Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature/rotate testing ci creds #2837

Merged
merged 2 commits into from
Dec 15, 2022
Merged

feature/rotate testing ci creds #2837

merged 2 commits into from
Dec 15, 2022

Conversation

julialawrence
Copy link
Contributor

@julialawrence julialawrence commented Dec 15, 2022
edited
Loading

Relevant Issue: #2576

The resources relating to the testing-ci user, policies, secrets and keys have been moved to the GitHub folder because that is where they're chiefly consumed. Managing the aws access keys of the testing-ci user in the same folder where the github secrets are managed minimises the chance of drift between the actual key values and the contents of the github secrets.

The rotation works as follows:

  • A time_rotating resource is created which (right now) is set to recreate every 30 minutes but once tested will recreate every 7 days.
  • Due to this issue, the time_rotating resource can't trigger a recreation of another resource directly. Therefore an intermediate time_static resource is required which is changed rather than recreated every rotation period.
  • The time_static resource is linked to the aws_iam_access_key resource via a replace_triggered_by lifecycle rule, triggering a replace operation every rotation period.
  • The github secrets which consume the values of the access key resource via the secrets_manager_secret_version are recreated at the same time.
  • The github workflow will be modified to run every 7 days to make sure that the code is run at least once during each rotation period and triggers the key rotation

Changes:

  • Adding the code for the management and rotation of testing-ci user credentials. The rotation period is controlled via time_rotating resource but the replace_triggered_by lifecycle condition is triggered by the time_static resource due to the current implementation of teh time_rotating resource. Relevant resources have been manually imported into the github state.
  • Removing testing-ci user code and related resources from the testing folder. The resources have been manually removed from the state.

To do:

  • Fix tagging
  • Amend README
  • Set the rotation period to 7 days
  • Add schedule to github workflow

@julialawrence
Adding the code for the management and rotation of testing-ci user cr…
d277861 
…edentials. The rotation period is controlled via time_rotating resource but the replace_triggered_by lifecycle condition is triggered by the time_static resource due to the current implementation of teh time_rotating resource. Relevant resources have been manually imported into the github state.
@julialawrence
Removing testing-ci user code and related resources from the testing …
51a430d 
…folder. The resources have been manually removed from the state.
@julialawrence julialawrence requested a review from a team as a code owner December 15, 2022 10:38
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output 
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

davidkelliott
davidkelliott approved these changes Dec 15, 2022
View reviewed changes
Copy link
Contributor

@davidkelliott davidkelliott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! I'm going to close of sooo many risk register issues now :D

@julialawrence julialawrence merged commit 898a288 into main Dec 15, 2022
@julialawrence julialawrence deleted the feature/rotate-testing-ci-creds branch December 15, 2022 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidkelliott davidkelliott davidkelliott approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@julialawrence @davidkelliott