diff --git a/docs/runbook/continuous_delivery.md b/docs/runbook/continuous_delivery.md
new file mode 100644
index 000000000..4d38463d6
--- /dev/null
+++ b/docs/runbook/continuous_delivery.md
@@ -0,0 +1,17 @@
+# Cloud.gov Continuous Delivery
+
+We use a [cloud.gov service account](https://cloud.gov/docs/services/cloud-gov-service-account/) to deploy from this repository to cloud.gov with a SpaceDeveloper user.
+
+## Rotating Cloud.gov Secrets
+
+Make sure that you have cf v7 and not cf v8 as it will not work with this script.
+
+Secrets are set and rotated using the [cloud.gov secret rotation script](./scripts/rotate_cloud_secrets.sh).
+
+Prerequistes for running the script are installations of `jq`, `gh`, and the `cf` CLI tool.
+
+NOTE: Secrets must be rotated every 90 days. This script can be used for that routine rotation or it can be used to revoke and re-create tokens if they are compromised.
+
+## Github Action
+
+TBD info about how we are using the github action to deploy.
diff --git a/scripts/rotate_cloud_secrets.sh b/scripts/rotate_cloud_secrets.sh
new file mode 100755
index 000000000..68f5371dc
--- /dev/null
+++ b/scripts/rotate_cloud_secrets.sh
@@ -0,0 +1,38 @@
+# NOTE: This script does not work with cf v8. We recommend using cf v7 for all cloud.gov commands.
+if [ ! $(command -v gh) ] || [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then
+ echo "jq, cf, and gh packages must be installed. Please install via your preferred manager."
+ exit 1
+fi
+
+cf spaces
+read -p "Are you logged in to the dotgov-poc CF space above? (y/n) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+ cf login -a https://api.fr.cloud.gov --sso
+fi
+
+gh auth status
+read -p "Are you logged into a Github account with access to cisagov/dotgov? (y/n) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+ gh auth login
+fi
+
+echo "Great, removing and replacing Github CD account..."
+cf delete-service-key github-cd-account github-cd-key
+cf create-service-key github-cd-account github-cd-key
+cf service-key github-cd-account github-cd-key
+read -p "Please confirm we should set the above username and key to Github secrets. (y/n) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+ exit 1
+fi
+
+cf service-key github-cd-account github-cd-key | sed 1,2d | jq -r '[.username, .password]|@tsv' |
+while read -r username password; do
+ gh secret --repo cisagov/dotgov set CF_USERNAME --body $username
+ gh secret --repo cisagov/dotgov set CF_PASSWORD --body $password
+done
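Review bot: The two `gh secret set` calls at the end of the hunk expand `$username` and `$password` unquoted and hand the values to `--body` on the command line, so a value containing whitespace or glob characters is split or expanded before it reaches GitHub, and the password is readable from the local process list for as long as `gh` runs. Feeding each value over stdin with `printf '%s' "$password" | gh secret … set …` (which `gh secret set` accepts when `--body` is omitted) and splitting the `@tsv` record with `IFS=$'\t'` avoids both. The file is committed as mode 100755 but opens with a comment rather than a shebang and has no `set -euo pipefail`, even though the `[[ … =~ … ]]` tests are bash-only; as written, a failing `cf create-service-key` after the `cf delete-service-key` does not stop the script, which then carries on to overwrite the GitHub secrets with whatever the final pipeline produces. The `[ ! $(command -v gh) ]` prerequisite check also works only because `[ ! ]` with an empty substitution happens to be true; `command -v gh >/dev/null` is the direct form.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: cf v8 note, tool check, cf/gh login prompts, key rotation, confirmation …
cf service-key github-cd-account github-cd-key | sed 1,2d | jq -r '[.username, .password]|@tsv' |
while IFS=$'\t' read -r username password; do
  printf '%s' "$username" | gh secret --repo cisagov/dotgov set CF_USERNAME
  printf '%s' "$password" | gh secret --repo cisagov/dotgov set CF_PASSWORD
done
```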