Sanitised backup: replace artifacts with Azure storage

We have more controls in place around Azure storage

.github/workflows/database.yaml

@@ -78,6 +78,7 @@ jobs:
           fi
           echo "BACKUP_FILE=${BACKUP_FILE}" >> $GITHUB_ENV
           echo "KEYVAULT_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-inf-kv" >> $GITHUB_ENV
+          echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV
 
       - name: Fetch secrets from key vault
         uses: azure/CLI@v2
@@ -118,41 +119,46 @@ jobs:
           PGHOST: localhost
           PGPORT: 5432
 
-      - name: Upload sanitised backup
+      - name: Upload sanitised backup to Azure Storage
         if: github.event_name == 'schedule'
-        uses: actions/upload-artifact@v4
-        with:
-          name: backup-sanitised
-          path: backup-sanitised.sql.gz
-          retention-days: 3
+        run: |
+          STORAGE_CONN_STR=$(az storage account show-connection-string -g ${{ env.RESOURCE_GROUP_NAME }} -n ${{ env.STORAGE_ACCOUNT_NAME }} --query 'connectionString')
+          echo "::add-mask::$STORAGE_CONN_STR"
+
+          az storage blob upload --container-name database-backup \
+            --file ${SANITISED_FILE_NAME}.sql.gz --name ${SANITISED_FILE_NAME}.sql.gz --overwrite \
+            --connection-string "${STORAGE_CONN_STR}"
+          rm ${SANITISED_FILE_NAME}.sql.gz
 
   restore-preproduction:
     name: Restore preproduction
     needs: [backup]
     if: ${{ github.event_name == 'schedule' }}
     runs-on: ubuntu-latest
     environment: preproduction
+    env:
+      CONFIG: preprod
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Download sanitised backup
-        uses: actions/download-artifact@v4
-        with:
-          name: backup-sanitised
+      - name: Set environment variables
+        run: |
+          source global_config/${CONFIG}.sh
+          tf_vars_file=${TF_VARS_PATH}/${CONFIG}/variables.tfvars.json
+          echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+          echo "ENVIRONMENT=${ENVIRONMENT}" >> $GITHUB_ENV
+          echo "RESOURCE_GROUP_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-rg" >> $GITHUB_ENV
+          echo "STORAGE_ACCOUNT_NAME=${AZURE_RESOURCE_PREFIX}${SERVICE_SHORT}dbbkp${CONFIG_SHORT}sa" >> $GITHUB_ENV
+          echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV
 
-      - uses: ./.github/actions/set-kubernetes-credentials
+      - name: Restore sanitised backup to preproduction postgres
+        uses: DFE-Digital/github-actions/restore-postgres-backup@master
         with:
-          environment: preproduction
+          storage-account: ${{ env.STORAGE_ACCOUNT_NAME }}
+          resource-group: ${{ env.RESOURCE_GROUP_NAME }}
+          app-name: ${{ env.SERVICE_NAME }}-${{ env.ENVIRONMENT }}-web
+          cluster: ${{ env.CLUSTER }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-
-      - name: Install kubectl
-        uses: DFE-Digital/github-actions/set-kubectl@master
-
-      - name: Install konduit
-        run: make install-konduit
-
-      - name: Restore sanitised backup
-        shell: bash
-        run: bin/konduit.sh -i backup-sanitised.sql.gz -c apply-for-qts-preproduction-web -- psql
+          backup-file: ${{ env.SANITISED_FILE_NAME }}