From 6976f78c05f013e59b6e5c37077dbf9006f5f51b Mon Sep 17 00:00:00 2001 From: Sukesh Date: Tue, 12 Mar 2024 14:44:06 +0000 Subject: [PATCH 1/2] Update rotate secret runbook --- source/runbooks/rotating-secrets.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/runbooks/rotating-secrets.html.md.erb b/source/runbooks/rotating-secrets.html.md.erb index 9d065a0fc..16f70ad91 100644 --- a/source/runbooks/rotating-secrets.html.md.erb +++ b/source/runbooks/rotating-secrets.html.md.erb 
@@ -28,7 +28,7 @@ This guide advises where secrets are stored and how to rotate them. | PagerDuty User Level API Token | pagerduty_userapi_token | PagerDuty api user level token, used to link services to Slack channels. A valid PD and Slack user needed (to authorise against a slack user), needed in addition to the org level token | AWS Secrets Manager | Log in to PagerDuty as your user, create the token and authorise it against Slack | 180 | | PagerDuty Integration Keys | pagerduty_integration_keys | Map of integration keys generated and updated by Terraform PagerDuty integration resources when users create services, used to push alerts to those services | AWS Secrets Manager | Destroy and recreate the PagerDuty integration resource in Terraform | 180 | | PagerDuty Modernisation Platform Team user | N/A | Used for dead-end notifications as all schedules need a user | Not stored | Use password reset process if needed | N/A | -| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Contact [digital_it_forum](https://moj.enterprise.slack.com/archives/C0282GUGKL7) to issue a new incoming webhook for the `Modernisation Platform Alerts` custom Slack application. Revoke the old incoming webhook and update the secret. | 180 | +| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Log into the [Slack API](https://api.slack.com/apps) select `Modernisation Platform Alerts` from your apps, then choose `Incoming Webhooks`. From there, Add New Webhook to the Workspace. Copy the Webhook URL and replace it in both GitHub secrets and also in the secrets manager. 
| 180 | | GitHub MP CI User PAT | github_ci_user_pat | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#github-mp-ci-user-pat) to rotate the secret| 180 | | GitHub MP CI User Environments Repo PAT | github_ci_user_environments_repo_pat | Used in reusable pipelines of the modernisation-platform-environments repository. This is so that the CI user can post comments in PRs, e.g. tf plan/apply output. | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret.| 180 | | GitHub MP CI User Password | github_ci_user_password | Used to log in and set the PAT | AWS Secrets Manager | Log in to GitHub as the user and reset the password, update the secret | 180 | From 128fbd31c45d1a95962099f123b9dcb8bfab89f2 Mon Sep 17 00:00:00 2001 From: Sukesh Date: Tue, 12 Mar 2024 15:26:57 +0000 Subject: [PATCH 2/2] Update rotate secret runbook --- source/runbooks/rotating-secrets.html.md.erb | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/source/runbooks/rotating-secrets.html.md.erb b/source/runbooks/rotating-secrets.html.md.erb index 16f70ad91..0145ce472 100644 --- a/source/runbooks/rotating-secrets.html.md.erb +++ b/source/runbooks/rotating-secrets.html.md.erb 
@@ -28,7 +28,7 @@ This guide advises where secrets are stored and how to rotate them. | PagerDuty User Level API Token | pagerduty_userapi_token | PagerDuty api user level token, used to link services to Slack channels. A valid PD and Slack user needed (to authorise against a slack user), needed in addition to the org level token | AWS Secrets Manager | Log in to PagerDuty as your user, create the token and authorise it against Slack | 180 | | PagerDuty Integration Keys | pagerduty_integration_keys | Map of integration keys generated and updated by Terraform PagerDuty integration resources when users create services, used to push alerts to those services | AWS Secrets Manager | Destroy and recreate the PagerDuty integration resource in Terraform | 180 | | PagerDuty Modernisation Platform Team user | N/A | Used for dead-end notifications as all schedules need a user | Not stored | Use password reset process if needed | N/A | -| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Log into the [Slack API](https://api.slack.com/apps) select `Modernisation Platform Alerts` from your apps, then choose `Incoming Webhooks`. From there, Add New Webhook to the Workspace. Copy the Webhook URL and replace it in both GitHub secrets and also in the secrets manager. 
| 180 | +| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#slack-webhook-url) to rotate the secret | 180 | | GitHub MP CI User PAT | github_ci_user_pat | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#github-mp-ci-user-pat) to rotate the secret| 180 | | GitHub MP CI User Environments Repo PAT | github_ci_user_environments_repo_pat | Used in reusable pipelines of the modernisation-platform-environments repository. This is so that the CI user can post comments in PRs, e.g. tf plan/apply output. | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret.| 180 | | GitHub MP CI User Password | github_ci_user_password | Used to log in and set the PAT | AWS Secrets Manager | Log in to GitHub as the user and reset the password, update the secret | 180 | 
@@ -78,4 +78,15 @@ This runbook describes the process for rotating the **github_ci_user_environment 8. Run the [Github resources Workflow](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-github.yml) manually on the main branch. This will populate the GH secret with the value that you have just updated in AWS Secrets Manager. 9. Wait for another workflow to run which uses the secret to confirm that the new token has taken effect successfully. (The secrets status will show as *"Last used within the last week"*) +### Slack Webhook URL +This runbook describes the process for rotating the **slack_webhook_url** secret. + +1. Log into the [Slack API](https://api.slack.com/apps) +2. Select `Modernisation Platform Alerts` App Name from your apps, then choose `Incoming Webhooks`. +3. From there, click on `Add New Webhook to the Workspace`, and select 'modernisation-platform' as the channel name. +4. Copy the Webhook URL and replace it in both [GitHub secrets](https://github.com/ministryofjustice/modernisation-platform/settings/secrets/actions/SLACK_WEBHOOK_URL) and also in the [secrets manager](). +5. Navigate to the Secrets Manager [slack_webhook_url](https://eu-west-2.console.aws.amazon.com/secretsmanager/secret?name=slack_webhook_url®ion=eu-west-2) secret and click `Retrieve secret value` +6. Click `Edit` and replace the secret value with the new one and click `Save` +7. Run the [Github resources Workflow](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-github.yml) manually on the main branch. This will populate the GH secret with the value that you have just updated in AWS Secrets Manager. +8. Wait for another workflow to run which uses the secret to confirm that the new token has taken effect successfully. (The secrets status will show as *"Last used within the last week"*) \ No newline at end of file
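Review bot: (patch 1, hunk `@@ -28,7`) the replacement Slack Webhook URL row drops the revocation step that the removed line carried ("Revoke the old incoming webhook and update the secret"), so a reader following the new cell creates a second webhook and leaves the previous URL valid; the rotation text should end with removing the old incoming webhook from the `Modernisation Platform Alerts` app once the new one is confirmed working. The removed line also had the reader contact digital_it_forum to issue the webhook, whereas the new text assumes the reader can see the app under "your apps" in the Slack API console; worth stating who holds access to that app.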
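Review bot: (patch 2, hunk `@@ -28,7`) the anchor `#slack-webhook-url` matches the `### Slack Webhook URL` heading added in the next hunk, so the link is consistent, but it is an absolute URL to the published user guide and will not resolve until this change is deployed; a relative `#slack-webhook-url` would also work in local previews. Minor: this cell ends `rotate the secret | 180 |` while the GitHub PAT row that follows uses `rotate the secret| 180 |`; pick one spacing.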
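Review bot: (patch 2, hunk `@@ -78,4`) step 4 has an empty link target, `[secrets manager]()`, and it overlaps with steps 5 to 7: it tells the reader to paste the URL into GitHub secrets by hand, while step 7 has the Github resources Workflow populate that secret from AWS Secrets Manager. Reduce step 4 to "Copy the Webhook URL" and let steps 5 to 7 cover both stores. There is no step to delete the old incoming webhook from the Slack app after step 8 confirms the new one works, so the old URL stays valid after rotation; add that as a final step. Step 8 says "new token" although this secret is a webhook URL. The Secrets Manager link reads `®ion=eu-west-2`; if that is literally what is in the file it is a mangled `&region=eu-west-2`. Also add the missing newline at end of file.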