IAPS: AD Admin Password Rotate #516
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "IAPS: AD Admin Password Rotate" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| on: | |
| schedule: | |
| # every day at 1am | |
| - cron: "0 1 * * *" | |
| # every day at 2am | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| type: choice | |
| description: environment | |
| options: | |
| - PRODUCTION | |
| - PREPRODUCTION | |
| env: | |
| IAPS_PREPRODUCTION_ACCOUNT_ID: "247467087019" | |
| IAPS_PRODUCTION_ACCOUNT_ID: "936195311149" | |
| jobs: | |
| rotate-password: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Configure AWS Credentials | |
| if: github.event.inputs.environment == 'PREPRODUCTION' || github.event.schedule == '0 1 * * *' | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.IAPS_PREPRODUCTION_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "iaps-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Configure AWS Credentials | |
| if: github.event.inputs.environment == 'PRODUCTION' || github.event.schedule == '0 2 * * *' | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.IAPS_PRODUCTION_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "iaps-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Generate new password | |
| id: generate_password | |
| run: | | |
| PASSWORD=$(openssl rand -base64 32) | |
| echo "::add-mask::$PASSWORD" | |
| echo "PASSWORD=$PASSWORD" >> $GITHUB_ENV | |
| - name: Reset admin password | |
| run: | | |
| DIRECTORY_ID=$(aws ds describe-directories --region eu-west-2 --query 'DirectoryDescriptions[0].DirectoryId' --output text) && aws ds reset-user-password --user-name Admin --new-password $PASSWORD --directory-id $DIRECTORY_ID | |
| - name: Store password in secrets | |
| run: | | |
| aws secretsmanager put-secret-value --secret-id delius-iaps-ad-password --secret-string $PASSWORD |