
Commit e0a6a32

Dba 717 (#332)
* Additional jobs for preparation and slack notification * Runs-on missing * Exit failure to test slack notification * Remove double quote * Remove comments
1 parent a2c6ce9 commit e0a6a32


1 file changed

+129
-18
lines changed


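--- a/.github/workflows/oracle-db-oem-password-rotation.yml
+++ b/.github/workflows/oracle-db-oem-password-rotation.yml
@@ -102,22 +102,28 @@ permissions:
 packages: read
 id-token: write
 
-jobs:
-deployment:
-name: oracle-oem-password-rotation
-environment: ${{ github.event.inputs.TargetOemEnvironment }}-preapproved
+jobs:
+oracle-oem-password-preparation:
 runs-on: ubuntu-latest
-container:
-image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.41.0
-timeout-minutes: 1440
 continue-on-error: false
+outputs:
+TargetOemEnvironment: ${{ steps.prepare.outputs.TargetOemEnvironment }}
+TargetOemHost: ${{ steps.prepare.outputs.TargetOemHost }}
+TargetEnvironmentName: ${{ steps.prepare.outputs.TargetEnvironmentName }}
+SyncMonitoringPasswords: ${{ steps.prepare.outputs.SyncMonitoringPasswords }}
+RotateRMANPassword: ${{ steps.prepare.outputs.RotateRMANPassword }}
+RotateOEMPasswords: ${{ steps.prepare.outputs.RotateOEMPasswords }}
+VerboseOutput: ${{ steps.prepare.outputs.VerboseOutput }}
+SlackChannel: ${{ steps.prepare.outputs.SlackChannel }}
+JobId: ${{ github.job }}
 steps:
 
-- name: Prepare Ansbile OEM Target Host
-id: prepareoemtargethost
+- name: Prepare Ansbile OEM Target Host And Slack Channel
+id: prepare
 run: |
 if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]
 then
+TargetOemEnvironment="${{ github.event.inputs.TargetOemEnvironment }}"
 TargetOemHost="environment_name_$(echo ${{ github.event.inputs.TargetOemEnvironment }} | sed 's/-/_/g')"
 TargetEnvironmentName="${{ github.event.inputs.TargetEnvironmentName }}"
 SyncMonitoringPasswords="${{ github.event.inputs.SyncMonitoringPasswords }}"
@@ -126,20 +132,41 @@ jobs:
 VerboseOutput="${{ github.event.inputs.VerboseOutput }}"
 elif [[ "${{ github.event_name }}" == "schedule" ]]
 then
+TargetOemEnvironment="${{ inputs.TargetOemEnvironment }}"
 TargetOemHost=="environment_name_$(echo ${{ inputs.TargetOemEnvironment }} | sed 's/-/_/g')"
 TargetEnvironmentName="${{ inputs.TargetEnvironmentName }}"
 SyncMonitoringPasswords="${{ inputs.SyncMonitoringPasswords }}"
 RotateRMANPassword="${{ inputs.RotateRMANPassword }}"
 RotateOEMPasswords="${{ inputs.RotateOEMPasswords }}"
 VerboseOutput=""
 fi
+echo "TargetOemEnvironment=${TargetOemEnvironment}" >> $GITHUB_OUTPUT
 echo "TargetOemHost=${TargetOemHost}" >> $GITHUB_OUTPUT
 echo "TargetEnvironmentName=${TargetEnvironmentName}" >> $GITHUB_OUTPUT
 echo "SyncMonitoringPasswords=${SyncMonitoringPasswords}" >> $GITHUB_OUTPUT
 echo "RotateRMANPassword=${RotateRMANPassword}" >> $GITHUB_OUTPUT
 echo "RotateOEMPasswords=${RotateOEMPasswords}" >> $GITHUB_OUTPUT
 echo "VerboseOutput=${VerboseOutput}" >> $GITHUB_OUTPUT
 
+Environment=$(echo ${TargetOemHost} | rev | cut -d'_' -f1 | rev)
+if [[ "${Environment}" == "production" ]]; then
+echo "SlackChannel=delius-aws-oracle-prod-alerts" >> $GITHUB_OUTPUT
+else
+echo "SlackChannel=delius-aws-oracle-dev-alerts" >> $GITHUB_OUTPUT
+fi
+
+oracle-oem-password-rotation:
+needs: oracle-oem-password-preparation
+environment: ${{ needs.oracle-oem-password-preparation.outputs.TargetOemEnvironment }}-preapproved
+runs-on: ubuntu-latest
+container:
+image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.41.0
+timeout-minutes: 1440
+continue-on-error: false
+outputs:
+JobId: ${{ github.job }}
+steps:
+
 - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation
 uses: actions/checkout@v4
 with:
@@ -148,7 +175,7 @@ jobs:
 playbooks/oracle_password_rotation
 playbooks/ansible.cfg
 path: operations
-ref: ${{ github.event.inputs.SourceCodeVersion }}
+ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceCodeVersion || 'main' }}
 fetch-depth: 0
 
 - name: Checkout Ansible Inventory From modernisation-platform-configuration-management
@@ -160,7 +187,7 @@ jobs:
 ansible/hosts
 ansible/group_vars
 path: inventory
-ref: ${{ github.event.inputs.SourceConfigVersion }}
+ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceCodeVersion || 'main' }}
 fetch-depth: 0
 
 - name: Checkout Ansible Required Roles From modernisation-platform-configuration-management
@@ -172,7 +199,7 @@ jobs:
 ansible/roles/secretsmanager-passwords
 ansible/roles/get-modernisation-platform-facts
 path: roles
-ref: ${{ github.event.inputs.SourceConfigVersion }}
+ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.SourceCodeVersion || 'main' }}
 fetch-depth: 0
 
 - name: Configure AWS Credentials
@@ -189,10 +216,94 @@ jobs:
 export ANSIBLE_CONFIG=$ansible_config
 ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles
 $command -i $inventory \
--e oem_target=${{ steps.prepareoemtargethost.outputs.TargetOemHost }} \
--e environment_name=${{ steps.prepareoemtargethost.outputs.TargetEnvironmentName }} \
--e target_environment_name=${{steps.prepareoemtargethost.outputs.TargetEnvironmentName }} \
--e sync_monitoring_passwords=${{ steps.prepareoemtargethost.outputs.SyncMonitoringPasswords }} \
--e rotate_rman_password=${{ steps.prepareoemtargethost.outputs.RotateRMANPassword }} \
--e rotate_oem_passwords=${{ steps.prepareoemtargethost.outputs.RotateOEMPasswords }} ${{ steps.prepareoemtargethost.outputs.VerboseOutput }}
+-e oem_target=${{ needs.oracle-oem-password-preparation.outputs.TargetOemHost }} \
+-e environment_name=${{ needs.oracle-oem-password-preparation.outputs.TargetEnvironmentName }} \
+-e target_environment_name=${{ needs.oracle-oem-password-preparation.outputs.TargetEnvironmentName }} \
+-e sync_monitoring_passwords=${{ needs.oracle-oem-password-preparation.outputs.SyncMonitoringPasswords }} \
+-e rotate_rman_password=${{ needs.oracle-oem-password-preparation.outputs.RotateRMANPassword }} \
+-e rotate_oem_passwords=${{ needs.oracle-oem-password-preparation.outputs.RotateOEMPasswords }} ${{ needs.oracle-oem-password-preparation.outputs.VerboseOutput }}
+
+slack-notification:
+if: ${{ failure() }}
+runs-on: ubuntu-latest
+container:
+image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.41.0
+needs: [oracle-oem-password-preparation,oracle-oem-password-rotation]
+environment: ${{ needs.oracle-oem-password-preparation.outputs.TargetOemEnvironment }}-preapproved
+env:
+TargetOemEnvironment: ${{ needs.oracle-oem-password-preparation.outputs.TargetOemEnvironment }}
+steps:
+
+- name: Configure AWS Credentials
+id: login-aws
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
+role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
+aws-region: "eu-west-2"
+
+- name: Get Slack Token
+id: get-slack-token
+shell: bash
+run: |
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+OEM_ACCOUNT_ID=$(aws ssm get-parameter --name account_ids --region eu-west-2 --with-decryption --output json | \
+jq '.Parameter.Value' | tr -d '\' | sed 's/^\"//' | sed 's/\"$//' | \
+jq -r 'to_entries | map(select(.key | contains("hmpps-oem-"))) | first' | jq -r '.value' )
+SECRET_ARN="arn:aws:secretsmanager:eu-west-2:${OEM_ACCOUNT_ID}:secret:/oracle/database/EMREP/shared-passwords"
+SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "${SECRET_ARN}" --query SecretString --output json)
+SLACK_TOKEN=$(echo ${SECRET_VALUE} | jq -r | jq -r 'to_entries[] | select(.key=="slack_token").value')
+echo "slack_token=${SLACK_TOKEN}" >> $GITHUB_OUTPUT
+
+if [[ "${{ needs.oracle-oem-password-preparation.result }}" == "failure" ]]
+then
+echo "jobid=${{ needs.oracle-oem-password-preparation.outputs.JobId }}" >> $GITHUB_OUTPUT
+elif [[ "${{ needs.oracle-oem-password-rotation.result }}" == "failure" ]]
+then
+echo "jobid=${{ needs.oracle-oem-password-rotation.outputs.JobId }}" >> $GITHUB_OUTPUT
+fi
+
+- name: Slack Failure Notification
+id: slack
+uses: slackapi/slack-github-action@v1.26.0
+with:
+channel-id: ${{ needs.oracle-oem-password-preparation.outputs.SlackChannel }}
+payload: |
+{
+"icon_emoji":"large_purple_circle",
+"text":"Failed OEM Password Rotation",
+"blocks":[
+{
+"type": "section",
+"text":
+{
+"type": "mrkdwn",
+"text": "Failed OEM Password Rotation:"}
+},
+{
+"type": "section",
+"fields":[
+{
+"type": "mrkdwn",
+"text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+},
+{
+"type": "mrkdwn",
+"text": "*Job:*\n${{ steps.get-slack-token.outputs.jobid }}"
+},
+{
+"type": "mrkdwn",
+"text": "*Repo:*\n${{ github.repository }}"
+},
+{
+"type": "mrkdwn",
+"text": "*OEM Environment:*\n${{ env.TargetOemEnvironment }}"
+}
+]
+}
+]
+}
+env:
+SLACK_BOT_TOKEN: ${{ steps.get-slack-token.outputs.slack_token }}
+
 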
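Review bot: The `Get Slack Token` step writes the token to `$GITHUB_OUTPUT` without registering it as a secret, so it is not masked and can appear in clear in the run log once the `Slack Failure Notification` step receives it through `env: SLACK_BOT_TOKEN` or when step debug logging is on. Add `echo "::add-mask::${SLACK_TOKEN}"` immediately before `echo "slack_token=${SLACK_TOKEN}" >> $GITHUB_OUTPUT`. `SECRET_VALUE` holds the whole `shared-passwords` secret although only `slack_token` is used, so that variable should stay out of any echo or trace output. Separately, the new `ref:` lines in the inventory and required-roles checkout steps read `SourceCodeVersion` where the removed lines read `SourceConfigVersion`; this looks like a copy-paste slip that would check out the configuration repository at the code version on manual runs.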
