database-restore.yml
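# Dumps the production database, archives the raw dump to Azure Storage,
# builds a sanitised copy on a throwaway Postgres service container, and
# restores that sanitised copy to the qa_aks and staging_aks environments.
name: Database Backup and Restore
on:
  schedule: # 03:00 UTC
    - cron: "0 3 * * *"
  workflow_dispatch:
    inputs:
      overwriteThisMorningsBackup:
        required: true
        type: boolean
        default: false
# NOTE(review): there is no `permissions:` block, so GITHUB_TOKEN gets the
# repository default scopes. Consider restricting it per job once the needs
# of the local restore action and the make targets have been confirmed.
jobs:
  backup:
    name: Sanitise Production Database Backup
    # Runs on the nightly schedule, or on a manual run only when the operator
    # explicitly asks to overwrite this morning's backup.
    if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.overwriteThisMorningsBackup == 'true') }}
    runs-on: ubuntu-latest
    services:
      # Intermediate database used only to sanitise the dump. The credentials
      # below are fixed values for this CI service container, not secrets.
      postgres:
        image: postgres:14.7
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - "5432:5432"
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set KV environment variables
        run: |
          tf_vars_file=terraform/aks/workspace_variables/production_aks.tfvars.json
          echo "key_vault_name=$(jq -r '.key_vault_name' "${tf_vars_file}")" >> "$GITHUB_ENV"
      - uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION_AKS }}
      - name: Install kubectl
        uses: azure/setup-kubectl@v3
        with:
          version: "v1.26.1" # default is latest stable
      # NOTE(review): this action is handed the production Azure credentials
      # but is referenced by the mutable `master` branch. Pin it to a full
      # commit SHA so a later change to that branch cannot alter what runs
      # with these credentials.
      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
        with:
          azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION_AKS }}
      - name: K8 & konduit setup
        shell: bash
        run: |
          make ci production_aks get-cluster-credentials
          make install-konduit
      - name: Backup Publish Teacher Training Prod Database
        run: |
          now=$(date +"%F")
          PROD_BACKUP="prod_backup-$now.sql"
          bin/konduit.sh publish-production -- pg_dump -E utf8 --clean --no-owner --if-exists -f "$PROD_BACKUP"
          tar -cvzf "${PROD_BACKUP}.tar.gz" "${PROD_BACKUP}"
          echo "PROD_BACKUP=$PROD_BACKUP" >> "$GITHUB_ENV"
      - name: Upload Backup to Azure Storage
        run: |
          # Without pipefail a failed `az` call is hidden by jq's exit status
          # and the step would carry on with an empty connection string.
          set -o pipefail
          # The connection string is fetched and used inside this one step,
          # not written to GITHUB_ENV, so later steps and actions never
          # receive it in their environment.
          STORAGE_CONN_STR="$(az keyvault secret show --name PUBLISH-STORAGE-ACCOUNT-CONNECTION-STRING-PRODUCTION --vault-name "$key_vault_name" | jq -r .value)"
          echo "::add-mask::$STORAGE_CONN_STR"
          # Pass the secret as a shell variable; interpolating it with an
          # expression would paste the value into the script text itself.
          az storage blob upload --container-name database-backup \
            --file "${PROD_BACKUP}.tar.gz" --name "${PROD_BACKUP}.tar.gz" \
            --connection-string "$STORAGE_CONN_STR"
      - name: Sanitise the Database backup
        run: |
          echo "::group::Restore backup to intermediate database"
          createdb "${DATABASE_NAME}"
          psql -f "${PROD_BACKUP}" -d "${DATABASE_NAME}"
          echo "::endgroup::"
          echo "::group::Clear user data"
          # Fail closed: by default psql keeps going after an SQL error and
          # still exits 0, which would let a partly sanitised database be
          # dumped and published below.
          psql -v ON_ERROR_STOP=1 -d "${DATABASE_NAME}" -f db/scripts/sanitise.sql
          echo "::endgroup::"
          echo "::group::Integration setup"
          psql -d "${DATABASE_NAME}" -f db/scripts/integration_setup.sql
          echo "::endgroup::"
          # Remove the raw production dump before the sanitised dump is made.
          echo "::debug::Remove ${PROD_BACKUP}"
          rm "${PROD_BACKUP}"
          echo "::group::Backup Sanitised Database"
          pg_dump --encoding utf8 --clean --no-owner --if-exists -d "${DATABASE_NAME}" -f backup_sanitised.sql
          echo "::endgroup::"
        env:
          DATABASE_NAME: teacher_training_api
          PGUSER: postgres
          PGPASSWORD: postgres
          PGHOST: localhost
          PGPORT: "5432"
      # Only the sanitised dump is published as an artifact. Anyone able to
      # download this repository's workflow artifacts can read it, so the
      # sanitise step above must have succeeded for this to be safe.
      - name: Upload Sanitised Backup
        uses: actions/upload-artifact@v4
        with:
          name: backup_sanitised
          path: backup_sanitised.sql
          retention-days: 7
  # Restores into each lower environment, one matrix leg per environment.
  # NOTE(review): this job needs `backup` and has no `if:` of its own, so a
  # manual run that leaves overwriteThisMorningsBackup false skips both jobs.
  # Confirm that is the intended behaviour.
  restore-aks:
    needs: [backup]
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    strategy:
      # One environment failing must not cancel the restore of the other.
      fail-fast: false
      matrix:
        environment: [qa_aks, staging_aks]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Restore AKS database
        id: restore_aks
        uses: ./.github/actions/restore/
        with:
          # Selects the AZURE_CREDENTIALS_<environment> secret for this leg.
          azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }}
          environment: ${{ matrix.environment }}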