Docs/5646 rotate GitHub ci user pat (#5829)
* initial commit

* add process

* add new steps

* formatting updates

* add more detail
richgreen-moj authored Dec 19, 2023
1 parent 0542fe4 commit 28b5d2f
Showing 1 changed file with 26 additions and 1 deletion.
27 changes: 26 additions & 1 deletion source/runbooks/rotating-secrets.html.md.erb
@@ -20,7 +20,7 @@ This guide advises where secrets are stored and how to rotate them.
| PagerDuty Integration Keys | pagerduty_integration_keys | Map of integration keys generated and updated by Terraform PagerDuty integration resources when users create services, used to push alerts to those services | AWS Secrets Manager | Destroy and recreate the PagerDuty integration resource in Terraform | 180 |
| PagerDuty Modernisation Platform Team user | N/A | Used for dead-end notifications as all schedules need a user | Not stored | Use password reset process if needed | N/A |
| Slack Webhook URL | slack_webhook_url | Used to post alarms to Slack | AWS Secrets Manager | Contact Operations Engineeering to issue a new incoming webhook for the `Modernisation Platform Alerts` custom Slack application. Revoke the old incoming webhook and update the secret. | 180 |
| GitHub MP CI User PAT | github_ci_user_pat | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret.| 180 |
| GitHub MP CI User PAT | github_ci_user_pat | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Use this [runbook](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#github-mp-ci-user-pat) to rotate the secret| 180 |
| GitHub MP CI User Environments Repo PAT | github_ci_user_environments_repo_pat | Used in reusable pipelines of the modernisation-platform-environments repository. This is so that the CI user can post comments in PRs, e.g. tf plan/apply output. | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret.| 180 |
| GitHub MP CI User Password | github_ci_user_password | Used to log in and set the PAT | AWS Secrets Manager | Log in to GitHub as the user and reset the password, update the secret | 180 |
| Environment Management | environment_management | A Map of account names to IDs, and data for environment management, such as organizational unit IDs | AWS Secrets Manager | Does not need rotating, not really a secret and regenerated on each account creation | N/A |
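Review bot: the replacement row points at an absolute URL on the published user guide (`https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#github-mp-ci-user-pat`) even though the runbook lives in this same file; a relative anchor link (`[runbook](#github-mp-ci-user-pat)`) would not break if the site is moved or rendered under another host, and it keeps the link working in local previews. Minor style point in the same cell: the trailing `rotate the secret| 180 |` is missing the space before the pipe that every other row uses. Also worth noting that the `GitHub MP CI User Environments Repo PAT` row two lines below still carries the old inline instruction ("Log in as the Modernisation Platform CI User and generate a new PAT ..."); if that token is rotated by the same procedure, linking it to the new runbook (or a sibling section) would avoid the two rows drifting apart.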
@@ -29,3 +29,28 @@ This guide advises where secrets are stored and how to rotate them.
| Circle CI ID | mod-platform-circleci | CircleCI organisation ID for ministryofjustice, used for OIDC IAM policies | AWS Secrets Manager | Not really a secret, should not be rotated | N/A |
| ModernisationPlatformOrganisationManagement IAM user in MoJ root account | N/A | Used to perform limited activities in the root account. No longer used as replaced by OIDC but user kept for breakglass purposes. | Not stored | No active access keys, if keys or password needed contact Operations Engineering | N/A |
| Modernisation Platform Account Root User Password | N/A | Only used during initial platform set up, log in prevented via SCP and no password or keys set | Not stored | Disable or move account to a non SCP protected OU and follow the password reset steps | N/A |

## Runbooks

### GitHub MP CI User PAT

This runbook describes the process for rotating the **github_ci_user_pat** secret.

1. Retrieve the MP GitHub credentials by logging in to the AWS [Modernisation Platform account](https://moj.awsapps.com/start#/) with **AdministratorAccess**
2. Navigate to the Secrets Manager [github_ci_user_password](https://eu-west-2.console.aws.amazon.com/secretsmanager/secret?name=github_ci_user_password&region=eu-west-2) secret and click `Retrieve secret value`
3. Use the credentials provided to log in to [GitHub](https://github.com)
4. Once logged in click on the profile icon and then **Settings > Developer settings > Personal access tokens > Tokens (classic) > Generate new token (classic)**
5. Fill out the details:
* In the **Note** field give the token a descriptive name e.g. `"Modernisation Platform GitHub Terraform"`
* Set **Expiration** value to `"No Expiration"`
* Set Scopes by ticking the following boxes:
* workflow
* admin:org (write:org | read:org | manage_runners:org)
* user:email
* project (read:project)
6. Click `Generate token` and then copy the token to your clipboard
7. Navigate to the Secrets Manager [github_ci_user_pat](https://eu-west-2.console.aws.amazon.com/secretsmanager/secret?name=github_ci_user_pat&region=eu-west-2) secret and click `Retrieve secret value`
8. Click `Edit` and replace the token with the new one and click `Save`
9. Run the [Github resources Workflow](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-github.yml) manually on the main branch. This will populate the GH secret with the value that you have just updated in AWS Secrets Manager.
10. Wait for another workflow to run which uses the secret to confirm that the new token has taken effect successfully. (The secrets status will show as *"Last used within the last week"*)
11. When you are confident the new secret is working successfully you can delete the old PAT token in GitHub
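Review bot: step 5 instructs setting **Expiration** to `"No Expiration"`, which conflicts with the 180-day rotation period this runbook is meant to satisfy and means a missed rotation leaves a live, never-expiring token with `workflow` and `admin:org` scopes. Suggest selecting a custom expiration of 180 days instead, so that an unrotated token fails closed and GitHub's expiry notification to the CI user's mailbox acts as the rotation reminder. Two smaller points: step 11 leaves the old PAT valid for an unbounded period after the new one is confirmed, so it would help to state a maximum window (for example revoke once step 10's "Last used within the last week" check passes, rather than "when you are confident"); and the wording has `Github resources Workflow` in step 9 and `PAT token` in step 11, which should read `GitHub` and `PAT` to match the rest of the file.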
