Merge pull request 2i2c-org#4303 from sgibson91/regenerate-nasa-smce-…

…deployer-creds-docs Add documentation on regeneration deployer credentials for NASA SMCE accounts to docs
sean-morris · Jun 28, 2024 · 14f28d8 · 14f28d8
2 parents 2a0176e + 636e7f3
commit 14f28d8
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 22 deletions.
diff --git a/docs/howto/regenerate-smce-creds.md b/docs/howto/regenerate-smce-creds.md
@@ -0,0 +1,74 @@
+# Regenerating credentials for NASA SMCE accounts
+
+This document describes how we regenerate credentials for _users_ and the `deployer` when they expire in NASA SMCE accounts.
+
+(nasa-smce:regenerate-deployer-creds)=
+## Regenerate credentials for the `deployer`
+
+1. Set the cluster name as an environment variable
+
+   ```bash
+   export CLUSTER_NAME=...
+   ```
+
+1. Authenticate yourself using the `deployer exec aws` command.
+   See the `--help` information for more details.
+
+1. Navigate to the AWS terraform folder in the infrastructure repo.
+
+   ```bash
+   cd terraform/aws
+   ```
+
+1. Initialise terraform.
+
+   ```bash
+   terraform init
+   ```
+
+1. Select the correct workspace, either by using the terraform command or setting another environment variable.
+
+   ```bash
+   # Using terraform command
+   terraform workspace select $CLUSTER_NAME
+
+   # Using an environment variable
+   export TF_WORKSPACE=$CLUSTER_NAME
+   ```
+
+1. Replace the previous deployer credentials with new ones.
+
+   ```bash
+   terraform apply -replace=aws_iam_access_key.continuous_deployer -var-file=projects/$CLUSTER_NAME.tfvars
+   ```
+
+1. Export the new credentials to a file and then encrypt them in-place with `sops`.
+
+   ```bash
+   terraform output -raw continuous_deployer_creds > ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json
+   sops -i -e ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json
+   ```
+
+1. `git add` the modified files and then commit them.
+
+   ```bash
+   git commit -m "nasa smce clusters: re-generate deployer credentials"
+   ```
+
+   You can then open a Pull Request and merge it.
+
+(nasa-smce:regenerate-user-password)=
+## Regenerate a password for a user in a NASA SMCE account
+
+The AWS accounts associated with NASA's [Science Managed Cloud Environment](https://smce.nasa.gov)
+have a 60 day password expiry policy. If someone on the team misses this
+deadline, we can actually reset passwords for each other!
+
+1. Someone in the team with access logs into the AWS console of the appropriate project
+2. Follow [AWS's user guide on resetting passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console)
+   for whoever's 60 day window has elpased
+3. In addition, a `AccountDisabled` IAM Group will be automatically added to the
+   user whenever their credentials expire, and this will show up as a "cannot
+   change password" error when the user logs in next. So the user should also be
+   removed from this group. You can do so from under the "Groups" tab in the
+   AWS console when looking at the details of this user.
diff --git a/docs/howto/regenerate-smce-password.md b/docs/howto/regenerate-smce-password.md
diff --git a/docs/hub-deployment-guide/new-cluster/smce.md b/docs/hub-deployment-guide/new-cluster/smce.md
@@ -53,10 +53,7 @@ Once this exemption has been processed, you can continue as usual with deploymen
 The `hub-continuous-deployer` has an access key and secret associated with it, this is how it
 authenticates with AWS to perform actions. SMCE accounts have a 60 day password/access key
 regeneration policy and so we need to prepare to regularly regenerate this access key.
-
-We track which clusters have had their `hub-continuous-deployer` access key regenerated
-and when in this issue <https://github.com/2i2c-org/infrastructure/issues/2434> which
-also includes the steps for regeneration. Make sure to add the new cluster to this issue.
+See [](nasa-smce:regenerate-deployer-creds) for how to reset the credentials.
 
 ```{warning}
 We only receive **5 days notice** that a password/access key will expire via email!
@@ -66,6 +63,6 @@ setup the cluster?
 ```
 
 ```{note}
-See [](nasa-smce:regenerate-password) for how to reset an expired password for
+See [](nasa-smce:regenerate-user-password) for how to reset an expired password for
 a _user_, e.g., a member of the engineering team.
-```
+```
diff --git a/docs/index.md b/docs/index.md
@@ -71,7 +71,7 @@ howto/grafana-github-auth.md
 howto/update-env.md
 howto/upgrade-cluster/index.md
 howto/troubleshoot/index.md
-howto/regenerate-smce-password.md
+howto/regenerate-smce-creds.md
 ```
 
 ## Topic guides