From 06370c34bc439fa222fca183eb32da728644ca5a Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Wed, 27 Nov 2024 17:26:36 +0000 Subject: [PATCH] Sanitised backup: replace artifacts with Azure storage We have more controls in place around Azure storage
---
 .github/workflows/database.yaml | 50 ++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/database.yaml b/.github/workflows/database.yaml
index 400116ccc..375304e5d 100644
--- a/.github/workflows/database.yaml
+++ b/.github/workflows/database.yaml
@@ -78,6 +78,7 @@ jobs:
           fi
           echo "BACKUP_FILE=${BACKUP_FILE}" >> $GITHUB_ENV
           echo "KEYVAULT_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-inf-kv" >> $GITHUB_ENV
+          echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV
 
       - name: Fetch secrets from key vault
         uses: azure/CLI@v2
@@ -118,13 +119,16 @@ jobs:
           PGHOST: localhost
           PGPORT: 5432
 
-      - name: Upload sanitised backup
+      - name: Upload sanitised backup to Azure Storage
         if: github.event_name == 'schedule'
-        uses: actions/upload-artifact@v4
-        with:
-          name: backup-sanitised
-          path: backup-sanitised.sql.gz
-          retention-days: 3
+        run: |
+          STORAGE_CONN_STR=$(az storage account show-connection-string -g ${{ env.RESOURCE_GROUP_NAME }} -n ${{ env.STORAGE_ACCOUNT_NAME }} --query 'connectionString')
+          echo "::add-mask::$STORAGE_CONN_STR"
+
+          az storage blob upload --container-name database-backup \
+            --file ${SANITISED_FILE_NAME}.sql.gz --name ${SANITISED_FILE_NAME}.sql.gz --overwrite \
+            --connection-string "${STORAGE_CONN_STR}"
+          rm ${SANITISED_FILE_NAME}.sql.gz
 
   restore-preproduction:
     name: Restore preproduction
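Review bot: `SANITISED_FILE_NAME` is derived from `$(date +"%F")` at the moment this step runs, and the third hunk recomputes the same expression inside the separate `restore-preproduction` job, so a backup that starts shortly before UTC midnight, or a restore re-run on a later day, asks for a blob name that was never uploaded. The date should be computed once and passed between the jobs as an output rather than recomputed: emit it with `echo "sanitised_file_name=afqts_sanitised_$(date +"%F")" >> $GITHUB_OUTPUT` from a step carrying an `id`, expose it under the backup job's `outputs:`, and read it in the restore job as `${{ needs.<backup-job>.outputs.sanitised_file_name }}`. The step containing these `echo` lines starts outside the hunk, so its `id` (if any) and the enclosing job's name are not visible here.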
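Review bot: `STORAGE_CONN_STR=$(az storage account show-connection-string ... --query 'connectionString')` captures the value under az's default `json` output, so unless the runner's az configuration changes the output format the variable holds the string together with its surrounding double quotes and `--connection-string "${STORAGE_CONN_STR}"` receives literal quote characters; append `-o tsv` to the query, `... --query 'connectionString' -o tsv)`. That connection string also embeds the storage account key, a long-lived credential with full access to the whole account, pulled into the job only to write one blob; since the job already runs `az` (the `azure/CLI@v2` step in the first hunk implies an earlier Azure login), `az storage blob upload --auth-mode login ...` with the login identity granted a blob-data role scoped to the `database-backup` container would avoid retrieving the key at all and make the `::add-mask::` line unnecessary. Separately, the removed artifact step uploaded `backup-sanitised.sql.gz` and the diffstat shows no hunk beyond the three here, so unless the sanitise step outside this diff already writes `${SANITISED_FILE_NAME}.sql.gz`, the `--file` argument names a file that does not exist and the step fails on every scheduled run.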
@@ -132,27 +136,29 @@ jobs:
     if: ${{ github.event_name == 'schedule' }}
     runs-on: ubuntu-latest
     environment: preproduction
+    env:
+      CONFIG: preprod
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Download sanitised backup
-        uses: actions/download-artifact@v4
-        with:
-          name: backup-sanitised
+      - name: Set environment variables
+        run: |
+          source global_config/${CONFIG}.sh
+          tf_vars_file=${TF_VARS_PATH}/${CONFIG}/variables.tfvars.json
+          echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+          echo "ENVIRONMENT=${ENVIRONMENT}" >> $GITHUB_ENV
+          echo "RESOURCE_GROUP_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-rg" >> $GITHUB_ENV
+          echo "STORAGE_ACCOUNT_NAME=${AZURE_RESOURCE_PREFIX}${SERVICE_SHORT}dbbkp${CONFIG_SHORT}sa" >> $GITHUB_ENV
+          echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV
 
-      - uses: ./.github/actions/set-kubernetes-credentials
+      - name: Restore sanitised backup to preproduction postgres
+        uses: DFE-Digital/github-actions/restore-postgres-backup@master
         with:
-          environment: preproduction
+          storage-account: ${{ env.STORAGE_ACCOUNT_NAME }}
+          resource-group: ${{ env.RESOURCE_GROUP_NAME }}
+          app-name: ${{ env.SERVICE_NAME }}-${{ env.ENVIRONMENT }}-web
+          cluster: ${{ env.CLUSTER }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-
-      - name: Install kubectl
-        uses: DFE-Digital/github-actions/set-kubectl@master
-
-      - name: Install konduit
-        run: make install-konduit
-
-      - name: Restore sanitised backup
-        shell: bash
-        run: bin/konduit.sh -i backup-sanitised.sql.gz -c apply-for-qts-preproduction-web -- psql
+          backup-file: ${{ env.SANITISED_FILE_NAME }}