Closed indytechcook closed 2 years ago
The Drupal username appears to be mostly in the devops repo under: https://github.com/department-of-veterans-affairs/devops/search?q=DRUPAL_USERNAME with the pw being in credstash under: 'vets_website.dev.drupal-password'
Priority for this issue is based on severity and impact assessment - currently this is considered low severity and low priority. @indytechcook to follow up on severity/impact assessment.
Criteria used to determine priority:
The menu administration access will be addressed: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7137
Searching the VA GitHub organization provides a bit more comprehensive list of where DRUPAL_USERNAME is used: https://github.com/search?q=org%3Adepartment-of-veterans-affairs+DRUPAL_USERNAME&type=code
Repos where it's found:
content_build_api
forms_api
facility_api
chatbot_api
virtual_agent_api
datadog_api
AWS Parameter Store:
/cms/prod/drupal_api_users/content_build_api/username
/cms/prod/drupal_api_users/content_build_api/password
/cms/prod/drupal_api_users/forms_api/username
/cms/prod/drupal_api_users/forms_api/password
/cms/prod/drupal_api_users/facility_api/username
/cms/prod/drupal_api_users/facility_api/password
/cms/prod/drupal_api_users/chatbot_api/username
/cms/prod/drupal_api_users/chatbot_api/password
/cms/prod/drupal_api_users/virtual_agent_api/username
/cms/prod/drupal_api_users/virtual_agent_api/password
/cms/prod/drupal_api_users/datadog_api/username
/cms/prod/drupal_api_users/datadog_api/password
https://dsva.slack.com/archives/C02HX4AQZ33/p1641492660015600
PoCs Contacted
https://dsva.slack.com/archives/CDHBKAL9W/p1641926324025200
Documentation Draft: https://docs.google.com/document/d/1Bp7Bf3DtWARsd8Qc_56adtsmWE-eW2l6bFKH0wsaDHE/edit#
https://prod.cms.va.gov/help/content-api-cms-account-administration-policy
https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7559
Update Datadog: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7561
Disable api user: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7562
https://github.com/department-of-veterans-affairs/va.gov-cms/blob/main/READMES/drupal_api_users.md
This document lists known services which depend on the CMS and the Drupal users required to consume content via Drupal's API. For a list of all of VA.gov-CMS's downstream dependencies, look here.
Team | POC | Username | Usage |
---|---|---|---|
Release Tools | #vsp-tools-fe | content_build_api | Building content for VA.gov requires querying Drupal for that content in an authenticated way. |
Forms API | #va-forms | forms_api | Forms migration daily tasks must be authenticated |
Facilities | #vsa-facilities | facility_api | ? |
Virtual Agent | #va-virtual-agent-public | virtual_agent_api | ? |
CMS | #cms-platform | datadog_api | Datadog Synthetic metrics monitor GraphQL endpoint and require HTTP basic authentication |
@olivereri Here's the link to the draft policy on the KB where we keep the other policies. Please let me know if you need anything else.
@mchelen-gov Putting this in PO review. The main thing to review is the policy document created by the CMS Helpdesk team. https://prod.cms.va.gov/help/content-api-cms-account-administration-policy
Looks good, I see the followup ticket to deprecate the legacy credentials is here: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7562
Followup ticket for creating documentation on the password rotation process: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/7603
Description
The user name and password used to access the GraphQL API need to be rotated.
Ideally, a new user and pw can be created for each of the downstream systems:
Acceptance Criteria
api
current user