Description

As a developer/operator of GC Notify, I would like to be able to review github actions logs that are more than 3 days old. Currently there is an org wide policy for CDS in Github that limits the retention period of Github actions logs to 3 days. This is due to security concerns around potential credential leaks. Github offers the possibility of sending logs to an AWS S3 bucket, which could/would be protected and thus safer to retain logs for longer.

WHY are we building?

This will allow the dev and core teams to review changes to our environments when troubleshooting issues. An example of when this would have been useful would be to review the logs of manually run production deployment pipelines to review what exactly was done. Since there is no PR for these runs, there is no documentation on the Github side to see exactly what was run and what changes were made.

WHAT are we building?

Enable sending github actions logs to an AWS s3 bucket

[ ] Look at leveraging the GitHubS3Backups AWS account owned by SRE team
[ ] If not doing the above, look into using OIDC authentication to push logs to Notify account
[ ] Investigate the ability to have these appear in our cloudwatch logs in addition to S3

VALUE created by our solution

This will provide better visibility into the operations of our various environments. It will provide a more cohesive audit trail to audit changes in these environments.

Acceptance Criteria

[ ] GitHub actions logs are sent to a centralized AWS S3 bucket for all GC Notify repositories
[ ] The s3 bucket is available only to CDS personnel

QA Steps

[ ] Tested that logs are successfully sent to the S3 bucket
[ ] Tested that the s3 bucket is not publicly available

cds-snc / notification-planning-core