zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-07-21 18:25:58 +02:00
Code Issues Projects Releases Packages Wiki Activity

add script for rotating cloud.gov secrets and runbook for description of script (#43)

Browse source 
* add script for rotating secrets and runbook for description of script

* add a note about why we rotate

* fix gh auth login if statement

* Update scripts/rotate_cloud_secrets.sh

Co-authored-by: Seamus Johnston <seamus.johnston@gsa.gov>

* add some comments about cf versions

Co-authored-by: Seamus Johnston <seamus.johnston@gsa.gov>
This commit is contained in:
Logan McDonald 2022-08-12 16:27:17 -04:00 committed by GitHub
parent 2fa2f33c3b
commit 0f5f6e24a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

17
docs/runbook/continuous_delivery.md Normal file
View file

@ -0,0 +1,17 @@
# Cloud.gov Continuous Delivery
We use a [cloud.gov service account](https://cloud.gov/docs/services/cloud-gov-service-account/) to deploy from this repository to cloud.gov with a SpaceDeveloper user.
## Rotating Cloud.gov Secrets
Make sure that you have cf v7 and not cf v8 as it will not work with this script.
Secrets are set and rotated using the [cloud.gov secret rotation script](./scripts/rotate_cloud_secrets.sh).
Prerequistes for running the script are installations of `jq`, `gh`, and the `cf` CLI tool.
NOTE: Secrets must be rotated every 90 days. This script can be used for that routine rotation or it can be used to revoke and re-create tokens if they are compromised.
## Github Action
TBD info about how we are using the github action to deploy.

38
scripts/rotate_cloud_secrets.sh Executable file
View file

@ -0,0 +1,38 @@
# NOTE: This script does not work with cf v8. We recommend using cf v7 for all cloud.gov commands.
if [ ! $(command -v gh) ] || [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then
echo "jq, cf, and gh packages must be installed. Please install via your preferred manager."
exit 1
fi
cf spaces
read -p "Are you logged in to the dotgov-poc CF space above? (y/n) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
cf login -a https://api.fr.cloud.gov --sso
fi
gh auth status
read -p "Are you logged into a Github account with access to cisagov/dotgov? (y/n) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
gh auth login
fi
echo "Great, removing and replacing Github CD account..."
cf delete-service-key github-cd-account github-cd-key
cf create-service-key github-cd-account github-cd-key
cf service-key github-cd-account github-cd-key
read -p "Please confirm we should set the above username and key to Github secrets. (y/n) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
exit 1
fi
cf service-key github-cd-account github-cd-key | sed 1,2d | jq -r '[.username, .password]|@tsv' |
while read -r username password; do
gh secret --repo cisagov/dotgov set CF_USERNAME --body $username
gh secret --repo cisagov/dotgov set CF_PASSWORD --body $password
done