Oracle: hmpps-oem-development-oem-password-rotation #17

Workflow file for this run

.github/workflows/oracle-db-oem-password-rotation.yml at 383bd14

	name: "Oracle: OEM Password Rotation"
	run-name: "Oracle: ${{ github.event.inputs.TargetOemEnvironment }}-oem-password-rotation"
	on:
	workflow_dispatch:
	inputs:
	TargetOemEnvironment:
	description: "Target OEM Environment"
	required: true
	type: choice
	options:
	- "hmpps-oem-development"
	- "hmpps-oem-test"
	- "hmpps-oem-preproduction"
	- "hmpps-oem-production"
	TargetEnvironmentName:
	description: "Target Environment Name"
	type: choice
	options:
	- "hmpps-oem-development"
	- "delius-core-development"
	- "delius-core-test"
	- "delius-core-preproduction"
	- "delius-core-production"
	- "delius-mis-development"
	- "delius-mis-preproduction"
	- "delius-mis-production"
	SyncMonitoringPasswords:
	description: "Sync EM Cloud Control Target Monitoring Passwords with Secret Manager"
	type: choice
	default: "yes"
	options:
	- "yes"
	- "no"
	SyncAuditWalletPassword:
	description: "Sync Audited Interaction Wallet Password with Secret Manager"
	type: choice
	default: "yes"
	options:
	- "yes"
	- "no"
	RotateRMANPassword:
	description: "Rotate RMAN Catalog Password"
	type: choice
	default: "no"
	options:
	- "yes"
	- "no"
	RotateOEMPasswords:
	description: "Rotate EM Cloud Control Passwords"
	type: choice
	default: "no"
	options:
	- "yes"
	- "no"
	RotateDatabasePasswords:
	description: "Rotate Database Passswords (sys, system, dbsnmp, delius_audit_pool)"
	type: choice
	default: "no"
	options:
	- "yes"
	- "no"
	VerboseOutput:
	description: "Verbose Output level"
	type: choice
	default: ""
	options:
	- ""
	- "-vv"
	- "-vvv"
	- "-vvvv"
	# AnsibleForks:
	# description: "Number of Ansible Forks to Use"
	# type: choice
	# default: ""
	# options:
	# - ""
	# - "-f 5"
	# - "-f 10"
	# - "-f 15"
	SourceCodeVersion:
	description: "Source version for the hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference."
	type: string
	default: "main"
	SourceConfigVersion:
	description: "Source version for the modernisation-platform-configuration-management. Enter a pull request, branch, commit ID, tag, or reference."
	type: string
	default: "main"
	env:
	ansible_config: operations/playbooks/ansible.cfg
	command: ansible-playbook operations/playbooks/oracle_password_rotation/password_rotation.yml
	inventory: inventory/ansible

	# Allow permissions on repository and docker image and OIDC token
	permissions:
	contents: read
	packages: read
	id-token: write

	jobs:
	deployment:
	name: oracle-oem-password-rotation
	environment: ${{ github.event.inputs.TargetOemEnvironment}}
	runs-on: ubuntu-latest
	container:
	image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1
	timeout-minutes: 1440
	continue-on-error: false
	steps:

	- name: Prepare Ansbile OEM Target Host And Rotate Groups
	id: prepareoemtargethost
	run: \|
	TargetOemHost="environment_name_$(echo ${{ github.event.inputs.TargetOemEnvironment }} \| sed 's/-/_/g')"
	echo "TargetOemHost=${TargetOemHost}" >> $GITHUB_OUTPUT
	[[ "${{ github.event.inputs.RotateDatabasePasswords }}" == "yes" ]] && RotateGroups=${TargetOemHost} \|\| RotateGroups=NOROTATEGROUPS
	echo "RotateGroups=${RotateGroups}" >> $GITHUB_OUTPUT
	- name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation
	uses: actions/checkout@v4
	with:
	sparse-checkout-cone-mode: false
	sparse-checkout: \|
	playbooks/oracle_password_rotation
	playbooks/oem_blackout
	playbooks/ansible.cfg
	path: operations
	ref: ${{ github.event.inputs.SourceCodeVersion }}
	fetch-depth: 0

	- name: Checkout Ansible Inventory From modernisation-platform-configuration-management
	uses: actions/checkout@v4
	with:
	repository: ministryofjustice/modernisation-platform-configuration-management
	sparse-checkout-cone-mode: false
	sparse-checkout: \|
	ansible/hosts
	ansible/group_vars
	path: inventory
	ref: ${{ github.event.inputs.SourceConfigVersion }}
	fetch-depth: 0

	- name: Checkout Ansible Required Roles From modernisation-platform-configuration-management
	uses: actions/checkout@v4
	with:
	repository: ministryofjustice/modernisation-platform-configuration-management
	sparse-checkout-cone-mode: false
	sparse-checkout: \|
	ansible/roles/secretsmanager-passwords
	ansible/roles/get-modernisation-platform-facts
	path: roles
	ref: ${{ github.event.inputs.SourceConfigVersion }}
	fetch-depth: 0

	- name: Configure AWS Credentials
	id: login-aws
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
	role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
	aws-region: "eu-west-2"

	- name: Start Ansible Password Rotation
	shell: bash
	run: \|
	export ANSIBLE_CONFIG=$ansible_config
	ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles
	$command -i $inventory \
	-e rotate_groups=${{ steps.prepareoemtargethost.outputs.RotateGroups }} \
	-e oem_target=${{ steps.prepareoemtargethost.outputs.TargetOemHost }} \
	-e environment_name=${{ github.event.inputs.TargetEnvironmentName }} \
	-e target_environment_name=${{ github.event.inputs.TargetEnvironmentName }} \
	-e sync_monitoring_passwords=${{ github.event.inputs.SyncMonitoringPasswords }} \
	-e sync_audit_wallet_password=${{ github.event.inputs.SyncAuditWalletPassword }} \
	-e rotate_rman_password=${{ github.event.inputs.RotateRMANPassword }} \
	-e rotate_oem_passwords=${{ github.event.inputs.RotateOEMPasswords }} \
	-e rotate_database_passwords=${{ github.event.inputs.RotateDatabasePasswords }} ${{ github.event.inputs.VerboseOutput }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Oracle: hmpps-oem-development-oem-password-rotation #17

Workflow file

Oracle: hmpps-oem-development-oem-password-rotation #17

Jobs

Run details

Workflow file for this run