Delius Core: RDS instance Data Refresh #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "Delius Core: RDS instance Data Refresh" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| manually_specified_snapshot_id: # This is the name of the input | |
| description: "Snapshot ID" | |
| required: false | |
| trigger_mp_workflow: | |
| type: choice | |
| description: "Trigger MP workflow for gdpr [true|false]" | |
| default: "true" | |
| options: | |
| - "true" | |
| - "false" | |
| required: true | |
| source_environment: | |
| type: choice | |
| description: "Select source environment" | |
| default: "true" | |
| options: | |
| - "test" | |
| - "stage" | |
| - "preprod" | |
| - "prod" | |
| required: true | |
| dest_environment: | |
| type: choice | |
| description: "Select destination environment" | |
| default: "true" | |
| options: | |
| - "dev" | |
| - "test" | |
| - "stage" | |
| - "preprod" | |
| required: true | |
| rds_instance: | |
| type: choice | |
| description: "Select rds instance for refreshing" | |
| default: "true" | |
| options: | |
| - "merge" | |
| - "gdpr" | |
| required: true | |
| jobs: | |
| get_source_account_id: | |
| runs-on: ubuntu-latest | |
| environment: delius-core-${{ inputs.source_environment }} | |
| outputs: | |
| account_id: "${{ steps.output_account_id.account_id}}" | |
| steps: | |
| - name: output account id | |
| id: output_account_id | |
| run: echo "account_id=${{ vars.AWS_ACCOUNT_ID }}" >> $GITHUB_OUTPUT | |
| get_dest_account_id: | |
| runs-on: ubuntu-latest | |
| environment: delius-core-${{ inputs.dest_environment }} | |
| outputs: | |
| account_id: "${{ steps.output_account_id.outputs.account_id}}" | |
| steps: | |
| - name: output account id | |
| id: output_account_id | |
| run: echo "account_id=${{ vars.AWS_ACCOUNT_ID }}" >> $GITHUB_OUTPUT | |
| source_environment: | |
| needs: [get_source_account_id, get_dest_account_id] | |
| runs-on: ubuntu-latest | |
| environment: delius-core-${{ inputs.source_environment }} | |
| outputs: | |
| DATETIME_STRING: "${{ steps.name.outputs.DATETIME_STRING }}" | |
| SNAPSHOT_SOURCE_COPY_NAME": "${{ steps.name.outputs.SNAPSHOT_SOURCE_COPY_NAME }}" | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "${{ inputs.rds_instance }}-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Get latest overnight backup | |
| if: ${{ github.event.inputs.manually_specified_snapshot_id == '' }} | |
| run: | | |
| overnight_snapshot_identifier=$(aws rds describe-db-snapshots \ | |
| --snapshot-type "automated" \ | |
| --db-instance-identifier "${{ inputs.rds_instance }}" \ | |
| --query "reverse(sort_by(DBSnapshots, &SnapshotCreateTime))[0].DBSnapshotIdentifier" \ | |
| --output text) | |
| if [ -z "$overnight_snapshot_identifier" ]; then | |
| echo "No snapshot found" | |
| exit 1 | |
| fi | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier} >> $GITHUB_ENV | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier} >> $GITHUB_OUTPUT | |
| - name: Snapshot ID provided | |
| if: ${{ github.event.inputs.manually_specified_snapshot_id != '' }} | |
| run: | | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${{ github.event.inputs.manually_specified_snapshot_id }} >> $GITHUB_ENV | |
| echo SOURCE_SNAPSHOT_IDENTIFIER=${{ github.event.inputs.manually_specified_snapshot_id }} >> $GITHUB_OUTPUT | |
| - name: Set snapshot name string | |
| id: name | |
| run: | | |
| echo DATETIME_STRING="$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:${{ inputs.rds_instance }}-"//)" >> $GITHUB_ENV | |
| echo DATETIME_STRING="$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:${{ inputs.rds_instance }}-"//)" >> $GITHUB_OUTPUT | |
| echo SNAPSHOT_SOURCE_COPY_NAME="${{ inputs.rds_instance }}-${{ inputs.source_environment }}-snapshot-$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:delius-${{ inputs.rds_instance}}-"//)-${{ github.run_id }}" >> $GITHUB_ENV | |
| echo SNAPSHOT_SOURCE_COPY_NAME="${{ inputs.rds_instance }}-${{ inputs.source_environment }}-snapshot-$(echo $SOURCE_SNAPSHOT_IDENTIFIER | sed s/"rds:delius-${{ inputs.rds_instance}}-"//)-${{ github.run_id }}" >> $GITHUB_OUTPUT | |
| - name: Copy snapshot (within ${{ inputs.source_account }}) | |
| run: | | |
| aws rds copy-db-snapshot \ | |
| --source-db-snapshot-identifier "${{ env.SOURCE_SNAPSHOT_IDENTIFIER }}" \ | |
| --target-db-snapshot-identifier "${{ env.SNAPSHOT_SOURCE_COPY_NAME }}" \ | |
| --region "eu-west-2" | |
| - name: Wait for RDS Snapshot to be ready | |
| run: | | |
| for run in {1..5}; do | |
| aws rds wait db-snapshot-available \ | |
| --db-snapshot-identifier "${{ env.SNAPSHOT_SOURCE_COPY_NAME }}" && break || sleep 10 * run | |
| done | |
| - name: Share RDS snapshot with Pre-Prod | |
| run: | | |
| aws rds modify-db-snapshot-attribute \ | |
| --db-snapshot-identifier "${{ env.SNAPSHOT_SOURCE_COPY_NAME }}" \ | |
| --attribute-name restore \ | |
| --values-to-add "${{ needs.get_dest_account_id.outputs.account_id }}" | |
| destination_environment: | |
| runs-on: ubuntu-latest | |
| environment: delius-core-${{ inputs.dest_environment }} | |
| needs: [source_environment, get_source_account_id, get_dest_account_id] | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
| role-session-name: "${{ inputs.rds_instance }}-data-refresh-${{ github.run_number }}" | |
| aws-region: "eu-west-2" | |
| - name: Set final snapshot name string | |
| run: | | |
| echo FINAL_SNAPSHOT_DEST_COPY_NAME="${{ inputs.rds_instance }}-refresh-ready-${{ needs.source_environment.outputs.DATETIME_STRING }}-${{ github.run_id }}" >> $GITHUB_ENV | |
| - name: Copy snapshot (${{ inputs.source_environment }}[shared]-${{ inputs.dest_environment }}) | |
| run: | | |
| aws rds copy-db-snapshot \ | |
| --source-db-snapshot-identifier "arn:aws:rds:eu-west-2:${{ needs.get_source_account_id.outputs.account_id }}:snapshot:${{ needs.source_environment.outputs.SNAPSHOT_PROD_COPY_NAME }}" \ | |
| --target-db-snapshot-identifier "${{ env.FINAL_SNAPSHOT_DEST_COPY_NAME }}" \ | |
| --kms-key-id "arn:aws:kms:eu-west-2:374269020027:alias/rds-hmpps" \ | |
| --region "eu-west-2" | |
| - name: Wait for RDS Snapshot to be ready in ${{ inputs.dest_environment }} | |
| run: | | |
| for run in {1..5}; do | |
| aws rds wait db-snapshot-available \ | |
| --db-snapshot-identifier "${{ env.FINAL_SNAPSHOT_DEST_COPY_NAME }}" && break || sleep 10 * run | |
| done | |
| - name: Store identifier in SSM parameter store | |
| run: | | |
| aws ssm put-parameter \ | |
| --name "/${{ inputs.rds_instance }}/snapshot_id" \ | |
| --value "${{ env.FINAL_SNAPSHOT_DEST_COPY_NAME }}" \ | |
| --type "String" \ | |
| --overwrite \ | |
| --region "eu-west-2" | |
| - name: Output snapshot identifier | |
| run: | | |
| echo "Snapshot identifier: ${{env.FINAL_SNAPSHOT_DEST_COPY_NAME}}" | |
| - name: Generate token | |
| if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }} | |
| id: generate_token | |
| uses: tibdex/[email protected] | |
| with: | |
| app_id: ${{ secrets.HMPPS_BOT_APP_ID }} | |
| private_key: ${{ secrets.HMPPS_BOT_PRIVATE_KEY }} | |
| - name: Trigger mp delius-core workflow | |
| if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }} | |
| env: | |
| GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} | |
| run: gh workflow run delius-core --ref main -F action=deploy --repo ministryofjustice/modernisation-platform-environments |