Create ldap-remove-user-passwords.yaml (#279)

* Create ldap-remove-user-passwords.yaml

* change to workflow dispatch

* trigger the create backup job

* call flow from data refresh

.github/workflows/ldap-data-refresh.yml

@@ -496,3 +496,10 @@ jobs:
             echo "At least one step failed, marking the job as failed"
             exit 1
           fi
+  remove-passwords:
+    needs:
+      - cleanup
+    uses: ./.github/workflows/ldap-remove-user-passwords.yml
+    with:
+      environment: ${{ github.event.inputs.destination_env }}
+    secrets: inherit

.github/workflows/ldap-on-demand-bkp.yml

@@ -0,0 +1,72 @@
+---
+name: "LDAP: On Demand Backup"
+permissions:
+  id-token: write  # This is required for requesting the JWT
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: environment to create backup in [dev|test|preprod|prod]
+        required: true
+        type: string
+    secrets:
+        PWO_PUBLIC_SLACK_WEBHOOK_URL:
+            required: true
+
+jobs:
+  create-backup:
+    runs-on: ubuntu-latest
+    environment: delius-core-${{ inputs.environment }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Check environment
+        run: |
+          if [[ ! "${{ inputs.environment }}" =~ ^(dev|test|preprod|prod)$ ]]; then
+            echo "Invalid environment: ${{ inputs.environment }}"
+            exit 1
+          fi
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
+          role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
+          aws-region: "eu-west-2"
+
+      - name: Get ldap EFS FS id
+        id: get-efs-id
+        run: |
+          echo "EFS_ID=$(aws efs describe-file-systems --query "FileSystems[]" --output json | jq -rj '.[] | select(.Name=="ldap") | .FileSystemId')" >> $GITHUB_OUTPUT
+
+      - name: Create backup
+        id: create-backup
+        run: |
+            echo BACKUP_JOB_ID=$(aws efs start-backup-job --resource-arn ${{ steps.get-efs-id.outputs.EFS_ID }} \
+            --iam-role-arn arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ inputs.environment }}-ldap-efs-awsbackup-role \
+            --backup-vault-name "${{ inputs.environment }}-ldap-efs-vault") | jq -r '.BackupJobId' >> $GITHUB_OUTPUT
+
+      - name: Wait for backup to complete
+        timeout-minutes: 10
+        run: |
+            while [ "$(aws backup describe-backup-job --backup-job-id 646aa307-33c7-423b-aa33-9dfdf5db72f5 | jq -rj '.State)" != "\"COMPLETED\"" ]; do
+                sleep 10
+            done
+            echo "Backup completed"
+
+      - name: Notify Slack
+        uses: ministryofjustice/github-actions/slack-notify@main
+        if: success()
+        with:
+          status: "success"
+          message: "On-Demand LDAP backup completed successfully for ${{ inputs.environment }} environment"
+          webhook-url: ${{ secrets.PWO_PUBLIC_SLACK_WEBHOOK_URL }}
+
+      - name: Notify Slack
+        uses: ministryofjustice/github-actions/slack-notify@main
+        if: failure()
+        with:
+          status: "failure"
+          message: "On-Demand LDAP backup failed for ${{ inputs.environment }} environment"
+          webhook-url: ${{ secrets.PWO_PUBLIC_SLACK_WEBHOOK_URL }}

.github/workflows/ldap-remove-user-passwords.yaml

@@ -0,0 +1,109 @@
+name: "LDAP: User Expiry"
+on:
+   workflow_call:
+     inputs:
+       environment:
+         description: "The environment to run the task in"
+         required: true
+         type: string
+jobs:
+  create-backup:
+    name: Create LDAP EFS Backup in ${{ inputs.environment }}
+    uses: ./.github/workflows/ldap-on-demand-bkp.yml
+    with:
+      environment: ${{ inputs.environment }}
+    secrets:
+      PWO_PUBLIC_SLACK_WEBHOOK_URL: ${{ secrets.PWO_PUBLIC_SLACK_WEBHOOK_URL }}
+
+  deploy:
+    name: Create ECS Task in delius-core ${{ inputs.environment }}
+    needs:
+      - create-backup
+    runs-on: ubuntu-latest
+    environment: delius-core-${{ inputs.environment }}-preapproved
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
+          role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
+          aws-region: "eu-west-2"
+      - name: Set cluster ARN
+        id: set-cluster-arn
+        run: |
+          echo "CLUSTER_ARN=delius-core-${{ inputs.environment }}-cluster" >> $GITHUB_OUTPUT
+      - name: Get security groups and subnet ids
+        id: get-ids
+        run: |
+          echo "SEC_GROUPS=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=*${{ inputs.environment }}-ldap-sg*" --query "SecurityGroups[].GroupId" --output json | jq -s -c '.[]')" >> $GITHUB_OUTPUT
+          echo "SUBNET_IDS=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=*-general-private-*" --query "Subnets[].SubnetId" --output json | jq -s -c '.[]')" >> $GITHUB_OUTPUT
+
+      - name: Template task def
+        uses: christherama/render-json-template@v1
+        id: render
+        with:
+          # Path to JSON file serving as the template for rendering an output file. Required.
+          json-file-path: docker/ldap-automation/task-def.json
+          # Multi-line string containing key/value pairs of JSON property paths and desired property values
+          field-value-pairs: |
+            $.containerDefinitions[0].command: ["ldap-automation", "remove-all-user-passwords"]
+
+            $.executionRoleArn: "arn:aws:iam::${{vars.AWS_ACCOUNT_ID}}:role/${{ inputs.environment }}-ldap-ecs-task-exec"
+            $.taskRoleArn: "arn:aws:iam::${{vars.AWS_ACCOUNT_ID}}:role/${{ inputs.environment }}-ldap-ecs-task"
+
+            $.containerDefinitions[0].image: "ghcr.io/ministryofjustice/hmpps-ldap-automation:${{ vars.LDAP_AUTOMATION_IMAGE_TAG }}"
+
+            $.containerDefinitions[0].containerName: "ldap-automation-task-${{ github.run_id }}"
+
+            $.containerDefinitions[0].secrets: [{"name": "VAR_LDAP_HOST", "valueFrom": "arn:aws:ssm:${{secrets.AWS_REGION}}:${{vars.AWS_ACCOUNT_ID}}:parameter/delius-core-${{ inputs.environment }}/LDAP_HOST"}, {"name": "VAR_LDAP_USER", "valueFrom": "arn:aws:ssm:${{secrets.AWS_REGION}}:${{vars.AWS_ACCOUNT_ID}}:parameter/delius-core-${{ inputs.environment }}/LDAP_PRINCIPAL"}, {"name": "SECRET_LDAP_BIND_PASSWORD", "valueFrom": "arn:aws:ssm:${{secrets.AWS_REGION}}:${{vars.AWS_ACCOUNT_ID}}:parameter/delius-core-${{ inputs.environment }}/LDAP_BIND_PASSWORD"}]
+
+            $.containerDefinitions[0].logConfiguration.logDriver.options."awslogs-group": "/ecs/ldap-automation"
+            $.containerDefinitions[0].logConfiguration.logDriver.options."awslogs-region": "${{secrets.AWS_REGION}}"
+            $.containerDefinitions[0].logConfiguration.logDriver.options."awslogs-stream-prefix": "${{ github.run_id }}"
+
+      - name: Show rendered user service task
+        if: github.ref != 'refs/heads/main'
+        run: cat ${{ steps.render.outputs.rendered-json-file }}
+      - name: Run Standalone ECS Task
+        id: run-task
+        run: |
+          task_definition=$(aws ecs register-task-definition --cli-input-json file://${{ steps.render.outputs.rendered-json-file }})
+          task_definition_arn=$(echo $task_definition | jq -r '.taskDefinition.taskDefinitionArn')
+
+          echo "TASK_DEF_ARN=$(echo $task_definition | jq -r '.taskDefinition.taskDefinitionArn') " >> $GITHUB_OUTPUT
+
+          # Run task and store task id for later use
+          echo "TASK_ID=$(aws ecs run-task --cluster ${{ steps.set-cluster-arn.outputs.CLUSTER_ARN }} --task-definition $task_definition_arn --network-configuration "awsvpcConfiguration={subnets=${{ steps.get-ids.outputs.SUBNET_IDS }},securityGroups=${{ steps.get-ids.outputs.SEC_GROUPS }},assignPublicIp=DISABLED}" --launch-type FARGATE --count 1 | jq -r '.tasks[0].taskArn' | cut -d '/' -f 3)" >> $GITHUB_OUTPUT
+      - name: Delete Task Definition
+        run: |
+          aws ecs deregister-task-definition --task-definition ${{steps.run-task.outputs.TASK_DEF_ARN}}
+      - name: Output Cloudwatch Logs
+        run: |
+          task_running=true
+          while [ "$task_running" = true ]; do
+
+              task_info=$(aws ecs describe-tasks --cluster ${{ steps.set-cluster-arn.outputs.CLUSTER_ARN }} --tasks ${{steps.run-task.outputs.TASK_ID}})
+              last_status=$(echo "$task_info" | jq -r '.tasks[0].lastStatus')
+
+              if [ "$last_status" == "STOPPED" ]; then
+                  task_running=false
+              else
+                  sleep 10
+              fi
+          done
+
+          aws logs tail /ecs/ldap-automation --log-stream-names "ecs/ldap-automation/${{steps.run-task.outputs.TASK_ID}}"
+      - name: Slack failure notification
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
+        with:
+          payload: |
+            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
+            env:
+              SLACK_WEBHOOK_URL: ${{ secrets.PWO_PUBLIC_SLACK_WEBHOOK_URL }}
+              SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK