From a7f818f0b9a278d93482b2849535edcd0edf5ee7 Mon Sep 17 00:00:00 2001 From: mikereiddigital Date: Wed, 15 Jan 2025 16:47:43 +0000 Subject: [PATCH 01/11] Adds a runbook for excluding accounts from the instance-scheduler. --- source/runbooks/index.html.md.erb | 160 ++++++++++++++++++ ...e-scheduler-excluding-accounts.html.md.erb | 85 ++++++++++ 2 files changed, 245 insertions(+) create mode 100644 source/runbooks/index.html.md.erb create mode 100644 source/runbooks/instance-scheduler-excluding-accounts.html.md.erb diff --git a/source/runbooks/index.html.md.erb b/source/runbooks/index.html.md.erb new file mode 100644 index 000000000..57a37635c --- /dev/null +++ b/source/runbooks/index.html.md.erb 
@@ -0,0 +1,160 @@ +--- +owner_slack: "#modernisation-platform" +title: Modernisation Platform +last_reviewed_on: 2025-01-06 +review_in: 6 months +weight: 0 +--- + + + + + +# <%= current_page.data.title %> + + +The Modernisation Platform is a hosting platform where Ministry of Justice teams can host and modernise applications which are not suitable for the [Cloud Platform](https://user-guide.cloud-platform.service.justice.gov.uk/#cloud-platform-user-guide). + +This repository holds the Ministry of Justice's Modernisation Platform concepts, team information, team guide, and user guide to help onboard and support the users of our service. + + +## Who is this for? + +This documentation is for anyone interested in the Modernisation Platform and its core concepts; for users of the Modernisation Platform; and for the team. + +## User guide + +- [Should I use the Cloud Platform, or the Modernisation Platform?](user-guide/cloud-platform-or-modernisation-platform.html) +- [Our offer to you](user-guide/our-offer-to-you.html) +- [Sustainability](user-guide/sustainability.html) + +### Getting started +- [Creating environments (aka AWS accounts)](user-guide/creating-environments.html) +- [Creating networking resources](user-guide/creating-networking.html) +- [Accessing the AWS Console](user-guide/accessing-the-aws-console.html) +- [Getting AWS Credentials](user-guide/getting-aws-credentials.html) +- [Creating resources](user-guide/creating-resources.html) +- [Deploying your infrastructure](user-guide/deploying-your-infrastructure.html) +- [Deploying your application](user-guide/deploying-your-application.html) +- [Standard environment diagram](user-guide/environment-diagram.html) +- [Working as a Collaborator](user-guide/working-as-a-collaborator.html) +- [Production Ready Checklist](user-guide/production-ready-checklist.html) + +### How to guides +- [Running Terraform plan locally](user-guide/running-terraform-plan-locally.html) +- [Accessing 
EC2s](user-guide/accessing-ec2s.html) +- [Wider MoJ Connectivity](user-guide/wider-moj-connectivity.html) +- [How to add VPC endpoints](user-guide/adding-vpc-endpoints.html) +- [How to configure DNS for public services](user-guide/how-to-configure-dns.html) +- [How to import a public SSL certificate into AWS Certificate Manager](user-guide/certificate-import.html) +- [How to view core account/shared resources as a Member Developer](user-guide/member-read-only-core-accounts.html) +- [How to use shared KMS keys](user-guide/how-to-use-shared-kms-keys.html) +- [How to integrate CloudWatch Alarms with PagerDuty and Slack](user-guide/integrating-alarms-with-pagerduty-with-slack.html) +- [How to set up automated patching](user-guide/automated-patching.html) +- [How to add an ECR for shared Docker images](user-guide/add-an-ecr-for-docker-images.html) +- [How to setup code scanning locally](user-guide/how-to-setup-code-scanning-locally.html) +- [How to setup secure commit for git hub](/user-guide/how-to-setup-secure-commit.html) + +## Concepts + +### Environments (AWS Accounts) +- [The problem and our solution](concepts/environments/problem-and-solution.html) +- [Environment Architecture](concepts/environments/architecture.html) +- [Security](concepts/environments/security.html) +- [Single Sign On](concepts/environments/single-sign-on.html) +- [Backups](concepts/environments/backups.html) + +### Shared services and tools + +- [Auto-nuke](concepts/environments/auto-nuke.html) +- [Instance Scheduling - automatically stop non-production instances overnight](concepts/environments/instance-scheduling.html) +- [Platform user roles](user-guide/platform-user-roles.html) + +### Networking +- [Networking approach](concepts/networking/networking-approach.html) +- [Networking Architecture Diagram](concepts/networking/networking-diagram.html) +- [Subnet CIDR Allocation](concepts/networking/subnet-allocation.html) +- [Subnet NACLs](concepts/networking/subnet-nacls.html) +- [Bastions and 
Instance Access](concepts/networking/instance-access-and-bastions.html) +- [DNS](concepts/networking/dns.html) +- [Certificate Services](concepts/networking/certificate-services.html) +- [Network Firewall](concepts/networking/network-firewall.html) + +### Software Development Lifecycle +- [Repositories](concepts/sdlc/repositories.html) +- [Core Workflows (CI/CD)](concepts/sdlc/core-workflow.html) +- [User Workflows (CI/CD)](concepts/sdlc/user-workflow.html) +- [Testing Strategy](concepts/sdlc/testing-strategy.html) +- [Sandbox and testing environments](concepts/sdlc/sandbox-testing-environments.html) +- [Patching](concepts/sdlc/patching.html) + +## Modernisation Platform Team information +- [Our alliance](team/alliance.html) +- [Our roadmap](team/roadmap.html) +- [Our team](team/team.html) +- [Our vision](team/vision.html) +- [Operational Processes](team/operational-processes.html) +- [Our ways of working](team/ways-of-working.html) + +## Runbooks +- [Accessing AWS accounts](runbooks/accessing-aws-accounts.html) +- [Accessing the Observability Platform](runbooks/accessing-the-observability-platform.html) +- [Adding a new SSO user role](runbooks/adding-a-new-sso-user-role.html) +- [Adding a new team member to the Modernisation Platform](runbooks/adding-a-new-team-member.html) +- [Adding collaborators](runbooks/adding-collaborators.html) +- [Adding wider connectivity](runbooks/adding-wider-connectivity.html) +- [Backup and Restore of Terraform Statefile & EC2](runbooks/backup-restore-process.html) +- [Changing environment (AWS account) details](runbooks/changing-environment-details.html) +- [CloudWatch networking alarms](runbooks/cloudwatch-networking-alarms.html) +- [Creating Automated Terraform Documentation](user-guide/creating-automated-terraform-documentation.html) +- [Creating new DNS zones](runbooks/creating-new-dns-zones.html) +- [Creating new Private DNS zones](runbooks/creating-new-private-dns-zones.html) +- [Creating VPCs](runbooks/creating-vpcs.html) +- 
[Deleting an environment (AWS account)](runbooks/deleting-an-environment.html) +- [Disaster recovery offering](runbooks/disaster-recovery.html) +- [Disaster recovery steps](runbooks/dr-process.html) +- [DoS Attack](runbooks/dos-attack.html) +- [Duty Rota](runbooks/duty-rota.html) +- [Enabling AWS Shield Advanced](runbooks/enabling-shield-advanced.html) +- [Environments-networks json explained](user-guide/environments-networks-json-explained.html) +- [How to create an AWS account for end users](runbooks/creating-accounts-for-end-users.html) +- [How to rotate secrets](runbooks/rotating-secrets.html) +- [How to update external status page](user-guide/how-to-update-pagerduty-status-page.html) +- [How VPCs access the internet](runbooks/how-vpcs-access-the-internet.html) +- [Joining the team](runbooks/joining-the-team.html) +- [Manage an incident](runbooks/manage-an-incident.html) +- [Main Platform Runbook](runbooks/runbook.html) +- [Migrating an existing AWS account into the Modernisation Platform](runbooks/migrating-an-account-into-the-modernisation-platform.html) +- [Modifying Service Control Policies (SCPs)](runbooks/modifying-scps.html) +- [Querying CloudTrail logs with Athena](runbooks/using-athena.html) +- [Querying VPC flow logs](runbooks/querying-vpc-flow-logs.html) +- [Recreating the core-logging-production account](runbooks/recreate-core-logging-production-account.html) +- [Recreating the core-network-services account](runbooks/recreate-core-network-services-account.html) +- [Recreating the core-shared-services account](runbooks/recreate-core-shared-services-production.html) +- [Recreating the core-vpc-$environments accounts](runbooks/recreate-core-vpc-$environment-accounts.html) +- [Recreating the modernisation-platform account](runbooks/recreate-modernisation-platform-account.html) +- [Removing a team member from the Modernisation Platform](runbooks/removing-a-team-member.html) +- [Reviewing Dependabot PRs](runbooks/reviewing-dependabot-prs.html) +- 
[Reviewing MP Environments PRs](runbooks/reviewing-mp-environments-prs.html) +- [Revoke Network Access](runbooks/revoke-network-access.html) +- [Revoking User Access](runbooks/revoking-user-access.html) +- [Security Monitoring](runbooks/security-monitoring.html) +- [Security Testing and ITHC](user-guide/security-testing-and-ithc.html) +- [Excluding accounts from the Instance Scheduler](runbooks/instance-scheduler-excluding-accounts.html) +- [Sharing of platform operational data with Security Operations](runbooks/integration-with-protective-monitoring.html) +- [Terraform](runbooks/terraform.html) +- [Useful scripts](runbooks/useful-scripts.html) +- [Oracle License Discovery](runbooks/oracle-license-discovery.html) + +## Getting help +- [Ask for help](getting-help) + +## Checking Modernisation platform status +To check the operational status of the Modernisation Platform click on the link below, this page will display the current status of any incidents as well as any planned maintenance windows. + +[External status page](https://status.modernisation-platform.service.justice.gov.uk) diff --git a/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb b/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb new file mode 100644 index 000000000..22b8e1a2b --- /dev/null +++ b/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb 
@@ -0,0 +1,85 @@ +--- +owner_slack: "#modernisation-platform" +title: Setting Accounts to be excluded from the Instance Scheduler +last_reviewed_on: 2025-01-15 +review_in: 6 months +--- + + + + + +# <%= current_page.data.title %> + +## Background + +There are some categories of Modernisation Platform accounts that are meant to be excluded from the Instance Scheduler: + +- Non-member accounts which do not have the cross-account role & policies added during deployment. Any attempt by the scheduler to access these accounts would fail with an AccessDenied error and as such they are excluded. + +- Production member accounts. These are out of the scope of the scheduler to avoid loss of service availability. + +- Those member accounts that users have requested are skipped by the scheduler. + +## How Instance Scheduler Determines which accounts are in scope + +Previously, the Instance Scheduler used a variable containing all of the account names that were to be skipped, including non-member accounts. That method has been changed so instead of a "skip list", this information is obtained form the /environments/*.json files in the Modernisation Platform repository. + +The scheduler parses the each of the json files & from that data can identify those accounts that are excluded, namely: + +- If the "account-type" field is not "member" + +- If the environment "name" is "production" + +- The field "instance_scheduler_skip": ["true"] exists in the environment list for the account in question. 
+ +### Setting an Account to be skipped by the Scheduler + +Below is an example of an account .json file with the scheduler skip field added: + +``` +{ + "account-type": "member", + "environments": [ + { + "name": "development", + "access": [ + { + "sso_group_name": "modernisation-platform", + "level": "developer", + "nuke": "rebuild" + }, + --- + ], + "instance_scheduler_skip": ["true"] + } + ], + "tags": { + "application": "modernisation-platform", + --- + }, + "github-oidc-team-repositories": [""], + "go-live-date": "" +} + +``` + +### Checking whether an Account was Skipped + +The workflow "Build-test-push" workflow of the Instance Scheduler [repository](https://github.com/ministryofjustice/modernisation-platform-instance-scheduler) will show the log output of any unit tests of the Go source and specifically details of any accounts that were excluded & why. + +For example: + +``` +Account is of type member: nomis +extractNames - Found name: nomis.development +extractNames - Found name: nomis.test +extractNames - Skipping due to instance_scheduler_skip: nomis.preproduction +extractNames - Skipping due to production: nomis.production +``` + From 42b7dea1bcf6465da1793e933e5a53e6ee41690b Mon Sep 17 00:00:00 2001 From: mikereiddigital Date: Wed, 15 Jan 2025 16:56:38 +0000 Subject: [PATCH 02/11] Minor text changes --- .../instance-scheduler-excluding-accounts.html.md.erb | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb b/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb index 22b8e1a2b..243a86f04 100644 --- a/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb +++ b/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb 
@@ -18,13 +18,13 @@ review_in: 6 months ## Background -There are some categories of Modernisation Platform accounts that are meant to be excluded from the Instance Scheduler: +There are some Modernisation Platform accounts that should be excluded from the Instance Scheduler: - Non-member accounts which do not have the cross-account role & policies added during deployment. Any attempt by the scheduler to access these accounts would fail with an AccessDenied error and as such they are excluded. - Production member accounts. These are out of the scope of the scheduler to avoid loss of service availability. -- Those member accounts that users have requested are skipped by the scheduler. +- Those non-production member accounts that users have requested are skipped by the scheduler. ## How Instance Scheduler Determines which accounts are in scope @@ -38,7 +38,7 @@ The scheduler parses the each of the json files & from that data can identify th - The field "instance_scheduler_skip": ["true"] exists in the environment list for the account in question. -### Setting an Account to be skipped by the Scheduler +## Setting an Account to be skipped by the Scheduler Below is an example of an account .json file with the scheduler skip field added: @@ -69,7 +69,7 @@ Below is an example of an account .json file with the scheduler skip field added ``` -### Checking whether an Account was Skipped +## Checking whether an Account was Skipped The workflow "Build-test-push" workflow of the Instance Scheduler [repository](https://github.com/ministryofjustice/modernisation-platform-instance-scheduler) will show the log output of any unit tests of the Go source and specifically details of any accounts that were excluded & why. 
@@ -83,3 +83,6 @@ extractNames - Skipping due to instance_scheduler_skip: nomis.preproduction extractNames - Skipping due to production: nomis.production ``` +## References: + +- https://github.com/ministryofjustice/modernisation-platform-instance-scheduler \ No newline at end of file From 173eab6066856f96e3919a14214cc95f1e4358a6 Mon Sep 17 00:00:00 2001 From: mikereiddigital Date: Wed, 15 Jan 2025 17:00:03 +0000 Subject: [PATCH 03/11] File location. --- source/index.html.md.erb | 1 + source/runbooks/index.html.md.erb | 160 ------------------------------ 2 files changed, 1 insertion(+), 160 deletions(-) delete mode 100644 source/runbooks/index.html.md.erb diff --git a/source/index.html.md.erb b/source/index.html.md.erb index e405d1d80..57a37635c 100644 --- a/source/index.html.md.erb +++ b/source/index.html.md.erb @@ -145,6 +145,7 @@ This documentation is for anyone interested in the Modernisation Platform and it - [Revoking User Access](runbooks/revoking-user-access.html) - [Security Monitoring](runbooks/security-monitoring.html) - [Security Testing and ITHC](user-guide/security-testing-and-ithc.html) +- [Excluding accounts from the Instance Scheduler](runbooks/instance-scheduler-excluding-accounts.html) - [Sharing of platform operational data with Security Operations](runbooks/integration-with-protective-monitoring.html) - [Terraform](runbooks/terraform.html) - [Useful scripts](runbooks/useful-scripts.html) diff --git a/source/runbooks/index.html.md.erb b/source/runbooks/index.html.md.erb deleted file mode 100644 index 57a37635c..000000000 --- a/source/runbooks/index.html.md.erb +++ /dev/null 
@@ -1,160 +0,0 @@ ---- -owner_slack: "#modernisation-platform" -title: Modernisation Platform -last_reviewed_on: 2025-01-06 -review_in: 6 months -weight: 0 ---- - - - - - -# <%= current_page.data.title %> - - -The Modernisation Platform is a hosting platform where Ministry of Justice teams can host and modernise applications which are not suitable for the [Cloud Platform](https://user-guide.cloud-platform.service.justice.gov.uk/#cloud-platform-user-guide). - -This repository holds the Ministry of Justice's Modernisation Platform concepts, team information, team guide, and user guide to help onboard and support the users of our service. - - -## Who is this for? - -This documentation is for anyone interested in the Modernisation Platform and its core concepts; for users of the Modernisation Platform; and for the team. - -## User guide - -- [Should I use the Cloud Platform, or the Modernisation Platform?](user-guide/cloud-platform-or-modernisation-platform.html) -- [Our offer to you](user-guide/our-offer-to-you.html) -- [Sustainability](user-guide/sustainability.html) - -### Getting started -- [Creating environments (aka AWS accounts)](user-guide/creating-environments.html) -- [Creating networking resources](user-guide/creating-networking.html) -- [Accessing the AWS Console](user-guide/accessing-the-aws-console.html) -- [Getting AWS Credentials](user-guide/getting-aws-credentials.html) -- [Creating resources](user-guide/creating-resources.html) -- [Deploying your infrastructure](user-guide/deploying-your-infrastructure.html) -- [Deploying your application](user-guide/deploying-your-application.html) -- [Standard environment diagram](user-guide/environment-diagram.html) -- [Working as a Collaborator](user-guide/working-as-a-collaborator.html) -- [Production Ready Checklist](user-guide/production-ready-checklist.html) - -### How to guides -- [Running Terraform plan locally](user-guide/running-terraform-plan-locally.html) -- [Accessing 
EC2s](user-guide/accessing-ec2s.html) -- [Wider MoJ Connectivity](user-guide/wider-moj-connectivity.html) -- [How to add VPC endpoints](user-guide/adding-vpc-endpoints.html) -- [How to configure DNS for public services](user-guide/how-to-configure-dns.html) -- [How to import a public SSL certificate into AWS Certificate Manager](user-guide/certificate-import.html) -- [How to view core account/shared resources as a Member Developer](user-guide/member-read-only-core-accounts.html) -- [How to use shared KMS keys](user-guide/how-to-use-shared-kms-keys.html) -- [How to integrate CloudWatch Alarms with PagerDuty and Slack](user-guide/integrating-alarms-with-pagerduty-with-slack.html) -- [How to set up automated patching](user-guide/automated-patching.html) -- [How to add an ECR for shared Docker images](user-guide/add-an-ecr-for-docker-images.html) -- [How to setup code scanning locally](user-guide/how-to-setup-code-scanning-locally.html) -- [How to setup secure commit for git hub](/user-guide/how-to-setup-secure-commit.html) - -## Concepts - -### Environments (AWS Accounts) -- [The problem and our solution](concepts/environments/problem-and-solution.html) -- [Environment Architecture](concepts/environments/architecture.html) -- [Security](concepts/environments/security.html) -- [Single Sign On](concepts/environments/single-sign-on.html) -- [Backups](concepts/environments/backups.html) - -### Shared services and tools - -- [Auto-nuke](concepts/environments/auto-nuke.html) -- [Instance Scheduling - automatically stop non-production instances overnight](concepts/environments/instance-scheduling.html) -- [Platform user roles](user-guide/platform-user-roles.html) - -### Networking -- [Networking approach](concepts/networking/networking-approach.html) -- [Networking Architecture Diagram](concepts/networking/networking-diagram.html) -- [Subnet CIDR Allocation](concepts/networking/subnet-allocation.html) -- [Subnet NACLs](concepts/networking/subnet-nacls.html) -- [Bastions and 
Instance Access](concepts/networking/instance-access-and-bastions.html) -- [DNS](concepts/networking/dns.html) -- [Certificate Services](concepts/networking/certificate-services.html) -- [Network Firewall](concepts/networking/network-firewall.html) - -### Software Development Lifecycle -- [Repositories](concepts/sdlc/repositories.html) -- [Core Workflows (CI/CD)](concepts/sdlc/core-workflow.html) -- [User Workflows (CI/CD)](concepts/sdlc/user-workflow.html) -- [Testing Strategy](concepts/sdlc/testing-strategy.html) -- [Sandbox and testing environments](concepts/sdlc/sandbox-testing-environments.html) -- [Patching](concepts/sdlc/patching.html) - -## Modernisation Platform Team information -- [Our alliance](team/alliance.html) -- [Our roadmap](team/roadmap.html) -- [Our team](team/team.html) -- [Our vision](team/vision.html) -- [Operational Processes](team/operational-processes.html) -- [Our ways of working](team/ways-of-working.html) - -## Runbooks -- [Accessing AWS accounts](runbooks/accessing-aws-accounts.html) -- [Accessing the Observability Platform](runbooks/accessing-the-observability-platform.html) -- [Adding a new SSO user role](runbooks/adding-a-new-sso-user-role.html) -- [Adding a new team member to the Modernisation Platform](runbooks/adding-a-new-team-member.html) -- [Adding collaborators](runbooks/adding-collaborators.html) -- [Adding wider connectivity](runbooks/adding-wider-connectivity.html) -- [Backup and Restore of Terraform Statefile & EC2](runbooks/backup-restore-process.html) -- [Changing environment (AWS account) details](runbooks/changing-environment-details.html) -- [CloudWatch networking alarms](runbooks/cloudwatch-networking-alarms.html) -- [Creating Automated Terraform Documentation](user-guide/creating-automated-terraform-documentation.html) -- [Creating new DNS zones](runbooks/creating-new-dns-zones.html) -- [Creating new Private DNS zones](runbooks/creating-new-private-dns-zones.html) -- [Creating VPCs](runbooks/creating-vpcs.html) -- 
[Deleting an environment (AWS account)](runbooks/deleting-an-environment.html) -- [Disaster recovery offering](runbooks/disaster-recovery.html) -- [Disaster recovery steps](runbooks/dr-process.html) -- [DoS Attack](runbooks/dos-attack.html) -- [Duty Rota](runbooks/duty-rota.html) -- [Enabling AWS Shield Advanced](runbooks/enabling-shield-advanced.html) -- [Environments-networks json explained](user-guide/environments-networks-json-explained.html) -- [How to create an AWS account for end users](runbooks/creating-accounts-for-end-users.html) -- [How to rotate secrets](runbooks/rotating-secrets.html) -- [How to update external status page](user-guide/how-to-update-pagerduty-status-page.html) -- [How VPCs access the internet](runbooks/how-vpcs-access-the-internet.html) -- [Joining the team](runbooks/joining-the-team.html) -- [Manage an incident](runbooks/manage-an-incident.html) -- [Main Platform Runbook](runbooks/runbook.html) -- [Migrating an existing AWS account into the Modernisation Platform](runbooks/migrating-an-account-into-the-modernisation-platform.html) -- [Modifying Service Control Policies (SCPs)](runbooks/modifying-scps.html) -- [Querying CloudTrail logs with Athena](runbooks/using-athena.html) -- [Querying VPC flow logs](runbooks/querying-vpc-flow-logs.html) -- [Recreating the core-logging-production account](runbooks/recreate-core-logging-production-account.html) -- [Recreating the core-network-services account](runbooks/recreate-core-network-services-account.html) -- [Recreating the core-shared-services account](runbooks/recreate-core-shared-services-production.html) -- [Recreating the core-vpc-$environments accounts](runbooks/recreate-core-vpc-$environment-accounts.html) -- [Recreating the modernisation-platform account](runbooks/recreate-modernisation-platform-account.html) -- [Removing a team member from the Modernisation Platform](runbooks/removing-a-team-member.html) -- [Reviewing Dependabot PRs](runbooks/reviewing-dependabot-prs.html) -- 
[Reviewing MP Environments PRs](runbooks/reviewing-mp-environments-prs.html) -- [Revoke Network Access](runbooks/revoke-network-access.html) -- [Revoking User Access](runbooks/revoking-user-access.html) -- [Security Monitoring](runbooks/security-monitoring.html) -- [Security Testing and ITHC](user-guide/security-testing-and-ithc.html) -- [Excluding accounts from the Instance Scheduler](runbooks/instance-scheduler-excluding-accounts.html) -- [Sharing of platform operational data with Security Operations](runbooks/integration-with-protective-monitoring.html) -- [Terraform](runbooks/terraform.html) -- [Useful scripts](runbooks/useful-scripts.html) -- [Oracle License Discovery](runbooks/oracle-license-discovery.html) - -## Getting help -- [Ask for help](getting-help) - -## Checking Modernisation platform status -To check the operational status of the Modernisation Platform click on the link below, this page will display the current status of any incidents as well as any planned maintenance windows. - -[External status page](https://status.modernisation-platform.service.justice.gov.uk) From 1f65b3fc4cd7de131565152f01534be71a752530 Mon Sep 17 00:00:00 2001 From: mikereiddigital Date: Thu, 16 Jan 2025 08:52:11 +0000 Subject: [PATCH 04/11] Merged the key elements of the changes with the existing instance-scheduler doc as requested. --- .../instance-scheduling.html.md.erb | 46 ++++++++++ source/index.html.md.erb | 1 - ...e-scheduler-excluding-accounts.html.md.erb | 88 ------------------- 3 files changed, 46 insertions(+), 89 deletions(-) delete mode 100644 source/runbooks/instance-scheduler-excluding-accounts.html.md.erb diff --git a/source/concepts/environments/instance-scheduling.html.md.erb b/source/concepts/environments/instance-scheduling.html.md.erb index ee8af3f5a..02e481325 100644 --- a/source/concepts/environments/instance-scheduling.html.md.erb +++ b/source/concepts/environments/instance-scheduling.html.md.erb 
@@ -40,6 +40,52 @@ Here's a Terraform example of how to add the relevant tag for any EC2 and RDS in Ordering instances and automatically stopping them on public holidays is not supported using this option. +## Setting non-production Member Accounts to the Skipped + +For convenience, it is possible to flag an entire non-production member account to be skipped. This is done via the addition of the field "instance_scheduler_skip": ["true"] to the environment list in the account .json file in modernisation-platform/environments. + +The example below shows this: + +``` +{ + "account-type": "member", + "environments": [ + { + "name": "development", + "access": [ + { + "sso_group_name": "modernisation-platform", + "level": "developer", + "nuke": "rebuild" + }, + --- + ], + "instance_scheduler_skip": ["true"] + } + ], + "tags": { + "application": "modernisation-platform", + --- + }, + "github-oidc-team-repositories": [""], + "go-live-date": "" +} + +``` + +To check whether an account being skipped or not, check the logs of the latest workflow "Build-test-push" in the Instance Scheduler [repository](https://github.com/ministryofjustice/modernisation-platform-instance-scheduler). It will show the log output of any unit tests of the Go source and specifically details of any accounts that were excluded & why. + +For example: + +``` +Account is of type member: nomis +extractNames - Found name: nomis.development +extractNames - Found name: nomis.test +extractNames - Skipping due to instance_scheduler_skip: nomis.preproduction +extractNames - Skipping due to production: nomis.production +``` + + ## Custom Shutdown & Startup Schedules For those teams that require the shutdown & startup of ec2 & rds resources in a specific order or at different times, the option exists to make use of github workflows & cron schedules to stop & start services. diff --git a/source/index.html.md.erb b/source/index.html.md.erb index 57a37635c..e405d1d80 100644 --- a/source/index.html.md.erb 
+++ b/source/index.html.md.erb @@ -145,7 +145,6 @@ This documentation is for anyone interested in the Modernisation Platform and it - [Revoking User Access](runbooks/revoking-user-access.html) - [Security Monitoring](runbooks/security-monitoring.html) - [Security Testing and ITHC](user-guide/security-testing-and-ithc.html) -- [Excluding accounts from the Instance Scheduler](runbooks/instance-scheduler-excluding-accounts.html) - [Sharing of platform operational data with Security Operations](runbooks/integration-with-protective-monitoring.html) - [Terraform](runbooks/terraform.html) - [Useful scripts](runbooks/useful-scripts.html) diff --git a/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb b/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb deleted file mode 100644 index 243a86f04..000000000 --- a/source/runbooks/instance-scheduler-excluding-accounts.html.md.erb +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -owner_slack: "#modernisation-platform" -title: Setting Accounts to be excluded from the Instance Scheduler -last_reviewed_on: 2025-01-15 -review_in: 6 months ---- - - - - - -# <%= current_page.data.title %> - -## Background - -There are some Modernisation Platform accounts that should be excluded from the Instance Scheduler: - -- Non-member accounts which do not have the cross-account role & policies added during deployment. Any attempt by the scheduler to access these accounts would fail with an AccessDenied error and as such they are excluded. - -- Production member accounts. These are out of the scope of the scheduler to avoid loss of service availability. - -- Those non-production member accounts that users have requested are skipped by the scheduler. - -## How Instance Scheduler Determines which accounts are in scope - -Previously, the Instance Scheduler used a variable containing all of the account names that were to be skipped, including non-member accounts. That method has been changed so instead of a "skip list", this information is obtained form the /environments/*.json files in the Modernisation Platform repository. - -The scheduler parses the each of the json files & from that data can identify those accounts that are excluded, namely: - -- If the "account-type" field is not "member" - -- If the environment "name" is "production" - -- The field "instance_scheduler_skip": ["true"] exists in the environment list for the account in question. 
- -## Setting an Account to be skipped by the Scheduler - -Below is an example of an account .json file with the scheduler skip field added: - -``` -{ - "account-type": "member", - "environments": [ - { - "name": "development", - "access": [ - { - "sso_group_name": "modernisation-platform", - "level": "developer", - "nuke": "rebuild" - }, - --- - ], - "instance_scheduler_skip": ["true"] - } - ], - "tags": { - "application": "modernisation-platform", - --- - }, - "github-oidc-team-repositories": [""], - "go-live-date": "" -} - -``` - -## Checking whether an Account was Skipped - -The workflow "Build-test-push" workflow of the Instance Scheduler [repository](https://github.com/ministryofjustice/modernisation-platform-instance-scheduler) will show the log output of any unit tests of the Go source and specifically details of any accounts that were excluded & why. - -For example: - -``` -Account is of type member: nomis -extractNames - Found name: nomis.development -extractNames - Found name: nomis.test -extractNames - Skipping due to instance_scheduler_skip: nomis.preproduction -extractNames - Skipping due to production: nomis.production -``` - -## References: - -- https://github.com/ministryofjustice/modernisation-platform-instance-scheduler \ No newline at end of file From 2dca3f01d863441a44204d4ec512cd1f20761e0e Mon Sep 17 00:00:00 2001 From: ep-93 <109581241+ep-93@users.noreply.github.com> Date: Thu, 16 Jan 2025 09:04:55 +0000 Subject: [PATCH 05/11] Update iam.tf --- terraform/environments/youth-justice-app-framework/iam.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/youth-justice-app-framework/iam.tf b/terraform/environments/youth-justice-app-framework/iam.tf index 8c40699ad..ea95e97a1 100644 --- a/terraform/environments/youth-justice-app-framework/iam.tf +++ b/terraform/environments/youth-justice-app-framework/iam.tf 
@@ -27,6 +27,7 @@ data "aws_iam_policy_document" "circleci_iam_policy" { #checkov:skip=CKV_AWS_111 statement { actions = [ + "codedeploy:CreateDeployment", "ecs:RegisterTaskDefinition", "ecs:UpdateService", "ecs:deregisterTaskDefinition", From 221d06f4827f3c00f299eecb6826fed8efa147b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 09:08:30 +0000 Subject: [PATCH 06/11] Bump github.com/aws/aws-sdk-go-v2 Bumps [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) from 1.32.8 to 1.33.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.32.8...v1.33.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- scripts/internal/get-security-hub-findings/go.mod | 2 +- scripts/internal/get-security-hub-findings/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index d54c66708..b0fc3da5b 100644 --- a/scripts/internal/get-security-hub-findings/go.mod +++ b/scripts/internal/get-security-hub-findings/go.mod @@ -3,7 +3,7 @@ module modernisation-platform/get-security-hub-findings go 1.23 require ( - github.com/aws/aws-sdk-go-v2 v1.32.8 + github.com/aws/aws-sdk-go-v2 v1.33.0 github.com/aws/aws-sdk-go-v2/config v1.28.11 github.com/aws/aws-sdk-go-v2/credentials v1.17.52 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11 diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum index 2ff4099c1..a94179e33 100644 --- a/scripts/internal/get-security-hub-findings/go.sum 
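Review bot: `codedeploy:CreateDeployment` is added to the `circleci_iam_policy` statement without a visible resource constraint — the statement's `resources` block lies outside the hunk, and the statement carries `#checkov:skip=CKV_AWS_111` (checkov's check for write actions without resource constraints), which suggests it is scoped to `"*"`. `CreateDeployment` lets the CircleCI principal push a revision to every deployment group the resource clause covers, so it should be limited to the intended group, e.g. `resources = ["arn:aws:codedeploy:<region>:<account-id>:deploymentgroup:<application>/<deployment-group>"]`, in its own statement if the `ecs:*` actions need a different scope. A one-line comment above the new action saying why CircleCI needs it (and why the checkov skip still applies) would help the next reviewer; the enclosing `statement` block continues outside the hunk, so the current scoping cannot be confirmed from this diff.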
+++ b/scripts/internal/get-security-hub-findings/go.sum @@ -1,5 +1,5 @@ -github.com/aws/aws-sdk-go-v2 v1.32.8 h1:cZV+NUS/eGxKXMtmyhtYPJ7Z4YLoI/V8bkTdRZfYhGo= -github.com/aws/aws-sdk-go-v2 v1.32.8/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= +github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs= +github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= github.com/aws/aws-sdk-go-v2/config v1.28.11 h1:7Ekru0IkRHRnSRWGQLnLN6i0o1Jncd0rHo2T130+tEQ= github.com/aws/aws-sdk-go-v2/config v1.28.11/go.mod h1:x78TpPvBfHH16hi5tE3OCWQ0pzNfyXA349p5/Wp82Yo= github.com/aws/aws-sdk-go-v2/credentials v1.17.52 h1:I4ymSk35LHogx2Re2Wu6LOHNTRaRWkLVoJgWS5Wd40M= From 546875afffa9ea4b34fc6d5ca181cf5b770d0829 Mon Sep 17 00:00:00 2001 From: David Sibley Date: Thu, 16 Jan 2025 10:52:23 +0000 Subject: [PATCH 07/11] update ADR list and add ADR for workspace use --- .../0032-ncsc-pdns-not-at-platform-level.md | 2 +- .../0034-use-cloud-map.md | 2 +- .../0035-terraform-workspaces.md | 20 +++++++++++++++++++ architecture-decision-record/README.md | 6 ++++-- 4 files changed, 26 insertions(+), 4 deletions(-) create mode 100644 architecture-decision-record/0035-terraform-workspaces.md diff --git a/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md b/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md index 9d63841fa..f94123801 100644 --- a/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md +++ b/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md @@ -4,7 +4,7 @@ Date: 2024-07-10 ## Status -🤔 Proposed +✅ Accepted ## Context diff --git a/architecture-decision-record/0034-use-cloud-map.md b/architecture-decision-record/0034-use-cloud-map.md index 282bade36..174a70481 100644 --- a/architecture-decision-record/0034-use-cloud-map.md +++ b/architecture-decision-record/0034-use-cloud-map.md 
@@ -1,4 +1,4 @@ -# 33. Use of AWS Cloud Map +# 34. Use of AWS Cloud Map Date: 2024-12-01 diff --git a/architecture-decision-record/0035-terraform-workspaces.md b/architecture-decision-record/0035-terraform-workspaces.md new file mode 100644 index 000000000..28b1214b9 --- /dev/null +++ b/architecture-decision-record/0035-terraform-workspaces.md @@ -0,0 +1,20 @@ +# 35. Use of Terraform Workspaces + +Date: 2024-12-01 + +## Status + +✅ Accepted + +## Context + +Terraform [workspaces](https://developer.hashicorp.com/terraform/language/state/workspaces) allow us to use code consistently across environments while maintain separation of state files. + +## Decision + +We will continue the use of workspaces for separation. Code which uses the `default` workspace will be documented here as an exception. + +## Exceptions + +* `terraform/modernisation-platform-account` +* `terraform/github` diff --git a/architecture-decision-record/README.md b/architecture-decision-record/README.md index 2c6a6fbeb..dd48b184e 100644 --- a/architecture-decision-record/README.md +++ b/architecture-decision-record/README.md @@ -35,8 +35,10 @@ This is our architecture decision log, made during the design and build of the M 1. ♻ [How we deploy shared Active Directory controllers](0029-how-we-deploy-shared-active-directory-controllers.md) 1. ✅ [Cross environment network access](0030-cross-environment-network-access.md) 1. ✅ [LLMs will be hosted on the Analytical Platform](0031-llms-will-be-hosted-on-the-analytical-platform.md) -1. 🤔 [NCSC PDNS will not be applied at platform level](0032-ncsc-pdns-not-at-platform-level.md) - +1. ✅ [NCSC PDNS will not be applied at platform level](0032-ncsc-pdns-not-at-platform-level.md) +1. ❌ [Increase security of sensitive S3 objects (state bucket)](0033-s3-state-bucket-condition-security.md) +1. ❌ [Use of AWS Cloud Map](0034-use-cloud-map.md) +1. ✅ [Use of Terraform Workspaces](0035-terraform-workspaces.md) ## Statuses 
From 95c8818599953839d5e03134af520d7106f057e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 14:34:04 +0000 Subject: [PATCH 08/11] Bump github.com/aws/aws-sdk-go-v2/service/secretsmanager Bumps [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) from 1.34.11 to 1.34.12. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/textract/v1.34.11...service/textract/v1.34.12) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- scripts/internal/get-security-hub-findings/go.mod | 6 +++--- scripts/internal/get-security-hub-findings/go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index b0fc3da5b..e20da3058 100644 --- a/scripts/internal/get-security-hub-findings/go.mod +++ b/scripts/internal/get-security-hub-findings/go.mod 
@@ -6,15 +6,15 @@ require ( github.com/aws/aws-sdk-go-v2 v1.33.0 github.com/aws/aws-sdk-go-v2/config v1.28.11 github.com/aws/aws-sdk-go-v2/credentials v1.17.52 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 github.com/aws/aws-sdk-go-v2/service/sts v1.33.7 ) require ( github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 // indirect diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum index a94179e33..d8bedf727 100644 --- a/scripts/internal/get-security-hub-findings/go.sum +++ b/scripts/internal/get-security-hub-findings/go.sum 
@@ -6,18 +6,18 @@ github.com/aws/aws-sdk-go-v2/credentials v1.17.52 h1:I4ymSk35LHogx2Re2Wu6LOHNTRa github.com/aws/aws-sdk-go-v2/credentials v1.17.52/go.mod h1:vAkqKbMNUcher8fDXP2Ge2qFXKMkcD74qvk1lJRMemM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 h1:IBAoD/1d8A8/1aA8g4MBVtTRHhXRiNAgwdbo/xRM2DI= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23/go.mod h1:vfENuCM7dofkgKpYzuzf1VT1UKkA/YL3qanfBn7HCaA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 h1:jSJjSBzw8VDIbWv+mmvBSP8ezsztMYJGH+eKqi9AmNs= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27/go.mod h1:/DAhLbFRgwhmvJdOfSm+WwikZrCuUJiA4WgJG0fTNSw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 h1:l+X4K77Dui85pIj5foXDhPlnqcNRG2QUyvca300lXh8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27/go.mod h1:KvZXSFEXm6x84yE8qffKvT3x8J5clWnVFXphpohhzJ8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 h1:igORFSiH3bfq4lxKFkTSYDhJEUCYo6C8VKiWJjYwQuQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28/go.mod h1:3So8EA/aAYm36L7XIvCVwLa0s5N0P7o2b1oqnx/2R4g= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 h1:1mOW9zAUMhTSrMDssEHS/ajx8JcAj/IcftzcmNlmVLI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28/go.mod h1:kGlXVIWDfvt2Ox5zEaNglmq0hXPHgQFNMix33Tw22jA= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 h1:cWno7lefSH6Pp+mSznagKCgfDGeZRin66UvYUqAkyeA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8/go.mod h1:tPD+VjU3ABTBoEJ3nctu5Nyg4P4yjqSH5bJGGkY4+XE= 
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11 h1:mM0wdUneVZdE00Tg4v75rabRdZPzX8BH+zN0HF+Suc4= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11/go.mod h1:2Hp1QzEIaEw6v25llGTlGM+Xx7FRiCIS90Tb+iqVEfo= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 h1:ySWassPBVhrtg96atdKlpUJkxvbYTpi9YnweIjDkGz0= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 h1:TQ0sua3BwzGqHgEao1IwvJ8PAJ+OZPgJ5ByVU7vm314= github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3/go.mod h1:6qzlBXc2heuoYIo9eU7/6klKvZKqhADl7Ceh0gp5jCg= github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg95gpC2AyDq4hFE8= From 0c9150ca4a2d70ff3d40bb89783308163276497d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 14:38:53 +0000 Subject: [PATCH 09/11] Bump github.com/aws/aws-sdk-go-v2/service/securityhub Bumps [github.com/aws/aws-sdk-go-v2/service/securityhub](https://github.com/aws/aws-sdk-go-v2) from 1.55.3 to 1.55.4. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/iot/v1.55.3...service/iot/v1.55.4) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/securityhub dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- scripts/internal/get-security-hub-findings/go.mod | 2 +- scripts/internal/get-security-hub-findings/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index e20da3058..a9a3aca02 100644 --- a/scripts/internal/get-security-hub-findings/go.mod 
+++ b/scripts/internal/get-security-hub-findings/go.mod @@ -7,7 +7,7 @@ require ( github.com/aws/aws-sdk-go-v2/config v1.28.11 github.com/aws/aws-sdk-go-v2/credentials v1.17.52 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 - github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 + github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 github.com/aws/aws-sdk-go-v2/service/sts v1.33.7 ) diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum index d8bedf727..e61d799af 100644 --- a/scripts/internal/get-security-hub-findings/go.sum +++ b/scripts/internal/get-security-hub-findings/go.sum @@ -18,8 +18,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 h1:cWno7lefS github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8/go.mod h1:tPD+VjU3ABTBoEJ3nctu5Nyg4P4yjqSH5bJGGkY4+XE= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 h1:ySWassPBVhrtg96atdKlpUJkxvbYTpi9YnweIjDkGz0= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= -github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 h1:TQ0sua3BwzGqHgEao1IwvJ8PAJ+OZPgJ5ByVU7vm314= -github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3/go.mod h1:6qzlBXc2heuoYIo9eU7/6klKvZKqhADl7Ceh0gp5jCg= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 h1:zFglcUjphRYNX9++btAajm4lkFHUqEEFam6S9Pb73/U= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4/go.mod h1:8IYDBdfP7wR5P1hZ9WacHyV97Fnvrvbz/LvDjSOynKM= github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg95gpC2AyDq4hFE8= github.com/aws/aws-sdk-go-v2/service/sso v1.24.9/go.mod h1:lV8iQpg6OLOfBnqbGMBKYjilBlf633qwHnBEiMSPoHY= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 h1:6dBT1Lz8fK11m22R+AqfRsFn8320K0T5DTGxxOQBSMw= From a440e7f0b648629c5bad533cec868992756a02e3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 14:43:30 +0000 Subject: [PATCH 10/11] Bump github.com/aws/aws-sdk-go-v2/service/sts Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.33.7 to 1.33.8. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/sts/v1.33.7...service/fms/v1.33.8) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/sts dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- scripts/internal/get-security-hub-findings/go.mod | 4 ++-- scripts/internal/get-security-hub-findings/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index a9a3aca02..4590c7f8b 100644 --- a/scripts/internal/get-security-hub-findings/go.mod +++ b/scripts/internal/get-security-hub-findings/go.mod @@ -8,7 +8,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.17.52 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 - github.com/aws/aws-sdk-go-v2/service/sts v1.33.7 + github.com/aws/aws-sdk-go-v2/service/sts v1.33.8 ) require ( 
@@ -17,7 +17,7 @@ require ( github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 // indirect github.com/aws/smithy-go v1.22.1 // indirect diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum index e61d799af..4efa54cb0 100644 --- a/scripts/internal/get-security-hub-findings/go.sum +++ b/scripts/internal/get-security-hub-findings/go.sum 
@@ -14,8 +14,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvK github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 h1:cWno7lefSH6Pp+mSznagKCgfDGeZRin66UvYUqAkyeA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8/go.mod h1:tPD+VjU3ABTBoEJ3nctu5Nyg4P4yjqSH5bJGGkY4+XE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 h1:TQmKDyETFGiXVhZfQ/I0cCFziqqX58pi4tKJGYGFSz0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9/go.mod h1:HVLPK2iHQBUx7HfZeOQSEu3v2ubZaAY2YPbAm5/WUyY= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 h1:ySWassPBVhrtg96atdKlpUJkxvbYTpi9YnweIjDkGz0= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 h1:zFglcUjphRYNX9++btAajm4lkFHUqEEFam6S9Pb73/U= 
@@ -24,7 +24,7 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg github.com/aws/aws-sdk-go-v2/service/sso v1.24.9/go.mod h1:lV8iQpg6OLOfBnqbGMBKYjilBlf633qwHnBEiMSPoHY= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 h1:6dBT1Lz8fK11m22R+AqfRsFn8320K0T5DTGxxOQBSMw= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8/go.mod h1:/kiBvRQXBc6xeJTYzhSdGvJ5vm1tjaDEjH+MSeRJnlY= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.7 h1:qwGa9MA8G7mBq2YphHFaygdPe5t9OA7SvaJdwWTlEds= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.7/go.mod h1:+8h7PZb3yY5ftmVLD7ocEoE98hdc8PoKS0H3wfx1dlc= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.8 h1:pqEJQtlKWvnv3B6VRt60ZmsHy3SotlEBvfUBPB1KVcM= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.8/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw= github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= From b3c11763bc19d164f033d19d011b7f2aaca141d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 14:48:09 +0000 Subject: [PATCH 11/11] Bump github.com/aws/aws-sdk-go-v2/config Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.28.11 to 1.29.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.28.11...v1.29.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .../internal/get-security-hub-findings/go.mod | 10 +++++----- .../internal/get-security-hub-findings/go.sum | 20 +++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index 4590c7f8b..50b80a7a9 100644 --- a/scripts/internal/get-security-hub-findings/go.mod +++ b/scripts/internal/get-security-hub-findings/go.mod @@ -4,21 +4,21 @@ go 1.23 require ( github.com/aws/aws-sdk-go-v2 v1.33.0 - github.com/aws/aws-sdk-go-v2/config v1.28.11 - github.com/aws/aws-sdk-go-v2/credentials v1.17.52 + github.com/aws/aws-sdk-go-v2/config v1.29.0 + github.com/aws/aws-sdk-go-v2/credentials v1.17.53 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 github.com/aws/aws-sdk-go-v2/service/sts v1.33.8 ) require ( - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.10 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9 // indirect github.com/aws/smithy-go v1.22.1 // indirect ) diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum index 4efa54cb0..7916debb5 100644 --- a/scripts/internal/get-security-hub-findings/go.sum +++ b/scripts/internal/get-security-hub-findings/go.sum 
@@ -1,11 +1,11 @@ github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs= github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= -github.com/aws/aws-sdk-go-v2/config v1.28.11 h1:7Ekru0IkRHRnSRWGQLnLN6i0o1Jncd0rHo2T130+tEQ= -github.com/aws/aws-sdk-go-v2/config v1.28.11/go.mod h1:x78TpPvBfHH16hi5tE3OCWQ0pzNfyXA349p5/Wp82Yo= -github.com/aws/aws-sdk-go-v2/credentials v1.17.52 h1:I4ymSk35LHogx2Re2Wu6LOHNTRaRWkLVoJgWS5Wd40M= -github.com/aws/aws-sdk-go-v2/credentials v1.17.52/go.mod h1:vAkqKbMNUcher8fDXP2Ge2qFXKMkcD74qvk1lJRMemM= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 h1:IBAoD/1d8A8/1aA8g4MBVtTRHhXRiNAgwdbo/xRM2DI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23/go.mod h1:vfENuCM7dofkgKpYzuzf1VT1UKkA/YL3qanfBn7HCaA= +github.com/aws/aws-sdk-go-v2/config v1.29.0 h1:Vk/u4jof33or1qAQLdofpjKV7mQQT7DcUpnYx8kdmxY= +github.com/aws/aws-sdk-go-v2/config v1.29.0/go.mod h1:iXAZK3Gxvpq3tA+B9WaDYpZis7M8KFgdrDPMmHrgbJM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.53 h1:lwrVhiEDW5yXsuVKlFVUnR2R50zt2DklhOyeLETqDuE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.53/go.mod h1:CkqM1bIw/xjEpBMhBnvqUXYZbpCFuj6dnCAyDk2AtAY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 h1:5grmdTdMsovn9kPZPI23Hhvp0ZyNm5cRO+IZFIYiAfw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24/go.mod h1:zqi7TVKTswH3Ozq28PkmBmgzG1tona7mo9G2IJg4Cis= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 h1:igORFSiH3bfq4lxKFkTSYDhJEUCYo6C8VKiWJjYwQuQ= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28/go.mod h1:3So8EA/aAYm36L7XIvCVwLa0s5N0P7o2b1oqnx/2R4g= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 h1:1mOW9zAUMhTSrMDssEHS/ajx8JcAj/IcftzcmNlmVLI= 
@@ -20,10 +20,10 @@ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 h1:ySWassPBVhrtg96a github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 h1:zFglcUjphRYNX9++btAajm4lkFHUqEEFam6S9Pb73/U= github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4/go.mod h1:8IYDBdfP7wR5P1hZ9WacHyV97Fnvrvbz/LvDjSOynKM= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg95gpC2AyDq4hFE8= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.9/go.mod h1:lV8iQpg6OLOfBnqbGMBKYjilBlf633qwHnBEiMSPoHY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 h1:6dBT1Lz8fK11m22R+AqfRsFn8320K0T5DTGxxOQBSMw= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8/go.mod h1:/kiBvRQXBc6xeJTYzhSdGvJ5vm1tjaDEjH+MSeRJnlY= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.10 h1:DyZUj3xSw3FR3TXSwDhPhuZkkT14QHBiacdbUVcD0Dg= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.10/go.mod h1:Ro744S4fKiCCuZECXgOi760TiYylUM8ZBf6OGiZzJtY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9 h1:I1TsPEs34vbpOnR81GIcAq4/3Ud+jRHVGwx6qLQUHLs= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9/go.mod h1:Fzsj6lZEb8AkTE5S68OhcbBqeWPsR8RnGuKPr8Todl8= github.com/aws/aws-sdk-go-v2/service/sts v1.33.8 h1:pqEJQtlKWvnv3B6VRt60ZmsHy3SotlEBvfUBPB1KVcM= github.com/aws/aws-sdk-go-v2/service/sts v1.33.8/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw= github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=