Skip to content

lock-resources

lock-resources #2

name: lock-resources
on:
schedule:
- cron: '0 18 * * *'
workflow_dispatch:
pull_request:
permissions:
id-token: write
contents: read
jobs:
lock-clusters:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- name: "platform"
zoneFile: "radix_zone_prod.env"
subscription: "s940"
- name: "c2"
zoneFile: "radix_zone_c2.env"
subscription: "s940"
environment: ${{matrix.target.name }}
env:
PROD_ENV: "radix_zone_prod.env"
C2_ENV: "radix_zone_c2.env"
steps:
- uses: actions/checkout@v4
- name: 'Az login'
uses: azure/login@v2
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Get GitHub Public IP
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
- name: Add GitHub IP to KeyVault in Prod
id: update_firewall
run: |
az keyvault network-rule add --name "radix-keyv-${{matrix.target.name}}" \
--resource-group "common-${{matrix.target.name}}" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- name: lock-resources
run: RADIX_ZONE_ENV=./scripts/radix-zone/${{matrix.target.zoneFile}} .github/workflows/scripts/check_resource_lock.sh
- name: Revoke GitHub IP on KeyVault
if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: |
az keyvault network-rule remove --name "radix-keyv-${{matrix.target.name}}" \
--resource-group "common-${{matrix.target.name}}" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null