.github/workflows/support-update-ssl-cert-validation-implementation.yml

name: "Support - Update SSL Cert Validation - Implementation"

on:
  workflow_call:
    inputs:
      chosen_environment:
        required: true
        type: string

env:
  RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}

jobs:
  check_need_for_validation_update:
    runs-on: ubuntu-20.04

    environment: ${{ inputs.chosen_environment == 'az-production' && 'az-production-read-only' ||  inputs.chosen_environment }}

    outputs:
      customDomainName: ${{ steps.vars.outputs.customDomainName }}
      profileName: ${{ steps.vars.outputs.profileName }}
      zoneName: ${{ steps.vars.outputs.zoneName }}
      needsToReEvaluate: ${{ steps.checkValidationState.outputs.needsToReEvaluate }}

    steps:
      - name: Setup variables
        id: vars
        run: |
          # To avoid adding multiple variables into the environment when the names
          # are based on convention and therefor can be built programmatically

          if [[ "${{ inputs.chosen_environment }}" == "az-dev" ]]; then
            customDomainName="devghbscustom-domain0"
            profileName="devghbscdn"
            zoneName="dev.get-help-buying-for-schools.service.gov.uk"
          elif [[ "${{ inputs.chosen_environment }}" == "az-staging" ]]; then
            customDomainName="stagghbscustom-domain0"
            profileName="stagghbscdn"
            zoneName="staging.get-help-buying-for-schools.service.gov.uk"
          elif [[ "${{ inputs.chosen_environment }}" == "az-production" ]]; then
            customDomainName="prodghbscustom-domain0"
            profileName="prodghbscdn"
            zoneName="www.get-help-buying-for-schools.service.gov.uk"
          fi

          echo customDomainName=$customDomainName >> $GITHUB_OUTPUT
          echo profileName=$profileName >> $GITHUB_OUTPUT
          echo zoneName=$zoneName >> $GITHUB_OUTPUT

      - name: Azure login
        uses: azure/login@v2.1.1
        with:
          creds: ${{ secrets.AZURE_SP_CREDENTIALS }}

      - name: Check need for validation
        id: checkValidationState
        uses: azure/CLI@v2.0.0
        with:
          azcliversion: 2.51.0
          inlineScript: |
            domainValidationState=$(az afd custom-domain show \
              --profile-name ${{ steps.vars.outputs.profileName }} \
              --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
              --custom-domain-name ${{ steps.vars.outputs.customDomainName }} \
              --only-show-errors | jq --raw-output .domainValidationState)

            needsToReEvaluate=$([ -z "$(echo $domainValidationState | grep "PendingRevalidation")" ] && echo "no" || echo "yes")
            echo needsToReEvaluate=$needsToReEvaluate >> $GITHUB_OUTPUT

  update_validation:
    runs-on: ubuntu-20.04

    needs: [check_need_for_validation_update]

    environment: ${{ inputs.chosen_environment }}

    if: needs.check_need_for_validation_update.outputs.needsToReEvaluate == 'yes'

    steps:
      - name: Setup variables
        id: vars
        run: |
          # Just to shorten the variable name paths
          echo customDomainName=${{ needs.check_need_for_validation_update.outputs.customDomainName }} >> $GITHUB_OUTPUT
          echo profileName=${{ needs.check_need_for_validation_update.outputs.profileName }} >> $GITHUB_OUTPUT
          echo zoneName=${{ needs.check_need_for_validation_update.outputs.zoneName }} >> $GITHUB_OUTPUT
          echo needsToReEvaluate=${{ needs.check_need_for_validation_update.outputs.needsToReEvaluate }} >> $GITHUB_OUTPUT

      - name: Azure login
        uses: azure/login@v2.1.1
        with:
          creds: ${{ secrets.AZURE_SP_CREDENTIALS }}

      - name: Regenerate validation token
        id: regenerateValidationToken
        uses: azure/CLI@v2.0.0
        with:
          azcliversion: 2.51.0
          inlineScript: |
            az afd custom-domain regenerate-validation-token \
              --profile-name ${{ steps.vars.outputs.profileName }} \
              --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
              --custom-domain-name ${{ steps.vars.outputs.customDomainName }} \
              --only-show-errors

            newValidationToken=$(az afd custom-domain show \
              --profile-name ${{ steps.vars.outputs.profileName }} \
              --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
              --custom-domain-name ${{ steps.vars.outputs.customDomainName }} \
              --only-show-errors | jq --raw-output .validationProperties.validationToken)

            echo newValidationToken=$newValidationToken >> $GITHUB_OUTPUT

      - name: Update dns auth TXT record
        uses: azure/CLI@v2.0.0
        with:
          azcliversion: 2.51.0
          inlineScript: |
            az network dns record-set txt update \
              --zone-name ${{ steps.vars.outputs.zoneName }} \
              --name "_dnsauth" \
              --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
              --set "txt_records[0].value=['${{ steps.regenerateValidationToken.outputs.newValidationToken }}']"