Skip to content

Check Service Principal #678

Check Service Principal

Check Service Principal #678

Workflow file for this run

name: Check Service Principal
on:
workflow_dispatch:
schedule:
- cron: "35 6 * * *"
jobs:
set-matrix:
runs-on: ubuntu-latest
outputs:
tests: ${{ steps.select-tests.outputs.tests }}
steps:
- name: Select Tests
id: select-tests
run: |
d="{'environment' :'Development' , 'principal': 's105d01-keyvault-readonly-access', 'keyvault': 's105d01-kv'}"
t="{'environment' :'Staging' , 'principal': 's105t01-keyvault-readonly-access', 'keyvault': 's105t01-kv'}"
p="{'environment' :'Production' , 'principal': 's105p01-keyvault-readonly-access', 'keyvault': 's105p01-kv'}"
tests="{ 'data':[ ${d} , ${t} , ${p} ]}"
echo "tests=${tests}" >> $GITHUB_OUTPUT
check_expires:
name: ${{matrix.data.environment}}/${{ matrix.data.principal }}
needs: set-matrix
strategy:
matrix: ${{ fromJson(needs.set-matrix.outputs.tests) }}
environment:
name: ${{ matrix.data.environment }}
runs-on: ubuntu-latest
steps:
- name: Check ${{ matrix.data.principal }}
uses: DFE-Digital/github-actions/CheckServicePrincipal@master
id: pwsh_check_expire
with:
AzureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
ServicePrincipal: ${{ matrix.data.principal }}
ExpiresWithinDays: 30
- name: Processing ${{ matrix.data.principal }}
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
run: echo Expires in ${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays}} days
- name: Check out the repo
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
uses: actions/checkout@v4
- name: set-up-environment
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v1
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: DfE-Digital/keyvault-yaml-secret@v1
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
id: keyvault-yaml-secret
with:
keyvault: ${{ matrix.data.keyvault }}
secret: SE-INFRA-SECRETS
key: SLACK-WEBHOOK
- name: Slack Notification
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
uses: rtCamp/action-slack-notify@v2
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_TITLE: A Service Principal secret is expiring soon
SLACK_MESSAGE: |
The Service Principal *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application }}*
secret *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Name }}* is due to expire in *${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays}}* days.
Please follow the <https://dfe-technical-guidance.london.cloudapps.digital/infrastructure/hosting/azure-cip/#service-principal|Use the service principal in external systems> process to renew.
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}