FIREBREAK: Automate the Operations Engineering Leavers Process

[PepperMoJ]

User Need

As a Operations Engineer I want to automate the leavers process so that there is minimal input from the team in order to remove a user from the appropriate systems

Value We can save the team time when is comes to processing leavers.

Functional Requirements:

1. A system has been set up with the ability to remove a user from a service by email address.
2. We have multiple services that a user is able to be removed from.

Non-Functional Requirements:

1. A UI has been built around the functionality

Acceptance Criteria:

1. We have a method of removing a user from a selection of the services we manage.

Notes:

[vijaykannan21]

Do we need to remove the leavers from both accounts?

1. ministry of justice 2.moj-analytical-services

[vijaykannan21]

List of services from which we need to remove users. 1.Github 2.Sentry 3.circle CI 4.Docker

5. Auth O Tenant
6. 1 password
7. Pager Duty
8. Aws
9. Gandi If there are any services that I should add to the list, do let me know.

[vijaykannan21]

I just added the draft PR, for which i prepared code: https://github.com/ministryofjustice/operations-engineering/pull/4435

[vijaykannan21]

1. PagerDuty API-- https://developer.pagerduty.com/api-reference/e65c5833eeb07-pager-duty-api
2. Sentry API-- https://stackoverflow.com/questions/73666362/need-help-to-understand-the-documentation-of-sentry-api https://docs.sentry.io/api/auth/
3. Gandi API -- https://api.gandi.net/docs/reference/. https://api.gandi.net/docs/domains/

[vijaykannan21]

https://runbooks.operations-engineering.service.justice.gov.uk/documentation/internal/team/leavers.html#leavers-guide Modified the leaver process as per the Operations Engineering Runbook https://github.com/ministryofjustice/operations-engineering/commit/d54689f20011fe2d2efb24986489ef8e2516f2f4

[vijaykannan21]

Note: Note: Removal from 1Password will remove access to shared team credentials for most services not sure from which services will remove the access need to check on that.

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/pull/4435/commits/6a4d640cce12b9e839164faa88ea7ce18d292173

[vijaykannan21]

While checking using Github SSO, we can sign into the five applications.

1. Docker
2. AuthO
3. Amazon Web Services 4.Sentry.io
4. Page Duty So if we revoke Github access, it will also revoke access to these applications.

We are not using Github SSO for the remaining four applications:

1. Gandi.net
2. Os Data Hub
3. 1 password.

https://github.com/ministryofjustice/operations-engineering/commit/d095b8eedfcacbb2123bdf3af7435b563a28e0dc

https://github.com/ministryofjustice/operations-engineering/commit/4c1d573ef2e6fc902673aa314499c08e9d81f051

[vijaykannan21]

1.https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTUx-authentication 2.https://api.gandi.net/docs/authentication/

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/pull/4435/commits/558b9135cabfc1768d8487194aa82e35493a331a

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/pull/4435/files

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/pull/4435/files#diff-278d46a527ec63d9141ceb89156ed9cb4c3c09a47f7ba7202e091f33e270cdcf

[vijaykannan21]

• [ ] While checking using Github SSO, we can sign in into the five applications using Github SSO

Docker AuthO Amazon Web Services Sentry.io Page Duty So if we revoke Github access, it will also revoke access to these applications. https://docs.google.com/document/d/1xqeYGt39yKMWCd6CLjyxodj_8GpdPkyQnS_3kjeN018/edit

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/pull/4435/files

[vijaykannan21]

https://github.com/ministryofjustice/operations-engineering/commit/448fa1781f04a8d946ee4f3c8aa4426e910d4d0d

[vijaykannan21]

It appears that further API and security details are required to complete the Automate Leaver procedure, which we intend to test one at a time before deciding how to proceed.