Oracle: delius-core-dev-password-rotation #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Oracle: Password Rotation" | |
| run-name: "Oracle: ${{ github.event.inputs.TargetEnvironment }}-password-rotation" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| TargetEnvironment: | |
| description: "Target environment" | |
| required: true | |
| type: choice | |
| options: | |
| - "hmpps-oem-development" | |
| - "hmpps-oem-test" | |
| - "hmpps-oem-preproduction" | |
| - "hmpps-oem-production" | |
| - "delius-core-dev" | |
| - "delius-core-test" | |
| - "delius-core-training" | |
| - "delius-core-stage" | |
| - "delius-core-pre-prod" | |
| - "delius-core-prod" | |
| VerboseOutput: | |
| description: "Verbose Output level" | |
| type: choice | |
| default: "" | |
| options: | |
| - "" | |
| - "-vv" | |
| - "-vvv" | |
| - "-vvvv" | |
| AnsibleForks: | |
| description: "Number of Ansible Forks to Use" | |
| type: choice | |
| default: "" | |
| options: | |
| - "" | |
| - "-f 5" | |
| - "-f 10" | |
| - "-f 15" | |
| SourceCodeVersion: | |
| description: "Source version for the hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| SourceConfigVersion: | |
| description: "Source version for the modernisation-platform-configuration-management. Enter a pull request, branch, commit ID, tag, or reference." | |
| type: string | |
| default: "main" | |
| env: | |
| ansible_config: operations/playbooks/ansible.cfg | |
| database_command: ansible-playbook operations/playbooks/oracle_password_rotation/database_password_rotation.yml | |
| oem_command: ansible-playbook operations/playbooks/oracle_password_rotation/oem_password_rotation.yml | |
| inventory: inventory/ansible | |
| # Allow permissions on repository and docker image and OIDC token | |
| permissions: | |
| contents: read | |
| packages: read | |
| id-token: write | |
| jobs: | |
| oracle_password_rotation: | |
| name: oracle-password-rotation | |
| environment: ${{ github.event.inputs.TargetEnvironment }} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1 | |
| timeout-minutes: 1440 | |
| continue-on-error: false | |
| outputs: | |
| TargetOemEnvironment: ${{ steps.definetargets.outputs.TargetOemEnvironment }} | |
| TargetEnvironmentName: ${{ steps.definetargets.outputs.TargetEnvironmentName }} | |
| RotateGroups: ${{ steps.definetargets.outputs.targets }} | |
| steps: | |
| - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation | |
| uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| playbooks/oracle_password_rotation | |
| playbooks/oem_blackout | |
| playbooks/oracle_ha | |
| playbooks/alfresco_wallet | |
| playbooks/ansible.cfg | |
| path: operations | |
| ref: ${{ github.event.inputs.SourceCodeVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Inventory From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/hosts | |
| ansible/group_vars | |
| path: inventory | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/roles/secretsmanager-passwords | |
| ansible/roles/get-modernisation-platform-facts | |
| path: roles | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Define Targets | |
| id: definetargets | |
| working-directory: ${{ env.inventory }} | |
| run: | | |
| targets="" | |
| prefix="environment_name_$(echo ${{ github.event.inputs.TargetEnvironment}} | sed 's/delius-core-dev/delius_core_development_dev/;s/delius-core-test/delius_core_test_test/;s/delius-core-training/delius_core_test_training/;s/delius-core-stage/delius_core_preproduction_stage/;s/delius-core-pre-prod/delius_core_preproduction_pre_prod/;s/delius-core-prod/delius_core_production_prod/;s/-/_/g')" | |
| build_targets() { | |
| databasetype=${1} | |
| if [[ -e group_vars/${prefix}_${databasetype}_primarydb.yml ]] | |
| then | |
| targets="${targets}${prefix}_${databasetype}_dbs," | |
| elif [[ "${databasetype}" == "oem" ]] | |
| then | |
| targets="${prefix}" | |
| fi | |
| echo | |
| } | |
| build_targets delius | |
| build_targets mis | |
| build_targets misboe | |
| build_targets misdsd | |
| build_targets oem | |
| echo "targets=$targets" | |
| echo "targets=$targets" >> $GITHUB_OUTPUT | |
| case ${{ github.event.inputs.TargetEnvironment }} in | |
| delius-core-dev) | |
| TargetOemEnvironment=hmpps-oem-development | |
| TargetEnvironmentName=delius-core-development | |
| ;; | |
| delius-core-test|delius-core-training) | |
| TargetOemEnvironment=hmpps-oem-test | |
| TargetEnvironmentName=delius-core-test | |
| ;; | |
| delius-core-stage|delius-core-pre-prod) | |
| TargetOemEnvironment=hmpps-oem-preproduction | |
| TargetEnvironmentName=delius-core-preproduction | |
| ;; | |
| delius-core-prod) | |
| TargetOemEnvironment=hmpps-oem-production | |
| TargetEnvironmentName=delius-core-production | |
| ;; | |
| *oem*) | |
| TargetOemEnvironment=${{ github.event.inputs.TargetEnvironment }} | |
| TargetEnvironmentName=${{ github.event.inputs.TargetEnvironment }} | |
| ;; | |
| esac | |
| echo "TargetOemEnvironment=${TargetOemEnvironment}" >> $GITHUB_OUTPUT | |
| echo "TargetEnvironmentName=${TargetEnvironmentName}" >> $GITHUB_OUTPUT | |
| - name: Configure AWS Credentials | |
| id: login-aws | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Start Ansible Database Password Rotation | |
| shell: bash | |
| run: | | |
| export ANSIBLE_CONFIG=$ansible_config | |
| ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles | |
| $database_command -i $inventory \ | |
| -e rotate_groups=${{ steps.definetargets.outputs.targets }} \ | |
| -e environment_name=${{ github.event.inputs.TargetEnvironment }} ${{ github.event.inputs.VerboseOutput }} ${{ github.event.inputs.AnsibleForks }} | |
| oracle_update_oem_targets: | |
| name: oracle-update-oem-targets | |
| needs: oracle_password_rotation | |
| environment: ${{ needs.oracle_password_rotation.outputs.TargetOEMEnvironment }} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1 | |
| timeout-minutes: 1440 | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation | |
| uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| playbooks/oracle_password_rotation | |
| playbooks/ansible.cfg | |
| path: operations | |
| ref: ${{ github.event.inputs.SourceCodeVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Inventory From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/hosts | |
| ansible/group_vars | |
| path: inventory | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/roles/secretsmanager-passwords | |
| ansible/roles/get-modernisation-platform-facts | |
| path: roles | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Configure AWS Credentials | |
| id: login-aws | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Start Ansible Update OEM Targets | |
| shell: bash | |
| run: | | |
| export ANSIBLE_CONFIG=$ansible_config | |
| ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles | |
| $oem_command -i $inventory \ | |
| -e oem_target=environment_name_$(echo ${{ needs.oracle_password_rotation.outputs.TargetOemEnvironment }} | sed 's/-/_/g') \ | |
| -e environment_name=${{ needs.oracle_password_rotation.outputs.TargetOemEnvironment }} \ | |
| -e target_environment_name=${{ needs.oracle_password_rotation.outputs.TargetEnvironmentName }} \ | |
| -e sync_monitoring_passwords=yes \ | |
| -e sync_audit_wallet_password=no \ | |
| -e rotate_rman_password=no \ | |
| -e rotate_oem_passwords=no ${{ github.event.inputs.VerboseOutput }} | |
| oracle_unlock_system_users: | |
| name: oracle-unlock-system-users | |
| needs: [oracle_password_rotation, oracle_update_oem_targets] | |
| environment: ${{ github.event.inputs.TargetEnvironment }} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.1 | |
| timeout-minutes: 1440 | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation | |
| uses: actions/checkout@v4 | |
| with: | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| playbooks/oracle_password_rotation | |
| playbooks/ansible.cfg | |
| path: operations | |
| ref: ${{ github.event.inputs.SourceCodeVersion }} | |
| fetch-depth: 0 | |
| - name: Checkout Ansible Inventory From modernisation-platform-configuration-management | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ministryofjustice/modernisation-platform-configuration-management | |
| sparse-checkout-cone-mode: false | |
| sparse-checkout: | | |
| ansible/hosts | |
| ansible/group_vars | |
| path: inventory | |
| ref: ${{ github.event.inputs.SourceConfigVersion }} | |
| fetch-depth: 0 | |
| - name: Configure AWS Credentials | |
| id: login-aws | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Start Ansible Unlock System Users | |
| shell: bash | |
| run: | | |
| export ANSIBLE_CONFIG=$ansible_config | |
| $database_command -i $inventory \ | |
| -e rotate_groups=${{ needs.oracle_password_rotation.outputs.RotateGroups }} \ | |
| -e environment_name=${{ github.event.inputs.TargetEnvironment }} \ | |
| -e unlock_system_passwords=yes ${{ github.event.inputs.VerboseOutput }} ${{ github.event.inputs.AnsibleForks }} |