Oracle: delius-core-dev-password-rotation #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Oracle: Password Rotation" | |
| run-name: "Oracle: ${{ github.event.inputs.TargetEnvironment }}-password-rotation" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| TargetEnvironment: | |
| description: "Target environment" | |
| required: true | |
| type: choice | |
| options: | |
| - "delius-core-dev" | |
| - "delius-core-test" | |
| - "delius-core-training" | |
| - "delius-core-stage" | |
| - "delius-core-pre-prod" | |
| - "delius-core-prod" | |
| VerboseOutput: | |
| description: "Verbose Output level" | |
| type: choice | |
| default: "" | |
| options: | |
| - "" | |
| - "-vv" | |
| - "-vvv" | |
| - "-vvvv" | |
| AnsibleForks: | |
| description: "Number of Ansible Forks to Use" | |
| type: choice | |
| default: "" | |
| options: | |
| - "" | |
| - "-f 5" | |
| - "-f 10" | |
| - "-f 15" | |
| SourceCodeVersion: | |
| description: "Source version for the hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| SourceConfigVersion: | |
| description: "Source version for the modernisation-platform-configuration-management. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| env: | |
| ansible_config: operations/playbooks/ansible.cfg | |
| command: ansible-playbook operations/playbooks/oracle_password_rotation/password_rotation.yml | |
| inventory: inventory/ansible | |
| # Allow permissions on repository and docker image and OIDC token | |
| permissions: | |
| contents: read | |
| packages: read | |
| id-token: write | |
| jobs: | |
| deployment: | |
| name: oracle-password-rotation | |
| environment: ${{ github.event.inputs.TargetEnvironment}} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1 | |
| timeout-minutes: 1440 | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation | |
| uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| playbooks/oracle_password_rotation | |
| playbooks/oem_blackout | |
| playbooks/oracle_ha | |
| playbooks/alfresco_wallet | |
| playbooks/ansible.cfg | |
| path: operations | |
| ref: ${{ github.event.inputs.SourceCodeVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Inventory From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/hosts | |
| ansible/group_vars | |
| path: inventory | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/roles/secretsmanager-passwords | |
| ansible/roles/get-modernisation-platform-facts | |
| path: roles | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Install yq | |
| uses: dcarbone/install-yq-action@v1.1.1 | |
| with: | |
| download-compressed: true | |
| version: "v4.35.1" | |
| force: true | |
| - name: Define Targets | |
| id: definetargets | |
| working-directory: ${{ env.inventory }} | |
| run: | | |
| targets="" | |
| prefix="environment_name_$(echo ${{ github.event.inputs.TargetEnvironment}} | sed 's/delius-core-dev/delius_core_development_dev/;s/delius-core-test/delius_core_test_test/;s/delius-core-training/delius_core_test_training/;s/delius-core-stage/delius_core_preproduction_stage/;s/delius-core-pre-prod/delius_core_preproduction_pre_prod/;s/delius-core-prod/delius_core_production_prod/')" | |
| build_targets() { | |
| databasetype=${1} | |
| if [[ -e group_vars/${prefix}_${databasetype}_primarydb.yml ]] | |
| then | |
| high_availability_count=$(yq .high_availability_count.${databasetype} group_vars/${prefix}_all.yml) | |
| [ $high_availability_count -le 2 ] && targets="${targets}${prefix}_${databasetype}_primarydb," | |
| [ $high_availability_count -eq 1 ] && targets="${targets}${prefix}_${databasetype}_standbydb1," | |
| [ $high_availability_count -eq 2 ] && targets="${targets}${prefix}_${databasetype}_standbydb1,${prefix}_${databasetype}_standbydb2," | |
| fi | |
| echo | |
| } | |
| build_targets delius | |
| build_targets mis | |
| build_targets misboe | |
| build_targets misdsd | |
| echo "targets=$targets" | |
| echo "targets=$targets" >> $GITHUB_OUTPUT | |
| - name: Configure AWS Credentials | |
| id: login-aws | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Start Ansible Password Rotation | |
| shell: bash | |
| run: | | |
| export ANSIBLE_CONFIG=$ansible_config | |
| ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles | |
| $command -i $inventory \ | |
| -e rotate_groups=${{ steps.definetargets.outputs.targets }} \ | |
| -e environment_name ${{ github.events.inputs.TargetEnvironment }} ${{ github.events.inputs.VerboseOutput }} ${{ github.events.inputs.AnsibleForks }} | |