IL-582 Notify when ARM_CLIENT_SECRET is going to expire

hashicorp · Apr 11, 2023 · d38dc41 · d38dc41
1 parent 6cc1158
commit d38dc41
Showing 1 changed file with 80 additions and 4 deletions.
diff --git a/.github/workflows/secret-expiration.yml b/.github/workflows/secret-expiration.yml
@@ -1,9 +1,85 @@
 # Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
+# SPDX-License-Identifier: Apache-2.0
+#
+# See IL-574 for secret and variables definitions
 name: hashicorp/hashicat-azure/secret-expiration
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+  schedule:
+  # This is UTC
+  - cron: 37 4 * * *
+permissions: {}
 jobs:
-  this-is-so-stupid:
+  check-arm-client-secret:
     runs-on: ubuntu-latest
     steps:
-      - run: echo "this is so stupid"
+      - name: Build Message
+        id: build-message
+        shell: python
+        continue-on-error: true
+        run: |-
+          import datetime
+          import os
+          expiry_date = datetime.datetime.fromisoformat("${{ vars.ARM_CLIENT_SECRET_EXPIRY }}")
+          now = datetime.date.today()
+          time_left = expiry_date.date() - now
+          days_left = time_left.days
+          print(f"ARM_CLIENT_SECRET has {days_left} days left")
+          # Set some output to trigger the Slack step
+          gho = open(os.environ.get('GITHUB_OUTPUT'), 'a')
+          gho.writelines([f'days_left={days_left}\n'])
+          if days_left <= ${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}:
+            gho.writelines(['do_notify=true\n'])
+          else:
+            gho.writelines(['do_notify=false\n'])
+          gho.close()
+      - name: Notify Slack on Build Message Error
+        id: notify-build-message-error
+        if: ${{ steps.build-message.outcome == 'failure' }}
+        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
+        with:
+          channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }}
+          payload: |-
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":exclamation: Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *FAILED*"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+      - name: Notify Slack
+        id: notify-slack
+        if: ${{ steps.build-message.outputs.do_notify == 'true' }}
+        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
+        with:
+          channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }}
+          payload: |-
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":exclamation:  Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *ALERT*"
+                  }
+                },
+                {
+                  "type": "divider"
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "The secret ARM_CLIENT_SECRET has ${{ steps.build-message.outputs.days_left }} days left, less than ${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}. See IL-574 for information on how to renew it"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}