Merge pull request #6458 from ministryofjustice/update-rotate-secrets-runbook

Update rotate secret runbook

sukeshreddyg authored Mar 12, 2024
2 parents 8ce5501 + 128fbd3 commit 1bfe0d1
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion source/runbooks/rotating-secrets.html.md.erb
@@ -28,7 +28,7 @@ This guide advises where secrets are stored and how to rotate them.
| PagerDuty User Level API Token | pagerduty_userapi_token | PagerDuty api user level token, used to link services to Slack channels. A valid PD and Slack user needed (to authorise against a slack user), needed in addition to the org level token | AWS Secrets Manager | Log in to PagerDuty as your user, create the token and authorise it against Slack | 180 |
| PagerDuty Integration Keys | pagerduty_integration_keys | Map of integration keys generated and updated by Terraform PagerDuty integration resources when users create services, used to push alerts to those services | AWS Secrets Manager | Destroy and recreate the PagerDuty integration resource in Terraform | 180 |
| PagerDuty Modernisation Platform Team user | N/A | Used for dead-end notifications as all schedules need a user | Not stored | Use password reset process if needed | N/A |
| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Contact [digital_it_forum](https://moj.enterprise.slack.com/archives/C0282GUGKL7) to issue a new incoming webhook for the `Modernisation Platform Alerts` custom Slack application. Revoke the old incoming webhook and update the secret. | 180 |
| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#slack-webhook-url) to rotate the secret | 180 |
| GitHub MP CI User PAT | github_ci_user_pat | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#github-mp-ci-user-pat) to rotate the secret| 180 |
| GitHub MP CI User Environments Repo PAT | github_ci_user_environments_repo_pat | Used in reusable pipelines of the modernisation-platform-environments repository. This is so that the CI user can post comments in PRs, e.g. tf plan/apply output. | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret.| 180 |
| GitHub MP CI User Password | github_ci_user_password | Used to log in and set the PAT | AWS Secrets Manager | Log in to GitHub as the user and reset the password, update the secret | 180 |
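Review bot: the replaced Slack Webhook URL row drops the instruction to revoke the old incoming webhook ("Revoke the old incoming webhook and update the secret.") in favour of a bare link to the runbook section; a superseded Slack incoming webhook URL keeps working until it is removed from the app, so the linked section needs to carry that revocation step explicitly, or the sentence should stay in the table. Minor: the `github_ci_user_pat` row in the surrounding context is missing a space before its final `| 180 |` cell.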
@@ -78,4 +78,15 @@ This runbook describes the process for rotating the **github_ci_user_environment
8. Run the [Github resources Workflow](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-github.yml) manually on the main branch. This will populate the GH secret with the value that you have just updated in AWS Secrets Manager.
9. Wait for another workflow to run which uses the secret to confirm that the new token has taken effect successfully. (The secrets status will show as *"Last used within the last week"*)

### Slack Webhook URL

This runbook describes the process for rotating the **slack_webhook_url** secret.

1. Log into the [Slack API](https://api.slack.com/apps)
2. Select `Modernisation Platform Alerts` App Name from your apps, then choose `Incoming Webhooks`.
3. From there, click on `Add New Webhook to the Workspace`, and select 'modernisation-platform' as the channel name.
4. Copy the Webhook URL and replace it in both [GitHub secrets](https://github.com/ministryofjustice/modernisation-platform/settings/secrets/actions/SLACK_WEBHOOK_URL) and also in the [secrets manager]().
5. Navigate to the Secrets Manager [slack_webhook_url](https://eu-west-2.console.aws.amazon.com/secretsmanager/secret?name=slack_webhook_url&region=eu-west-2) secret and click `Retrieve secret value`
6. Click `Edit` and replace the secret value with the new one and click `Save`
7. Run the [Github resources Workflow](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-github.yml) manually on the main branch. This will populate the GH secret with the value that you have just updated in AWS Secrets Manager.
8. Wait for another workflow to run which uses the secret to confirm that the new token has taken effect successfully. (The secrets status will show as *"Last used within the last week"*)
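Review bot: step 4 contains an empty link (`[secrets manager]()`) and duplicates steps 5 to 7: the Secrets Manager value is edited in steps 5 and 6, and step 7 says the workflow populates the GitHub secret from it, so editing the GitHub secret by hand in step 4 is unnecessary and would be overwritten; suggest reducing step 4 to "Copy the Webhook URL" and dropping both links. Step 8 was carried over from the PAT section and refers to a "token" and a "Last used within the last week" status, neither of which applies to a webhook URL; replace it with a check that an alarm actually posts to the channel. The procedure also never removes the previous webhook from the `Modernisation Platform Alerts` app, so the old URL stays valid after rotation; add a step to delete it once the new value is confirmed working. Nit: step 3 wraps the channel name in single quotes while the other UI labels use backticks.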
