't already exist) the `$PATH`
 environment variable to include the PostgreSQL binaries. Open the file you have
 worked with before to adjust your shell environment with the previous steps and
@@ -224,6 +221,10 @@ this, which will include the PostgreSQL binaries:
 export PATH="/opt/homebrew/opt/postgresql@15/bin:$PATH"
 ```
 
+_NOTE: This project currently works with PostgreSQL version 15.x; version 12.x is currently used in our hosted environments._
+
+_NOTE: If you have a pre-existing instance of PSQL installed because of another product like PGAdmin, your database configuration may differ from the instructions above, which uses Homebrew to install and configure PostgreSQL. If this is the case for you, you may have to either account for slightly different user permissions with the database, or uninstall PGAdmin and/or PostgreSQL itself, and reinstall it with Homebrew to follow the steps above._
+
 _NOTE: You don't want to overwrite your existing `$PATH` environment variable! Hence the reason why it is included on the end like this; paths are separated by a colon._
 
 #### Starting PostgreSQL and Redis
@@ -259,23 +260,24 @@ git clone git@github.com:GSA/notifications-api.git
 
 Now go into the project directory (`notifications-api` by default), create a
 virtual environment, and set the local Python version to point to the virtual
-environment (assumes version Python `3.12.2` is what is installed on your
+environment (assumes version Python `3.12.9` is what is installed on your
 machine):
 
 ```sh
 cd notifications-api
-pyenv virtualenv 3.12.2 notify-api
+pyenv virtualenv 3.12.9 notify-api
 pyenv local notify-api
 ```
 
-_If you're not sure which version of Python was installed with `pyenv`, you can check by running `pyenv versions` and it'll list everything available currently._
+_NOTE: If you're not sure which version of Python was installed with `pyenv`, you can check by running `pyenv versions` and it'll list everything available currently._
 
 Now [log into cloud.gov](https://cloud.gov/docs/getting-started/setup/#set-up-the-command-line)
 in the command line by using this command:
 
 ```sh
 cf login -a api.fr.cloud.gov --sso
 ```
+
 If you are offered a choice of orgs, select `gsa-tts-benefits-studio`.
 For the space, choose `notify-local-dev` to start with (assuming you are
 setting up local development).
@@ -317,7 +319,7 @@ we'll use `3.13` in our example here since we recently upgraded to this version:
 pyenv install 3.13
 ```
 
-Next, delete the virtual environment you previously had set up.  If you followed
+Next, delete the virtual environment you previously had set up. If you followed
 the instructions above with the first-time set up, you can do this with `pyenv`:
 
 ```sh
@@ -329,17 +331,16 @@ environment with the newer version of Python you just installed:
 
 ```sh
 cd notifications-api
-pyenv virtualenv 3.12.2 notify-api
+pyenv virtualenv 3.12.9 notify-api
 pyenv local notify-api
 ```
 
 At this point, proceed with the rest of the instructions here in the README and
 you'll be set with an upgraded version of Python.
 
-_If you're not sure about the details of your current virtual environment, you can run `poetry env info` to get more information. If you've been using `pyenv` for everything, you can also see all available virtual environments with `pyenv virtualenvs`._
-
+_NOTE: If you're not sure about the details of your current virtual environment, you can run `poetry env info` to get more information. If you've been using `pyenv` for everything, you can also see all available virtual environments with `pyenv virtualenvs`._
 
-#### Poetry upgrades ####
+#### Poetry upgrades
 
 If you are doing a new project setup, then after you install poetry you need to install the export plugin
 
@@ -356,7 +357,7 @@ poetry self add poetry-export-plugin
 
 ### Final environment setup
 
-There's one final thing to adjust in the newly created `.env` file.  This
+There's one final thing to adjust in the newly created `.env` file. This
 project has support for end-to-end (E2E) tests and has some additional checks
 for the presence of an E2E test user so that it can be authenticated properly.
 
@@ -380,8 +381,8 @@ variable to something else, preferably a lengthy passphrase.**
 With those two environment variable set, the database migrations will run
 properly and an E2E test user will be ready to go for use in the admin project.
 
-_Note:  Whatever you set these two environment variables to, you'll need to
-match their values on the admin side.  Please see the admin README and
+_Note: Whatever you set these two environment variables to, you'll need to
+match their values on the admin side. Please see the admin README and
 documentation for more details._
 
 ## Running the Project and Routine Maintenance
@@ -407,7 +408,7 @@ make run-procfile
 If it runs correctly, you will be able to visit http://127.0.0.1:6011/ and see
 JSON from the API in your web browser.
 
-This will run all of the services within the same shell session.  If you need to
+This will run all of the services within the same shell session. If you need to
 run them separately to help with debugging or tracing logs, you can do so by
 opening three sepearate shell sessions and running one of these commands in each
 one separately:
@@ -419,16 +420,27 @@ one separately:
 ## Python Dependency Management
 
 We're using [`Poetry`](https://python-poetry.org/) for managing our Python
-dependencies and local virtual environments. When it comes to managing the
-Python dependencies, there are a couple of things to bear in mind.
+dependencies and local virtual environments.
+
+This project has two key dependency files that must be managed together:
+
+- `pyproject.toml` - Contains the dependency specifications
+- `poetry.lock` - Contains the exact versions of all dependencies (including transitive ones)
 
-For situations where you manually manipulate the `pyproject.toml` file, you
-should use the `make py-lock` command to sync the `poetry.lock` file. This will
+### Managing Dependencies
+
+There are two approaches for updating dependencies:
+
+#### 1. Manual manipulation of `pyproject.toml`
+
+If you manually edit the `pyproject.toml` file, you should use the `make py-lock` command to sync the `poetry.lock` file. This will
 ensure that you don't inadvertently bring in other transitive dependency updates
 that have not been fully tested with the project yet.
 
-If you're just trying to update a dependency to a newer (or the latest) version,
-you should let Poetry take care of that for you by running the following:
+#### 2. Using Poetry to update dependencies (recommended)
+
+If you're updating a dependency to a newer (or the latest) version,
+let Poetry handle it by running:
 
 ```sh
 poetry update <dependency> [<dependency>...]
@@ -441,9 +453,9 @@ will do the following for you:
 - Install the new versions
 - Update and sync the `poetry.lock` file
 
-In either situation, once you are finished and have verified the dependency
-changes are working, please be sure to commit both the `pyproject.toml` and
-`poetry.lock` files.
+**Important:** In either situation, once you are finished and have verified the dependency
+changes are working, you must commit both the `pyproject.toml` and
+`poetry.lock` files together.
 
 ## Known Installation Issues
 
@@ -513,7 +525,7 @@ instructions above for more details.
 - [Pull Requests](.docs/all.md#pull-requests)
   - [Getting Started](.docs/all.md#getting-started)
   - [Description](.docs/all.md#description)
-  - [TODO (optional)](.docs/all.md#todo-(optional))
+  - [TODO (optional)](<.docs/all.md#todo-(optional)>)
   - [Security Considerations](.docs/all.md#security-considerations)
 - [Code Reviews](.docs/all.md#code-reviews)
   - [For the reviewer](.docs/all.md#for-the-reviewer)
 
@@ -2,6 +2,9 @@
 import uuid
 
 from flask import current_app, g, request
+from sqlalchemy.orm.exc import NoResultFound
+
+from app.serialised_models import SerialisedService
 from notifications_python_client.authentication import (
     decode_jwt_token,
     get_token_issuer,
@@ -13,9 +16,6 @@
     TokenExpiredError,
     TokenIssuerError,
 )
-from sqlalchemy.orm.exc import NoResultFound
-
-from app.serialised_models import SerialisedService
 from notifications_utils import request_helper
 
 # stvnrlly - this is silly, but bandit has a multiline string bug (https://github.com/PyCQA/bandit/issues/658)
 
@@ -11,7 +11,6 @@
 from click_datetime import Datetime as click_dt
 from faker import Faker
 from flask import current_app, json
-from notifications_python_client.authentication import create_jwt_token
 from sqlalchemy import and_, select, text, update
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm.exc import NoResultFound
@@ -58,6 +57,7 @@
     User,
 )
 from app.utils import utc_now
+from notifications_python_client.authentication import create_jwt_token
 from notifications_utils.recipients import RecipientCSV
 from notifications_utils.template import SMSMessageTemplate
 from tests.app.db import (
 
@@ -20,6 +20,8 @@
       "Notify.gov makes it easy to keep people updated by helping you send text messages.",
       "",
       "",
+      "If you have not done so, please log out before joining.",
+      "",
       "[Join Service](((url)))",
       "If you’re new to Notify.gov you will first be directed to Login.gov create an account with us.",
       "",