IAPS: Data Refresh #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "IAPS: Data Refresh" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| manually_specified_snapshot_id: # This is the name of the input | |
| description: "Snapshot ID" | |
| required: false | |
| trigger_mp_workflow: | |
| type: choice | |
| description: "Trigger MP workflow for IAPS [true|false]" | |
| default: "true" | |
| options: | |
| - "true" | |
| - "false" | |
| required: true | |
| env: | |
| SOURCE_ACCOUNT_ID: "936195311149" # production | |
| DEST_ACCOUNT_ID: "247467087019" # preproduction | |
| jobs: | |
| share-latest-manual-snapshot: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.SOURCE_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "iaps-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Get latest overnight backup | |
| if: ${{ github.event.inputs.manually_specified_snapshot_id == '' }} | |
| run: | | |
| overnight_snapshot_identifier=$(aws rds describe-db-snapshots \ | |
| --snapshot-type "automated" \ | |
| --db-instance-identifier "iaps" \ | |
| --query "reverse(sort_by(DBSnapshots, &SnapshotCreateTime))[0].DBSnapshotIdentifier" \ | |
| --output text) | |
| if [ -z "$overnight_snapshot_identifier" ]; then | |
| echo "No snapshot found" | |
| exit 1 | |
| fi | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier} >> $GITHUB_ENV | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier} >> $GITHUB_OUTPUT | |
| - name: Snapshot ID provided | |
| if: ${{ github.event.inputs.manually_specified_snapshot_id != '' }} | |
| run: | | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${{ github.event.inputs.manually_specified_snapshot_id }} >> $GITHUB_ENV | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${{ github.event.inputs.manually_specified_snapshot_id }} >> $GITHUB_OUTPUT | |
| - name: Set snapshot name string | |
| run: | | |
| echo DATETIME_STRING="$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:iaps-"//)" >> $GITHUB_ENV | |
| echo SNAPSHOT_PROD_COPY_NAME="iaps-prod-snapshot-$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:iaps-"//)-${{ github.run_id }}" >> $GITHUB_ENV | |
| - name: Copy snapshot (prod-prod) | |
| run: | | |
| aws rds copy-db-snapshot \ | |
| --source-db-snapshot-identifier "${{ env.SOURCE_SNAPSHOT_IDENTIFIER }}" \ | |
| --target-db-snapshot-identifier "${{ env.SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --region "eu-west-2" | |
| - name: Wait for RDS Snapshot to be ready | |
| run: | | |
| for run in {1..5}; do | |
| aws rds wait db-snapshot-available \ | |
| --db-snapshot-identifier "${{ env.SNAPSHOT_PROD_COPY_NAME }}" && break || sleep 10 * run | |
| done | |
| - name: Share RDS snapshot with Pre-Prod | |
| run: | | |
| aws rds modify-db-snapshot-attribute \ | |
| --db-snapshot-identifier "${{ env.SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --attribute-name restore \ | |
| --values-to-add "${{ env.DEST_ACCOUNT_ID }}" | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.DEST_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "iaps-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Set final snapshot name string | |
| run: | | |
| echo FINAL_SNAPSHOT_PROD_COPY_NAME="iaps-refresh-ready-${{ env.DATETIME_STRING }}-${{ github.run_id }}" >> $GITHUB_ENV | |
| - name: Copy snapshot (prod[shared]-preprod) | |
| run: | | |
| aws rds copy-db-snapshot \ | |
| --source-db-snapshot-identifier "arn:aws:rds:eu-west-2:${{ env.SOURCE_ACCOUNT_ID }}:snapshot:${{ env.SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --target-db-snapshot-identifier "${{ env.FINAL_SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --kms-key-id "arn:aws:kms:eu-west-2:374269020027:alias/rds-hmpps" \ | |
| --region "eu-west-2" | |
| - name: Wait for RDS Snapshot to be ready in Pre-Prod | |
| run: | | |
| for run in {1..5}; do | |
| aws rds wait db-snapshot-available \ | |
| --db-snapshot-identifier "${{ env.FINAL_SNAPSHOT_PROD_COPY_NAME }}" && break || sleep 10 * run | |
| done | |
| - name: Store identifier in SSM parameter store | |
| run: | | |
| aws ssm put-parameter \ | |
| --name "/iaps/snapshot_id" \ | |
| --value "${{ env.FINAL_SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --type "String" \ | |
| --overwrite \ | |
| --region "eu-west-2" | |
| - name: Output snapshot identifier | |
| run: | | |
| echo "Snapshot identifier: ${{env.FINAL_SNAPSHOT_PROD_COPY_NAME}}" | |
| - name: Generate token | |
| if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }} | |
| id: generate_token | |
| uses: tibdex/[email protected] | |
| with: | |
| app_id: ${{ secrets.HMPPS_BOT_APP_ID }} | |
| private_key: ${{ secrets.HMPPS_BOT_PRIVATE_KEY }} | |
| - name: Trigger IAPS Workflow | |
| if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }} | |
| env: | |
| GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} | |
| run: gh workflow run delius-iaps --ref main -F action=deploy --repo ministryofjustice/modernisation-platform-environments |