generated from ministryofjustice/template-repository
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #9039 from ministryofjustice/docs/yjaf-pages
Legacy YJAF docs
Showing 4 changed files with 148 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
--- | ||
owner_slack: "#modernisation-platform" | ||
title: Duty Rota | ||
last_reviewed_on: 2025-01-22 | ||
review_in: 6 months | ||
--- | ||
|
||
# YJAF AWS IAM Account Creation | ||
|
||
This process covers the creation of IAM accounts for the YJAF AWS account. | ||
|
||
This is a semi-automated process. New users are managed in Terraform, however, user credentials are issued manually. | ||
|
||
## Add users to code | ||
|
||
1. Create a module for the new user in [users.tf](https://github.com/ministryofjustice/yjaf-infra-aws-mgmt/blob/main/user-groups/users.tf). | ||
|
||
Example (replace FirstnameSurname with actual user details): | ||
``` | ||
module "FirstnameSurname" { | ||
source = "../modules/user" | ||
username = "FirstnameSurname" | ||
tags = local.tags | ||
} | ||
``` | ||
2. Add users new `username` (that you created in step 1) to appropriate list in [env_config](https://github.com/ministryofjustice/yjaf-infra-aws-mgmt/blob/main/env_configs/yjaf-mgmt-users.tfvars) depending on level of access required. | ||
|
||
Example: | ||
``` | ||
i2n_devops_members = [ | ||
"FirstnameSurname", | ||
] | ||
``` | ||
This would add the new user `FirstnameSurname` to the `i2n_devops_members` group and allow them specifc permissions. All permissions and policies can be found elsewhere in this repository. | ||
|
||
3. Raise a PR. | ||
|
||
4. On merging the PR an automated Terraform Apply will run. | ||
|
||
After the apply has finished successfully you can access the AWS account to get the users login details for the next steps. | ||
|
||
## Issue login details | ||
|
||
5. Use AWS SSO to access the `Youth Justice Framework Management` account. | ||
|
||
6. Access the IAM console. | ||
|
||
7. Go to the `Users` section. | ||
|
||
8. Click on the new user who was created via Terraform in the previous steps. | ||
|
||
9. Navigate to the `Security credentials` tab. | ||
|
||
10. Click on the `Enable console access` button. | ||
|
||
11. On the next sectionm select `Auto generated password` and ensure the `User must create new password at next sign-in` box is checked. Then click on the `Enable console access` button to save and move on. | ||
|
||
12. The next screen contains the login url, username and password. Make a note of these and provide these details to the new users via email. | ||
|
||
Example email: | ||
|
||
``` | ||
Hi Firstname, | ||
|
||
Please see below for your new Youth Justice AWS console login details: | ||
|
||
Console URL: https://yjaf-mgmt.signin.aws.amazon.com/console | ||
|
||
Username: FirstnameSurname | ||
|
||
Password: ************** | ||
|
||
You will be asked to set a new password on first login. | ||
|
||
You will also need to set up 2FA on the account. Please ensure the device name is identical to your Username i.e. FirstnameSurname. | ||
|
||
Any issues please let me know. | ||
``` | ||
|
||
13. Send email to users with new console login details. |
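Review bot: Step 12 and the example email put the console URL, username and autogenerated password in a single message, so anyone who can read that mailbox holds everything needed for the first sign-in. Consider sending the password through a separate channel from the URL and username, and state that in the step. Step 13 ("Send email to users with new console login details") repeats what step 12 already instructs and can be merged into it. The front matter sets `title: Duty Rota` while the page heading is "YJAF AWS IAM Account Creation", which looks copied from another page. Typos to fix: "sectionm" in step 11, "specifc" in the paragraph after step 2, and "users" for "user's" in step 2 and in the sentence after step 4.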
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
--- | ||
owner_slack: "#modernisation-platform" | ||
title: Duty Rota | ||
last_reviewed_on: 2025-01-22 | ||
review_in: 6 months | ||
--- | ||
|
||
# YJAF AWS IAM Account Deletion | ||
|
||
This process covers the removal of IAM accounts for the YJAF AWS account. | ||
|
||
The existing pipelines are not able to delete accounts so there are some manual steps before you update and apply the terraform code. | ||
|
||
## Manual steps to delete IAM Account | ||
|
||
1. Access the **Youth Justice Framework Management AWS account** via [SSO](https://moj.awsapps.com/start/#/?tab=accounts). | ||
|
||
2. Go to the IAM Console. | ||
|
||
3. Click on `Users` tab. | ||
|
||
4. Click on the user name you will be deleting. | ||
|
||
5. Click on the `Security Credentials` tab | ||
|
||
6. Go to the `Multi-factor authentication (MFA)` section. Select all devices and click on the `Remove` button. | ||
|
||
7. Then click on the `Delete` button in the top right corner of the UI. You'll need to confirm deletion on the next screen and save changes. The user IAM account will now be deleted. | ||
|
||
## Update [yjaf-infra-aws-mgmt](https://github.com/ministryofjustice/yjaf-infra-aws-mgmt) and apply terraform | ||
|
||
There are two files to update: | ||
|
||
- Remove the user name for the relevant lists in the [yjaf-mgmt-users.tfvars](https://github.com/ministryofjustice/yjaf-infra-aws-mgmt/blob/main/env_configs/yjaf-mgmt-users.tfvars) file. | ||
|
||
- Remove the user module block from the [user.tf](https://github.com/ministryofjustice/yjaf-infra-aws-mgmt/blob/main/user-groups/users.tf) file. | ||
|
||
Raise a PR for changes to be reviewed by the Team. Merge changes to run automated pipelines. | ||
|
||
Done. |
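Review bot: The ordering leaves a gap between the manual console delete (step 7) and the merge of the Terraform change: while the module block is still in users.tf, an apply triggered by any other merge would recreate the user. Suggest preparing the PR before the manual steps and merging it immediately after the delete, or adding a line telling the operator to hold other merges until this one is in. The link text in the second bullet reads `user.tf` but the URL points to `users.tf`. The front matter `title: Duty Rota` does not match the heading "YJAF AWS IAM Account Deletion". Step 5 is missing its full stop, and "terraform" is lower case here but capitalised in the creation page.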
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
--- | ||
owner_slack: "#modernisation-platform" | ||
title: Duty Rota | ||
last_reviewed_on: 2025-01-22 | ||
review_in: 6 months | ||
--- | ||
|
||
# YJAF AWS Account Password Resets | ||
|
||
From time to time we may get requests to the Operations Engineering mailbox for Youth Justice Application Framework (YJAF) AWS IAM account resets. | ||
|
||
This is a manual process that is managed via the console. | ||
|
||
## Steps to reset password | ||
|
||
1. Access the **Youth Justice Framework Management AWS account** via [SSO](https://moj.awsapps.com/start/#/?tab=accounts). | ||
2. Go to the IAM Console. | ||
3. Click on `Users` tab. | ||
4. Click on the user name that requires a password reset. | ||
5. Click on the `Security Credentials` tab | ||
6. Click on the `Manage console access` button | ||
7. Select the `Reset Password` option | ||
8. Check that `Autogenerated password` is selected and tick the `User must create new password at next sign-in` | ||
9. Click on the `Reset Password` button to generate a new password | ||
10. Copy the autogenerated password and email it to the user |
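Review bot: There is no step to confirm who is asking before step 10 emails a fresh password; the intro says requests arrive at the Operations Engineering mailbox, and the steps go straight from receiving one to resetting. Add a step before step 1 to verify the requester is the account holder, and specify in step 10 which address the password is sent to rather than replying to the request. The front matter `title: Duty Rota` does not match the heading "YJAF AWS Account Password Resets". Step 8 refers to `Autogenerated password` while the creation page calls the same option `Auto generated password`; use whichever matches the console label in both. Steps 5 to 10 are missing full stops, unlike steps 1 to 4.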