Skip to content
delius-iaps-ad-admin-rotate

delius-iaps-ad-admin-rotate #509

Sign in to view logs

delius-iaps-ad-admin-rotate

delius-iaps-ad-admin-rotate #509

Workflow file for this run

.github/workflows/delius-iaps-ad-admin-rotate.yml at d690641
---
name: delius-iaps-ad-admin-rotate
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
on:
schedule:
# every day at 1am
- cron: '0 1 * * *'
# every day at 2am
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
environment:
type: choice
description: environment
options:
- PRODUCTION
- PREPRODUCTION
jobs:
rotate-password:
runs-on: ubuntu-latest
steps:
- name: install aws-cli
run: |
sudo apt-get update
sudo apt-get install -y python3-pip
sudo pip3 install awscli
- name: Configure AWS Credentials
if: github.event.inputs.environment == 'PREPRODUCTION' || github.event.schedule == '0 1 * * *'
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ secrets.IAPS_PREPRODUCTION_ACCOUNT_ID }}:role/ci-secrets-rotator"
role-session-name: githubactionsrolesession
aws-region: "eu-west-2"
- name: Configure AWS Credentials
if: github.event.inputs.environment == 'PRODUCTION' || github.event.schedule == '0 2 * * *'
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ secrets.IAPS_PRODUCTION_ACCOUNT_ID }}:role/ci-secrets-rotator"
role-session-name: githubactionsrolesession
aws-region: "eu-west-2"
- name: Generate new password
id: generate_password
run: |
PASSWORD=$(openssl rand -base64 32)
echo "::add-mask::$PASSWORD"
echo "PASSWORD=$PASSWORD" >> $GITHUB_ENV
- name: Reset admin password
run: |
DIRECTORY_ID=$(aws ds describe-directories --region eu-west-2 --query 'DirectoryDescriptions[0].DirectoryId' --output text) && aws ds reset-user-password --user-name Admin --new-password $PASSWORD --directory-id $DIRECTORY_ID
- name: Store password in secrets
run: |
aws secretsmanager put-secret-value --secret-id delius-iaps-ad-password --secret-string $PASSWORD