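# Scheduled check that each listed Azure service principal still has a
# client secret valid for at least ExpiresWithinDays; posts to Slack when not.
name: Check Service Principal

on:
  workflow_dispatch:
  schedule:
    - cron: "35 6 * * *"

# Nothing here needs to write to the repository through GITHUB_TOKEN (the
# steps authenticate with AZURE_CREDENTIALS and a Slack webhook), so grant
# the token read-only scope instead of the repository default.
permissions:
  contents: read

jobs:
  check_expires:
    name: ${{ matrix.principal }}
    strategy:
      # One principal's check failing must not cancel the others: every
      # principal in the matrix should still be checked and, if needed, alerted.
      fail-fast: false
      matrix:
        principal:
          - s121d01-keyvault-readonly-access
          - s121t01-keyvault-readonly-access
          - s121p01-keyvault-readonly-access
    runs-on: ubuntu-latest
    steps:
      # Queries the expiry of the principal's secret; its json_data output is
      # consumed by the Slack step below.
      # NOTE(review): `@master` is a mutable ref, so whatever that branch holds
      # at run time is executed with the Azure credentials. Pinning to a full
      # commit SHA (with the tag kept in a trailing comment) would fix the
      # code this workflow runs.
      - name: Check ${{ matrix.principal }}
        uses: DFE-Digital/github-actions/CheckServicePrincipal@master
        id: pwsh_check_expire
        with:
          AzureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
          ServicePrincipal: ${{ matrix.principal }}
          ExpiresWithinDays: 30

      # Runs only when the check step flags data.Alert. The expressions below
      # land in environment variables, not in a shell command line, so the JSON
      # values never reach a shell. The step is skipped if the check step fails;
      # if it succeeds with an empty json_data the fromJson call would error —
      # confirm the action always emits that output.
      - name: Slack Notification
        if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
        # NOTE(review): same mutable-ref caveat as the check step above.
        uses: rtCamp/action-slack-notify@master
        env:
          # NOTE(review): SLACK_ERROR is not set anywhere in this workflow; unless
          # the check step exports it via GITHUB_ENV this expands to an empty
          # string and the action falls back to its own default colour — confirm.
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_TITLE: A Service Principal secret is expiring soon
          SLACK_MESSAGE: |
            The Service Principal *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application }}*
            secret *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Name }}* is due to expire in *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays }}* days.
            Please follow the <https://dfe-technical-guidance.london.cloudapps.digital/infrastructure/hosting/azure-cip/#use-the-service-principal-in-external-systems|Use the service principal in external systems> process to renew.
            This secret is used by all BAT apps so be sure to update the publish, find and register secrets too.
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}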