Skip to content

Check Service Principal #406

Check Service Principal

Check Service Principal #406

Workflow file for this run

name: Check Service Principal
on:
workflow_dispatch:
schedule:
- cron: "35 6 * * *"
jobs:
set-matrix:
runs-on: ubuntu-latest
outputs:
tests: ${{ steps.select-tests.outputs.tests }}
steps:
- name: Select Tests
id: select-tests
run: |
d="{'environment':'dev', 'principal': 's165d01-faltrn-keyvault-readonly-access', 'keyvault': 's165d01-faltrn-dv-kv'}"
t="{'environment':'test', 'principal': 's165t01-faltrn-keyvault-readonly-access', 'keyvault': 's165t01-faltr-ts-kv'}"
pp="{'environment':'preprod', 'principal': 's165t01-preprod-faltrn-keyvault-readonly-access', 'keyvault': 's165t01-faltrn-pp-kv'}"
p="{'environment':'production', 'principal': 's165p01-faltrn-keyvault-readonly-access', 'keyvault': 's165p01-faltrn-pd-kv'}"
tests="{ 'data':[ ${d}, ${t}, ${pp}, ${p} ]}"
echo "tests=${tests}" >> $GITHUB_OUTPUT
check_expires:
name: ${{matrix.data.environment}}/${{ matrix.data.principal }}
needs: set-matrix
strategy:
matrix: ${{ fromJson(needs.set-matrix.outputs.tests) }}
environment:
name: ${{ matrix.data.environment }}
runs-on: ubuntu-latest
steps:
- name: Check ${{ steps.serviceprincipal.outputs.name }}
uses: DFE-Digital/github-actions/CheckServicePrincipal@master
id: pwsh_check_expire
with:
AzureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
ServicePrincipal: ${{ matrix.data.principal }}
ExpiresWithinDays: 30
- name: Processing
run: echo "${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application}} expires in ${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays}} days"
- name: Check out the repo
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
uses: actions/checkout@v3
- uses: Azure/login@v1
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: DfE-Digital/keyvault-yaml-secret@v1
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
id: keyvault-yaml-secret
with:
keyvault: ${{ matrix.data.keyvault }}
secret: MONITORING
key: SLACK_WEBHOOK
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Slack Notification
if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert
uses: rtCamp/action-slack-notify@v2
env:
SLACK_COLOR: "#ff0000"
SLACK_TITLE: ${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application }} ${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Name }}
SLACK_MESSAGE: |
The Service Principal ${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application }}
key ${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Name }} is due to expire in ${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays}} days
Please follow the process in https://dfe-technical-guidance.london.cloudapps.digital/how-to/security/managing-secrets/#access-key-expiration to renew.
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}