Fix Service Account Module
Background
Having identified the Kubernetes 1.27 legacy-token warning issue with our implementation of the Terraform service account module (the API server treats a token Secret that the ServiceAccount lists under its `secrets` field as an auto-generated legacy token, and warns whenever such a token is used):
https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#auto-generated-legacy-serviceaccount-token-clean-up
We have a branch which removes the secret reference from inside the service account resource, so the token Secret is treated as manually created rather than auto-generated:
https://github.com/ministryofjustice/cloud-platform-terraform-serviceaccount/tree/remove-sa-secret-ref
This has been tested on our abundant namespace; the token itself is unchanged, only the ServiceAccount's reference to the Secret goes.
We are now waiting for Peter Phillips to test this branch against some of his workloads to verify that it resolves his CircleCI warning issues. He has a merged PR completed here, but still needs to run a pipeline in CircleCI following the switch. He will be in touch with the team in the week starting 2/4, after the bank holiday weekend.
Then we can cut a new release and roll it out.
NOTE: once this change goes in, we need to ensure that the module-managed token Secrets are no longer treated as auto-generated legacy tokens. Check this by rotating a secret with the module, having a user trigger a CircleCI run, and verifying that the ServiceAccount no longer lists the Secret under `.secrets` and that the run does not emit the API server warning `Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens`. Record the Secret's labels before and after the run as well, in particular whether
labels:
  kubernetes.io/legacy-token-last-used: "2024-**-**"
is added to the token-containing Secret. Bear in mind that the API server stamps this last-used label on any secret-based token it validates, whether or not the ServiceAccount references it, so the label on its own does not show the fix has failed; the absence of the warning is the decisive check.
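As an added example (not code from the module, the page or the Kubernetes project), the following Python encodes the rule from the linked docs and the post-rollout check above: a token Secret is "auto-generated" only if the ServiceAccount lists it under `.secrets`, the tracking labels are read off the Secret, and pipeline stderr is scanned for the API server warning. The ServiceAccount, Secret and log text are constructed samples shaped like `kubectl get -o json` output and kubectl stderr; the names `circleci`, `example-dev` and `circleci-token-abc12` are hypothetical.

```python
"""Classify a ServiceAccount token Secret the way the kube-apiserver does.

Added example, not code from cloud-platform-terraform-serviceaccount.
Rule from the Kubernetes docs on legacy token clean-up: a
kubernetes.io/service-account-token Secret referenced from the owning
ServiceAccount's .secrets list is an *auto-generated* legacy token (warned
about when used, eligible for clean-up); otherwise it is a *manually
created* legacy token. All objects below are constructed samples.
"""

LAST_USED_LABEL = "kubernetes.io/legacy-token-last-used"
INVALID_SINCE_LABEL = "kubernetes.io/legacy-token-invalid-since"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
TOKEN_SECRET_TYPE = "kubernetes.io/service-account-token"
AUTO_GENERATED_WARNING = (
    "Use tokens from the TokenRequest API or manually created secret-based "
    "tokens instead of auto-generated secret-based tokens."
)

# Constructed: the ServiceAccount as the module created it before the fix,
# with the token Secret referenced under .secrets (hypothetical names).
SA_BEFORE = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "circleci", "namespace": "example-dev"},
    "secrets": [{"name": "circleci-token-abc12"}],
}
# Constructed: the same ServiceAccount after the secret reference is removed.
SA_AFTER = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "circleci", "namespace": "example-dev"},
}
# Constructed: the long-lived token Secret, already stamped by token tracking.
TOKEN_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "type": TOKEN_SECRET_TYPE,
    "metadata": {
        "name": "circleci-token-abc12", "namespace": "example-dev",
        "annotations": {SA_NAME_ANNOTATION: "circleci"},
        "labels": {LAST_USED_LABEL: "2024-04-02"},
    },
}
# Constructed: kubectl stderr from a pipeline step on a 1.27+ cluster.
PIPELINE_LOG = (
    "Warning: Use tokens from the TokenRequest API or manually created "
    "secret-based tokens instead of auto-generated secret-based tokens.\n"
    "deployment.apps/web configured\n"
)


def is_token_for(secret, service_account):
    """True if `secret` is a long-lived token Secret bound to `service_account`."""
    meta = secret.get("metadata", {})
    return (
        secret.get("type") == TOKEN_SECRET_TYPE
        and meta.get("namespace") == service_account["metadata"]["namespace"]
        and meta.get("annotations", {}).get(SA_NAME_ANNOTATION)
        == service_account["metadata"]["name"]
    )


def is_auto_generated(service_account, secret):
    """The apiserver's test: referenced from .secrets means auto-generated."""
    name = secret["metadata"]["name"]
    return any(ref.get("name") == name for ref in service_account.get("secrets", []))


def classify(service_account, secret):
    """'auto-generated', 'manually-created', or not a token for this SA at all."""
    if not is_token_for(secret, service_account):
        return "not-a-token-for-this-sa"
    return "auto-generated" if is_auto_generated(service_account, secret) else "manually-created"


def legacy_tracking(secret):
    """Tracking labels the apiserver / token cleaner may have put on the Secret."""
    labels = secret.get("metadata", {}).get("labels", {})
    return {"last_used": labels.get(LAST_USED_LABEL),
            "invalid_since": labels.get(INVALID_SINCE_LABEL)}


def auto_generated_warnings(log_text):
    """Lines of client stderr that carry the auto-generated token warning."""
    return [line for line in log_text.splitlines() if AUTO_GENERATED_WARNING in line]


def verify_fix(service_account, secret, log_text):
    """Post-rollout check: SA no longer references the Secret and the run warned nothing."""
    return (classify(service_account, secret) == "manually-created"
            and not auto_generated_warnings(log_text))


if __name__ == "__main__":
    print("before:", classify(SA_BEFORE, TOKEN_SECRET), legacy_tracking(TOKEN_SECRET))
    print("after: ", classify(SA_AFTER, TOKEN_SECRET))
    print("warnings in constructed log:", len(auto_generated_warnings(PIPELINE_LOG)))
```

Against a real cluster the two inputs would come from `kubectl get sa <name> -o json` and `kubectl get secret <name> -o json` in the user's namespace, and the log text from the CircleCI step output; the labels are reported rather than asserted on, since the last-used stamp is applied to manually created tokens too.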
Proposed user journey
Approach
Which part of the user docs does this impact
Communicate changes
- [ ] post for #cloud-platform-update
- [ ] Weeknotes item
- [ ] Show the Thing/P&A All Hands/User CoP
- [ ] Announcements channel
Questions / Assumptions
Definition of done
- [ ] readme has been updated
- [ ] user docs have been updated
- [ ] another team member has reviewed
- [ ] smoke tests are green
- [ ] prepare demo for the team