Check Service Principal #683
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check Service Principal | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "35 6 * * *" | |
| jobs: | |
| check_expires: | |
| name: ${{ matrix.principal }} | |
| strategy: | |
| matrix: | |
| principal: | |
| [ | |
| s121d01-keyvault-readonly-access, | |
| s121t01-keyvault-readonly-access, | |
| s121p01-keyvault-readonly-access, | |
| ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check ${{ matrix.principal }} | |
| uses: DFE-Digital/github-actions/CheckServicePrincipal@master | |
| id: pwsh_check_expire | |
| with: | |
| AzureCredentials: ${{ secrets.AZURE_CREDENTIALS }} | |
| ServicePrincipal: ${{ matrix.principal }} | |
| ExpiresWithinDays: 30 | |
| - name: Slack Notification | |
| if: fromJson(steps.pwsh_check_expire.outputs.json_data).data.Alert | |
| uses: rtCamp/action-slack-notify@master | |
| env: | |
| SLACK_COLOR: ${{env.SLACK_ERROR}} | |
| SLACK_TITLE: A Service Principal secret is expiring soon | |
| SLACK_MESSAGE: | | |
| The Service Principal *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Application }}* | |
| secret *${{ fromJson(steps.pwsh_check_expire.outputs.json_data).data.Name }}* is due to expire in *${{fromJson(steps.pwsh_check_expire.outputs.json_data).data.ExpiresDays}}* days. | |
| Please follow the <https://dfe-technical-guidance.london.cloudapps.digital/infrastructure/hosting/azure-cip/#use-the-service-principal-in-external-systems|Use the service principal in external systems> process to renew. | |
| This secret is used by all BAT apps so be sure to update the publish, find and register secrets too. | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} |