Merge branch 'main' into upgrade-issue-tmpl

.github/ISSUE_TEMPLATE/cloud-platform-support-request.md

@@ -1,6 +1,7 @@
 ---
 name: Cloud Platform Support Request
-about: Create new Cloud Platform Support request
+about: This template is for service teams of Cloud Platform to create a new support request
+labels: 'support team, needs refining'
 
 ---
 

runbooks/source/aws-access-control.html.md.erb

@@ -0,0 +1,125 @@
+---
+title: AWS Console Access
+weight: 115
+last_reviewed_on: 2024-02-16
+review_in: 6 months
+---
+
+# AWS Console Access
+
+New joiners for Cloud platform team will need AWS Console access for most things. IAM resources (users, groups, roles, etc) are managed by terraform so new users are nothing more than new resources **in terraform**.
+
+Related repositories:
+
+ - [cloud-platform-infrastructure (/terraform/aws-accounts/cloud-platform-aws/account)](https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/account)
+
+ - [cloud-platform-terraform-awsaccounts-iam][awsaccounts-iam]
+
+ - [terraform-aws-iam module](https://github.com/terraform-aws-modules/terraform-aws-iam)
+
+## Steps to create/delete Cloud Platform team users
+
+1) Check the user is in the [webops GitHub team](https://github.com/orgs/ministryofjustice/teams/webops/members), which authorizes access to this AWS account.
+
+2) Create a git branch and add (or delete) the user as [terraform code][awsaccounts-iam]. Do not forget to link the user to a group.
+
+3) Using `terraform plan` in `cloud-platform-infrastructure/terraform/cloud-platform-account/` to verify you're happy with the terraform changes.
+
+4) Create the PR, ask the team to review it, and merge it.
+
+5) [Create a release](https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/releases).
+
+6) In the infrastructure repository, edit [the terraform config that calls that module](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf#L44), to use the new release - see [example](https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/938/files)
+
+7) Create the PR, ask the team to review it, and merge it.
+
+8) Apply the changes.
+
+9) Verify the user is created. (You can use AWS Console for this.)
+
+10) Tell them they can login here: https://aws-login.cloud-platform.service.justice.gov.uk
+
+## Activating MFA for new users
+
+Unfortunataly terraform can't activate MFA for users, this process must be done done manually either [through AWS Console (UI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) or [through the AWS CLI](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html).
+
+## Modifying Cloud Platform users permissions
+
+This part is the guideline for handling requests arise to add or modify read only access to any aws resources that are created for Cloud Platform users.
+
+Related resouce:
+
+ - [cloud-platform-infrastructure (/terraform/aws-accounts/cloud-platform-aws/account)](https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/account)
+
+ - [cloud-platform-terraform-aws-sso] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso)
+
+ - Make sure you have the MoJ 1Password access
+
+1) Have a discussion within the Cloud Platform Team to assess and agree on the requested permission changes.
+
+2) Navigate to the [cloud-platform-terraform-aws-sso] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso) to update or create a new Terraform file (e.g. elasticache.tf) with the new IAM policy for the specified resource.
+
+3) For the newly added resource, modify the [aws.tf] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/blob/main/aws.tf) to include the new policy in the latest `data "aws_iam_policy_document" "combined"` block.
+
+4) Create the PR and request a review from the team.
+
+5) Create a [new release] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/releases).
+
+6) In the [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure), go to [terraform/aws-accounts/cloud-platform-aws/account/main.tf] (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/main.tf), bump and update the sso module version to the newly released version.
+
+7) Create a PR for the module update, monitor and observe the `terraform plan` result.
+
+8) Request a review from the team, and merge it.
+
+10) Use the cloud-platform-dummy-user with the credentials from MoJ 1Password to verify the newly granted access on [the AWS console] (https://justice-cloud-platform.eu.auth0.com/samlp/mQev56oEa7mrRCKAZRxSnDSoYt6Y7r5m?connection=github).
+
+11) Once verified, inform the user/requester that the permissions have been updated accordingly.
+
+### Troubleshooting for modifying Cloud Platform users permissions
+
+Sometimes when you add the newly created resource to the `data "aws_iam_policy_document" "combined"` block, you may see the below error. This is because there is a limitation of 6144 characters per managed policy.
+
+```
+│ Error: updating IAM Policy (arn:aws:iam::xxxxxxxxxxxx:policy/access-via-github): LimitExceeded: Cannot exceed quota for PolicySize: 6144
+│ 	status code: 409, request id: 63ce8d71-4992-4043-a656-a67be75210a7
+```
+To solve this error, you may follow the below steps.
+
+1) Go to the [aws.tf] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/blob/main/aws.tf), create a new AWS IAM Policy document block `data "aws_iam_policy_document" "combined_x"` with next numerical suffix pattern.
+
+```
+data "aws_iam_policy_document" "combined_x" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.elasticache_for_github.json,
+  ]
+}
+```
+
+2) Create a new AWS IAM policy block `resource "aws_iam_policy" "github_access_x"` with next numerical suffix pattern.
+
+```
+resource "aws_iam_policy" "github_access_x" {
+  policy = data.aws_iam_policy_document.combined_x.json
+  name   = "access-via-github-0x"
+  tags = {
+    GithubTeam = "webops"
+  }
+}
+```
+
+3) Create a new AWS IAM policy attachment block `resource "aws_iam_role_policy_attachment" "github_access_x"`  with next numerical suffix pattern.
+
+```
+resource "aws_iam_role_policy_attachment" "github_access_x" {
+  role       = aws_iam_role.github_access.name
+  policy_arn = aws_iam_policy.github_access_x.arn
+}
+```
+
+4) Create the PR and request a review from the team.
+
+5) Create a [new release] (https://github.com/ministryofjustice/cloud-platform-terraform-aws-sso/releases).
+
+6) Follow the steps 6-10 in [Modifying External User Permissions] (#modifying-external-user-permissions) to make changes on [cloud-platform-infrastructure repository] (https://github.com/ministryofjustice/cloud-platform-infrastructure).
+
+[awsaccounts-iam]: https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/blob/main/main.tf

runbooks/source/aws-leaked-credentials.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: AWS Compromised Credentials
 weight: 110
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # AWS Compromised Credentials
@@ -30,4 +30,4 @@ Most of the users and keys are created through terraform, the process to recreat
 ## Audit the compromised credentials
 
 Check CloudTrail for any activity of the credentials after it got exposed. This can be done by logging into AWS Management Console
-Go to **Services -> CloudTrail -> Event history and filter by `AWS access key`
+Go to Services -> CloudTrail -> Event history and filter by `AWS access key`

runbooks/source/cloud-platform-communications-plan.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Cloud Platform Communications Plan
 weight: 9190
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Cloud Platform Communications Plan
@@ -21,7 +21,7 @@ The table below sets out the typical types of communications the Cloud Platform
 | Things we have learned | Justice Digital & Technology | Regularly when we have key things to show or promote | Show the Thing |
 | Service impacting incidents | Service Teams | When an incident has been declared, key updates during resolution, and at incident closure | #cloud-platform-update |
 | Sharing postmortems for service impacting incidents | Service Teams | When postmortem has been documented | #cloud-platform-update |
-| Service impacting upgrades/Maintence | Service Teams | As required | #cloud-platform-update |
+| Service impacting upgrades/Maintenance | Service Teams | As required | #cloud-platform-update |
 | Sharing successes | Chief Technology Officer | Weekly | One to ones and team meetings |
 | Sharing successes | SMT | Fortnightly | Architecture & Platforms weeknotes |
 | Sharing successes | Justice Digital & Technology | Regularly when we have key things to show or promote | Post about them in #chat or #announcements on Slack/Consider for a Show the Thing |
@@ -42,9 +42,9 @@ The #cloud-platform-update channel is used for a number of different types of co
 
 - service impact/what users might be reporting
 - action being taken (this might just be that we are investigating the issue)
-- when users can expact a progress update (and make sure that the update actually happens when you say it will)
+- when users can expect a progress update (and make sure that the update actually happens when you say it will)
 - details of any actions users need to take (if applicable)
-- apoligise for the inconvenience (it might not be an issue in our control but this can build trust and let users know that you are taking resolution seriously)
+- apologise for the inconvenience (it might not be an issue in our control but this can build trust and let users know that you are taking resolution seriously)
 
 ### Example
 
@@ -60,7 +60,7 @@ The #cloud-platform-update channel is used for a number of different types of co
 - What you are upgrading
 - When the upgrade will take place (including times)
 - Why you are upgrading (in might be useful to include a link to some change notes or something that users can refer to if they want more information rather than adding it all in the comms.)
-- Details of any service impact or anthing users might need to take action on as a result of changes (including if we are pausing pipelines)
+- Details of any service impact or anything users might need to take action on as a result of changes (including if we are pausing pipelines)
 - Details of any risks posed to services as a result of not taking requested actions
 - Include examples of code if it helps users understand the changes
 - Provide a high level overview of the process we will be taking to implement changes

runbooks/source/cloud-platform-to-tgw.html.md.erb

@@ -1,7 +1,7 @@
 ---
 title: Adding a route to connect to a TGW
 weight: 9000
-last_reviewed_on: 2024-01-31
+last_reviewed_on: 2024-02-27
 review_in: 6 months
 ---
 
@@ -64,17 +64,8 @@ The Transit Gateway attachment from live-2 VPC to MoJ Transit Gateway has been p
 We decided not to add this for now as there are no requirements for any routing from live-2 VPC to the MoJ Transition Gateway. Also live-2 is planned for decommission.
 If there is a requirement for this, the [add-live-2-tgw-routes branch] shows the code that needs to be applied.
 
-## Moving away from the *old* Cloud Platform Transit Gateway account
-`Cloud Platform Transit Gateway` AWS account and [transit-gateways repo] previosuly held the terraform state in s3 bucket and terrform code respectively. We have migrated this to the `Cloud-Platform` AWS account and [cloud-platform-infrastructure] repo now. The following tasks remain to completely decommision the old Cloud Platform Transit Gateway:
-
-- Confirm with owners of Transit Gateway VPC Attachments in Cloud Platform Transit Gateways AWS account can be deleted
-- Confirm with owners of Transit Gateway Peering Attachment in Cloud Platform Transit Gateways AWS account can be deleted
-- Terraform destroy all redundant Transit Gateway related resources in Cloud Platform Transit Gateways AWS account that are currently being managed by terraform.
-- Remove redundant code from [transit-gateways repo]
-
 [cloud-platform-infrastructure]: https://github.com/ministryofjustice/cloud-platform-infrastructure
 [github repository]: https://github.com/ministryofjustice/deployment-tgw
 [transit-gateway-cloud-platform folder]: https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/aws-accounts/cloud-platform-aws/vpc/transit-gateway
 [add-live-2-tgw-routes branch]: https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/add-live-2-tgw-routes
 [Concourse pipeline]: https://github.com/ministryofjustice/cloud-platform-terraform-concourse/blob/main/pipelines/manager/main/infrastructure-vpc-live-1.yaml
-[transit-gateways repo]: https://github.com/ministryofjustice/transit-gateways

runbooks/source/custom-domain.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Add a custom domain
 weight: 80
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # <%= current_page.data.title %>
@@ -13,13 +13,7 @@ If this is a new sub-domain of `service.justice.gov.uk`, these steps are require
 
 * Wait for the new hosted zone to be created by the pipeline, once the user's PR to define it has been merged
 * Find the hosted zone record in the Route53 section of the AWS console of the cloud-platform account, and copy the nameserver details from the `NS` record. Create a temporary copy of these values (on the clipboard or a text file)
-* Switch to the mojdsd AWS account console, and find the [hosted zone for service.justice.gov.uk] in the Route53 section
-* Use the "Create Record Set" button:
-  * Name: The new sub-domain
-  * Type: NS - Name server
-  * TTL: 300
-  * Value: The nameserver details you copied from the cloud-platform AWS account hosted zone
-  * Routing Policy: Simple
+* Contact Operations Engineering to request the new records be added
 
 [user guide article]: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/other-topics/custom-domain-cert.html
 [hosted zone for service.justice.gov.uk]: https://console.aws.amazon.com/route53/home?region=eu-west-1#resource-record-sets:Z1QLRMQEXOI5G4

runbooks/source/incident-process.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Incident Process
 weight: 40
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Incident Process

runbooks/source/manually-apply-namespace.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Manually Plan/Apply Namespace Resources
 weight: 180
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Manually Plan/Apply Namespace Resources in live cluster

runbooks/source/on-call.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Going on call
 weight: 9150
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Going on call
@@ -17,7 +17,7 @@ Cloud Platform team members provide support out of hours, as detailed in [Cloud
 * Understand how to carry out those actions, and what they do.
 * Verify access ahead of time to various systems and interfaces required to carry out these actions.
 
-> Getting set up to access production is quite involved if you don’t work on the service you’re supporting, so it’s worth making sure you’ve done so ahead of time.
+> Getting set up to access production is quite involved if you don't work on the service you're supporting, so it's worth making sure you've done so ahead of time.
 
 ### Not expected:
 

runbooks/source/rotate-git-crypt-key.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Git-crypt
 weight: 75
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Git-crypt

runbooks/source/velero.html.md.erb

@@ -1,8 +1,8 @@
 ---
 title: Velero - Cluster backups and disaster recovery
 weight: 601
-last_reviewed_on: 2023-11-20
-review_in: 3 months
+last_reviewed_on: 2024-02-23
+review_in: 6 months
 ---
 
 # Velero - Cluster backups and disaster recovery