How to Manage Sonarqube Service Account
- Access to the BFD AWS account
- IAM permissions to decrypt sensitive SSM parameters
- An installation of the AWS CLI that is configured properly for access to the BFD/CMS AWS account
- An installation of the `terraform` CLI
    - Using a tool like `tfenv` allows for multiple installations of Terraform and automatic version management
- Your `EDITOR` environment variable set to a proper editor
    - You can set this variable in your `.bashrc` (if you're using `bash`) or `.zshrc` (if you're using `zsh`) like so: `export EDITOR=<your editor executable here>`. Other shells may have a different syntax for setting environment variables or a different configuration file
- This repository, `beneficiary-fhir-data`, pulled down locally
- An active connection to the cms.gov VPN
It is recommended that you read the READMEs describing the SSM configuration scheme used by BFD before continuing.
1. In your terminal, navigate to the root of your local copy of the `beneficiary-fhir-data` repository using `cd`.
2. Relative to the root of this repository, `cd` to the directory associated with the `mgmt` Terraform module:

    ```sh
    cd ops/terraform/env/mgmt
    ```

3. Initialize the Terraform state locally:

    ```sh
    terraform init
    ```

4. Once initialized, view the Terraform plan and verify that Terraform is able to load state for all of the resources managed by the `mgmt` module and that no changes are necessary:

    ```sh
    terraform plan
    ```

    If the plan already shows changes before you have edited anything, stop and resolve that drift first; otherwise you will not be able to tell your rotation apart from it in step 15.

5. Navigate into the `base_config` module's directory:

    ```sh
    cd base_config
    ```

6. Ensure you are authenticated with AWS and are able to run AWS CLI commands (for example, `aws sts get-caller-identity` should report the BFD account).
7. View the encrypted YAML `mgmt.eyaml` using the `read-and-decrypt-eyaml.sh` script with the commands below (run `ls scripts/` to confirm the script name in your checkout). This decrypts `mgmt.eyaml` and prints its contents to your terminal. The output contains live credentials, so do this on a trusted machine and clear your terminal scrollback afterwards.

    ```sh
    chmod +x scripts/read-and-decrypt-eyaml.sh
    scripts/read-and-decrypt-eyaml.sh mgmt
    ```

8. You will see keys like the following in the output (the rest of the file is elided here):

    ```yaml
    ...
    /bfd/mgmt/common/sensitive/service_accounts/sonar/service_account_access_id: "some.id"
    /bfd/mgmt/common/sensitive/service_accounts/sonar/service_account_access_password: "some.password"
    /bfd/mgmt/common/sensitive/service_accounts/sonar/service_account_access_key: "some.key"
    ...
    ```

    Each key represents the following:
    - `service_account_access_id` is the SonarQube service account username used to log in
    - `service_account_access_password` is the service account's password, used to log in via the UI or API
    - `service_account_access_key` is the SonarQube access key (a user token) that is rotated every 90 days to manage the service account and resolve any downstream BFD SonarQube users' credential issues

9. Log in to SonarQube by copying the `service_account_access_id` and `service_account_access_password` values from the `read-and-decrypt-eyaml.sh` output and entering them on the Log in page.
10. In the security dashboard for the account, view the existing security keys and generate a new access key with a 90-day expiration, following the on-screen instructions. Copy the newly generated key immediately: SonarQube displays a token value only once, at generation time. Do not revoke the old key yet; it must keep working until the new value has been applied to SSM.
11. Open the encrypted YAML `mgmt.eyaml` for editing using the `edit-eyaml.sh` script with the commands below. This decrypts `mgmt.eyaml` and opens it in your configured `EDITOR`. The script waits until the file is closed by your editor, at which point it re-encrypts `mgmt.eyaml` with your changes and saves it.

    ```sh
    chmod +x scripts/edit-eyaml.sh
    scripts/edit-eyaml.sh mgmt
    ```

12. Following the format shown in step 8, replace the `service_account_access_key` value with the key copied in step 10. Leave `service_account_access_id` and `service_account_access_password` unchanged.
13. Close the file. This immediately updates the encrypted `mgmt.eyaml` with your changes. Confirm with `git status` that only `mgmt.eyaml` is modified and that no decrypted copy was left behind.
14. Return to the `mgmt` module:

    ```sh
    cd ..
    ```

15. Plan the changes to the Terraform state and verify that the only change is an in-place update of the `service_account_access_key` SSM parameter edited in step 12, with nothing added or destroyed:

    ```sh
    terraform plan
    ```

    The parameter value is marked sensitive, so the key itself is redacted in the plan output; the summary line should read `Plan: 0 to add, 1 to change, 0 to destroy.` Any other change means something besides the rotation is in play and should be investigated before continuing.

16. Open a new Pull Request with the changes to all configuration in the associated branch.
17. Once approved, the changes to `mgmt` can be applied:
    1. From the root of the repository, `cd` into the `mgmt` module:

        ```sh
        cd ops/terraform/env/mgmt
        ```

    2. Apply the changes to configuration, ensuring that there are no unexpected changes (the plan Terraform shows before prompting for confirmation should match step 15):

        ```sh
        terraform apply
        ```

18. In the SonarQube security dashboard, revoke the expired/expiring access key. Do this only after the apply has succeeded, so that downstream consumers reading the key from SSM are never left holding a revoked key.
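The plan check in the procedure above is done by eye. The script below is an added example for this page, not code from the `beneficiary-fhir-data` repository: it applies the same rule mechanically to the machine-readable plan that Terraform emits (`terraform plan -out=tfplan` followed by `terraform show -json tfplan`, both real Terraform commands) and rejects anything other than a single in-place update of the rotated `service_account_access_key` parameter. `EXPECTED_ADDRESS` is an assumption about how the `mgmt` module names its `aws_ssm_parameter` resources; confirm the real address with `terraform state list` before relying on it. The sample plans at the bottom are constructed, not captured from a real run.

```python
"""Plan guard for the SonarQube access-key rotation.

Added example; not part of the BFD repository. Usage against a real plan:

    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python3 check_rotation_plan.py plan.json

Exits non-zero unless the only change is an in-place update of the
rotated service_account_access_key SSM parameter.
"""
import json
import sys

# ASSUMED resource address (hypothetical); read the real one from `terraform state list`.
EXPECTED_ADDRESS = (
    'aws_ssm_parameter.this["/bfd/mgmt/common/sensitive/service_accounts/'
    'sonar/service_account_access_key"]'
)

# Actions Terraform reports for resources the plan leaves alone.
_HARMLESS = (["no-op"], ["read"])


def check_rotation_plan(plan, expected_address=EXPECTED_ADDRESS):
    """Return (ok, problems) for a `terraform show -json` plan document.

    ok is True only when exactly one resource changes, it is expected_address,
    and the action is ["update"] (in-place). Anything created, destroyed or
    replaced, or any change to another address, is listed in problems.
    """
    problems = []
    changes = [
        rc for rc in plan.get("resource_changes", [])
        if rc.get("change", {}).get("actions") not in _HARMLESS
    ]
    if not changes:
        problems.append("plan has no changes; was mgmt.eyaml actually edited?")
    for rc in changes:
        addr = rc.get("address", "<unknown>")
        actions = rc.get("change", {}).get("actions", [])
        if addr != expected_address:
            problems.append(f"unexpected change to {addr}: {actions}")
        elif actions != ["update"]:
            # ["delete", "create"] means replacement: the parameter would briefly
            # not exist, which downstream readers of SSM would notice.
            problems.append(f"{addr} must be an in-place update, got {actions}")
    return (not problems), problems


def _change(address, actions):
    """Build one resource_changes entry in Terraform's JSON plan shape."""
    return {"address": address, "change": {"actions": actions}}


# Constructed sample plans (not real Terraform output) for exercising the guard offline.
GOOD_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        _change('aws_ssm_parameter.this["/bfd/mgmt/common/nonsensitive/example"]', ["no-op"]),
        _change(EXPECTED_ADDRESS, ["update"]),
    ],
}

BAD_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        # Replacement instead of update, e.g. the parameter name itself was edited.
        _change(EXPECTED_ADDRESS, ["delete", "create"]),
        # Unrelated drift that should be investigated before apply, not rotated through.
        _change('aws_ssm_parameter.this["/bfd/mgmt/common/nonsensitive/example"]', ["delete"]),
    ],
}


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    with (open(path) if path else sys.stdin) as fh:
        plan = json.load(fh)
    ok, problems = check_rotation_plan(plan)
    for p in problems:
        print(f"REJECT: {p}", file=sys.stderr)
    print("plan OK: single in-place update of the SonarQube access key" if ok else "plan rejected")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The guard deliberately treats a replacement (`delete` then `create`) as a failure even though it ends with the right value in place: between the two actions the parameter does not exist, and a consumer that fetches it in that window fails in a way that looks identical to the credential problem the rotation is meant to fix.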