From 56509a68641f1bb66b5bb7c9d5c881228225ab3c Mon Sep 17 00:00:00 2001 From: Poornima Krishnasamy Date: Wed, 13 Dec 2023 17:36:30 +0000 Subject: [PATCH 1/2] Update leavers guide with correct list, contact details and fix links --- runbooks/source/leavers-guide.html.md.erb | 83 ++++++++++++++--------- 1 file changed, 51 insertions(+), 32 deletions(-) diff --git a/runbooks/source/leavers-guide.html.md.erb b/runbooks/source/leavers-guide.html.md.erb index bfb8e607..befab671 100644 --- a/runbooks/source/leavers-guide.html.md.erb +++ b/runbooks/source/leavers-guide.html.md.erb @@ -1,7 +1,7 @@ --- title: Leavers Guide weight: 9100 -last_reviewed_on: 2023-11-20 +last_reviewed_on: 2023-12-13 review_in: 3 months --- 
@@ -13,62 +13,81 @@ When CP team members leave, follow this guide, and log completion in a ticket. ### Digital Services -The Service Desk will be able to remove and revoke access from a number of different accounts outside of Cloud Platform. +#### Google account closure + This has to be ordered in advance of them leaving, by creating a ServiceNow order [Return device for Digital Mac & WTP users](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=a1f163211bb1a8507b10ca286e4bcb7a) -#### 1/ Google account closure, ordered in advance of them leaving, by creating a ServiceNow order [Return device for Digital Mac & WTP users](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=a1f163211bb1a8507b10ca286e4bcb7a) + This is not just about returning their Mac - it will do the important step of closing their Google account. -This is not just about returning their Mac - it will do the important step of closing their Google account. + This is usually raised by the line manager for civil servants. -* Note - Include details in the ServiceNow request to transfer the leaver's Google Drive to someone in their team. + * Note - Include details in the ServiceNow request to transfer the leaver's Google Drive to someone in their team. -* Note - for leavers from the cloud-platforms team - ask the service desk to transfer any slack webhook integrations to someone in the team.
IT IS MOST IMPORTANT THAT YOU REQUEST THIS BEFORE THE PERSON LEAVES
-This is because if the person has created a slack-webhook for alerting purposes, the loss of that slack-webhook can cause problems - when their profile is deleted (as the webhook link is referenced in [cloud-platform-infrastructure/blob/main/terraform/cloud-platform-components/terraform.tfvars](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/cloud-platform-components/terraform.tfvars). + * Note - If the leaver has created any slack apps, these will need to be transferred to someone else in the team. + + Contact #digital-it-forum channel for any queries + +#### MOJ Digital VPN removal + Create a ServiceNow order: [Digital VPN add/remove](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=6860adc01b8b6818f58d206fe54bcbe3) + This is usually raised by the line manager for civil servants. + +#### Slack account deactivation + + Cloud Platform maintain a list of webhooks for [Alertmanager Notifications](https://api.slack.com/apps/ABFSJLD8W/incoming-webhooks). When the slack account is deactivated, + these webhooks will still be active. Hence, no action is needed. + + Some apps that member installed which require member-specific permissions may be atomatically deactivated. + Check in advance, if the leaver has installed any such apps and if so, transfer them to someone else in the team by creating a ServiceNow order: [Slack tasks for the D&T Workspace](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=2749c237db9c609050fbbfce3b9619bb) + Also make sure there there is atleast one other member who is collaborator for the app. 
-#### 2/ MOJ Digital VPN removal by creating a ServiceNow order: [Digital VPN add/remove](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=6860adc01b8b6818f58d206fe54bcbe3) ### AWS Accounts -#### 1/ Purge them from AWS accounts: +* Purge them from AWS accounts: -* [moj-cp](https://justice-cloud-platform.eu.auth0.com/samlp/bnqndz9kxf7wDge8ndCWyVwIX1OEElYf) -* [mojdsd](https://moj.awsapps.com/start#/) -* Cloud Platform Ephemeral Test -* Cloud Platform Transit Gateways + * [moj-cp](https://moj.awsapps.com/start#/) + * [mojdsd](https://moj.awsapps.com/start#/) + * Cloud Platform Ephemeral Test + * Cloud Platform Transit Gateways -To login, use the SSO links above, or use the [AWS console](https://console.aws.amazon.com/) + To login, use the SSO links above, or use the [AWS console](https://console.aws.amazon.com/) -#### 2/ Remove them from `cloud-platform-terraform-awsaccounts-iam` +* Remove them from `cloud-platform-terraform-awsaccounts-iam` -* As per [this PR](https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/pull/2/files) + * As per [this PR](https://github.com/ministryofjustice/cloud-platform-terraform-awsaccounts-iam/pull/2/files) -#### 3/ Remove them from `cloud-platform-eks` +* Remove them from `cloud-platform eks cluster` -* As per [this File](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/cloud-platform-eks/cluster.tf) + * As per [this File](https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf#L243) -#### 4/ Request Password Management removal - [contact details here](https://docs.google.com/document/d/1Q6bHUyGEuVi81Bmvi7kOa-DvC-y-L-H3BR13DPsYiVs/edit) removal +### Other 3rd Party Accounts access removal -#### 5/ Remove their access to: +Below are the list of 3rd party accounts that need to be removed when a member leaves the team. 
Contact [#ask-operations-engineering channel](https://mojdt.slack.com/archives/C01BUKJSZD4) requesting the removal -* [Auth0 justice-cloud-platform](https://manage.auth0.com/dashboard/eu/justice-cloud-platform/users) +1. Request Password Management removal - [1Password](https://1password.com/) -* [Auth0 moj-cloud-platforms](https://manage.auth0.com/dashboard/eu/moj-cloud-platforms-dev/users) +2. [Auth0 justice-cloud-platform](https://manage.auth0.com/dashboard/eu/justice-cloud-platform/users) -* [Pagerduty](https://moj-digital-tools.pagerduty.com/users) +3. [Auth0 moj-cloud-platforms](https://manage.auth0.com/dashboard/eu/moj-cloud-platforms-dev/users) -* [DockerHub MoJ teams](https://cloud.docker.com/orgs/ministryofjustice/teams) +4. [Pagerduty](https://moj-digital-tools.pagerduty.com/users) -* [Pingdom](https://www.pingdom.com) +5. [DockerHub MoJ teams](https://cloud.docker.com/orgs/ministryofjustice/teams) -* [1Password](https://1password.com/) +6. [Pingdom](https://www.pingdom.com) -* [MoJ Github Organisation](https://github.com/ministryofjustice) +7. [1Password](https://1password.com/) -#### 6/ Remove them from the [PagerDuty support rota](https://moj-digital-tools.pagerduty.com/schedules#PFX6FHX/edit) (if applicable) +8. [Sentry](https://ministryofjustice.sentry.io/settings/teams/) -#### 7/ Remove them from [platforms@digital.justice.gov.uk Google Group](https://groups.google.com/a/digital.justice.gov.uk/g/platforms/members) +8. [MoJ Github Organisation](https://github.com/ministryofjustice) -## Line manager actions +10. [Zenhub](https://app.zenhub.com/workspaces/cloud-platform-team-5ccb0b8a81f66118c983c189/board) + +9. 
Remove them from the [PagerDuty support rota](https://moj-digital-tools.pagerduty.com/schedules#PFX6FHX/edit) (if applicable) -#### 1/ Fill in the MOJ Digital [Leavers Form](https://leavers.form.service.justice.gov.uk/) +10.Remove them from [platforms@digital.justice.gov.uk Google Group](https://groups.google.com/a/digital.justice.gov.uk/g/platforms/members) + +## Line manager actions -#### 2/ Complete the [Leavers Checklist for Managers](https://intranet.justice.gov.uk/documents/2015/04/leavers-checklist-for-managers.docx) +1. Fill in the MOJ Digital [Leavers Form](https://leavers.form.service.justice.gov.uk/) +2. Complete the [Leavers Checklist for Managers](https://intranet.justice.gov.uk/documents/2015/04/leavers-checklist-for-managers.docx) From c9e617989f239a62d761e213ad58f1faea91c8bd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 13 Dec 2023 17:37:23 +0000 Subject: [PATCH 2/2] Commit changes made by code formatters --- runbooks/source/leavers-guide.html.md.erb | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/runbooks/source/leavers-guide.html.md.erb b/runbooks/source/leavers-guide.html.md.erb index befab671..3af1165b 100644 --- a/runbooks/source/leavers-guide.html.md.erb +++ b/runbooks/source/leavers-guide.html.md.erb 
@@ -13,33 +13,32 @@ When CP team members leave, follow this guide, and log completion in a ticket. ### Digital Services -#### Google account closure +#### Google account closure This has to be ordered in advance of them leaving, by creating a ServiceNow order [Return device for Digital Mac & WTP users](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=a1f163211bb1a8507b10ca286e4bcb7a) This is not just about returning their Mac - it will do the important step of closing their Google account. - This is usually raised by the line manager for civil servants. + This is usually raised by the line manager for civil servants. * Note - Include details in the ServiceNow request to transfer the leaver's Google Drive to someone in their team. - * Note - If the leaver has created any slack apps, these will need to be transferred to someone else in the team. + * Note - If the leaver has created any slack apps, these will need to be transferred to someone else in the team. Contact #digital-it-forum channel for any queries -#### MOJ Digital VPN removal +#### MOJ Digital VPN removal Create a ServiceNow order: [Digital VPN add/remove](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=6860adc01b8b6818f58d206fe54bcbe3) - This is usually raised by the line manager for civil servants. + This is usually raised by the line manager for civil servants. #### Slack account deactivation Cloud Platform maintain a list of webhooks for [Alertmanager Notifications](https://api.slack.com/apps/ABFSJLD8W/incoming-webhooks). When the slack account is deactivated, - these webhooks will still be active. Hence, no action is needed. - - Some apps that member installed which require member-specific permissions may be atomatically deactivated. + these webhooks will still be active. Hence, no action is needed. + + Some apps that member installed which require member-specific permissions may be atomatically deactivated. 
Check in advance, if the leaver has installed any such apps and if so, transfer them to someone else in the team by creating a ServiceNow order: [Slack tasks for the D&T Workspace](https://mojprod.service-now.com/moj_sp?id=sc_cat_item&sys_id=2749c237db9c609050fbbfce3b9619bb) Also make sure there there is atleast one other member who is collaborator for the app. - ### AWS Accounts * Purge them from AWS accounts:
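Review bot: In PATCH 1/2, the numbered list under "Other 3rd Party Accounts access removal" runs 1 to 8, then 8, 10, 9, 10, and the final item reads "10.Remove" with no space after the marker, so it may not render as a list item. 1Password also appears twice: once as item 1 ("Request Password Management removal") and again as item 7. Renumber the list sequentially and drop one of the two 1Password entries. The last two items (PagerDuty support rota, platforms@ Google Group) are "Remove them from" steps rather than accounts to request through #ask-operations-engineering, so they would read better as separate steps after the list. In the AWS section of the same hunk, the new cluster.tf link ends in #L243 on the main branch and will point at the wrong line as the file changes; link to the file without the line anchor, or use a commit permalink.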
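Review bot: In PATCH 2/2, the "Slack account deactivation" paragraph says "Hence, no action is needed" and is followed directly by an action (check for apps the leaver installed and raise a ServiceNow order), so the sentence should be scoped, for example "no action is needed for these webhooks". The formatter commit rewrites these lines but still carries "atomatically", and the unchanged context line below still reads "there there is atleast"; fix the spelling in PATCH 1/2 rather than carrying it through. Since the text states the Alertmanager webhooks stay active after the account is deactivated, the guide should also say whether webhook URLs the leaver had access to need to be rotated, or state explicitly that they do not.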