Skip to content

Commit

Permalink
Sanitised backup: replace artifacts with Azure storage
Browse files Browse the repository at this point in the history
We have more controls in place around Azure storage
  • Loading branch information
saliceti committed Nov 28, 2024
1 parent 3198cb4 commit cb5efbe
Showing 1 changed file with 74 additions and 20 deletions.
94 changes: 74 additions & 20 deletions .github/workflows/database.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ jobs:
fi
echo "BACKUP_FILE=${BACKUP_FILE}" >> $GITHUB_ENV
echo "KEYVAULT_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-inf-kv" >> $GITHUB_ENV
echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV
- name: Fetch secrets from key vault
uses: azure/CLI@v2
Expand Down Expand Up @@ -109,50 +110,103 @@ jobs:
- name: Sanitise dump
if: github.event_name == 'schedule'
run: |
gzip -d --to-stdout backup.sql.gz | psql -d postgres
gzip -d --to-stdout ${{ env.BACKUP_FILE }}.sql.gz | psql -d postgres
psql -d postgres -f db/scripts/sanitise.sql
pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose --no-password -f backup-sanitised.sql.gz
pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose --no-password -f ${SANITISED_FILE_NAME}.sql.gz
env:
PGUSER: postgres
PGPASSWORD: postgres
PGHOST: localhost
PGPORT: 5432

- name: Upload sanitised backup
- name: Upload sanitised backup to Azure Storage
if: github.event_name == 'schedule'
uses: actions/upload-artifact@v4
with:
name: backup-sanitised
path: backup-sanitised.sql.gz
retention-days: 3
run: |
STORAGE_CONN_STR=$(az storage account show-connection-string -g ${{ env.RESOURCE_GROUP_NAME }} -n ${{ env.STORAGE_ACCOUNT_NAME }} --query 'connectionString')
echo "::add-mask::$STORAGE_CONN_STR"
az storage blob upload --container-name database-backup \
--file ${SANITISED_FILE_NAME}.sql.gz --name ${SANITISED_FILE_NAME}.sql.gz --overwrite \
--connection-string "${STORAGE_CONN_STR}"
rm ${SANITISED_FILE_NAME}.sql.gz
restore-preproduction:
name: Restore preproduction
needs: [backup]
if: ${{ github.event_name == 'schedule' }}
runs-on: ubuntu-latest
environment: preproduction
environment: production
env:
GLOBAL_CONFIG: preprod

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Download sanitised backup
uses: actions/download-artifact@v4
- name: Set environment variables
run: |
source global_config/${GLOBAL_CONFIG}.sh
tf_vars_file=${TF_VARS_PATH}/${CONFIG}/variables.tfvars.json
APP_ENVIRONMENT=$(jq -r '.app_environment' ${tf_vars_file})
echo "APP_NAME=${SERVICE_NAME}-${APP_ENVIRONMENT}-web" >> $GITHUB_ENV
echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F").sql.gz" >> $GITHUB_ENV
echo "CLUSTER_RG=s189t01-tsc-ts-rg" >> $GITHUB_ENV
echo "CLUSTER_NAME=s189t01-tsc-test-aks" >> $GITHUB_ENV
echo "RESOURCE_GROUP_NAME=s189p01-afqts-pd-rg" >> $GITHUB_ENV
echo "STORAGE_ACCOUNT_NAME=s189p01afqtsdbbkppdsa" >> $GITHUB_ENV
# Download backup from production storage account
- uses: azure/login@v2
with:
name: backup-sanitised
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Set Connection String
run: |
STORAGE_CONN_STR=$(az storage account show-connection-string -g ${RESOURCE_GROUP_NAME} -n ${STORAGE_ACCOUNT_NAME} --query 'connectionString')
echo "::add-mask::$STORAGE_CONN_STR"
echo "AZURE_STORAGE_CONNECTION_STRING=$STORAGE_CONN_STR" >> $GITHUB_ENV
- name: Download Backup from Azure Storage
run: |
az config set extension.use_dynamic_install=yes_without_prompt
az config set core.only_show_errors=true
az storage azcopy blob download --container database-backup \
--source ${{ env.SANITISED_FILE_NAME }} --destination ${{ env.SANITISED_FILE_NAME }}
- uses: ./.github/actions/set-kubernetes-credentials
# Restore backup to preproduction database
- uses: azure/login@v2
with:
environment: preproduction
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
creds: ${{ secrets.AZURE_CREDENTIALS_PREPRODUCTION }}

- name: Setup postgres client
uses: DFE-Digital/github-actions/install-postgres-client@master
with:
version: 14

- name: Install kubectl
uses: DFE-Digital/github-actions/set-kubectl@master

- name: Install konduit
run: make install-konduit
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PREPRODUCTION }}

- name: K8 setup
run: |
az aks get-credentials --overwrite-existing -g ${CLUSTER_RG} -n ${CLUSTER_NAME}
kubelogin convert-kubeconfig -l spn
# install konduit
curl -s https://raw.githubusercontent.com/DFE-Digital/teacher-services-cloud/master/scripts/konduit.sh -o ./konduit.sh
chmod +x ./konduit.sh
- name: Restore sanitised backup
shell: bash
run: bin/konduit.sh -i backup-sanitised.sql.gz -c apply-for-qts-preproduction-web -- psql
- name: Restore backup to aks env database
run: |
./konduit.sh -i ${SANITISED_FILE_NAME} -c -t 7200 -x ${APP_NAME} -- psql
- name: Restore Summary
if: success()
run: |
NOW=$(TZ=Europe/London date +"%F %R")
echo "RESTORE SUCCESSFUL!" >> $GITHUB_STEP_SUMMARY
echo "APP: ${APP_NAME}" >> $GITHUB_STEP_SUMMARY
echo "BACKUP FILE RESTORED: ${STORAGE_ACCOUNT_NAME} / database-backup / ${SANITISED_FILE_NAME}" >> $GITHUB_STEP_SUMMARY
echo "AT: ${NOW}" >> $GITHUB_STEP_SUMMARY

0 comments on commit cb5efbe

Please sign in to comment.