
As ACF tech lead, I need all secret keys rotated and rotation steps updated #1493

Closed
13 of 14 tasks
ADPennington opened this issue Dec 14, 2021 · 6 comments · Fixed by #1912
Labels: compliance (OCIO-related compliance tasks), documentation, Refined (Ticket has been refined at the backlog refinement), security

Comments

@ADPennington
Collaborator

ADPennington commented Dec 14, 2021

We decided to close out the secret key mitigation epic for release 1 after manual steps for rotating secret keys are centrally documented. In a future release we will revisit discussion for a more automated solution for rotating these keys.

Currently, there are only a couple of keys that require rotation on a quarterly basis:

  • jwt key for login.gov -- the rotation steps are documented here. These steps should be reviewed, updated if needed, and followed.
  • django secret key - the rotation steps are not yet documented in the repo
  • ams secret key for ACF AMS - the rotation steps are not yet documented in the repo

Since there are only a couple, and in an effort to keep the number of markdowns down to what is necessary, we can update the existing markdown to be inclusive of all these keys.

ACs:

  • steps for rotating django secret key added to README
  • steps for jwt_key rotation are up-to-date
  • steps for ams rotation added to README
  • django secret keys rotated
  • jwt_keys rotated
  • ams keys rotated
  • no breaking changes apparent in TDP app deployment
  • Testing Checklist has been run and all tests pass

Tasks:

  • steps for rotating django secret key added to md
  • rotate django secret key
  • review steps for jwt_key rotation to confirm they are up-to-date for logingov prod env
  • rotate jwt_keys
  • steps for rotating ams keys added to md
  • rotate ams keys

Notes:

  • see comment
  • We should prioritize ensuring that the authentication services are working properly in production before rotating those keys.
  • hackmd
@ADPennington ADPennington added documentation security compliance OCIO-related compliance tasks labels Dec 14, 2021
@ADPennington ADPennington changed the title As ACF tech lead, I need secret key rotation doc(s) updated As ACF tech lead, I need all secret keys rotated and rotation steps updated Dec 22, 2021
@ADPennington ADPennington changed the title As ACF tech lead, I need all secret keys rotated and rotation steps updated As ACF tech lead, I need all secret keys rotated and rotation steps updated Dec 22, 2021
@valcollignon

Discuss the priority of this alongside the update to where to store secret key markdown. Talk about at next tech sync on Friday 1.7.
CC: @abottoms-coder @ADPennington

@valcollignon

@ADPennington and @abottoms-coder to sync on this issue at next tech sync to pull into next sprint. Per backlog refinement 1.25.22

@stevenino

This ticket is still required for epic #972 but it does not have to be completed as part of v1.0. It can be done as part of a supplemental release.

@stevenino

Likely waiting for NexGen XMS to complete.

@ADPennington
Collaborator Author

this will probably be closed but will revisit after decision is made on login.gov vs nextgen. #1818 is updating this for login.gov.

@ADPennington
Collaborator Author

Actually, never mind the above note 😄

We have at least 3 sets of secret keys that we need to ensure are rotated quarterly:

  1. django secret key -- this is dynamically generated since Issue 967: Dynamically generate DJANGO_SECRET_KEY for initial deployments #1151, so all that needs to be done to rotate it is to re-run the deployment workflow in CircleCI (I tested this in staging to be sure)
  2. jwt key --this documentation has been updated via Updating rotation steps after working on JWT keys #1818 and captures the process for the logingov sandbox env. We will revisit these steps if the rotation process is different in logingov prod env.
  3. ams key -- the ACF AMS Ops team manages these credentials and we will need to submit a service request ticket when we need keys rotated.

This issue's description has been updated to capture goals to document the rotation steps for these keys.

@stevenino stevenino added the Refined Ticket has been refined at the backlog refinement label Jun 10, 2022
@ADPennington ADPennington self-assigned this Jun 27, 2022