iaps-data-refresh.yml
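---
# Refreshes preproduction IAPS data from a production RDS snapshot.
#
# Flow, as implemented by the steps below:
#   1. Assume the OIDC CI/CD role in the production account.
#   2. Pick the newest automated snapshot of the "iaps" instance, or use the
#      snapshot ID supplied when the workflow is dispatched.
#   3. Copy it within production and share the copy with preproduction.
#   4. Assume the OIDC CI/CD role in the preproduction account, re-copy the
#      shared snapshot under the preproduction KMS key alias, and record its
#      name in SSM.
#   5. Optionally trigger the delius-iaps deploy workflow.
#
# NOTE(review): nothing in this workflow deletes the intermediate production
# copy or revokes the "restore" attribute granted to preproduction, so each
# run leaves a shared copy of production data behind. Confirm that cleanup
# happens elsewhere.
name: "IAPS: Data Refresh"

permissions:
  id-token: write  # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout

on:
  workflow_dispatch:
    inputs:
      manually_specified_snapshot_id:  # This is the name of the input
        description: "Snapshot ID"
        required: false
      trigger_mp_workflow:
        type: choice
        description: "Trigger MP workflow for IAPS [true|false]"
        default: "true"
        options:
          - "true"
          - "false"
        required: true

env:
  SOURCE_ACCOUNT_ID: "936195311149"  # production
  DEST_ACCOUNT_ID: "247467087019"  # preproduction

jobs:
  share-latest-manual-snapshot:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502  # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.SOURCE_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
          role-session-name: "iaps-data-refresh-${{ github.run_number }}"
          aws-region: "eu-west-2"

      - name: Get latest overnight backup
        if: ${{ github.event.inputs.manually_specified_snapshot_id == '' }}
        run: |
          overnight_snapshot_identifier=$(aws rds describe-db-snapshots \
            --snapshot-type "automated" \
            --db-instance-identifier "iaps" \
            --query "reverse(sort_by(DBSnapshots, &SnapshotCreateTime))[0].DBSnapshotIdentifier" \
            --output text)
          # With --output text the CLI prints the literal string "None" for a
          # null query result, so an empty-string test alone would let the
          # "no snapshots" case through.
          if [ -z "$overnight_snapshot_identifier" ] || [ "$overnight_snapshot_identifier" = "None" ]; then
            echo "No snapshot found"
            exit 1
          fi
          echo "SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier}" >> "$GITHUB_ENV"
          echo "SOURCE_SNAPSHOT_IDENTIFIER=${overnight_snapshot_identifier}" >> "$GITHUB_OUTPUT"

      - name: Snapshot ID provided
        if: ${{ github.event.inputs.manually_specified_snapshot_id != '' }}
        env:
          # Hand the dispatch input to the shell as data. Expanding the
          # expression inside the script text would let the input be parsed
          # as shell syntax on a runner that holds production credentials.
          MANUAL_SNAPSHOT_ID: ${{ github.event.inputs.manually_specified_snapshot_id }}
        run: |
          # Accept only letters, digits, ':' and '-'. This also rejects
          # newlines, which would otherwise add extra entries to GITHUB_ENV.
          if [[ ! "$MANUAL_SNAPSHOT_ID" =~ ^[A-Za-z0-9:-]+$ ]]; then
            echo "Snapshot ID contains unexpected characters"
            exit 1
          fi
          echo "SOURCE_SNAPSHOT_IDENTIFIER=${MANUAL_SNAPSHOT_ID}" >> "$GITHUB_ENV"
          echo "SOURCE_SNAPSHOT_IDENTIFIER=${MANUAL_SNAPSHOT_ID}" >> "$GITHUB_OUTPUT"

      - name: Set snapshot name string
        run: |
          # Strip the "rds:iaps-" prefix so the remainder can be reused in
          # the names of the copies.
          datetime_string="$(echo "$SOURCE_SNAPSHOT_IDENTIFIER" | sed s/"rds:iaps-"//)"
          echo "DATETIME_STRING=${datetime_string}" >> "$GITHUB_ENV"
          echo "SNAPSHOT_PROD_COPY_NAME=iaps-prod-snapshot-${datetime_string}-${{ github.run_id }}" >> "$GITHUB_ENV"

      # From here on, values written to GITHUB_ENV are read as shell
      # variables rather than via ${{ env.* }}, so they are never spliced
      # into the script text.
      - name: Copy snapshot (prod-prod)
        run: |
          aws rds copy-db-snapshot \
            --source-db-snapshot-identifier "${SOURCE_SNAPSHOT_IDENTIFIER}" \
            --target-db-snapshot-identifier "${SNAPSHOT_PROD_COPY_NAME}" \
            --region "eu-west-2"

      - name: Wait for RDS Snapshot to be ready
        run: |
          # Retry the waiter up to five times with a growing pause, and fail
          # the step if the snapshot never becomes available.
          for attempt in {1..5}; do
            if aws rds wait db-snapshot-available \
              --db-snapshot-identifier "${SNAPSHOT_PROD_COPY_NAME}"; then
              exit 0
            fi
            sleep $((10 * attempt))
          done
          echo "Snapshot ${SNAPSHOT_PROD_COPY_NAME} did not become available"
          exit 1

      - name: Share RDS snapshot with Pre-Prod
        run: |
          aws rds modify-db-snapshot-attribute \
            --db-snapshot-identifier "${SNAPSHOT_PROD_COPY_NAME}" \
            --attribute-name restore \
            --values-to-add "${DEST_ACCOUNT_ID}"

      # Switch to the preproduction account for the remaining steps.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502  # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.DEST_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
          role-session-name: "iaps-data-refresh-${{ github.run_number }}"
          aws-region: "eu-west-2"

      - name: Set final snapshot name string
        run: |
          echo "FINAL_SNAPSHOT_PROD_COPY_NAME=iaps-refresh-ready-${DATETIME_STRING}-${{ github.run_id }}" >> "$GITHUB_ENV"

      - name: Copy snapshot (prod[shared]-preprod)
        run: |
          aws rds copy-db-snapshot \
            --source-db-snapshot-identifier "arn:aws:rds:eu-west-2:${SOURCE_ACCOUNT_ID}:snapshot:${SNAPSHOT_PROD_COPY_NAME}" \
            --target-db-snapshot-identifier "${FINAL_SNAPSHOT_PROD_COPY_NAME}" \
            --kms-key-id "arn:aws:kms:eu-west-2:374269020027:alias/rds-hmpps" \
            --region "eu-west-2"

      - name: Wait for RDS Snapshot to be ready in Pre-Prod
        run: |
          # Same retry policy as the production wait: five attempts, then fail.
          for attempt in {1..5}; do
            if aws rds wait db-snapshot-available \
              --db-snapshot-identifier "${FINAL_SNAPSHOT_PROD_COPY_NAME}"; then
              exit 0
            fi
            sleep $((10 * attempt))
          done
          echo "Snapshot ${FINAL_SNAPSHOT_PROD_COPY_NAME} did not become available"
          exit 1

      - name: Store identifier in SSM parameter store
        run: |
          aws ssm put-parameter \
            --name "/iaps/snapshot_id" \
            --value "${FINAL_SNAPSHOT_PROD_COPY_NAME}" \
            --type "String" \
            --overwrite \
            --region "eu-west-2"

      - name: Output snapshot identifier
        run: |
          echo "Snapshot identifier: ${FINAL_SNAPSHOT_PROD_COPY_NAME}"

      # NOTE(review): the action reference below was mangled by the page's
      # e-mail obfuscation ("[email protected]"), so the real name and version
      # are not visible here. Restore it from the repository and pin it to a
      # full commit SHA, as the aws-actions step is, because this step
      # receives the bot's private key.
      - name: Generate token
        if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }}
        id: generate_token
        uses: tibdex/[email protected]
        with:
          app_id: ${{ secrets.HMPPS_BOT_APP_ID }}
          private_key: ${{ secrets.HMPPS_BOT_PRIVATE_KEY }}

      - name: Trigger IAPS Workflow
        if: ${{ github.event.inputs.trigger_mp_workflow == 'true' }}
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: gh workflow run delius-iaps --ref main -F action=deploy --repo ministryofjustice/modernisation-platform-environments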