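---
# Rotates the AD "Admin" password of the Directory Service directory in the
# selected account and records the new value in Secrets Manager.
#
# Account selection: the 01:00 (UTC) schedule and the PREPRODUCTION manual
# choice target the preproduction account; the 02:00 schedule and the
# PRODUCTION choice target production. Exactly one of the two
# "Configure AWS Credentials" steps is expected to match per run; if neither
# matches, the later AWS CLI calls should fail for lack of credentials
# rather than act on an unintended account.
name: delius-iaps-ad-admin-rotate

# Least privilege: only the OIDC token (to assume the rotator role) and
# read access to the repository contents.
permissions:
  id-token: write  # required for requesting the OIDC JWT
  contents: read  # required for actions/checkout

on:  # yamllint disable-line rule:truthy
  schedule:
    # every day at 1am (UTC) -> preproduction
    - cron: '0 1 * * *'
    # every day at 2am (UTC) -> production
    - cron: '0 2 * * *'
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: environment
        # Required so a manual run cannot be started without an explicit
        # target; without a value neither credential step would match.
        required: true
        options:
          - PRODUCTION
          - PREPRODUCTION

jobs:
  rotate-password:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): this installs an unpinned awscli from PyPI on every run.
      # The ubuntu-latest image already ships the AWS CLI; if the pip install
      # is kept it should be pinned (awscli==<PINNED_VERSION>) so the tool
      # used to rotate credentials is reproducible.
      - name: install aws-cli
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y python3-pip
          sudo pip3 install awscli

      - name: Configure AWS Credentials
        if: github.event.inputs.environment == 'PREPRODUCTION' || github.event.schedule == '0 1 * * *'
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          role-to-assume: "arn:aws:iam::${{ secrets.IAPS_PREPRODUCTION_ACCOUNT_ID }}:role/ci-secrets-rotator"
          role-session-name: githubactionsrolesession
          aws-region: "eu-west-2"

      - name: Configure AWS Credentials
        if: github.event.inputs.environment == 'PRODUCTION' || github.event.schedule == '0 2 * * *'
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          role-to-assume: "arn:aws:iam::${{ secrets.IAPS_PRODUCTION_ACCOUNT_ID }}:role/ci-secrets-rotator"
          role-session-name: githubactionsrolesession
          aws-region: "eu-west-2"

      # The value is masked before it is written to GITHUB_ENV so that any
      # later step output containing it is redacted in the job log.
      - name: Generate new password
        id: generate_password
        run: |
          set -euo pipefail
          PASSWORD=$(openssl rand -base64 32)
          echo "::add-mask::$PASSWORD"
          echo "PASSWORD=$PASSWORD" >> "$GITHUB_ENV"

      # Assumes the account holds a single directory: the first entry returned
      # by describe-directories is used. With --output text an empty result
      # prints "None", so an empty or "None" id is rejected here instead of
      # being handed to reset-user-password.
      # NOTE(review): the password is passed as a command-line argument (here
      # and in the Secrets Manager step), which is visible to other processes
      # on the runner while the call runs; --cli-input-json from a file or
      # stdin would keep it out of the argument list.
      - name: Reset admin password
        run: |
          set -euo pipefail
          DIRECTORY_ID=$(aws ds describe-directories --region eu-west-2 \
            --query 'DirectoryDescriptions[0].DirectoryId' --output text)
          if [ -z "$DIRECTORY_ID" ] || [ "$DIRECTORY_ID" = "None" ]; then
            echo "No Directory Service directory found in this account" >&2
            exit 1
          fi
          aws ds reset-user-password --user-name Admin \
            --new-password "$PASSWORD" --directory-id "$DIRECTORY_ID"

      # Runs after the reset: if this step fails, the directory already has
      # the new password while Secrets Manager still holds the old one, so a
      # failure here needs follow-up (a re-run rotates again and stores the
      # fresh value).
      - name: Store password in secrets
        run: |
          set -euo pipefail
          aws secretsmanager put-secret-value --secret-id delius-iaps-ad-password --secret-string "$PASSWORD"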