Merge pull request #7918 from ministryofjustice/feature/access-key-mo…

…nitoring Enhance access key cleanup for superadmins and collaborators
ministryofjustice · Sep 13, 2024 · 5a8107f · 5a8107f
2 parents 947ce05 + ddffc50
commit 5a8107f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/...lows/superadmin-access-key-monitoring.yml → .github/workflows/access-keys-monitoring.yml b/...lows/superadmin-access-key-monitoring.yml → .github/workflows/access-keys-monitoring.yml
@@ -1,8 +1,8 @@
-name: Superadmin Access Key Deletion
+name: Access Key Monitoring and Cleanup
 
 on:
   schedule:
-    - cron: '30 7 1-15/14 * *'  # trigger every 15 days at 07:30am
+    - cron: '30 7 * * MON'  # trigger every Monday at 07:30am
   workflow_dispatch:
 
 env:
@@ -43,15 +43,22 @@ jobs:
       - name: Install the client
         run: pip install notifications-python-client
 
+      - name: Remove Collaborator Access Keys
+        run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh
+        env:
+          threshold: 90
+          group_name: "collaborators"
+
       - name: Remove Superadmin Access Keys
-        run: bash ./scripts/iam-monitoring/superadmin-access-key-monitoring/delete_superadmin_access_keys.sh
+        run: bash ./scripts/iam-monitoring/access-key-monitoring/delete_access_keys.sh
         env:
           threshold: 30
+          group_name: "superadmins"
 
       - name: Send Notification
         run: |
-          if [ -f unique_inactive_users.list ]; then
-            python ./scripts/iam-monitoring/superadmin-access-key-monitoring/notify_access_key_deletion.py unique_inactive_users.list
+          if [ -s superadmins.list ]; then
+            python ./scripts/iam-monitoring/access-key-monitoring/notify_access_key_deletion.py superadmins.list
           else
             echo "No superadmin access keys found inactive for 30 days or more."
           fi
diff --git a/...nitoring/delete_superadmin_access_keys.sh → ...cess-key-monitoring/delete_access_keys.sh b/...nitoring/delete_superadmin_access_keys.sh → ...cess-key-monitoring/delete_access_keys.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
-# Get IAM users in the "superadmins" group along with their last console login activity
-superadmin_users=$(aws iam get-group --group-name superadmins --query 'Users[*].[UserName,PasswordLastUsed]' --output text)
+# Get IAM users in the $group_name group along with their last console login activity
+users=$(aws iam get-group --group-name $group_name --query 'Users[*].[UserName,PasswordLastUsed]' --output text)
 if [ $? -ne 0 ]; then
-  echo "Error: Failed to retrieve IAM users from the 'superadmins' group. Please check AWS CLI configuration and permissions." >&2
+  echo "Error: Failed to retrieve IAM users from the ${group_name} group. Please check AWS CLI configuration and permissions." >&2
   exit 1
 fi
 
@@ -25,10 +25,14 @@ while read -r username lastactivity; do
         fi
        done
     fi
-done <<< "$superadmin_users"
+done <<< "$users"
 
 # Remove duplicates from the list of inactive users and strip any suffixes
 unique_inactive_users=$(echo "$inactive_users" | tr ' ' '\n' | sed 's/-superadmin$//' | sort -u)
-
-# Save the list of unique inactive users to a file
-echo $unique_inactive_users | xargs -n 1 > unique_inactive_users.list
+if [ -n "$unique_inactive_users" ]; then
+  # Save the list of unique inactive users to a file
+  echo $unique_inactive_users | xargs -n 1 > "${group_name}.list"
+else
+  echo "No inactive users found."
+  > "${group_name}.list"  # Ensure the file is empty, but not deleted
+fi
diff --git a/...-monitoring/notify_access_key_deletion.py → ...-monitoring/notify_access_key_deletion.py b/...-monitoring/notify_access_key_deletion.py → ...-monitoring/notify_access_key_deletion.py