modernisation-platform
Change core platform to use OIDC instead of credentials
User Story
This ticket needs to be broken down into the following -
- Create OIDC provider using the module
- Update each terraform in the core repo to:
  - ensure the action can assume the required roles
  - update providers if needed
  - update the workflow file
- test pipeline and locally running
User Type(s)
Value
Questions / Assumptions / Hypothesis
Definition of done
- [ ] readme has been updated
- [ ] user docs have been updated
- [ ] another team member has reviewed
- [ ] tests are green
- [ ] UR test OR added to continual research plan
Reference
https://github.com/ministryofjustice/modernisation-platform/issues/1975
Using a different approach from the environments: one OIDC provider in modernisation platform account with the same permissions as the main ci user which will assume roles in core accounts. Alternative required either a different provider configuration for local plans/applies (not really viable) or substantial reworking of the IAM components in core accounts and main MP account.
Single OIDC provider also simplifies the conversion substantially for core accounts. Requires no terraform code changes in the core accounts, just refactoring the workflow files to use OIDC.
Relevant PRs:
https://github.com/ministryofjustice/modernisation-platform/pull/2392 (and the fix: https://github.com/ministryofjustice/modernisation-platform/pull/2393) for adding OIDC provider and refactoring core security workflow.
https://github.com/ministryofjustice/modernisation-platform/pull/2386 for adding MP environment secret to MP repo.
OIDC module:
https://github.com/ministryofjustice/modernisation-platform-github-oidc-provider/pull/8 -- fixing go tests
https://github.com/ministryofjustice/modernisation-platform-github-oidc-provider/pull/9 -- Adding managed policies var in order to configure the github-actions role with similar permissions to the ci user.
Additionally, as part of this work, got the opportunity to test an OIDC usecase for providing limited access to only one account and a different repo:
Relevant PRs:
https://github.com/ministryofjustice/modernisation-platform/pull/2391
And consumption:
https://github.com/ministryofjustice/modernisation-platform-instance-scheduler/pull/4
It might be worth a think if this is actually a usecase we might want to support going forward instead of using member-ci creds.
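How the single-provider design above, and the limited-access usecase for one account and one repo, can be expressed in a trust policy. This is an added example, not the platform's own module code: the role name, the core role name, the account-id variable and the thumbprint are placeholders, and the `sub` pattern is the part a reviewer should check, because it decides which repositories (and optionally branches) may assume the role.

```hcl
# Added example (not the modernisation-platform module): GitHub OIDC provider
# plus a role that only trusts tokens from one repository, and may assume a
# named role in a fixed list of core accounts. Values marked PLACEHOLDER are
# assumed, not taken from the platform.
variable "core_account_ids" { type = list(string) } # PLACEHOLDER: core account ids
variable "core_role_name" { type = string }         # PLACEHOLDER: role in core accounts
variable "github_thumbprint" { type = string }      # PLACEHOLDER: provider CA thumbprint

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [var.github_thumbprint]
}

# Trust policy: audience must be STS, and the subject must come from one repo.
# Tighten the sub value to ":ref:refs/heads/main" to restrict to a branch;
# that also blocks plans on pull_request events, which carry a different sub.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:ministryofjustice/modernisation-platform:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "github-actions" # PLACEHOLDER name
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

# Permission side: only sts:AssumeRole into the named role in listed accounts,
# no wildcard account, so the blast radius is the core accounts and nothing else.
data "aws_iam_policy_document" "assume_core" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [for id in var.core_account_ids : "arn:aws:iam::${id}:role/${var.core_role_name}"]
  }
}

resource "aws_iam_role_policy" "assume_core" {
  name   = "assume-core-roles"
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.assume_core.json
}
```

The workflow side then only needs `permissions: id-token: write` and a credentials step that assumes `github-actions`; the core accounts' own trust policies still name the role ARN in the MP account, which is why no terraform change is needed there.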