OCI ISL update prototype: add random port #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ~OCI IP list update | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| ACTION: | ||
| type: string | ||
| required: true | ||
| description: Action to do for OCI IP list update. Can be either, "add" or "delete" | ||
| JOB_ID: | ||
| type: string | ||
| required: true | ||
| GLOBAL_CIDR: | ||
| type: string | ||
| required: true | ||
| description: Global CIDR to be added/deleted from security list of slurm cluster | ||
| outputs: | ||
| SSH_PORT: ${{ steps.new-ingress-list.outputs.SSH_PORT}} | ||
| description: SSH port to connect to | ||
| value: ${{ jobs.oci-sl-update.outputs.SSH_PORT }} | ||
| permissions: | ||
| contents: read # to fetch code | ||
| actions: read # to cancel previous workflows | ||
| packages: read # to upload container | ||
| jobs: | ||
| oci-sl-update: | ||
| runs-on: ubuntu-22.04 | ||
| name: Update security list on SLURM cluster | ||
| env: | ||
| OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }} | ||
| OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }} | ||
| OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }} | ||
| OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }} | ||
| OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }} | ||
| outputs: | ||
| SSH_PORT: ${{ steps.new-ingress-list.outputs.SSH_PORT }} | ||
| steps: | ||
| - name: Retrieve the OCID of a named compartment in tenancy | ||
| uses: oracle-actions/run-oci-cli-command@v1.3.1 | ||
| id: find-compartment-id | ||
| with: | ||
| command: 'iam compartment list --compartment-id-in-subtree=true' | ||
| query: "data[?name=='jax'].id | [0]" | ||
| - name: Get security list from the compartment | ||
| uses: oracle-actions/run-oci-cli-command@v1.3.1 | ||
| id: slf | ||
| with: | ||
| command: 'network security-list list --compartment-id ${{ steps.find-compartment-id.outputs.output }}' | ||
| - name: Generate updated ingress list | ||
| id: new-ingress-list | ||
| run: | | ||
| description="JTB GitHub Runner ${{ inputs.JOB_ID }}" | ||
| port=$((RANDOM % 9000 + 1000)) # generate port in range [1000,10000] | ||
| if [[ "${{ inputs.ACTION }}" == "add" ]]; then | ||
| sl_update='{"description": "'$description'", | ||
| "icmp-options": null, | ||
| "is-stateless": false, | ||
| "protocol": "6", | ||
| "source": "'${{ inputs.GLOBAL_CIDR }}'", | ||
| "source-type": "CIDR_BLOCK", | ||
| "tcp-options": { | ||
| "destination-port-range": { | ||
| "max": '$port', | ||
| "min": '$port' | ||
| }, | ||
| "source-port-range": null | ||
| }, | ||
| "udp-options": null | ||
| }' | ||
| extract_pattern='(.data[] | select(.id=="'${{ secrets.OCI_SECURITY_LIST_ID }}'"))."ingress-security-rules"' | ||
| isr=$(jq "$extract_pattern" <<< ${{ steps.slf.outputs.output}}) | ||
| updated_isr=$(jq -c --argjson to_add "$sl_update" '. + [$to_add]' <<< ${isr}) | ||
| elif [[ "${{ inputs.ACTION }}" == "delete" ]]; then | ||
| delete_pattern='del(.data[] | select(.id=="'${{ secrets.OCI_SECURITY_LIST_ID }}'")."ingress-security-rules"[] | select(.description=="'$description'"))' | ||
| updated_slf=$(jq "$delete_pattern" <<< ${{ steps.slf.outputs.output }}) | ||
| extract_pattern='(.data[] | select(.id=="'${{ secrets.OCI_SECURITY_LIST_ID }}'"))."ingress-security-rules"' | ||
| updated_isr=$(jq -c "$extract_pattern" <<<$updated_slf) | ||
| else | ||
| echo "Unsupported parameter ${{ inputs.ACTION }}" | ||
| exit 1 | ||
| fi | ||
| oci network security-list update --force --security-list-id ${{ secrets.OCI_SECURITY_LIST_ID }} --ingress-security-rules "$updated_isr" >/dev/null 2>&1 | ||
| echo "SSH_PORT=$port" >> $GITHUB_OUTPUT | ||
