Skip to content

Access Key Monitoring and Cleanup #3

Access Key Monitoring and Cleanup

Access Key Monitoring and Cleanup #3

name: Access Key Monitoring and Cleanup
on:
schedule:
- cron: '30 7 * * MON' # trigger every Monday at 07:30am
workflow_dispatch:
env:
AWS_REGION: "eu-west-2"
ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }}
TEMPLATE_ID: "59394802-1a11-4e79-9943-3e9ecb5b3913"
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
issues: write # This is required to create issues
jobs:
delete-superadmin-access-keys:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Set Account Number
run: |
ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
echo "::add-mask::$ACCOUNT_NUMBER"
echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- name: Install the client
run: pip install notifications-python-client
- name: Remove Collaborator Access Keys
run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh
env:
threshold: 90
group_name: "collaborators"
- name: Remove Superadmin Access Keys
run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh
env:
threshold: 30
group_name: "superadmins"
- name: Send Notification
run: |
if [ -s superadmins.list ]; then
python ./scripts/iam-monitoring/access-key-monitoring/notify_access_key_deletion.py superadmins.list
else
echo "No superadmin access keys found inactive for 30 days or more."
fi