Oracle: hmpps-oem-development-oem-password-rotation #19
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Oracle: OEM Password Rotation" | |
| run-name: "Oracle: ${{ github.event.inputs.TargetOemEnvironment }}-oem-password-rotation" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| TargetOemEnvironment: | |
| description: "Target OEM Environment" | |
| required: true | |
| type: choice | |
| options: | |
| - "hmpps-oem-development" | |
| - "hmpps-oem-test" | |
| - "hmpps-oem-preproduction" | |
| - "hmpps-oem-production" | |
| TargetEnvironmentName: | |
| description: "Target Environment Name" | |
| type: choice | |
| options: | |
| - "hmpps-oem-development" | |
| - "hmpps-oem-test" | |
| - "hmpps-oem-preproduction" | |
| - "hmpps-oem-production" | |
| - "delius-core-development" | |
| - "delius-core-test" | |
| - "delius-core-preproduction" | |
| - "delius-core-production" | |
| - "delius-mis-development" | |
| - "delius-mis-preproduction" | |
| - "delius-mis-production" | |
| SyncMonitoringPasswords: | |
| description: "Sync EM Cloud Control Target Monitoring Passwords with Secret Manager" | |
| type: choice | |
| default: "yes" | |
| options: | |
| - "yes" | |
| - "no" | |
| SyncAuditWalletPassword: | |
| description: "Sync Audited Interaction Wallet Password with Secret Manager" | |
| type: choice | |
| default: "yes" | |
| options: | |
| - "yes" | |
| - "no" | |
| RotateRMANPassword: | |
| description: "Rotate RMAN Catalog Password" | |
| type: choice | |
| default: "no" | |
| options: | |
| - "yes" | |
| - "no" | |
| RotateOEMPasswords: | |
| description: "Rotate EM Cloud Control Passwords" | |
| type: choice | |
| default: "no" | |
| options: | |
| - "yes" | |
| - "no" | |
| VerboseOutput: | |
| description: "Verbose Output level" | |
| type: choice | |
| default: "" | |
| options: | |
| - "" | |
| - "-vv" | |
| - "-vvv" | |
| - "-vvvv" | |
| SourceCodeVersion: | |
| description: "Source version for the hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| SourceConfigVersion: | |
| description: "Source version for the modernisation-platform-configuration-management. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| env: | |
| ansible_config: operations/playbooks/ansible.cfg | |
| command: ansible-playbook operations/playbooks/oracle_password_rotation/oem_password_rotation.yml | |
| inventory: inventory/ansible | |
| # Allow permissions on repository and docker image and OIDC token | |
| permissions: | |
| contents: read | |
| packages: read | |
| id-token: write | |
| jobs: | |
| deployment: | |
| name: oracle-oem-password-rotation | |
| environment: ${{ github.event.inputs.TargetOemEnvironment}} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1 | |
| timeout-minutes: 1440 | |
| continue-on-error: false | |
| steps: | |
| - name: Prepare Ansbile OEM Target Host | |
| id: prepareoemtargethost | |
| run: | | |
| TargetOemHost="environment_name_$(echo ${{ github.event.inputs.TargetOemEnvironment }} | sed 's/-/_/g')" | |
| echo "TargetOemHost=${TargetOemHost}" >> $GITHUB_OUTPUT | |
| - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation | |
| uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| playbooks/oracle_password_rotation | |
| playbooks/ansible.cfg | |
| path: operations | |
| ref: ${{ github.event.inputs.SourceCodeVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Inventory From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/hosts | |
| ansible/group_vars | |
| path: inventory | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/roles/secretsmanager-passwords | |
| ansible/roles/get-modernisation-platform-facts | |
| path: roles | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Configure AWS Credentials | |
| id: login-aws | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Start Ansible OEM Password Rotation | |
| shell: bash | |
| run: | | |
| export ANSIBLE_CONFIG=$ansible_config | |
| ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles | |
| $command -i $inventory \ | |
| -e oem_target=${{ steps.prepareoemtargethost.outputs.TargetOemHost }} \ | |
| -e environment_name=${{ github.event.inputs.TargetEnvironmentName }} \ | |
| -e target_environment_name=${{ github.event.inputs.TargetEnvironmentName }} \ | |
| -e sync_monitoring_passwords=${{ github.event.inputs.SyncMonitoringPasswords }} \ | |
| -e sync_audit_wallet_password=${{ github.event.inputs.SyncAuditWalletPassword }} \ | |
| -e rotate_rman_password=${{ github.event.inputs.RotateRMANPassword }} \ | |
| -e rotate_oem_passwords=${{ github.event.inputs.RotateOEMPasswords }} ${{ github.event.inputs.VerboseOutput }} | |