From d2ab8cf2c36754a3f2e25f86e3c3b5660a2f300c Mon Sep 17 00:00:00 2001 From: Tim Cheung <152907271+timckt@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:54:19 +0000 Subject: [PATCH 1/4] update the guide for modifying external user permission on aws console --- .../source/aws-access-control.html.md.erb | 125 ++++++++++++++++++ runbooks/source/aws-create-user.html.md.erb | 46 ------- 2 files changed, 125 insertions(+), 46 deletions(-) create mode 100644 runbooks/source/aws-access-control.html.md.erb delete mode 100644 runbooks/source/aws-create-user.html.md.erb diff --git a/runbooks/source/aws-access-control.html.md.erb b/runbooks/source/aws-access-control.html.md.erb new file mode 100644 index 00000000..8bf03f79 --- /dev/null +++ b/runbooks/source/aws-access-control.html.md.erb 
@@ -0,0 +1,125 @@ +--- +title: AWS Console Access +weight: 115 +last_reviewed_on: 2023-11-20 +review_in: 6 months +--- + +# AWS Console Access + +New joiners for Cloud platform team will need AWS Console access for most things. IAM resources (users, groups, roles, etc) are managed by terraform so new users are nothing more than new resources **in terraform**. + +Related repositories: + + - [cloud-platform-infrastructure (/terraform/aws-accounts/cloud-platform-aws/account)](https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/account) + + - [cloud-platform-terraform-awsaccounts-iam][awsaccounts-iam] + + - [terraform-aws-iam module](https://github.com/terraform-aws-modules/terraform-aws-iam) + +## Steps to create/delete Cloud Platform team users + +1) Check the user is in the [webops GitHub team](https://github.com/orgs/ministryofjustice/teams/webops/members), which authorizes access to this AWS account. + +2) Create a git branch and add (or delete) the user as [terraform code][awsaccounts-iam]. Do not forget to link the user to a group. + +3) Using `terraform plan` in `cloud-platform-infrastructure/terraform/cloud-platform-account/` to verify you're happy with the terraform changes. + +4) Create the PR, ask the team to review it, and merge it. + +5) [Create a release](https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/releases). + +6) In the infrastructure repository, edit [the terraform config that calls that module](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf#L44), to use the new release - see [example](https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/938/files) + +7) Create the PR, ask the team to review it, and merge it. + +8) Apply the changes. + +9) Verify the user is created. (You can use AWS Console for this.) 
+ +10) Tell them they can login here: https://aws-login.cloud-platform.service.justice.gov.uk + +## Activating MFA for new users + +Unfortunataly terraform can't activate MFA for users, this process must be done done manually either [through AWS Console (UI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) or [through the AWS CLI](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html). + +## Modifying external user permissions + +This part is the guideline for hanlding requests arise to modify AWS resource permissions on AWS console for users outside the Cloud Platform Team, such as granting read access to ElastiCache for external user. + +Related resouce: + + - [cloud-platform-infrastructure (/terraform/aws-accounts/cloud-platform-aws/account)](https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/account) + + - [cloud-platform-terraform-aws-sso] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso) + + - Make sure you have the MoJ 1Password access + +1) Have a discussion within the Cloud Platform Team to assess and agree on the requested permission changes. + +2) Navigate to the [cloud-platform-terraform-aws-sso] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso) to update or create a new Terraform file (e.g. elasticache.tf) with the new IAM policy for the specified resource. + +3) For the newly added resource, modify the [aws.tf] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/blob/main/aws.tf) to include the new policy in the latest `data "aws_iam_policy_document" "combined"` block. + +4) Create the PR and request a review from the team. + +5) Create a [new release] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/releases). 
+ +6) In the [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure), go to [terraform/aws-accounts/cloud-platform-aws/account/main.tf] (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf), bump and update the sso module version to the newly released version. + +7) Create a PR for the module update, monitor and observe the `terraform plan` result. + +8) Request a review from the team, and merge it. + +10) Use the cloud-platform-dummy-user with the credentials from MoJ 1Password to verify the newly granted access on [the AWS console] (https://justice-cloud-platform.eu.auth0.com/samlp/mQev56oEa7mrRCKAZRxSnDSoYt6Y7r5m?connection=github). + +11) Once verified, inform the user/requester that the permissions have been updated accordingly. + +### Troubleshooting for modifying external user permissions + +Sometimes when you add the newly created resource to the `data "aws_iam_policy_document" "combined"` block, you may see the below error. This is because there is a limitation of 6144 characters per managed policy. + +``` +│ Error: updating IAM Policy (arn:aws:iam::754256621582:policy/access-via-github): LimitExceeded: Cannot exceed quota for PolicySize: 6144 +│ status code: 409, request id: 63ce8d71-4992-4043-a656-a67be75210a7 +``` +To solve this error, you may follow the below steps. + +1) Go to the [aws.tf] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/blob/main/aws.tf), create a new AWS IAM Policy document block `data "aws_iam_policy_document" "combined_x"` with next numerical suffix pattern. + +``` +data "aws_iam_policy_document" "combined_x" { + source_policy_documents = [ + data.aws_iam_policy_document.elasticache_for_github.json, + ] +} +``` + +2) Create a new AWS IAM policy block `resource "aws_iam_policy" "github_access_x"` with next numerical suffix pattern. 
+ +``` +resource "aws_iam_policy" "github_access_x" { + policy = data.aws_iam_policy_document.combined_x.json + name = "access-via-github-0x" + tags = { + GithubTeam = "webops" + } +} +``` + +3) Create a new AWS IAM policy attachment block `resource "aws_iam_role_policy_attachment" "github_access_x"` with next numerical suffix pattern. + +``` +resource "aws_iam_role_policy_attachment" "github_access_x" { + role = aws_iam_role.github_access.name + policy_arn = aws_iam_policy.github_access_x.arn +} +``` + +4) Create the PR and request a review from the team. + +5) Create a [new release] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/releases). + +6) Follow the steps 6-10 in [Modifying External User Permissions] (#modifying-external-user-permissions) to make changes on [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure). + +[awsaccounts-iam]: https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/blob/main/main.tf diff --git a/runbooks/source/aws-create-user.html.md.erb b/runbooks/source/aws-create-user.html.md.erb deleted file mode 100644 index 3c15dc8d..00000000 --- a/runbooks/source/aws-create-user.html.md.erb +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: AWS Console Access -weight: 115 -last_reviewed_on: 2023-11-20 -review_in: 6 months ---- - -# AWS Console Access - -New joiners for Cloud platform team will need AWS Console access for most things. IAM resources (users, groups, roles, etc) are managed by terraform so new users are nothing more than new resources **in terraform**. - -Related repositories: - - - [cloud-platform-infrastructure (/terraform/cloud-platform-account)](https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/account) - - - [cloud-platform-terraform-awsaccounts-iam][awsaccounts-iam] - - - [terraform-aws-iam module](https://github.com/terraform-aws-modules/terraform-aws-iam) - -## Steps to create/delete users - -1) Check the user is in the [webops GitHub team](https://github.com/orgs/ministryofjustice/teams/webops/members), which authorizes access to this AWS account. - -2) Create a git branch and add (or delete) the user as [terraform code][awsaccounts-iam]. Do not forget to link the user to a group. - -3) Using `terraform plan` in `cloud-platform-infrastructure/terraform/cloud-platform-account/` to verify you're happy with the terraform changes. - -4) Create the PR, ask the team to review it, and merge it. - -5) [Create a release](https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/releases). - -6) In the infrastructure repo, edit [the terraform config that calls that module](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf#L44), to use the new release - see [example](https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/938/files) - -7) Create the PR, ask the team to review it, and merge it. - -8) Apply the changes. - -9) Verify the user is created. (You can use AWS Console for this.) 
- -10) Tell them they can login here: https://aws-login.cloud-platform.service.justice.gov.uk - -## Activating MFA for new users - -Unfortunataly terraform can't activate MFA for users, this process must be done done manually either [through AWS Console (UI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) or [through the AWS CLI](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html). - -[awsaccounts-iam]: https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/blob/main/main.tf From fcb33754663a112873e88d1bb3ded804772f62e8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 16 Feb 2024 14:55:49 +0000 Subject: [PATCH 2/4] Commit changes made by code formatters --- runbooks/source/aws-access-control.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runbooks/source/aws-access-control.html.md.erb b/runbooks/source/aws-access-control.html.md.erb index 8bf03f79..a58f7fe9 100644 --- a/runbooks/source/aws-access-control.html.md.erb +++ b/runbooks/source/aws-access-control.html.md.erb @@ -67,7 +67,7 @@ Related resouce: 6) In the [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure), go to [terraform/aws-accounts/cloud-platform-aws/account/main.tf] (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf), bump and update the sso module version to the newly released version. -7) Create a PR for the module update, monitor and observe the `terraform plan` result. +7) Create a PR for the module update, monitor and observe the `terraform plan` result. 8) Request a review from the team, and merge it. From 885f408bf6318f25ea60e96049f0c29a00bc365f Mon Sep 17 00:00:00 2001 
From: Tim Cheung <152907271+timckt@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:34:35 +0000 Subject: [PATCH 3/4] use more appropriate wording and update review date --- runbooks/source/aws-access-control.html.md.erb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/runbooks/source/aws-access-control.html.md.erb b/runbooks/source/aws-access-control.html.md.erb index a58f7fe9..45dbb120 100644 --- a/runbooks/source/aws-access-control.html.md.erb +++ b/runbooks/source/aws-access-control.html.md.erb @@ -1,7 +1,7 @@ --- title: AWS Console Access weight: 115 -last_reviewed_on: 2023-11-20 +last_reviewed_on: 2024-02-16 review_in: 6 months --- @@ -43,9 +43,9 @@ Related repositories: Unfortunataly terraform can't activate MFA for users, this process must be done done manually either [through AWS Console (UI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) or [through the AWS CLI](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html). -## Modifying external user permissions +## Modifying Cloud Platform users permissions -This part is the guideline for hanlding requests arise to modify AWS resource permissions on AWS console for users outside the Cloud Platform Team, such as granting read access to ElastiCache for external user. +This part is the guideline for handling requests arise to add or modify read only access to any aws resources that are created for Cloud Platform users. Related resouce: 
@@ -67,7 +67,7 @@ Related resouce: 6) In the [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure), go to [terraform/aws-accounts/cloud-platform-aws/account/main.tf] (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf), bump and update the sso module version to the newly released version. -7) Create a PR for the module update, monitor and observe the `terraform plan` result. +7) Create a PR for the module update, monitor and observe the `terraform plan` result. 8) Request a review from the team, and merge it. @@ -75,12 +75,12 @@ Related resouce: 11) Once verified, inform the user/requester that the permissions have been updated accordingly. -### Troubleshooting for modifying external user permissions +### Troubleshooting for modifying Cloud Platform users permissions Sometimes when you add the newly created resource to the `data "aws_iam_policy_document" "combined"` block, you may see the below error. This is because there is a limitation of 6144 characters per managed policy. ``` -│ Error: updating IAM Policy (arn:aws:iam::754256621582:policy/access-via-github): LimitExceeded: Cannot exceed quota for PolicySize: 6144 +│ Error: updating IAM Policy (arn:aws:iam::xxxxxxxxxxxx:policy/access-via-github): LimitExceeded: Cannot exceed quota for PolicySize: 6144 │ status code: 409, request id: 63ce8d71-4992-4043-a656-a67be75210a7 ``` To solve this error, you may follow the below steps. From ac3b4de10cf3d76ac8683c8b6548e917fddb3142 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 16 Feb 2024 15:35:13 +0000 Subject: [PATCH 4/4] Commit changes made by code formatters --- runbooks/source/aws-access-control.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runbooks/source/aws-access-control.html.md.erb b/runbooks/source/aws-access-control.html.md.erb index 45dbb120..43186a14 100644 
--- a/runbooks/source/aws-access-control.html.md.erb +++ b/runbooks/source/aws-access-control.html.md.erb @@ -67,7 +67,7 @@ Related resouce: 6) In the [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure), go to [terraform/aws-accounts/cloud-platform-aws/account/main.tf] (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf), bump and update the sso module version to the newly released version. -7) Create a PR for the module update, monitor and observe the `terraform plan` result. +7) Create a PR for the module update, monitor and observe the `terraform plan` result. 8) Request a review from the team, and merge it.
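Review bot: in the new-file hunk of patch 1 (`+++ b/runbooks/source/aws-access-control.html.md.erb`), every link in the "Modifying external user permissions" and "Troubleshooting" sections has a space between `]` and `(`, e.g. `[cloud-platform-terraform-aws-sso] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso)`, so Markdown renders the bracketed text literally instead of as a link; remove the space in each occurrence. The numbered steps in that section also jump from `8)` to `10)`, and unlike the user-creation list above there is no "Apply the changes" step between merging the module bump and verifying on the console; either renumber or add the apply step, and keep the "Follow the steps 6-10" cross-reference in the troubleshooting section in sync. Step 3 of the user-creation list still says to run `terraform plan` in `cloud-platform-infrastructure/terraform/cloud-platform-account/` while the related-repositories link and step 6 point at `terraform/aws-accounts/cloud-platform-aws/account`; since this file is a rename-plus-extend of `aws-create-user.html.md.erb`, this is the moment to fix the stale path, along with "Unfortunataly" and "done done" in the MFA section and "Related resouce". On the `LimitExceeded` explanation, two caveats the next reader will want: the 6,144-character managed policy quota is counted without whitespace, so reformatting the JSON buys no room, and each additional `combined_x` / `github_access_x` pair consumes one of the managed policies that can be attached to the role (10 by default, raisable to 20), so consolidating statements is the better long-term fix than adding a third or fourth policy; the sample `name = "access-via-github-0x"` should also show the real suffix pattern so nobody copies `0x` literally. Finally, step 10 verifies the grant by logging in as the shared `cloud-platform-dummy-user`; since the intent is read access, state that verification means the dummy user can read the resource and still cannot modify it, because a successful read alone does not show the policy is scoped correctly.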
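Review bot: the deleted-file hunk of patch 1 (`--- a/runbooks/source/aws-create-user.html.md.erb` / `+++ /dev/null`) removes a page that other runbooks and bookmarks may link to by its old path; the commit message does not say whether a redirect from the old page to `aws-access-control` was added, and if the site has no redirect mechanism the PR description should at least list the pages that linked here so they can be updated in the same change.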
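Review bot: the `@@ -43,9 +43,9 @@` hunk of patch 3 renames the heading to `## Modifying Cloud Platform users permissions`, but the in-page link at the end of the troubleshooting section still points at `#modifying-external-user-permissions`; that line is outside this hunk and is now a dangling anchor, so update it to the new slug in the same commit. The new heading and sentence also want tidying: "users permissions" should be "users' permissions", and "requests arise to add or modify read only access to any aws resources that are created for Cloud Platform users" reads better as "requests that arise to add or modify read-only access to AWS resources created for Cloud Platform users"; the "Related resouce:" context line directly below is still misspelt.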
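Review bot: the `@@ -67,7 +67,7 @@` hunk of patch 3 undoes the formatter commit from patch 2: the `-7) Create a PR for the module update...` / `+7) Create a PR for the module update...` pair differs only in trailing whitespace, which is why the bot has to strip it again in patch 4. Run the formatter locally (or rebase onto the bot commit) before pushing, and squash the four commits so the merged history holds one logical change rather than two formatter round-trips.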
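Review bot: in the `@@ -75,12 +75,12 @@` hunk of patch 3, masking the account ID in the sample error (`arn:aws:iam::754256621582:policy/access-via-github` becomes `arn:aws:iam::xxxxxxxxxxxx:policy/access-via-github`) is the right call, but the unmasked value remains in patch 1 and will survive in git history once the series is merged as-is; squash the series or amend the first commit so the real ID never lands on the main branch. The `request id: 63ce8d71-...` line adds nothing for the reader and can be dropped from the sample at the same time.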