Open ben851 opened 1 year ago
Good idea. We already have an AWS account called GitHubS3Backups which can be accessed through global GitHub secrets. Consider leveraging that or setting up an OIDC provider. Here is an example of it backing up our code.
https://github.com/cds-snc/notification-api/blob/main/.github/workflows/s3-backup.yml#L17-L22
Description
As a developer/operator of GC Notify, I would like to be able to review GitHub Actions logs that are more than 3 days old. Currently there is an org-wide policy for CDS in GitHub that limits the retention period of GitHub Actions logs to 3 days. This is due to security concerns around potential credential leaks. GitHub offers the possibility of sending logs to an AWS S3 bucket, which could/would be protected and thus safer to retain logs for longer.
WHY are we building?
This will allow the dev and core teams to review changes to our environments when troubleshooting issues. An example of when this would have been useful would be to review the logs of manually run production deployment pipelines to review what exactly was done. Since there is no PR for these runs, there is no documentation on the GitHub side to see exactly what was run and what changes were made.
WHAT are we building?
Enable sending GitHub Actions logs to an AWS S3 bucket
VALUE created by our solution
This will provide better visibility into the operations of our various environments. It will provide a more cohesive audit trail to audit changes in these environments.
Acceptance Criteria
QA Steps