Access Key Monitoring and Cleanup #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Access Key Monitoring and Cleanup | |
| on: | |
| schedule: | |
| - cron: '30 7 * * MON' # trigger every Monday at 07:30am | |
| workflow_dispatch: | |
| env: | |
| AWS_REGION: "eu-west-2" | |
| ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} | |
| API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }} | |
| TEMPLATE_ID: "1f0f5ccc-0f67-4ee2-942f-6e48804828ea" | |
| EXPECTED_TEMPLATE_VERSION: "1" # Update with your expected template version | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| issues: write # This is required to create issues | |
| jobs: | |
| delete-superadmin-access-keys: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Step 1: Checkout Repository | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| # Step 2: Install Python | |
| - name: Install Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| # Step 3: Install the Notifications Client | |
| - name: Install the client | |
| run: pip install notifications-python-client | |
| # Step 4: Validate Notify Template Version | |
| - name: Validate Notify Template Version | |
| env: | |
| API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }} | |
| TEMPLATE_ID: ${{ env.TEMPLATE_ID }} | |
| EXPECTED_TEMPLATE_VERSION: ${{ env.EXPECTED_TEMPLATE_VERSION }} | |
| run: | | |
| python <<EOF | |
| from notifications_python_client.notifications import NotificationsAPIClient | |
| import sys | |
| api_key = "${{ secrets.GOV_UK_NOTIFY_API_KEY }}" | |
| template_id = "${{ env.TEMPLATE_ID }}" | |
| expected_version = int("${{ env.EXPECTED_TEMPLATE_VERSION }}") | |
| client = NotificationsAPIClient(api_key) | |
| try: | |
| template_details = client.get_template(template_id) | |
| actual_version = template_details.get("version") | |
| if actual_version != expected_version: | |
| print(f"Error: Template version mismatch! Expected: {expected_version}, Actual: {actual_version}") | |
| sys.exit(1) | |
| print(f"Template version {actual_version} validated successfully.") | |
| except Exception as e: | |
| print(f"Failed to fetch template details: {e}") | |
| sys.exit(1) | |
| EOF | |
| # Step 5: Set Account Number | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| # Step 6: Configure AWS Credentials | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| # Step 7: Remove Collaborator Access Keys | |
| - name: Remove Collaborator Access Keys | |
| run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh | |
| env: | |
| threshold: 90 | |
| group_name: "collaborators" | |
| # Step 8: Remove Superadmin Access Keys | |
| - name: Remove Superadmin Access Keys | |
| run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh | |
| env: | |
| threshold: 30 | |
| group_name: "superadmins" | |
| # Step 9: Send Notification | |
| - name: Send Notification | |
| run: | | |
| if [ -s superadmins.list ]; then | |
| python ./scripts/iam-monitoring/access-key-monitoring/notify_access_key_deletion.py superadmins.list | |
| else | |
| echo "No superadmin access keys found inactive for 30 days or more." | |
| fi |