modernisation-platform
Update member workflow files to use OIDC
User Story
Following on from https://github.com/ministryofjustice/modernisation-platform/issues/2038, make the same changes across all the remaining member github workflow files.
https://github.com/ministryofjustice/modernisation-platform-environments/blob/main/.github/workflows/sprinkler.yml
See branch here for spike implementation - https://github.com/ministryofjustice/modernisation-platform-environments/blob/features/oidc/.github/workflows/sprinkler.yml
And readme here - https://github.com/ministryofjustice/modernisation-platform/files/9140446/open-id-connect-with-terraform.md
Both the plan and apply jobs should be updated to use the OIDC provider, and the AWS credentials removed from the environment variables.
User Type(s)
Member users using the workflow
Value
Allows credentials to be replaced with the OIDC provider temporary credentials for more secure actions.
Questions / Assumptions / Hypothesis
Definition of done
- [ ] update the workflow file
- [ ] another team member has reviewed
Reference
https://github.com/ministryofjustice/modernisation-platform/issues/1975
We'll want to review our documentation once OIDC is in use - https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/deploying-your-application.html makes reference to using AWS credentials
Need to update with latest template of workflow
Should we call out any actions/involvement we'll need from engineers in tenant teams in order to complete this ticket? Also, do we need a list of which tenants we'll be doing specifically and in which order?
This ticket is to be done at the same time as ticket 2050 - https://github.com/ministryofjustice/modernisation-platform/issues/2350
@seanprivett Maybe something like this in the mod-platform-update channel?:
Update of Member Workflow Files for OIDC and improved user experience :robot_face:
Hi everyone, the Mod Platform team will be upgrading the environments repo workflow files to use OIDC instead of static AWS credentials for authentication as well as updating the files for improved user experience.
Things to know :point_down:
When? Next sprint, which starts on October 4th
How will it affect you? Hopefully not at all. We will let you know if any refactoring is required.
Is there anything customers/tenants need to do? You’ll need to be aware that Mod platform team will need to adjust some of your terraform code to allow you to continue to use local plans, and we’ll need to update our github actions workflow files to improve user experience and remove static credentials.
Hopefully it won’t affect your day to day work, but if you have any questions please contact us in the #ask-modernisation-platform channel.
OIDC PRs now approved and merged:
https://github.com/ministryofjustice/modernisation-platform-environments/pull/949
https://github.com/ministryofjustice/modernisation-platform-environments/pull/950
https://github.com/ministryofjustice/modernisation-platform-environments/pull/952
https://github.com/ministryofjustice/modernisation-platform-environments/pull/953
https://github.com/ministryofjustice/modernisation-platform-environments/pull/954
https://github.com/ministryofjustice/modernisation-platform-environments/pull/955
https://github.com/ministryofjustice/modernisation-platform-environments/pull/956
https://github.com/ministryofjustice/modernisation-platform-environments/pull/957
https://github.com/ministryofjustice/modernisation-platform-environments/pull/958
https://github.com/ministryofjustice/modernisation-platform-environments/pull/959
https://github.com/ministryofjustice/modernisation-platform-environments/pull/960
https://github.com/ministryofjustice/modernisation-platform-environments/pull/963
https://github.com/ministryofjustice/modernisation-platform-environments/pull/964
Updates to template files so new accounts get new versions of the workflow files:
https://github.com/ministryofjustice/modernisation-platform/pull/2378
The documentation for running local plans has been updated.
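A check for the ticket's requirement that both the plan and apply jobs use OIDC with the AWS credentials removed, as an added example that is not part of the original thread or the project's code: it scans workflow text job by job for leftover static AWS key variables, a missing `role-to-assume`, or a missing `id-token: write` permission. The sample workflow, role ARN and secret names are constructed, and the use of `aws-actions/configure-aws-credentials` with two-space job indentation is an assumption.

```python
import re

STATIC = re.compile(r"\bAWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)\b")
ID_TOKEN = re.compile(r"^\s*id-token:\s*write\s*$", re.M)
ROLE = re.compile(r"^\s*role-to-assume:\s*\S+", re.M)
JOB = re.compile(r"^  ([\w-]+):\s*$")  # assumption: job ids at two-space indent

# Constructed sample: plan is migrated to OIDC, apply still uses static keys.
SAMPLE = """\
permissions:
  id-token: write
jobs:
  plan:
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::111122223333:role/EXAMPLE-ROLE
  apply:
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: terraform apply
"""

def split_jobs(text):
    """Split workflow text into (top-level text, {job id: job text})."""
    top, jobs, current, in_jobs = [], {}, None, False
    for line in text.splitlines():
        if line[:1] not in ("", " ", "#"):  # a new top-level key ends any job
            in_jobs, current = line.rstrip() == "jobs:", None
        if in_jobs and (m := JOB.match(line)):
            current = m.group(1)
        target = jobs.setdefault(current, []) if current else top
        target.append(line)
    return "\n".join(top), {k: "\n".join(v) for k, v in jobs.items()}

def audit(text):
    """Return (scope, finding) pairs that block a clean OIDC cut-over."""
    top, jobs = split_jobs(text)
    findings = [("workflow", "static AWS keys")] if STATIC.search(top) else []
    for name, body in jobs.items():
        if STATIC.search(body):
            findings.append((name, "static AWS keys"))
        if not ROLE.search(body):
            findings.append((name, "no role-to-assume"))
        elif not (ID_TOKEN.search(top) or ID_TOKEN.search(body)):
            findings.append((name, "id-token: write missing"))
    return findings
```

`audit(SAMPLE)` flags only the `apply` job, which is the partially migrated state the "both the plan and apply jobs" wording is meant to rule out.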