# Rotating Secrets - ustaxcourt/ef-cms GitHub Wiki

In order to maintain the security of any environment that contains production-like data, we are enforcing a credential rotation every quarter. We will rotate the account passwords for any of the test users in any of the environments that contain production-like data.

## Account Level Users

### Circle CI Users
The CircleCI user is an IAM user that needs to be rotated in both the Production and Staging AWS Accounts. To help simplify this process, we have made a script that deletes old access keys and outputs new keys to enter into the CircleCI interface.
- Run the following script:

  ```shell
  npm run secrets:rotate-circleci
  ```

- The script outputs new keys to copy and paste into the CircleCI web interface.
## Environment Users

### All Environments

Every environment will have a `USTC_ADMIN_USER` and `USTC_ADMIN_PASS` associated with it that are used to create users and perform admin-level operations. These passwords are stored in AWS Secrets Manager.

The following script rotates these secrets:

```shell
CI=false npm run secrets:rotate-environment
```

This updates the password in Cognito for the `USTC_ADMIN_USER`, and then it updates the Secrets Manager value with that new `USTC_ADMIN_PASS` so that subsequent deploys make use of the new credentials. For environments with production-like data, it also generates a new `DEFAULT_ACCOUNT_PASS` and updates that Secrets Manager value as well.
Be sure to run the environment switcher after rotating the secrets to retrieve the new values; until you do, your shell still holds the old credentials.
### Production

The production environment has a single test user, [email protected], for the execution of load tests. After rotating passwords in production, you'll need to set that user's password in Cognito:

```shell
aws cognito-idp admin-set-user-password \
  --user-pool-id "$COGNITO_USER_POOL" \
  --username [email protected] \
  --password "$DEFAULT_ACCOUNT_PASS" \
  --permanent
```
### Development Environment with Production-like Data

In development environments with production-like data, after running the rotation script above you will need to run the `setup-test-users.ts` script to update the test users, and the `setup-glued-judges.ts` script to update the judge users.

```shell
DEPLOYING_COLOR="$CURRENT_COLOR" DESTINATION_TABLE="$SOURCE_TABLE" ./scripts/user/setup-test-users.ts
DEPLOYING_COLOR="$CURRENT_COLOR" DESTINATION_TABLE="$SOURCE_TABLE" ./scripts/user/setup-glued-judges.ts
```