How to Rotate Secrets
Introduction
We don’t have many secrets on stored on the Modernisation Platform, but they are rotated regularly.
This guide advises where secrets are stored and how to rotate them.
| Secret | Useage | Location | How to rotate |
|---|---|---|---|
| PagerDuty Token | Used by PagerDuty Terraform to manage PagerDuty resources | AWS Secrets Manager | Contact Operations Engineering to issue a new token and update the secret. |
| PagerDuty Modernisation Platform Team user | Used for dead-end notifications as all schedules need a user | Not stored | Use password reset process if needed |
| Slack Webhook URL | Used to post alarms to Slack | AWS Secrets Manager | Contact Operations Engineeering to issue a new incoming webhook for the Modernisation Platform Alerts custom Slack application. Revoke the old incoming webhook and update the secret. |
| GitHub MP CI User PAT | Used to create PRs etc in GitHub actions and deploy GitHub resources via Terraform | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret. |
| GitHub MP CI User Environments Repo PAT | Used in reusable pipelines of the modernisation-platform-environments repository. This is so that the CI user can post comments in PRs, e.g. tf plan/apply output. | AWS Secrets Manager | Log in as the Modernisation Platform CI User and generate a new PAT, revoke the old one and update the secret. |
| GitHub MP CI User Password | Used to log in and set the PAT | AWS Secrets Manager | Log in to GitHub as the user and reset the password, update the secret |
| ModernisationPlatformOrganisationManagement IAM user in MoJ root account | Used to perform limited activities in the root account. No longer used as replaced by OIDC but user kept for breakglass purposes. | Not stored | No active access keys, if keys or password needed contact Operations Engineering |
| Modernisation Platform Account Root User Password | Only used during initial platform set up, log in prevented via SCP and no password or keys set | Not stored | Disable or move account to a non SCP protected OU and follow the password reset steps |
This page was last reviewed on 17 August 2023.
It needs to be reviewed again on 17 February 2024
by the page owner #modernisation-platform
.
This page was set to be reviewed before 17 February 2024
by the page owner #modernisation-platform.
This might mean the content is out of date.