Skip to content

IAPS: AD Admin Password Rotate #527

IAPS: AD Admin Password Rotate

IAPS: AD Admin Password Rotate #527

---
name: "IAPS: AD Admin Password Rotate"
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
on:
schedule:
# every day at 1am
- cron: "0 1 * * *"
# every day at 2am
- cron: "0 2 * * *"
workflow_dispatch:
inputs:
environment:
type: choice
description: environment
options:
- PRODUCTION
- PREPRODUCTION
env:
IAPS_PREPRODUCTION_ACCOUNT_ID: "247467087019"
IAPS_PRODUCTION_ACCOUNT_ID: "936195311149"
jobs:
rotate-password:
runs-on: ubuntu-latest
steps:
- name: Configure AWS Credentials
if: github.event.inputs.environment == 'PREPRODUCTION' || github.event.schedule == '0 1 * * *'
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.IAPS_PREPRODUCTION_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
role-session-name: "iaps-data-refresh-${{ github.run_number }}"
aws-region: "eu-west-2"
- name: Configure AWS Credentials
if: github.event.inputs.environment == 'PRODUCTION' || github.event.schedule == '0 2 * * *'
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.IAPS_PRODUCTION_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
role-session-name: "iaps-data-refresh-${{ github.run_number }}"
aws-region: "eu-west-2"
- name: Generate new password
id: generate_password
run: |
PASSWORD=$(openssl rand -base64 32)
echo "::add-mask::$PASSWORD"
echo "PASSWORD=$PASSWORD" >> $GITHUB_ENV
- name: Reset admin password
run: |
DIRECTORY_ID=$(aws ds describe-directories --region eu-west-2 --query 'DirectoryDescriptions[0].DirectoryId' --output text) && aws ds reset-user-password --user-name Admin --new-password $PASSWORD --directory-id $DIRECTORY_ID
- name: Store password in secrets
run: |
aws secretsmanager put-secret-value --secret-id delius-iaps-ad-password --secret-string $PASSWORD