ministryofjustice
diff --git a/‎.github/workflows/oracle-db-backup.yml
+213-56 b/‎.github/workflows/oracle-db-backup.yml
+213-56
diff --git a/‎.github/workflows/oracle-db-delete-dbids-not-in-use.yml
+388 b/‎.github/workflows/oracle-db-delete-dbids-not-in-use.yml
+388
diff --git a/‎.github/workflows/oracle-db-validate-chunks.yml
+121 b/‎.github/workflows/oracle-db-validate-chunks.yml
+121
diff --git a/‎playbooks/oracle_backup/backup.yml
+21-3 b/‎playbooks/oracle_backup/backup.yml
+21-3
diff --git a/‎playbooks/oracle_backup/files/get_rman_backups.sh
+1-1 b/‎playbooks/oracle_backup/files/get_rman_backups.sh
+1-1
diff --git a/‎playbooks/oracle_backup/files/list_github_environments.py
+17 b/‎playbooks/oracle_backup/files/list_github_environments.py
+17
@@ -0,0 +1,121 @@
+name: "Oracle: Validate Chunks"
+run-name: "Oracle: ${{ github.event_name == 'workflow_dispatch' && format('{0}_{1}_{2}', github.event.inputs.TargetEnvironment, github.event.inputs.Period, github.event.inputs.TargetHost) }}_validate_chunks"
+on:
+  workflow_dispatch:
+    inputs:
+      TargetEnvironment:
+        description: "Target environment"
+        required: true
+        type: string
+      TargetHost:
+        description: "Backup target host"
+        required: true
+        type: string
+      VerboseOutput: 
+        description: "Verbose Output level"
+        required: false
+        type: string
+        default: ""    
+  workflow_call:
+    inputs:
+      TargetEnvironment:
+        description: "Target environment"
+        required: true
+        type: string
+      TargetHost:
+        description: "Backup target host"
+        required: true
+        type: string
+      VerboseOutput: 
+        description: "Verbose Output level"
+        required: false
+        type: string
+        default: ""
+
+# Allow permissions on repository and docker image and OIDC token
+permissions:
+  contents: read
+  packages: read
+  id-token: write  # This is required for requesting the JWT
+
+jobs:
+  # Start deployment container job based on the build delius-ansible-aws image
+  deployment:
+    name: oracle-backup
+    environment: ${{ github.event.inputs.TargetEnvironment }}
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.41.0
+    timeout-minutes: 1440
+    env:
+      validate_command: ansible-playbook operations/playbooks/oracle_backup/validate.yml
+      inventory: inventory/ansible
+      RmanTarget: "${{ github.event.inputs.TargetHost }}"
+      TargetEnvironment: "${{ github.event.inputs.TargetEnvironment }}"
+      SSMParameter: "/oracle-backups/${{ github.event.inputs.TargetHost }}"
+      ansible_config: operations/playbooks/ansible.cfg
+    continue-on-error: false
+    steps:
+
+      - name: Checkout hmpps-delius-operation-automation
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+            playbooks/oracle_backup
+            playbooks/ansible.cfg
+          path: operations
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceCodeVersion || 'main' }}
+          fetch-depth: 0
+
+      - name: Checkout Ansible Inventory From modernisation-platform-configuration-management
+        uses: actions/checkout@v4
+        with:
+          repository: ministryofjustice/modernisation-platform-configuration-management
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+            ansible/hosts
+            ansible/group_vars
+          path: inventory
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceConfigVersion || 'main' }}
+          fetch-depth: 0
+
+      - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management
+        uses: actions/checkout@v4
+        with:
+          repository: ministryofjustice/modernisation-platform-configuration-management
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+            ansible/roles/secretsmanager-passwords
+            ansible/roles/get-modernisation-platform-facts
+          path: roles
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceConfigVersion || 'main' }}
+          fetch-depth: 0
+
+      - name: Configure AWS Credentials
+        id: login-aws
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
+          role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
+          aws-region: "eu-west-2"
+
+      - name: Check And Set Backup Runtime
+        id: check-and-set-backup-runtime
+        shell: bash
+        run: |
+            RUNTIME=$(aws ssm get-parameter --region ${AWS_REGION} --name "$SSMParameter" --query "Parameter.Value" --output text 2>&1) || true
+            PHASE=$(echo $RUNTIME | jq -r '.Phase')
+            STATUS=$(echo $RUNTIME | jq -r '.Status')
+            echo "Backup Phase and Status: $PHASE $STATUS"
+            if [[ $PHASE != 'Backup' ]] || [[ $STATUS != 'Success' ]]; then 
+               echo "Backup must be successful before running Chunk Validation." && exit 1
+            fi 
+            aws ssm put-parameter --region ${AWS_REGION} --name "$SSMParameter" --type String --overwrite \
+                --value "{\"Phase\":\"Validate Chunks\",\"Status\":\"Initializing\",\"Message\":\"Running on $RmanTarget\",\"TargetEnvironment\":\"$TargetEnvironment\",\"RmanTarget\":\"$RmanTarget\"}" \
+
+      - name: Start Ansible Validate And Fix Absent Chunks
+        run: |
+          export ANSIBLE_CONFIG=$ansible_config
+          ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_backup/roles
+          $validate_command -i $inventory -e ansible_aws_ssm_bucket_name=${{ vars.ANSIBLE_AWS_SSM_BUCKET_NAME }} -e rman_target=$RmanTarget -e fix_absent_chunks=yes ${{ github.event.inputs.VerboseOutput }}
@@ -9,6 +9,10 @@
   become_method: sudo
 
   tasks:
+    - name: Show Inputs
+      debug:
+        msg: "{{ json_inputs | string }}"
+
     - name: RMAN script
       block:
         - name: Set database_global_database
@@ -62,6 +66,11 @@
             catalog_options: "-n Y -c {{ catalog }}"
           when: (catalog is defined)
 
+        - name: Set SSM Parameter used for Runtime details when variable is not null
+          set_fact:
+            ssm_parameter_path: '-s "{{ ssm_parameter }}"'
+          when: (ssm_parameter is defined)
+
         - name: Set backup duration target when variable is not null
           set_fact:
             duration_options: "-m {{ rman_level_0_backup_duration_target }}"
@@ -90,6 +99,15 @@
             enable_trace_flag: "-e Y"
           when: enable_trace | default(false) | bool
 
+        # The quotes in the JSON inputs can get messed up by unwanted shell interpretation.
+        # To avoid this we send the JSON as an encoded string to be decoded by the shell script.
+        - name: Enable Repository Dispatch Event if supplied
+          set_fact:
+            repository_dispatch_flag: "-r {{ repository_dispatch }} -j {{ json_inputs | b64encode }}"
+          when:
+            - repository_dispatch is defined
+            - json_inputs is defined
+
         - block:
             - name: Get Current RMAN Retention
               script: get_rman_retention.sh {{ database_primary_sid | default(database_standby_sid) }}
@@ -133,16 +151,16 @@
 
         - name: Create RMAN Command
           set_fact:
-            rman_command: "/home/oracle/admin/rman_scripts/rman_backup.sh -d {{ database_primary_sid | default(database_standby_sid) }} -g {{ database_global_database }} {{ rman_options }} {{ duration_options|default() }} {{ uncompress_options|default() }} {{ catalog_options|default() }} {{ enable_trace_flag|default() }}"
+            rman_command: "/home/oracle/admin/rman_scripts/rman_backup.sh -d {{ database_primary_sid | default(database_standby_sid) }} -g {{ database_global_database }} {{ rman_options }} {{ ssm_parameter_path | default() }} {{ duration_options|default() }} {{ uncompress_options|default() }} {{ catalog_options|default() }} {{ enable_trace_flag|default() }} {{ repository_dispatch_flag|default() }}"
 
         - name: Show RMAN Command
           debug:
             msg: "About to run:  {{ rman_command }}"
 
-        - name: Running RMAN script
+        - name: Running RMAN script in Background
           shell: "{{ rman_command }}"
           async: "{{ allowable_duration|default(28800) }}"
-          poll: 60
+          poll: 0
           environment:
             ASSUME_ROLE_NAME: "{{ secretsmanager_passwords['catalog'].assume_role_name | default() }}"
             SECRET_ACCOUNT_ID: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] | default() }}"
 
@@ -19,7 +19,7 @@ export NUM_OF_DAYS_BACK_TO_VALIDATE="${1:-0}"
 if [[ "${CATALOG}" != "NOCATALOG" ]]
 then
    get_rman_password
-   CONNECT_TO_CATALOG="connect catalog ${CATALOG_CREDENTIALS}"
+   CONNECT_TO_CATALOG="connect catalog rcvcatowner/${RMANPASS}@${CATALOG}"
 fi
 
 # Get list of RMAN backups from the Catalog; merge the Availability and Handle Lines
 
@@ -0,0 +1,17 @@
+import requests
+import os
+
+token = os.getenv('GITHUB_TOKEN')
+repository = os.getenv('GITHUB_REPOSITORY')
+
+url = f"https://api.github.com/repos/{repository}/environments"
+headers = {
+    'Authorization': f'token {token}',
+    'Accept': 'application/vnd.github+json',
+}
+
+response = requests.get(url, headers=headers)
+environments = response.json()
+
+for env in environments['environments']:
+    print(env['name'])