Rotate api user password

[indytechcook]

Description

The user name and password used to access the GraphQL API needs to be rotated.

Ideally, a new user and pw can be created for each of the downstream systems:

• Content Build
• Forms API
• Facility API / Lighthouse
• Chat App
• Datadog / SSM

Acceptance Criteria

• [x] New users created for each of the downstream systems.
• [x] Create followup issue to disable api current user
• [x] New user communicated with other teams
• [x] Documentation exists with user information
• [x] Create and Document the new api user request process.

[indytechcook]

The Drupal username appears to be mostly in the devops repo under: https://github.com/department-of-veterans-affairs/devops/search?q=DRUPAL_USERNAME with the pw being in credstash under: 'vets_website.dev.drupal-password

[ndouglas]

Username and password are also in SSM Parameter Store. These are the values that are used by Datadog for some synthetics tests. They should be used elsewhere as well.

[jkalexander7]

Priority for this issue is based on severity and impact assessment - currently this is considered low severity and low priority. @indytechcook to follow up on severity/impact assessment.

[indytechcook]

Criteria used to determine priority;

• Current access to the Drupal API requires SOCKS / VPN
• Current database is publicly accessible.
• Access allowed by user:
  • Read-Only Access to data
  • Manu Administration access: This allows for updating and deleting all menus and menu links in Drupal

The menu administration access will be addressed: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7137

[olivereri]

Searching the VA Github organization provides a bit more comprehensive list of where DRUPAL_USERNAME is used: https://github.com/search?q=org%3Adepartment-of-veterans-affairs+DRUPAL_USERNAME&type=code

Repos where it's found:

• department-of-veterans-affairs/devops
• department-of-veterans-affairs/vagov-content
• department-of-veterans-affairs/content-build
• department-of-veterans-affairs/vets-api

Other team:

• Content Build
• Forms API
• Facility API / Lighthouse
• Chat App

What we can control:

• Datadog
  • [CMS] Test /api/govdelivery_bulletins/queue?EndTime=1
  • [CMS] Test /graphql
  • SSM
  • Username
  • password

Proposed new usernames:

content_build_api forms_api facility_api chatbot_api virtual_agent_api datadog_api

Credential Storage

AWS Parameter store: /cms/prod/drupal_api_users/content_build_api/username /cms/prod/drupal_api_users/content_build_api/password

/cms/prod/drupal_api_users/forms_api/username /cms/prod/drupal_api_users/forms_api/password

/cms/prod/drupal_api_users/facility_api/username /cms/prod/drupal_api_users/facility_api/password

/cms/prod/drupal_api_users/chatbot_api/username /cms/prod/drupal_api_users/chatbot_api/password

/cms/prod/drupal_api_users/virtual_agent_api/username /cms/prod/drupal_api_users/virtual_agent_api/password

/cms/prod/drupal_api_users/datadog_api/username /cms/prod/drupal_api_users/datadog_api/password

POC Slack Thread

https://dsva.slack.com/archives/C02HX4AQZ33/p1641492660015600

PoCs Contacted

• [x] Content Build (Release Tools)
• [x] Virtual Agent (chatbot)
• [x] Forms API
• [x] Facilities API

New API User Request Documentation

https://dsva.slack.com/archives/CDHBKAL9W/p1641926324025200 Documentation Draft: https://docs.google.com/document/d/1Bp7Bf3DtWARsd8Qc_56adtsmWE-eW2l6bFKH0wsaDHE/edit# https://prod.cms.va.gov/help/content-api-cms-account-administration-policy

API User Password Rotation Process Documentation

https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7559

Follow-on Issues:

Update Datadog: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7561 Disable api user: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7562

[olivereri]

WIP Documentation exists with user information

https://github.com/department-of-veterans-affairs/va.gov-cms/blob/main/READMES/drupal_api_users.md

Content API Consumers

Background

This document lists known services which depend on the CMS and the Drupal users required to consume content via Drupal's API. For a list of all of VA.gov-CMS's down stream dependencies look here.

Users

Team	POC	Username	Usage
Release Tools	#vsp-tools-fe	content_build_api	Building content for VA.gov requires querying Drupal for that content in an authenticated way.
Forms API	#va-forms	forms_api	Forms migration daily tasks must be authenticated
Facilities	#vsa-facilities	facility_api	?
Virtual Agent	#va-virtual-agent-public	virtual_agent_api	?
CMS	#cms-platform	datadog_api	Datadog Synthetic metrics monitor GraphQL endpoint and require HTTP basic authentication

[xiongjaneg]

@olivereri Here's the link to the draft policy on the KB where we keep the other policies. Please let me know if you need anything else.

[olivereri]

@mchelen-gov Putting this in PO review. The main thing to review is the policy document created by the CMS Helpdesk team. https://prod.cms.va.gov/help/content-api-cms-account-administration-policy

[mchelen-gov]

Looks good, I see the followup ticket to deprecate the legacy credentials is here: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7562

[jkalexander7]

Followup ticket for creating documentation on the password rotation process: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7603