request delete of old MVI/MPI PS objects

[joeniquette]

The following should be removed from PS related to the most recent MPI Cert changes. We were able to do this because we consolidated the references to the certs to fewer values. We also reduced our lower environment certs to a single cert (down from 4). Finally we removed the PS value pointers to cert paths that can just be hardcoded paths inside the config files. We did not change anything for production yet but we will in the next ticket.

• [ ] 1. /devops/certificates/mvi_int_cert_dev.pem
• [ ] 2. /devops/certificates/mvi_int_dev.key
• [ ] 3. /devops/certificates/mvi_qa_cert_dev.pem
• [ ] 4. /devops/certificates/mvi_qa_dev.key
• [ ] 5. /dsva-vagov/fwdproxy/int/mvi_key
• [ ] 6. /dsva-vagov/fwdproxy/pint/mvi_key
• [ ] 7. /dsva-vagov/fwdproxy/preprod/mvi_key
• [ ] 8. /dsva-vagov/fwdproxy/qa/mvi_key
• [x] 9. /dsva-vagov/vets-api/common/mvi/client_cert_path
• [x] 10. /dsva-vagov/vets-api/common/mvi/client_key_path
• [x] 11. /dsva-vagov/vets-api/common/mvi/hca_client_key_path
• [x] 12. /dsva-vagov/vets-api/common/mvi_hca/client_cert_path
• [x] 13. /dsva-vagov/vets-api/dev/mvi/client_cert_path
• [x] 14. /dsva-vagov/vets-api/dev/mvi_hca/url
• [x] 15. /dsva-vagov/vets-api/dev/vetsgov-mvi-int-cert.pem
• [x] 16. /dsva-vagov/vets-api/dev/vetsgov-mvi-qa-cert.pem
• [x] 17. /dsva-vagov/vets-api/prod/mvi_hca/url
• [x] 18. /dsva-vagov/vets-api/sandbox/mvi/client_key_path
• [x] 19. /dsva-vagov/vets-api/sandbox/mvi/hca_client_key_path
• [ ] 20. /dsva-vagov/vets-api/sandbox/mvi/url (this should not be deleted, as validated by the devops crew)
• [x] 21. /dsva-vagov/vets-api/sandbox/mvi_hca/client_cert_path
• [x] 22. /dsva-vagov/vets-api/sandbox/mvi_hca/url
• [x] 23. /dsva-vagov/vets-api/staging/mvi_hca/url
• [x] 24. /dsva-vagov/vets-api/staging/vetsgov-mvi-int-cert.pem
• [x] 25. /dsva-vagov/vets-api/staging/vetsgov-mvi-preprod-cert.pem
• [x] 26. /dsva-vagov/vets-api/staging/vetsgov-mvi-preprod.key
• [x] 27. /dsva-vagov/vets-api/staging/vetsgov-mvi-qa-cert.pem

Already Removed (Identity team has permission in AWS):

1. /dsva-vagov/identity-team/fwdproxy/int/mvi_key
2. /dsva-vagov/identity-team/fwdproxy/preprod/mvi_key
3. /dsva-vagov/identity-team/fwdproxy/qa/mvi_key
4. /dsva-vagov/identity-team/lowers/mvi_qa_cert_dev.pem
5. /dsva-vagov/identity-team/lowers/vetsgov-mvi-int-cert.pem
6. /dsva-vagov/identity-team/lowers/vetsgov-mvi-preprod-cert.pem

[joeniquette]

I also retired the int, preprod, and pint certs in venafi for this connection.

[ph-One]

@barbarello may be interested in this work

[barbarello]

looking into this

[barbarello]

Manually deleted 6 (managed) via terraform and 21 (unmansged) via aws console.

[barbarello]

turns out #20 (/dsva-vagov/vets-api/sandbox/mvi/url) should not haven listed in the first place as it is being used in https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/

[rmtolmach]

@joeniquette @barbarello /dsva-vagov/vets-api/sandbox/mvi/url was deleted from AWS, but it wasn't deleted from the manifest repo (maybe it was supposed to be done in this PR? https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/pull/2368). We discovered this when vets-api sandbox wouldn't deploy yesterday 😟. @LindseySaari added it back to AWS so we could deploy. If it does need to be deleted, can you remove it from the manifest repo and then after the 3pm ET deploy, ping me or a Platform devops eng to delete it from AWS.

[rmtolmach]

jinx @barbarello 😆

[barbarello]

@rmtolmach it wouldn't make sense to delete it from parameter store if pods are using it.

[rmtolmach]

@barbarello the value would need to be deleted from here first and then deleted from Param store, if that's what Joe wants. Or we just leave it in both places. The scenario yesterday was that it was only removed from PS but it was still in the manifest.

[barbarello]

@rmtolmach agreed on the cleanup process. What i'm trying to communicate here is that if there remains an operational need for a key, which is from a pod's perspective, it should not be deleted from paramter store.
So , just saying keys are no longer needed is not enough.

[rmtolmach]

@barbarello got it. Looks like it is used https://github.com/department-of-veterans-affairs/vets-api/blob/master/lib/mpi/configuration.rb#L25

https://github.com/search?q=repo%3Adepartment-of-veterans-affairs%2Fvets-api%20MPI%3A%3AService.new&type=code

[barbarello]

unchecked items 1. through 8. as they are used in https://github.com/department-of-veterans-affairs/devops

[joeniquette]

@barbarello The sandbox mvi url was likely a miss-paste sorry about that. Good to know its actually being used, even if deleting it was the validation something used it.

As for 1-8, those values have not been updated with the new cert values, and all the systems are working even though the old certs have now expired. We also consolidated all the certs in lowers to one, its the qa one. So anything that points to an "int", "pint", or "preprod" no longer has a valid cert. As for the others, the only places I could find that uses them are in the staging worker and server api configs. Which the file says its archived and to not make updates. The PS values in this list:

1. /devops/certificates/mvi_int_cert_dev.pem
   2. /devops/certificates/mvi_int_dev.key
   3. /devops/certificates/mvi_qa_cert_dev.pem
   4. /devops/certificates/mvi_qa_dev.key
   5. /dsva-vagov/fwdproxy/int/mvi_key
   6. /dsva-vagov/fwdproxy/pint/mvi_key
   7. /dsva-vagov/fwdproxy/preprod/mvi_key
   8. /dsva-vagov/fwdproxy/qa/mvi_key

did not get updates to new cert values which I think validates they aren't needed since we have working systems. I am in favor of validating this theory, but if proved true, I do not want values in PS which contain the term "mvi" that are orphaned. They make cert changes problematic because then we have folks trying to figure out why they weren't updated, what should they do, etc.

[joeniquette]

@rmtolmach it looks like @barbarello isnt on the project team anymore. Is this something someone else can finish?

[rmtolmach]

👋 Passing along to the DevOps CoP lead @pjhill

[jwoodman5]

@pjhill to add to DevOps CoP meeting agenda 2/15.

[pjhill]

@stoiven -- will address this as he has time during the current support rotation and hand off any remaining items when the next devops support person comes on

[pjhill]

Per Joel -- beware possibility of accidentally removing items that are actually still in use.

• of note, we need to be sure that these keys are removed from all terraform code as well, or they may be re-created

We need additional clarity around how to coordinate this effort before we can work this more.

[joeniquette]

@pjhill any updates on this ticket?

[pjhill]

No updates in a while -- I'll need to dig up an appropriate summary of recent activity.

[joeniquette]

@pjhill just doing my monthly check-in on this ticket, any updates?

[pjhill]

Parameter store and certificate contained within it are being cleaned up as a low priority item as members of DevOps COP scattered across various Platform teams come into contact with aspects of it. I will bring up this list in the DevOps COP meeting this Thursday -- 6/27.