modernisation-platform
Investigate automatic secrets rotation with AWS Secrets Manager
We should investigate the possibility of automating our secrets rotation in AWS Secrets Manager. We currently hold two sets of secrets, and both of the services they are for provide APIs to update tokens.
From an initial read this would require some Lambda to properly implement:
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-generic
- https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRotationTemplate/lambda_function.py
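To make the linked generic template concrete, here is an added worked example (not code from this repository or from AWS) of the four-step flow that Secrets Manager drives: createSecret, setSecret, testSecret, finishSecret. `TokenApi` is a hypothetical stand-in for the upstream service's token API, `FakeSecretsManager` is a constructed in-memory stand-in for the boto3 `secretsmanager` client exposing only the calls used, and the ARN and token values are made up so the flow runs offline.

```python
"""Four-step rotation handler for an API token, in the shape Secrets Manager invokes.
Added illustrative example; `TokenApi` is a hypothetical upstream client and
`FakeSecretsManager` a constructed stand-in for boto3 so this runs offline."""
import json
import secrets


class TokenApi:
    """Hypothetical upstream service: register/validate/revoke API tokens (assumed API)."""

    def __init__(self):
        self.valid = set()

    def register(self, token):
        self.valid.add(token)

    def check(self, token):
        return token in self.valid

    def revoke(self, token):
        self.valid.discard(token)


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3's secretsmanager client (calls used below only)."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, initial_secret_string):
        self.versions = {"v0": {"SecretString": initial_secret_string, "stages": {"AWSCURRENT"}}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionStage=None, VersionId=None):
        for vid, d in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in d["stages"]):
                return {"VersionId": vid, "SecretString": d["SecretString"]}
        raise self.exceptions.ResourceNotFoundException(f"no version {VersionId}/{VersionStage}")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"SecretString": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":  # the real service re-labels the old version AWSPREVIOUS
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


def _load(sm, arn, **selector):
    return json.loads(sm.get_secret_value(SecretId=arn, **selector)["SecretString"])


def step_create(sm, api, arn, token):
    """createSecret: stage a new token as AWSPENDING; a retry must not mint a second one."""
    try:
        sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        return  # a previous attempt already staged a value for this ClientRequestToken
    except sm.exceptions.ResourceNotFoundException:
        pass
    new = dict(_load(sm, arn, VersionStage="AWSCURRENT"), api_token=secrets.token_urlsafe(32))
    sm.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(new),
                        VersionStages=["AWSPENDING"])


def step_set(sm, api, arn, token):
    """setSecret: make the pending token valid at the upstream service."""
    api.register(_load(sm, arn, VersionId=token, VersionStage="AWSPENDING")["api_token"])


def step_test(sm, api, arn, token):
    """testSecret: prove the pending token works before AWSCURRENT moves."""
    if not api.check(_load(sm, arn, VersionId=token, VersionStage="AWSPENDING")["api_token"]):
        raise RuntimeError("pending token rejected upstream; rotation aborted before promotion")


def step_finish(sm, api, arn, token):
    """finishSecret: promote AWSPENDING to AWSCURRENT, then revoke the old token upstream."""
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    if current_vid == token:
        return  # already promoted on an earlier attempt
    old_token = _load(sm, arn, VersionId=current_vid)["api_token"]
    sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                   MoveToVersionId=token, RemoveFromVersionId=current_vid)
    api.revoke(old_token)  # consumers still holding the old value now fail closed and must re-read


STEPS = {"createSecret": step_create, "setSecret": step_set,
         "testSecret": step_test, "finishSecret": step_finish}


def lambda_handler(event, context, sm=None, api=None):
    """Entry point with the event keys Secrets Manager sends: Step, SecretId, ClientRequestToken."""
    if sm is None:
        import boto3  # only needed when actually running in Lambda
        sm = boto3.client("secretsmanager")
    api = api or TokenApi()  # replace with the real upstream client in a deployment
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "noop"  # the template's guard: never rework a version that is already current
    STEPS[step](sm, api, arn, token)
    return step


def new_fixture(old_token="old-token"):
    """Constructed starting state: one AWSCURRENT version holding a token the upstream accepts."""
    api = TokenApi()
    api.register(old_token)
    return FakeSecretsManager(json.dumps({"api_token": old_token})), api


def run_rotation(sm, api, arn, token):
    """Drive the four steps in order, as the service would; return the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"Step": step, "SecretId": arn, "ClientRequestToken": token}, None, sm=sm, api=api)
    return _load(sm, arn, VersionStage="AWSCURRENT")


if __name__ == "__main__":
    sm, api = new_fixture()
    print(run_rotation(sm, api, "arn:aws:secretsmanager:eu-west-2:000000000000:secret:example", "v1"))
```

The two properties worth checking when reviewing a rotation Lambda are visible here: each step is idempotent (Secrets Manager retries steps, so createSecret must not mint a second token and finishSecret must not re-promote), and the old credential is only revoked after testSecret has proven the new one and the AWSCURRENT label has moved, so a failure in any earlier step leaves the live secret untouched.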
We think we are now 'credential free' once OIDC is complete, but we need a separate ticket to review whether these are the secrets we have: https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/rotating-secrets.html#introduction
Once that is done, we might be able to close this.
We have very few secrets, and most would require quite a lot of work to rotate. We now have a manual process in place for rotating, so closing this.