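---
# Reusable workflow: adds or removes an ingress rule (TCP, random port in
# [1000, 9999], from GLOBAL_CIDR) on an OCI security list, tagged with the
# calling JOB_ID so the matching rule can be deleted later.
name: '~OCI IP list update'

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      ACTION:
        type: string
        required: true
        description: Action to do for OCI IP list update. Can be either, "add" or "delete"
      JOB_ID:
        type: string
        required: true
        # Embedded in the rule description; the "delete" action matches on it.
      GLOBAL_CIDR:
        type: string
        required: true
        description: Global CIDR to be added/deleted from security list of slurm cluster
    outputs:
      # A workflow_call output only carries description/value; the `steps`
      # context is not available here, so the value is taken from the job output.
      SSH_PORT:
        description: SSH port to connect to
        value: ${{ jobs.oci-sl-update.outputs.SSH_PORT }}

permissions:
  contents: read  # NOTE(review): no step in this workflow checks out code — confirm still needed
  actions: read  # NOTE(review): no step in this workflow cancels runs — confirm still needed
  packages: read  # NOTE(review): no step in this workflow touches packages — confirm still needed

jobs:
  oci-sl-update:
    runs-on: ubuntu-22.04
    name: Update security list on SLURM cluster
    # OCI CLI credentials, consumed by the `oci` CLI and the oracle-actions steps.
    env:
      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
      OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }}
    outputs:
      SSH_PORT: ${{ steps.new-ingress-list.outputs.SSH_PORT }}
    steps:
      # Resolves the OCID of the compartment named 'jax' (first match).
      - name: Retrieve the OCID of a named compartment in tenancy
        uses: oracle-actions/[email protected]  # NOTE(review): ref as rendered on the source page; pin third-party actions to a full commit SHA
        id: find-compartment-id
        with:
          command: 'iam compartment list --compartment-id-in-subtree=true'
          query: "data[?name=='jax'].id | [0]"

      # Lists every security list in that compartment; the target list is
      # selected by id in the next step.
      - name: Get security list from the compartment
        uses: oracle-actions/[email protected]  # NOTE(review): ref as rendered on the source page; pin third-party actions to a full commit SHA
        id: slf
        with:
          command: 'network security-list list --compartment-id ${{ steps.find-compartment-id.outputs.output }}'

      - name: Generate updated ingress list
        id: new-ingress-list
        # Expressions are handed to the script through env rather than being
        # interpolated into its text, so their contents are never parsed as
        # shell syntax (GitHub's documented script-injection mitigation).
        env:
          ACTION: ${{ inputs.ACTION }}
          JOB_ID: ${{ inputs.JOB_ID }}
          GLOBAL_CIDR: ${{ inputs.GLOBAL_CIDR }}
          SECURITY_LIST_ID: ${{ secrets.OCI_SECURITY_LIST_ID }}
          SLF_OUTPUT: ${{ steps.slf.outputs.output }}
        run: |
          set -euo pipefail
          description="JTB GitHub Runner ${JOB_ID}"
          port=$((RANDOM % 9000 + 1000))  # port in range [1000, 9999]

          # Normalise the previous step's output to a JSON document whether it
          # arrives as raw JSON or as a JSON-encoded string.
          # NOTE(review): the original unquoted here-string relied on shell quote
          # removal of that output — confirm the action's output encoding.
          slf=$(jq -c 'if type == "string" then fromjson else . end' <<< "$SLF_OUTPUT")
          if [[ -z "$slf" ]]; then
            echo "No security list data returned"
            exit 1
          fi

          # Ingress rules of the target security list, selected by id.
          extract_pattern='(.data[] | select(.id == $sl_id))."ingress-security-rules"'

          if [[ "$ACTION" == "add" ]]; then
            # Build the rule with jq so description/CIDR are JSON-escaped rather
            # than spliced into a string.
            sl_update=$(jq -n \
              --arg description "$description" \
              --arg cidr "$GLOBAL_CIDR" \
              --argjson port "$port" \
              '{
                "description": $description,
                "icmp-options": null,
                "is-stateless": false,
                "protocol": "6",
                "source": $cidr,
                "source-type": "CIDR_BLOCK",
                "tcp-options": {
                  "destination-port-range": {"max": $port, "min": $port},
                  "source-port-range": null
                },
                "udp-options": null
              }')
            isr=$(jq --arg sl_id "$SECURITY_LIST_ID" "$extract_pattern" <<< "$slf")
            updated_isr=$(jq -c --argjson to_add "$sl_update" '. + [$to_add]' <<< "$isr")
          elif [[ "$ACTION" == "delete" ]]; then
            # Drop every rule of the target list whose description matches this job.
            delete_pattern='del(.data[] | select(.id == $sl_id)."ingress-security-rules"[] | select(.description == $description))'
            updated_slf=$(jq --arg sl_id "$SECURITY_LIST_ID" --arg description "$description" "$delete_pattern" <<< "$slf")
            updated_isr=$(jq -c --arg sl_id "$SECURITY_LIST_ID" "$extract_pattern" <<< "$updated_slf")
          else
            echo "Unsupported parameter ${ACTION}"
            exit 1
          fi

          # An empty rule set here means the list id did not match; refuse to
          # push it rather than send a malformed update.
          if [[ -z "$updated_isr" ]]; then
            echo "No ingress rules resolved for the configured security list"
            exit 1
          fi

          # CLI output is discarded as in the original (presumably to keep the
          # full rule set out of the log); a non-zero exit still fails the step.
          oci network security-list update --force \
            --security-list-id "$SECURITY_LIST_ID" \
            --ingress-security-rules "$updated_isr" >/dev/null 2>&1
          echo "SSH_PORT=${port}" >> "$GITHUB_OUTPUT"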