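# Nightly production database backup followed by a sanitised restore into
# preproduction.
#
#   backup-production      dumps the production database through konduit, uploads
#                          the raw dump to the Azure backup container, loads it into
#                          a throwaway Postgres service container, runs
#                          db/scripts/sanitise.sql and publishes the sanitised dump
#                          as a workflow artifact.
#   restore-preproduction  downloads that artifact and replays it into the
#                          preproduction database.
name: Database

on:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *" # 04:00 UTC

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so the token only needs to read its contents.
permissions:
  contents: read

jobs:
  backup-production:
    name: Backup production
    runs-on: ubuntu-latest
    environment: production
    services:
      # Throwaway Postgres used only to load the raw dump and sanitise it. The
      # credentials are local to the runner and the container dies with the job.
      postgres:
        image: postgres:14
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - "5432:5432"
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Get resource group name
        id: resource-group-name
        run: echo "value=$(make -s production print-resource-group-name)" >> "$GITHUB_OUTPUT"

      - uses: ./.github/actions/set-kubernetes-credentials
        with:
          environment: production
          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

      # Refresh state so the terraform outputs read in the next step are current.
      - name: Refresh Terraform
        run: make ci production terraform-refresh
        env:
          TF_VAR_azure_sp_credentials_json: ${{ secrets.AZURE_CREDENTIALS }}
          # Placeholder image tag: this step only refreshes state, it deploys nothing.
          DOCKER_IMAGE: "ghcr.io/dfe-digital/apply-for-qualified-teacher-status:no-tag"

      - name: Get Azure backup storage details
        id: azure-backup-storage
        working-directory: terraform/application
        run: |
          echo "account-name=$(terraform output -raw postgres_azure_backup_storage_account_name)" >> "$GITHUB_OUTPUT"
          echo "container-name=$(terraform output -raw postgres_azure_backup_storage_container_name)" >> "$GITHUB_OUTPUT"

      - name: Install kubectl
        uses: azure/setup-kubectl@v3

      - name: Install konduit
        run: make install-konduit

      # Raw (unsanitised) production dump. It only ever goes to the private backup
      # container below - never to a workflow artifact.
      - name: Dump database
        run: bin/konduit.sh apply-for-qts-production-web -- pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose -f backup.sql.gz

      - name: Upload backup
        run: |
          # The connection string carries the storage account key. It is kept in this
          # step's shell (and masked) instead of being written to GITHUB_ENV, where
          # every later step - including third-party actions - would inherit it.
          # `-o tsv` yields the bare string rather than a JSON-quoted one.
          STORAGE_CONN_STR=$(az storage account show-connection-string -g ${{ steps.resource-group-name.outputs.value }} -n ${{ steps.azure-backup-storage.outputs.account-name }} --query 'connectionString' -o tsv)
          echo "::add-mask::$STORAGE_CONN_STR"
          export AZURE_STORAGE_CONNECTION_STRING="$STORAGE_CONN_STR"
          # NOTE(review): this installs the azcopy CLI extension from the extension
          # index at run time, unpinned; pin a version if reproducibility matters.
          az config set extension.use_dynamic_install=yes_without_prompt
          az config set core.only_show_errors=true
          az storage azcopy blob upload \
            --container ${{ steps.azure-backup-storage.outputs.container-name }} \
            --source backup.sql.gz \
            --destination $(date +"%F-%H").sql.gz

      - name: Install postgres client
        # NOTE(review): `@master` is a mutable ref. Pin to a release tag or commit SHA
        # so a change in that repository cannot alter what runs next to production data.
        uses: DFE-Digital/github-actions/install-postgres-client@master
        with:
          version: 14

      # Load the raw dump into the local Postgres, strip personal data with
      # db/scripts/sanitise.sql, then dump the result. ON_ERROR_STOP=1 on the
      # sanitise run matters: psql otherwise exits 0 even when statements in the
      # script fail, and a partially sanitised dump would be published as an artifact.
      - name: Sanitise dump
        run: |
          # NOTE(review): the load itself still ignores SQL errors; add ON_ERROR_STOP
          # here too once it is confirmed the dump replays cleanly into postgres:14.
          gzip -d --to-stdout backup.sql.gz | psql -d postgres
          psql -v ON_ERROR_STOP=1 -d postgres -f db/scripts/sanitise.sql
          pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose --no-password -f backup-sanitised.sql.gz
        env:
          PGUSER: postgres
          PGPASSWORD: postgres
          PGHOST: localhost
          PGPORT: 5432

      # The artifact is downloadable by anyone with read access to the repository,
      # so it must only ever contain the sanitised dump. Any new column holding
      # personal data needs a matching rule in sanitise.sql.
      - name: Upload sanitised backup
        uses: actions/upload-artifact@v4
        with:
          name: backup-sanitised
          path: backup-sanitised.sql.gz
          retention-days: 3

      # Failure notification. The Slack webhook is read from the infrastructure key
      # vault rather than stored as a repository secret.
      - id: key-vault-name
        if: failure()
        shell: bash
        run: echo "value=$(make -s production print-infrastructure-key-vault-name)" >> "$GITHUB_OUTPUT"

      # NOTE(review): Azure/get-keyvault-secrets appears to be deprecated upstream; an
      # `az keyvault secret show --query value -o tsv` run step with ::add-mask::
      # would do the same without the extra third-party action.
      - uses: Azure/get-keyvault-secrets@v1
        if: failure()
        id: key-vault-secrets
        with:
          keyvault: ${{ steps.key-vault-name.outputs.value }}
          secrets: "SLACK-WEBHOOK"

      - name: Notify Slack channel on job failure
        if: failure()
        # NOTE(review): third-party action that receives the webhook; pin to a commit SHA.
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_USERNAME: CI Deployment
          SLACK_TITLE: Database backup failure
          SLACK_MESSAGE: Production database backup job failed
          SLACK_WEBHOOK: ${{ steps.key-vault-secrets.outputs.SLACK-WEBHOOK }}
          SLACK_COLOR: failure
          SLACK_FOOTER: Sent from backup-production job in database-backups workflow

  restore-preproduction:
    name: Restore preproduction
    needs: [backup-production]
    runs-on: ubuntu-latest
    environment: preproduction
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Only the sanitised dump is ever pulled from the artifact store.
      - name: Download sanitised backup
        uses: actions/download-artifact@v4
        with:
          name: backup-sanitised

      - uses: ./.github/actions/set-kubernetes-credentials
        with:
          environment: preproduction
          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Install kubectl
        uses: azure/setup-kubectl@v3

      - name: Install konduit
        run: make install-konduit

      # Replays the sanitised dump into preproduction through konduit.
      # NOTE(review): psql without ON_ERROR_STOP reports success even if statements
      # fail, so a partial restore would not fail this job.
      - name: Restore sanitised backup
        shell: bash
        run: bin/konduit.sh -i backup-sanitised.sql.gz -c apply-for-qts-preproduction-web -- psql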