Merge pull request #82 from usnistgov/ac2-automation

AC-02 control automation - part 1 (actions) completed

Author: iMichaela

.github/ISSUE_TEMPLATE/account_management_authorization_form.yaml

@@ -3,19 +3,33 @@ description: Submit an account related request
 labels: ['ACCOUNT_REQUEST_RECORD']
 body:
   - type: input
-    id: first-name
+    id: user-first-name
     attributes:
       label: Account Holder First Name
       placeholder: Type here user's first name as it appears in his/her ID.
     validations:
       required: true
   - type: input
-    id: last-name
+    id: user-last-name
     attributes:
       label: Account Holder Last Name
       placeholder: Type here user's last name as it appears in his/her ID.
     validations:
       required: true
+  - type: input
+    id: user-email
+    attributes:
+      label: Account Holder Email
+      placeholder: Type here user's email
+    validations:
+      required: true
+  - type: input
+    id: user-username
+    attributes:
+      label: Account Holder Username
+      placeholder: Type here user's username
+    validations:
+      required: true
   - type: input
     id: requester-name
     attributes:

.github/ISSUE_TEMPLATE/account_management_request_form.yaml

@@ -21,4 +21,82 @@ jobs:
           NUMBER: ${{ github.event.issue.number }}
           BODY: >
             Account management request APPROVED by Blossom Management.
-            @blossom-sysdevs please review and submit Account Management Authorization Form.
+            @usnistgov/blossom-sysdevs please ensure the ACL and/or Cognito are updated and the SSP is in sync with the update.
+            When implemented, add the ACCOUNT_IMPLEMENTED label and 
+            link this account request issue to the PR with the implementation.
+
+  parse-issue:
+    needs: request-approved
+    runs-on: ubuntu-20.04
+    outputs:
+      account-modification: ${{ steps.issue-parser.outputs.issueparser_account-modification }}
+      user-first-name: ${{ steps.issue-parser.outputs.issueparser_user-first-name }}
+      user-last-name: ${{ steps.issue-parser.outputs.issueparser_user-last-name }}
+      user-username: ${{ steps.issue-parser.outputs.issueparser_user-username }}
+      user-email: ${{ steps.issue-parser.outputs.issueparser_user-email }}
+      account-type: ${{ steps.issue-parser.outputs.issueparser_account-type }}
+    steps:        
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github/ISSUE_TEMPLATE/account_management_request_form.yaml
+          sparse-checkout-cone-mode: false
+
+      - name: Parse issue body
+        uses: stefanbuck/[email protected]
+        id: issue-parser
+        with:
+          template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml"
+
+  create-user:
+    needs: parse-issue
+    if: ${{ needs.parse-issue.outputs.account-modification == 'Create' }}
+    runs-on: ubuntu-20.04
+    steps: 
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Ensure directory exists for created users
+        run: |
+          mkdir -p ato/oscal-artifacts/created_users/
+      
+      - name: Ensure directory exists for created users references
+        run: |
+          mkdir -p ato/oscal-artifacts/reference_created_users/
+
+      - name: Create yaml file for automated user creation
+        env:
+          USER_NAME: "${{ needs.parse-issue.outputs.user-first-name }} ${{ needs.parse-issue.outputs.user-last-name }}"
+          USER_USERNAME: ${{ needs.parse-issue.outputs.user-username }}
+          USER_EMAIL: ${{ needs.parse-issue.outputs.user-email }}
+          USER_ROLE: ${{ needs.parse-issue.outputs.account-type }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          python ato/secops/create_user.py --user-name "$USER_NAME" --user-username "$USER_USERNAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER"
+
+      - name: Store user yaml in repo
+        run: |
+          git config --global user.name "create-user-action[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH_NAME"
+          git add "ato/oscal-artifacts/created_users/*"
+          git add "ato/oscal-artifacts/reference_created_users/*"
+          git commit -m "Create user request #$ISSUE_NUMBER"
+          git push origin "$BRANCH_NAME"
+        env:
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          BRANCH_NAME: "account-request-${{ github.event.issue.number }}"
+  
+      - name: Configure AWS CLI
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
+      
+      - name: Copy reference yaml to bucket
+        run: |
+          aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET"
+        env:
+          AWS_BUCKET: ${{ secrets.AWS_BUCKET }}

.github/workflows/account_request_approve.yaml

@@ -0,0 +1,20 @@
+name: Account Request Assessment
+
+on:
+  pull_request:
+    types:
+      - closed
+    paths:
+      - 'blossom_admin_member_ssp.xml'
+
+# If a Pull Request updating the SSP is merged
+jobs:
+  if_merged:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-20.04
+#     permissions:
+#       issues: write
+    steps:
+    - name: Run automated assessment
+      run: echo "assessment"
+      # query chaincode, code to execute on chaincode for list of supported roles, API command

.github/workflows/account_request_assessment.yaml

@@ -0,0 +1,24 @@
+name: Account Request Implement
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  # When ACCOUNT_IMPLEMENTED label is added to account management request
+  request-implemented:
+    if: github.event.label.name == 'ACCOUNT_IMPLEMENTED'
+    runs-on: ubuntu-20.04
+    permissions:
+      issues: write
+    steps:
+      - name: Notify Blossom Assessors about Implemented Account
+        run: gh issue comment "$NUMBER" --body "$BODY"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+          BODY: >
+            @usnistgov/blossom-assessors An edit to the ACL and/or SSP has been implemented.
+            Please monitor the automated assessment.

.github/workflows/account_request_authorize.yaml

@@ -22,5 +22,5 @@ jobs:
           NUMBER: ${{ github.event.issue.number }}
           BODY: >
             Account management request CREATED.
-            @blossom-management please review and approve/reject this request 
-            by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label.
+            @usnistgov/blossom-management please review and approve/reject this request 
+            by adding ACCOUNT_APPROVED or ACCOUNT_REJECTED label to this issue.

.github/workflows/account_request_implement.yaml

@@ -14,11 +14,11 @@ jobs:
       issues: write
     steps:
       - name: Close rejected account request
-        run: gh issue close "$NUMBER" --comment "$COMMENT"
+        run: gh issue close "$NUMBER" --comment "$COMMENT" --reason "not planned"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
           NUMBER: ${{ github.event.issue.number }}
           COMMENT: >
             Account management request REJECTED by Blossom Management.
-            Closing request.
+            Closing request as "not planned".

.github/workflows/account_request_open.yaml

@@ -0,0 +1,32 @@
+# Account Management Workflow
+
+This document explains the workflow of GitHub actions used to automate Blossom service's accounts management.
+
+## Requirements to run Actions
+- [ ] Repository secrets: AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION, AWS_BUCKET
+- [ ] Issue labels: ACCOUNT_REQUEST_RECORD, ACCOUNT_APPROVED, ACCOUNT_REJECTED, ACCOUNT_IMPLEMENTED
+
+## Account Request and Creation
+- [ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form.
+- [ ] The Blossom Management group is automatically notified to review the request through GitHub.
+- [ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED
+- [ ] If ACCOUNT_REJECTED, the account request issue is automatically closed.
+- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified about implementation.
+- [ ] A YAML file is automatically created from information submitted through the Account Request Form, which is pushed to the GitHub repo as a new branch and a condensed version is sent to S3 bucket.
+- [ ] S3 bucket receives the file about the new user to create and sends a trigger to EC2, which implements the new user in Cognito, SSM, ACL, AMB as necessary.
+- [ ] The new user is inserted into the SSP, which is pushed into the GitHub repo to the new branch.
+- [ ] Upon completion of creating the account requested, a Pull Request is automatically created, to link the branch with the Account Request issue.
+- [ ] Upon merging the Pull Request that implements the account, the relevant updated controls are re-assessed automatically. The Blossom Assessors group is then notified to monitor the automated assessment.
+- [ ] TBD: STEPS FOR AUTOMATED ASSESSMENT
+
+## Account Disable
+[TBD]
+
+## Account Enable
+[TBD]
+
+## Account Change
+[TBD]
+
+## Account Deletion
+[TBD]

.github/workflows/account_request_reject.yaml

@@ -1,5 +1,6 @@
 .DS_Store
 .vscode/*
+.history/*
 *.pyc
 __pycache__/
 draft-*
@@ -9,3 +10,5 @@ draft-*
 .pyenv*
 .env*
 oscal-cli.txt
+# Ignore validation tool oscal-cli 
+build/oscal-cli