Jamf Pro User Accounts Privileges Maintenance #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: This pipeline maintains accurate Jamf Pro User Account privilege data across different versions. | |
| # It automatically fetches and validates the complete set of available User Account privileges from a running | |
| # Jamf Pro instance by: | |
| # 1. Creating a temporary admin account to export all possible privileges (JSS Objects, JSS Settings, JSS Actions) | |
| # 2. Removes the temporary admin account | |
| # 3. Organizing privileges by Jamf Pro version (maintaining N, N-1, N-2 versions) in go consts. | |
| # 4. Stores results as structured data as JSON for the Terraform provider's validation logic | |
| # | |
| # This automation ensures that: | |
| # - The Terraform provider can accurately validate privilege assignments | |
| # - Privilege validation stays in sync with Jamf Pro version updates | |
| # - Breaking changes in privileges between versions are tracked | |
| # - Administrators can confidently assign correct privileges through Terraform | |
| name: Jamf Pro User Accounts Privileges Maintenance | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 0' # Run every Sunday at midnight UTC | |
| workflow_dispatch: # Allow manual triggering | |
| permissions: | |
| contents: write | |
| pull-requests: write # Needed to create a pull request | |
| jobs: | |
| update-user-account-privileges: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/[email protected] | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/[email protected] | |
| - name: Set up Go | |
| uses: actions/[email protected] | |
| with: | |
| go-version: '1.22.4' # current version used by the go-api-sdk-jamfpro package | |
| - name: Harden Runner | |
| uses: step-security/[email protected] | |
| with: | |
| egress-policy: audit | |
| - name: Install dependencies | |
| run: | | |
| go mod download | |
| go get github.com/deploymenttheory/go-api-sdk-jamfpro/sdk/jamfpro | |
| - name: '⚙️ Run User Account Privileges Fetcher' | |
| env: | |
| LOG_LEVEL: "debug" | |
| HIDE_SENSITIVE_DATA: "true" | |
| INSTANCE_DOMAIN: ${{ secrets.MAINTAINENCE_INSTANCE_DOMAIN }} | |
| AUTH_METHOD: "oauth2" | |
| CLIENT_ID: ${{ secrets.MAINTAINENCE_CLIENT_ID }} | |
| CLIENT_SECRET: ${{ secrets.MAINTAINENCE_CLIENT_SECRET }} | |
| EXPORT_LOGS: "false" | |
| JAMF_LOAD_BALANCER_LOCK: "true" | |
| MAX_RETRY_ATTEMPTS: "3" | |
| ENABLE_DYNAMIC_RATE_LIMITING: "false" | |
| MAX_CONCURRENT_REQUESTS: "1" | |
| TOKEN_REFRESH_BUFFER_PERIOD_SECONDS: "300" | |
| TOTAL_RETRY_DURATION_SECONDS: "60" | |
| CUSTOM_TIMEOUT_SECONDS: "60" | |
| FOLLOW_REDIRECTS: "true" | |
| MAX_REDIRECTS: "5" | |
| ENABLE_CONCURRENCY_MANAGEMENT: "true" | |
| CUSTOM_COOKIES: "" | |
| MANDATORY_REQUEST_DELAY_MILLISECONDS: "0" | |
| RETRY_ELIGIABLE_REQUESTS: "true" | |
| run: | | |
| echo "Current working directory: $(pwd)" | |
| SCRIPT_DIR="$GITHUB_WORKSPACE/scripts/maintainence/GetUserAccountPrivileges" | |
| if [ -d "$SCRIPT_DIR" ]; then | |
| cd "$SCRIPT_DIR" | |
| echo "Changed directory to: $(pwd)" | |
| if [ -f "GetUserAccountPrivileges.go" ]; then | |
| go run GetUserAccountPrivileges.go | |
| else | |
| echo "Error: GetUserAccountPrivileges.go not found in $SCRIPT_DIR" | |
| exit 1 | |
| fi | |
| else | |
| echo "Error: Directory $SCRIPT_DIR does not exist" | |
| exit 1 | |
| fi | |
| # Get the full version directory name and extract semantic version | |
| FULL_VERSION_DIR=$(find . -maxdepth 1 -type d -name "[0-9]*" -printf "%f\n" | head -n 1) | |
| if [ -z "$FULL_VERSION_DIR" ]; then | |
| echo "Error: Could not find version directory" | |
| exit 1 | |
| fi | |
| # Extract semantic version (e.g., 11.10.1 from 11.10.1-t1728656858) | |
| VERSION_DIR=$(echo "$FULL_VERSION_DIR" | grep -o '^[0-9]*\.[0-9]*\.[0-9]*') | |
| if [ -z "$VERSION_DIR" ]; then | |
| echo "Error: Could not extract semantic version from directory name" | |
| exit 1 | |
| fi | |
| echo "Extracted version: $VERSION_DIR from $FULL_VERSION_DIR" | |
| echo "VERSION_DIR=$VERSION_DIR" >> $GITHUB_ENV | |
| TARGET_BASE_DIR="$GITHUB_WORKSPACE/internal/resources/common/jamfprivileges/privileges" | |
| TARGET_VERSION_DIR="$TARGET_BASE_DIR/$VERSION_DIR" | |
| if [ ! -d "$TARGET_VERSION_DIR" ]; then | |
| mkdir -p "$TARGET_VERSION_DIR" | |
| echo "Created directory: $TARGET_VERSION_DIR" | |
| else | |
| echo "Directory already exists: $TARGET_VERSION_DIR" | |
| fi | |
| for json_file in "$FULL_VERSION_DIR"/*.json; do | |
| if [ -f "$json_file" ]; then | |
| mv "$json_file" "$TARGET_VERSION_DIR/" | |
| echo "Moved $json_file to $TARGET_VERSION_DIR/" | |
| fi | |
| done | |
| if [ ! -f "$TARGET_VERSION_DIR/jss_objects_privileges.json" ] || \ | |
| [ ! -f "$TARGET_VERSION_DIR/jss_settings_privileges.json" ] || \ | |
| [ ! -f "$TARGET_VERSION_DIR/jss_actions_privileges.json" ]; then | |
| echo "Error: Not all JSON files were moved successfully" | |
| exit 1 | |
| fi | |
| - name: Update Version Constants | |
| run: > | |
| VALIDATE_FILE="$GITHUB_WORKSPACE/internal/resources/common/jamfprivileges/validate.go"; | |
| if [ ! -f "$VALIDATE_FILE" ]; then | |
| echo "Error: validate.go not found at $VALIDATE_FILE"; | |
| exit 1; | |
| fi; | |
| CURRENT_LATEST=$(grep 'LatestVersion.*=.*"' "$VALIDATE_FILE" | grep -o '"[^"]*"' | tr -d '"'); | |
| CURRENT_NMINUS1=$(grep 'NMinus1Version.*=.*"' "$VALIDATE_FILE" | grep -o '"[^"]*"' | tr -d '"'); | |
| CURRENT_NMINUS2=$(grep 'NMinus2Version.*=.*"' "$VALIDATE_FILE" | grep -o '"[^"]*"' | tr -d '"'); | |
| echo "Current versions:"; | |
| echo "Latest: $CURRENT_LATEST"; | |
| echo "N-1: $CURRENT_NMINUS1"; | |
| echo "N-2: $CURRENT_NMINUS2"; | |
| echo "New version: $VERSION_DIR"; | |
| if [ "$VERSION_DIR" = "$CURRENT_LATEST" ] || [ "$VERSION_DIR" = "$CURRENT_NMINUS1" ] || [ "$VERSION_DIR" = "$CURRENT_NMINUS2" ]; then | |
| echo "Version $VERSION_DIR already exists in version constants. Skipping update."; | |
| exit 0; | |
| fi; | |
| tmp_file=$(mktemp); | |
| sed -E "s/(LatestVersion[[:space:]]*=[[:space:]]*\")[^\"]*(\")$/\1$VERSION_DIR\2/" "$VALIDATE_FILE" | | |
| sed -E "s/(NMinus1Version[[:space:]]*=[[:space:]]*\")[^\"]*(\")$/\1$CURRENT_LATEST\2/" | | |
| sed -E "s/(NMinus2Version[[:space:]]*=[[:space:]]*\")[^\"]*(\")$/\1$CURRENT_NMINUS1\2/" > "$tmp_file"; | |
| if [ $? -ne 0 ]; then | |
| echo "Error: Failed to update version constants"; | |
| rm "$tmp_file"; | |
| exit 1; | |
| fi; | |
| mv "$tmp_file" "$VALIDATE_FILE"; | |
| echo "Updated versions in validate.go:"; | |
| grep 'Version.*=.*"' "$VALIDATE_FILE" | |
| - name: Create Pull Request | |
| uses: peter-evans/[email protected] | |
| with: | |
| commit-message: | | |
| Update User Account Privileges data for Jamf Pro ${{ env.VERSION_DIR }} | |
| - Added privileges for version ${{ env.VERSION_DIR }} | |
| - Updated version constants in validate.go | |
| title: '[Automated] Update User Account Privileges data for Jamf Pro ${{ env.VERSION_DIR }}' | |
| body: | | |
| This is an automated PR to update the Jamf Pro API Privileges data for version ${{ env.VERSION_DIR }}. | |
| Changes include: | |
| - Added privileges data for version ${{ env.VERSION_DIR }}: | |
| - Updated JSS Objects Privileges | |
| - Updated JSS Settings Privileges | |
| - Updated JSS Actions Privileges | |
| - Updated version constants in validate.go: | |
| - LatestVersion: ${{ env.VERSION_DIR }} | |
| - NMinus1Version: Previous latest | |
| - NMinus2Version: Previous N-1 | |
| Please review the changes in the privileges JSON files and validate.go file. | |
| branch: update-user-account-privileges-${{ env.VERSION_DIR }} | |
| delete-branch: true |