ministryofjustice · ranbeersingh1 · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024
@@ -17,6 +17,9 @@ on:
         type: choice
         options:
           - "hmpps-oem-development"
+          - "hmpps-oem-test"
+          - "hmpps-oem-preproduction"
+          - "hmpps-oem-production"
           - "delius-core-development"
           - "delius-core-test"
           - "delius-core-preproduction"
@@ -52,13 +55,6 @@ on:
         options:
           - "yes"
           - "no"
-      RotateDatabasePasswords:
-        description: "Rotate Database Passswords (sys, system, dbsnmp, delius_audit_pool)"
-        type: choice
-        default: "no"
-        options:
-          - "yes"
-          - "no"
       VerboseOutput:
         description: "Verbose Output level"
         type: choice
@@ -68,15 +64,6 @@ on:
           - "-vv"
           - "-vvv"
           - "-vvvv"
-      # AnsibleForks:
-      #   description: "Number of Ansible Forks to Use"
-      #   type: choice
-      #   default: ""
-      #   options: 
-      #     - ""
-      #     - "-f 5"
-      #     - "-f 10"
-      #     - "-f 15"
       SourceCodeVersion:
         description: "Source version for the hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference."
         type: string
@@ -87,7 +74,7 @@ on:
         default: "main"
 env:
   ansible_config: operations/playbooks/ansible.cfg
-  command: ansible-playbook operations/playbooks/oracle_password_rotation/password_rotation.yml
+  command: ansible-playbook operations/playbooks/oracle_password_rotation/oem_password_rotation.yml
   inventory: inventory/ansible
 
 # Allow permissions on repository and docker image and OIDC token
@@ -107,20 +94,18 @@ jobs:
     continue-on-error: false
     steps:
 
-      - name: Prepare Ansbile OEM Target Host And Rotate Groups
+      - name: Prepare Ansbile OEM Target Host
         id: prepareoemtargethost
         run: |
           TargetOemHost="environment_name_$(echo ${{ github.event.inputs.TargetOemEnvironment }}  | sed 's/-/_/g')"
           echo "TargetOemHost=${TargetOemHost}" >> $GITHUB_OUTPUT
-          [[ "${{ github.event.inputs.RotateDatabasePasswords }}" == "yes" ]] && RotateGroups=${TargetOemHost} || RotateGroups=NOROTATEGROUPS
-          echo "RotateGroups=${RotateGroups}" >> $GITHUB_OUTPUT
+
       - name: Checkout Ansible Playbooks and Roles From hmpps-delius-operation-automation
         uses: actions/checkout@v4
         with:
           sparse-checkout-cone-mode: false
           sparse-checkout: |
             playbooks/oracle_password_rotation
-            playbooks/oem_blackout
             playbooks/ansible.cfg
           path: operations
           ref: ${{ github.event.inputs.SourceCodeVersion }}
@@ -158,13 +143,12 @@ jobs:
           role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
           aws-region: "eu-west-2"
 
-      - name: Start Ansible Password Rotation
+      - name: Start Ansible OEM Password Rotation
         shell: bash
         run: |
           export ANSIBLE_CONFIG=$ansible_config
           ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles
           $command -i $inventory \
-          -e rotate_groups=${{ steps.prepareoemtargethost.outputs.RotateGroups }} \
           -e oem_target=${{ steps.prepareoemtargethost.outputs.TargetOemHost }} \
           -e environment_name=${{ github.event.inputs.TargetEnvironmentName }}  \
           -e target_environment_name=${{ github.event.inputs.TargetEnvironmentName }} \

@@ -236,7 +236,6 @@ jobs:
           export ANSIBLE_CONFIG=$ansible_config
           ln -s $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_password_rotation/roles
           $oem_command -i $inventory \
-          -e rotate_groups=NONE \
           -e oem_target=environment_name_$(echo ${{ needs.oracle_password_rotation.outputs.TargetOemEnvironment }} | sed 's/-/_/g') \
           -e environment_name=${{ needs.oracle_password_rotation.outputs.TargetOemEnvironment }}  \
           -e target_environment_name=${{ needs.oracle_password_rotation.outputs.TargetEnvironmentName }} \

@@ -4,8 +4,14 @@
   no_log: true
 
 - name: Get Existing SYS Password
+  import_role:
+    name: secretsmanager-passwords
+  vars:
+    secretsmanager_passwords: "{{ oemdb_secretsmanager_passwords }}"
+
+- name: Set Variable For SYS Password
   set_fact:
-    sys_password: "{{ lookup('amazon.aws.aws_secret', '{{ secret_name }}', region='eu-west-2') | from_json | json_query('sys') }}"
+    sys_password: "{{ secretsmanager_passwords_dict['oemdb'].passwords['sys'] }}"
 
 - name: Check if the SYS Password Works
   script: get_sys_remote_lock.sh
@@ -15,7 +21,7 @@
   run_once: true
   environment:
     DB_NAME: "{{ db_configs['EMREP']['emrepo_db_name'] }}"
-    SECRET_ID: "{{ oem_secretsmanager_passwords['oem']['secret'] }}"
+    SECRET_ID: "{{ oemdb_secretsmanager_passwords['oemdb']['secret'] }}"
 
 - name: Abort if SYS Connection Fails
   fail:

@@ -1,20 +1,26 @@
-- name: Set RMAN Secret Name
-  set_fact:
-    secret_name: "{{ rman_secretsmanager_passwords['catalog']['secret'] }}"
-  no_log: true
+- name: Get Existing RMAN Password
+  import_role:
+    name: secretsmanager-passwords
+  vars:
+    secretsmanager_passwords: "{{ rman_secretsmanager_passwords }}"
 
 - name: Set Existing RMAN Password In Variable
   set_fact:
-    existing_rman_password: "{{ lookup('amazon.aws.aws_secret', '{{ secret_name }}', region='eu-west-2') | from_json | json_query('rcvcatowner') }}"
+    existing_rman_password: "{{ secretsmanager_passwords_dict['catalog'].passwords['rcvcatowner'] }}"
 
 - name: Get New Password for RMAN
   include_tasks: ../../all_password_rotation/tasks/create_random_password.yml
 
 - block:
-    - name: Update the secret for the RMAN password
-      include_tasks: set_rman_password.yml
+    - name: Add Password To RMAN secret dictionary
+      set_fact:
+        rman_secretsmanager_passwords: "{{ rman_secretsmanager_passwords |  combine({ 'catalog': { 'users': [{'rcvcatowner': new_password}] }}, recursive=true) }}"
+
+    - name: Update RMAN Password In Secrets
+      import_role:
+        name: secretsmanager-passwords
       vars:
-        rman_password: "{{ new_password }}"
+        secretsmanager_passwords: "{{ rman_secretsmanager_passwords }}"
 
     - name: Set RMAN Password in Catalog Database
       script: set_rman_password.sh