From 772e3c701157bff84cbd4e34db475a37017173fb Mon Sep 17 00:00:00 2001
From: Michaela Iorga
Date: Mon, 6 May 2024 16:26:15 -0400
Subject: [PATCH 1/7] Adding account templates to main
---
...account_management_authorization_form.yaml | 92 +++++++++++++++
.../account_management_request_form.yaml | 109 ++++++++++++++++++
2 files changed, 201 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
create mode 100644 .github/ISSUE_TEMPLATE/account_management_request_form.yaml
diff --git a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
new file mode 100644
index 0000000..7d9d29c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
@@ -0,0 +1,92 @@
+name: Account Management Authorization Form
+description: Submit an account related authorization
+labels: ['icam']
+body:
+ - type: dropdown
+ id: account-authorized
+ attributes:
+ label: Account authorization
+ description: Select the action from the drop-down
+ options:
+ - Approved
+ - Not approved
+ multiple: false
+ validations:
+ required: true
+ - type: input
+ id: account-holder-full-name
+ attributes:
+ label: Account holder full name
+ placeholder: Type here account holder full name as it appears in his/her ID.
+ validations:
+ required: true
+ - type: dropdown
+ id: account-type
+ attributes:
+ label: What role/attribute is requested for the account holder
+ description: Select the action from the drop-down
+ options:
+ - System Owner
+ - License Owner
+ - Authorizing Official
+ - System Sec Assessor
+ - System Administrator
+ - Technical Point of Contact
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-privilege
+ attributes:
+ label: What account privilege is requested
+ description: Select the action from the drop-down
+ options:
+ - non-privileged (user:read/write)
+ - privileged (root:read/write/execute)
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-created
+ attributes:
+ label: Account creation
+ description: Select the action from the drop-down
+ options:
+ - Created
+ - Modified
+ - Disabled
+ - Enabled
+ - Deleted
+ - Not done
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-created-by
+ attributes:
+ label: Account creation by
+ description: Select the action from the drop-down
+ options:
+ - System Administrator
+ - Accounts Manager
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-approved-by
+ attributes:
+ label: Account approved by
+ description: Select the action from the drop-down
+ options:
+ - Program Manager (for privileged accounts)
+ - System Owner (for non-privileged accounts)
+ multiple: false
+ validations:
+ required: true
+ - type: textarea
+ id: comments
+ attributes:
+ label: Comments
+ placeholder: (optional) Type in here any additional information related to this authorization.
+ validations:
+ required: false
diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
new file mode 100644
index 0000000..ec0f6d9
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
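Review bot: The authorization form has no field that identifies which approved Account Request issue it authorizes, so an `ACCOUNT_AUTHORIZED_RECORD` issue cannot be tied back to the request and its approval except through the free-text `Comments` field, and `Account holder full name` is not a stable key for that. A required `input` for the request issue number, placed before `account-holder-full-name`, would make the record auditable. Separately, the `placeholder:` wording "as it appears in his/her ID" invites identity-document data into an issue body; if this repository is public, consider asking only for what the authorization record needs.
```yaml
body:
  - type: input
    id: request-issue
    attributes:
      label: Account request issue number
      description: Number of the approved Account Request Form issue this authorization implements.
    validations:
      required: true
  # … unchanged: account-holder-full-name and the remaining fields …
```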
@@ -0,0 +1,109 @@
+name: Account Request Form
+description: Submit an account related request
+labels: ['icam']
+body:
+ - type: input
+ id: first-name
+ attributes:
+ label: Account Holder First Name
+ placeholder: Type here user's first name as it appears in his/her ID.
+ validations:
+ required: true
+ - type: input
+ id: last-name
+ attributes:
+ label: Account Holder Last Name
+ placeholder: Type here user's last name as it appears in his/her ID.
+ validations:
+ required: true
+ - type: input
+ id: requester-name
+ attributes:
+ label: Requester's Full Name
+ placeholder: Type here requester's full name.
+ validations:
+ required: true
+ - type: dropdown
+ id: account-requested-by
+ attributes:
+ label: Requester's currently role
+ description: Select from the drop-down the current role of the requester
+ options:
+ - Accounts Manager
+ - System Owner
+ - License Owner
+ - Authorizing Official
+ - System Sec Assessor
+ - System Administrator
+ - Technical Point of Contact
+ - No current role
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-type
+ attributes:
+ label: What role/attribute is requested for the account holder
+ description: Select the action from the drop-down
+ options:
+ - System Owner
+ - License Owner
+ - Authorizing Official
+ - System Sec Assessor
+ - System Administrator
+ - Technical Point of Contact
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-managers
+ attributes:
+ label: Account approvers
+ description: Select the action from the drop-down
+ options:
+ - Program Manager (for privileged accounts)
+ - System Owner (for non-privileged accounts)
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-privilege
+ attributes:
+ label: What account privilege is requested
+ description: Select the action from the drop-down
+ options:
+ - non-privileged (user:read/write)
+ - privileged (root:read/write/execute)
+ multiple: false
+ validations:
+ required: true
+ - type: dropdown
+ id: account-modification
+ attributes:
+ label: What account modification is requested
+ description: Select the action from the drop-down
+ options:
+ - Create
+ - Modify
+ - Disable
+ - Enable
+ - Delete
+ multiple: true
+ validations:
+ required: true
+ - type: checkboxes
+ id: attestation
+ attributes:
+ label: attestation
+ description: Ensure all previously submitted forms are reviewed and no similar request has been submitted earlier
+ options:
+ - label: I attest that there is no other active form for a similar request
+ required: true
+ - type: textarea
+ id: comments
+ attributes:
+ label: Comments
+ placeholder: (optional) Type in here any additional information related to this request
+ validations:
+ required: false
+
From 4327652076aadd8d09941adf031eb665b48d5f49 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Thu, 9 May 2024 17:03:52 -0400
Subject: [PATCH 2/7] Work in progress account management workflows
---
...account_management_authorization_form.yaml | 2 +-
.../account_management_request_form.yaml | 2 +-
.../workflows/account_request_authorize.yaml | 29 +++++++++++++
.github/workflows/account_request_close.yaml | 42 +++++++++++++++++++
.github/workflows/account_request_open.yaml | 27 ++++++++++++
5 files changed, 100 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/account_request_authorize.yaml
create mode 100644 .github/workflows/account_request_close.yaml
create mode 100644 .github/workflows/account_request_open.yaml
diff --git a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
index 7d9d29c..8394e29 100644
--- a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
+++ b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
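Review bot: The identity fields `first-name`, `last-name` and `requester-name` are free text that nothing verifies, and the `account-requested-by` role is self-declared by whoever opens the issue, so the record of who requested an account rests on typed values rather than on the authenticated GitHub user. The workflows added later in this series already have `github.event.issue` available, so the template should state which identity is authoritative, e.g. `description: The GitHub account that opens this issue is recorded as the requester; this field is for the display name only.` under `requester-name`. The `attestation` checkbox is likewise a self-statement and does not by itself prevent duplicate open requests; a reviewer still has to search existing `ACCOUNT_REQUEST_RECORD` issues.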
@@ -1,6 +1,6 @@
 name: Account Management Authorization Form
 description: Submit an account related authorization
-labels: ['icam']
+labels: ['ACCOUNT_AUTHORIZED_RECORD']
 body:
 - type: dropdown
 id: account-authorized
diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
index ec0f6d9..d8c225e 100644
--- a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
+++ b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
@@ -1,6 +1,6 @@
 name: Account Request Form
 description: Submit an account related request
-labels: ['icam']
+labels: ['ACCOUNT_REQUEST_RECORD']
 body:
 - type: input
 id: first-name
diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml
new file mode 100644
index 0000000..99ac0f2
--- /dev/null
+++ b/.github/workflows/account_request_authorize.yaml
@@ -0,0 +1,29 @@
+name: Account Request Authorize
+
+on:
+ issues:
+ types:
+ - labeled
+
+jobs:
+ # When an issue is created by account management authorization form
+ # Label of account management request form is ACCOUNT_AUTHORIZED_RECORD
+ request-approved:
+ if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD'
+ runs-on: ubuntu-20.04
+ steps:
+ permissions:
+ issues: write
+ steps:
+ - name: Add comment
+ run: gh issue comment "$NUMBER" --body "$BODY"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ BODY: >
+ Account management AUTHORIZED
+
+
+# Contact AWS Cognito to show users
+# Check is user contained in ACL is in AWS response with grep
diff --git a/.github/workflows/account_request_close.yaml b/.github/workflows/account_request_close.yaml
new file mode 100644
index 0000000..ed9452c
--- /dev/null
+++ b/.github/workflows/account_request_close.yaml
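Review bot: The `request-approved` job treats the `ACCOUNT_AUTHORIZED_RECORD` label as evidence of authorization, but that label is applied automatically by the issue template (the `labels:` change earlier in this commit) to every issue anyone opens from the form, and neither `github.event.sender` nor the issue author is checked before the "Account management AUTHORIZED" comment is posted. The same gap applies to `account_request_open.yaml` and `account_request_close.yaml` in this commit and to `account_request_approve.yaml` and `account_request_reject.yaml` added in patch 5/7: the `labeled` trigger fires for whoever applied the label, so the decision should be gated on the actor, e.g. an extra `if:` clause comparing `github.event.sender.login` against an allow-list of approvers, or a step that verifies team membership before commenting (as far as I know `GITHUB_TOKEN` cannot read organization team membership, so that variant would need a token with that scope). The trailing `# Contact AWS Cognito to show users` and `# Check is user contained in ACL ...` lines describe unimplemented work; a `# TODO:` prefix would make that explicit to the next reader.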
@@ -0,0 +1,42 @@
+name: Account Request Close
+
+on:
+ issues:
+ types:
+ - labeled
+
+jobs:
+ # When an issue created by account management authorization form is updated with label
+ # ACCOUNT_APPROVED or ACCOUNT_REJECTED - # Account was approved or rejected
+ request-approve:
+ if: github.event.label.name == 'ACCOUNT_APPROVED'
+ runs-on: ubuntu-20.04
+ steps:
+ permissions:
+ issues: write
+ steps:
+ - name: Add comment
+ run: gh issue comment "$NUMBER" --body "$BODY"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ BODY: >
+ Account management APPROVED
+ # Auto close issue with comment
+
+ request-reject:
+ if: github.event.label.name == 'ACCOUNT_REJECTED'
+ runs-on: ubuntu-20.04
+ steps:
+ permissions:
+ issues: write
+ steps:
+ - name: Add comment
+ run: gh issue comment "$NUMBER" --body "$BODY"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ BODY: >
+ Account management REJECTED
diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml
new file mode 100644
index 0000000..6238f4b
--- /dev/null
+++ b/.github/workflows/account_request_open.yaml
@@ -0,0 +1,27 @@
+name: Account Request Open
+
+on:
+ issues:
+ types:
+ - labeled
+
+jobs:
+ # When an issue is created by account management request form
+ # Label of account management request form is ACCOUNT_REQUEST_RECORD
+ request-opened:
+ if: github.event.label.name == 'ACCOUNT_REQUEST_RECORD'
+ runs-on: ubuntu-20.04
+ steps:
+ permissions:
+ issues: write
+ steps:
+ - name: Add comment
+ run: gh issue comment "$NUMBER" --body "$BODY"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ BODY: >
+ Account management request CREATED
+
+
From da66aadc4e4156020dc5adb6cbc696946747f906 Mon Sep 17 00:00:00 2001
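Review bot: In the `request-approve` job the line `# Auto close issue with comment` sits at the content indentation of the `BODY: >` folded scalar, so it is part of the posted comment text (and renders as a Markdown heading) rather than a YAML comment, and nothing in the job closes the issue. Patch 5/7 deletes this file, so any fix belongs to its replacements: `account_request_reject.yaml` does close with `gh issue close`, while the approved path still leaves the request open with no terminal state. If a note is wanted in a block scalar it has to go above the `BODY:` key, not inside it.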
From: selenaxiao-nist
Date: Mon, 13 May 2024 11:57:26 -0400
Subject: [PATCH 3/7] Workflow syntax issue
---
.github/workflows/account_request_authorize.yaml | 1 -
.github/workflows/account_request_close.yaml | 1 -
.github/workflows/account_request_open.yaml | 1 -
3 files changed, 3 deletions(-)
diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml
index 99ac0f2..d8fde7b 100644
--- a/.github/workflows/account_request_authorize.yaml
+++ b/.github/workflows/account_request_authorize.yaml
@@ -11,7 +11,6 @@ jobs:
 request-approved:
 if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD'
 runs-on: ubuntu-20.04
- steps:
 permissions:
 issues: write
 steps:
diff --git a/.github/workflows/account_request_close.yaml b/.github/workflows/account_request_close.yaml
index ed9452c..6d64143 100644
--- a/.github/workflows/account_request_close.yaml
+++ b/.github/workflows/account_request_close.yaml
@@ -11,7 +11,6 @@ jobs:
 request-approve:
 if: github.event.label.name == 'ACCOUNT_APPROVED'
 runs-on: ubuntu-20.04
- steps:
 permissions:
 issues: write
 steps:
diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml
index 6238f4b..1035fa1 100644
--- a/.github/workflows/account_request_open.yaml
+++ b/.github/workflows/account_request_open.yaml
@@ -11,7 +11,6 @@ jobs:
 request-opened:
 if: github.event.label.name == 'ACCOUNT_REQUEST_RECORD'
 runs-on: ubuntu-20.04
- steps:
 permissions:
 issues: write
 steps:
From 47fe9f8b4d2ff614119a6a5c91ad59a4d4993548 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Mon, 13 May 2024 12:09:16 -0400
Subject: [PATCH 4/7] Another workflow syntax issue
---
.github/workflows/account_request_close.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/account_request_close.yaml b/.github/workflows/account_request_close.yaml
index 6d64143..dfd200f 100644
--- a/.github/workflows/account_request_close.yaml
+++ b/.github/workflows/account_request_close.yaml
@@ -27,7 +27,6 @@ jobs:
 request-reject:
 if: github.event.label.name == 'ACCOUNT_REJECTED'
 runs-on: ubuntu-20.04
- steps:
 permissions:
 issues: write
 steps:
From 3587436d0c38c344df12864284b64a259868b8f4 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Tue, 14 May 2024 17:03:18 -0400
Subject: [PATCH 5/7] Team mentions and improved workflow lifecycle
---
.../workflows/account_request_approve.yaml | 24 +++++++++++
.../workflows/account_request_authorize.yaml | 2 +-
.github/workflows/account_request_close.yaml | 40 -------------------
.github/workflows/account_request_open.yaml | 8 ++--
.github/workflows/account_request_reject.yaml | 24 +++++++++++
5 files changed, 53 insertions(+), 45 deletions(-)
create mode 100644 .github/workflows/account_request_approve.yaml
delete mode 100644 .github/workflows/account_request_close.yaml
create mode 100644 .github/workflows/account_request_reject.yaml
diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml
new file mode 100644
index 0000000..a729ebc
--- /dev/null
+++ b/.github/workflows/account_request_approve.yaml
@@ -0,0 +1,24 @@
+name: Account Request Approved
+
+on:
+ issues:
+ types:
+ - labeled
+
+jobs:
+ # When ACCOUNT_APPROVED label is added to account management request
+ request-approved:
+ if: github.event.label.name == 'ACCOUNT_APPROVED'
+ runs-on: ubuntu-20.04
+ permissions:
+ issues: write
+ steps:
+ - name: Notify Blossom Sysdevs about Approved Account
+ run: gh issue comment "$NUMBER" --body "$BODY"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ BODY: >
+ Account management request APPROVED by Blossom Management.
+ @blossom-sysdevs please review and submit Account Management Authorization Form.
\ No newline at end of file
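Review bot: `request-approved` fires on any issue that receives the `ACCOUNT_APPROVED` label, not only on issues opened from the request form, and also on issues that are already closed, so an unrelated or stale issue pings `@blossom-sysdevs`. Tightening the condition to `if: github.event.label.name == 'ACCOUNT_APPROVED' && contains(github.event.issue.labels.*.name, 'ACCOUNT_REQUEST_RECORD') && github.event.issue.state == 'open'` limits the notification to open account requests; the same clause fits `request-rejected` in `account_request_reject.yaml` later in this commit. Who applied the label is still unchecked here (raised on the patch 2/7 workflows). The file is also committed without a trailing newline (`\ No newline at end of file`).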
diff --git a/.github/workflows/account_request_authorize.yaml b/.github/workflows/account_request_authorize.yaml
index d8fde7b..4753e0a 100644
--- a/.github/workflows/account_request_authorize.yaml
+++ b/.github/workflows/account_request_authorize.yaml
@@ -8,7 +8,7 @@ on:
 jobs:
 # When an issue is created by account management authorization form
 # Label of account management request form is ACCOUNT_AUTHORIZED_RECORD
- request-approved:
+ request-authorized:
 if: github.event.label.name == 'ACCOUNT_AUTHORIZED_RECORD'
 runs-on: ubuntu-20.04
 permissions:
diff --git a/.github/workflows/account_request_close.yaml b/.github/workflows/account_request_close.yaml
deleted file mode 100644
index dfd200f..0000000
--- a/.github/workflows/account_request_close.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Account Request Close
-
-on:
- issues:
- types:
- - labeled
-
-jobs:
- # When an issue created by account management authorization form is updated with label
- # ACCOUNT_APPROVED or ACCOUNT_REJECTED - # Account was approved or rejected
- request-approve:
- if: github.event.label.name == 'ACCOUNT_APPROVED'
- runs-on: ubuntu-20.04
- permissions:
- issues: write
- steps:
- - name: Add comment
- run: gh issue comment "$NUMBER" --body "$BODY"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_REPO: ${{ github.repository }}
- NUMBER: ${{ github.event.issue.number }}
- BODY: >
- Account management APPROVED
- # Auto close issue with comment
-
- request-reject:
- if: github.event.label.name == 'ACCOUNT_REJECTED'
- runs-on: ubuntu-20.04
- permissions:
- issues: write
- steps:
- - name: Add comment
- run: gh issue comment "$NUMBER" --body "$BODY"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_REPO: ${{ github.repository }}
- NUMBER: ${{ github.event.issue.number }}
- BODY: >
- Account management REJECTED
diff --git a/.github/workflows/account_request_open.yaml b/.github/workflows/account_request_open.yaml
index 1035fa1..35d4fa2 100644
--- a/.github/workflows/account_request_open.yaml
+++ b/.github/workflows/account_request_open.yaml
@@ -14,13 +14,13 @@ jobs:
 permissions:
 issues: write
 steps:
- - name: Add comment
+ - name: Notify Blossom Management about Account Request
 run: gh issue comment "$NUMBER" --body "$BODY"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_REPO: ${{ github.repository }}
 NUMBER: ${{ github.event.issue.number }}
 BODY: >
- Account management request CREATED
-
-
+ Account management request CREATED.
+ @blossom-management please review and approve/reject this request
+ by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label.
\ No newline at end of file
diff --git a/.github/workflows/account_request_reject.yaml b/.github/workflows/account_request_reject.yaml
new file mode 100644
index 0000000..5454ca2
--- /dev/null
+++ b/.github/workflows/account_request_reject.yaml
@@ -0,0 +1,24 @@
+name: Account Request Reject
+
+on:
+ issues:
+ types:
+ - labeled
+
+jobs:
+ # When ACCOUNT_REJECTED label is added to account management request
+ request-rejected:
+ if: github.event.label.name == 'ACCOUNT_REJECTED'
+ runs-on: ubuntu-20.04
+ permissions:
+ issues: write
+ steps:
+ - name: Close rejected account request
+ run: gh issue close "$NUMBER" --comment "$COMMENT"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ COMMENT: >
+ Account management request REJECTED by Blossom Management.
+ Closing request.
From 3fb82fa46b228ee15f4b38e532f6c7340570b6e6 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Thu, 16 May 2024 11:29:56 -0400
Subject: [PATCH 6/7] Add workflow readme
---
account_workflow.md | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 account_workflow.md
diff --git a/account_workflow.md b/account_workflow.md
new file mode 100644
index 0000000..f3f7244
--- /dev/null
+++ b/account_workflow.md
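Review bot: `account_request_reject.yaml` is the fourth copy of the same `on: issues: types: [labeled]` / `permissions: issues: write` / `GH_TOKEN`-`GH_REPO`-`NUMBER` scaffolding, differing from `account_request_approve.yaml`, `account_request_open.yaml` and `account_request_authorize.yaml` only in the `if:` label and the `gh` command; one workflow with one job per label would keep the trigger and token handling in a single place to review. The open-workflow comment now tells `@blossom-management` to decide "by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label", but nothing stops both labels being applied to the same issue, and a label removed and re-applied re-runs the notification, so the `if:` on `request-rejected` should at least exclude issues that already carry `ACCOUNT_APPROVED`. Also consider documenting in the job comment that `runs-on: ubuntu-20.04` is a deliberate pin, or move to a current image.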
@@ -0,0 +1,8 @@
+# Account Management Workflow
+Document that explains the workflow of GitHub actions used to automate account management.
+
+The requester creates a new GitHub issue (Account Request Form) to request an account for the Account Holder.
+The Blossom Management group is automatically notified to review this request through GitHub.
+A Blossom Management member reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED
+If ACCOUNT_APPROVED, the Blossom Sysdevs group is automatically notified to implement the account and submit a new issue (Account Management Authorization Form) for the Account Holder.
+If ACCOUNT_REJECTED, the account request issue is automatically closed.
\ No newline at end of file
From 80572499b05cbdaf4f9bfd6b985bb2d7dbf630b2 Mon Sep 17 00:00:00 2001
From: selenaxiao-nist
Date: Thu, 16 May 2024 11:32:13 -0400
Subject: [PATCH 7/7] Edit issue templates
---
.../account_management_authorization_form.yaml | 11 -----------
.../account_management_request_form.yaml | 6 +++---
2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
index 8394e29..2d26f8e 100644
--- a/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
+++ b/.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml
@@ -2,17 +2,6 @@ name: Account Management Authorization Form
 description: Submit an account related authorization
 labels: ['ACCOUNT_AUTHORIZED_RECORD']
 body:
- - type: dropdown
- id: account-authorized
- attributes:
- label: Account authorization
- description: Select the action from the drop-down
- options:
- - Approved
- - Not approved
- multiple: false
- validations:
- required: true
 - type: input
 id: account-holder-full-name
 attributes:
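Review bot: Removing the `account-authorized` dropdown leaves the authorization form with no field that records whether the account was in fact authorized, while `account_request_authorize.yaml` posts "Account management AUTHORIZED" on every issue opened from it; the `account-created` dropdown (outside this hunk, from patch 1/7) still offers `Not done`, so an issue can read as authorized with nothing implemented. Either keep an explicit decision field, or have the workflow read the form's values before commenting. The hunk's trailing context stops at the `account-holder-full-name` field, so the rest of the form is outside it.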
diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
index d8c225e..2c4ebfd 100644
--- a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
+++ b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
@@ -26,7 +26,7 @@ body:
 - type: dropdown
 id: account-requested-by
 attributes:
- label: Requester's currently role
+ label: Requester's current role
 description: Select from the drop-down the current role of the requester
 options:
 - Accounts Manager
@@ -88,13 +88,13 @@ body:
 - Disable
 - Enable
 - Delete
- multiple: true
+ multiple: false
 validations:
 required: true
 - type: checkboxes
 id: attestation
 attributes:
- label: attestation
+ label: Attestation
 description: Ensure all previously submitted forms are reviewed and no similar request has been submitted earlier
 options:
 - label: I attest that there is no other active form for a similar request