-
Notifications
You must be signed in to change notification settings - Fork 2
/
deploy.sh
executable file
·379 lines (313 loc) · 14.2 KB
/
deploy.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
# -e: immediately exit if any command has a non-zero exit status
# -o: prevents errors in a pipeline from being masked
# IFS new value is less likely to cause confusing bugs when looping arrays or arguments (e.g. $@)
usage() { echo "Usage: $0 -i <subscriptionId> -g <resourceGroupName> -n <deploymentName> -l <resourceGroupLocation> -m <imageName> -o <vaultResourceGroup> -p <vaultName> -q <databaseServerName> -r <databaseName> -s <servicePlanName> -w <sitesName> -t <redisName> -v <environmentName> -b <branch> " 1>&2; exit 1; }
source common.sh
declare subscriptionId=""
declare resourceGroupName=""
declare deploymentName=""
declare resourceGroupLocation=""
declare imageName=""
declare vaultResourceGroup=""
declare vaultName=""
declare databaseServerName=""
declare databaseName=""
declare servicePlanName=""
declare sitesName=""
declare redisName=""
declare environmentName=""
declare branch=""
# Initialize parameters specified from command line
while getopts ":i:g:n:l:m:o:p:q:r:s:w:t:v:b:c:" arg; do
case "${arg}" in
i)
subscriptionId=${OPTARG}
;;
g)
resourceGroupName=${OPTARG}
;;
n)
deploymentName=${OPTARG}
;;
l)
resourceGroupLocation=${OPTARG}
;;
m)
imageName=${OPTARG}
;;
o)
vaultResourceGroup=${OPTARG}
;;
p)
vaultName=${OPTARG}
;;
q)
databaseServerName=${OPTARG}
;;
r)
databaseName=${OPTARG}
;;
s)
servicePlanName=${OPTARG}
;;
w)
sitesName=${OPTARG}
;;
t)
redisName=${OPTARG}
;;
v)
environmentName=${OPTARG}
;;
b)
branch=${OPTARG}
;;
esac
done
shift $((OPTIND-1))
#Prompt for parameters is some required parameters are missing
if [[ -z "$subscriptionId" ]]; then
echo "Your subscription ID can be looked up with the CLI using: az account show --out json "
echo "Enter your subscription ID:"
read subscriptionId
[[ "${subscriptionId:?}" ]]
fi
if [[ -z "$resourceGroupName" ]]; then
echo "This script will look for an existing resource group, otherwise a new one will be created "
echo "You can create new resource groups with the CLI using: az group create "
echo "Enter a resource group name"
read resourceGroupName
[[ "${resourceGroupName:?}" ]]
fi
if [[ -z "$deploymentName" ]]; then
echo "Enter a name for this deployment:"
read deploymentName
fi
if [[ -z "$resourceGroupLocation" ]]; then
echo "If creating a *new* resource group, you need to set a location "
echo "You can lookup locations with the CLI using: az account list-locations "
echo "Enter resource group location:"
read resourceGroupLocation
fi
if [[ -z "$imageName" ]]; then
echo "Enter a name for the image name:"
read imageName
fi
if [[ -z "$vaultResourceGroup" ]]; then
echo "Enter the name of the (already existing) vault resource group:"
read vaultResourceGroup
fi
if [[ -z "$vaultName" ]]; then
echo "Enter the name of the (already existing) vault:"
read vaultName
fi
if [[ -z "$databaseServerName" ]]; then
echo "Enter a name for the database server:"
read databaseServerName
fi
if [[ -z "$databaseName" ]]; then
echo "Enter a name for the database:"
read databaseName
fi
if [[ -z "$servicePlanName" ]]; then
echo "Enter a name for the service plan:"
read servicePlanName
fi
if [[ -z "$sitesName" ]]; then
echo "Enter a name for the School Experience web site:"
read sitesName
fi
if [[ -z "$redisName" ]]; then
echo "Enter a name for the Redis instance (will be result in a hostname <name>.redis.cache.windows.net):"
read redisName
fi
if [[ -z "$environmentName" ]]; then
echo "Enter a value for the environment name ('dev', 'staging' or 'prod'):"
read environmentName
fi
#parameter file path
parametersFilePath="parameters.json"
echo
if [ ! -f "$parametersFilePath" ]; then
echo "$parametersFilePath not supplied, this can be useful when (re)creating non development environments..."
else
echo "Using $parametersFilePath for additional parameter values"
parametersFileString="@${parametersFilePath}"
fi
if [ -z "$subscriptionId" ] || [ -z "$resourceGroupName" ] || [ -z "$deploymentName" ]; then
echo "Either one of subscriptionId, resourceGroupName, deploymentName is empty"
usage
fi
if [[ -z "$branch" ]]; then
echo "Enter a value for the branch:"
read branch
fi
#login to azure using your credentials
az account show 1> /dev/null
if [ $? != 0 ];
then
az login
fi
#set the default subscription id
az account set --subscription $subscriptionId
##################################################
#RESOURCE GROUP CREATION
##################################################
echo
set +e
#Check for existing RG
az group show --name $resourceGroupName 1> /dev/null
if [ $? != 0 ]; then
echo "Resource group with name $resourceGroupName could not be found. Creating new resource group to hold website, db, redis."
set -e
(
set -x
az group create --name $resourceGroupName --location $resourceGroupLocation 1> /dev/null
)
else
echo "Using existing resource group to hold website, db amnd redis ..."
fi
##################################################
#VAULT RESOURCE GROUP CREATION
##################################################
echo
set +e
#Check for existing Vault RG
az group show --name $vaultResourceGroup 1> /dev/null
if [ $? != 0 ]; then
echo "Resource group with name $vaultResourceGroup could not be found. Creating new resource group to hold Key Vault.."
set -e
(
set -x
az group create --name $vaultResourceGroup --location $resourceGroupLocation 1> /dev/null
)
else
echo "Using existing resource group to hold Key Vault..."
fi
####################################################
#VAULT CREATION
####################################################
echo
set +e
az keyvault show -g $vaultResourceGroup -n $vaultName 1> /dev/null
if [ $? != 0 ]; then
echo "Vault with name $vaultName could not be found. Creating new Vault.."
set -e
(
set -x
az keyvault create \
--name $vaultName \
--resource-group $vaultResourceGroup \
--location $resourceGroupLocation \
--enabled-for-template-deployment true 1> /dev/null
set +x
read -s -p "Enter value for DfE Signin secret (set to 'rubbish' if not supplied)?" dfeSigninSecret
echo
read -s -p "Enter value for Sentry DSN secret (set to 'rubbish' if not supplied)?" sentryDsn
echo
read -s -p "Enter value for Slack webhook secret (set to 'rubbish' if not supplied)?" slackWebhook
echo
read -s -p "Enter value for CRM client secret (set to 'rubbish' if not supplied)?" crmClientSecret
echo
read -s -p "Enter value for Azure Support Group (slack) webhook secret (set to 'rubbish' if not supplied)?" supportWebhook
echo
setsecret dfeSigninSecret $vaultName ${dfeSigninSecret:-rubbish}
setsecret postgresAdminPassword $vaultName $(randomalpha 1)$(randomstring 15)
setsecret postgresUserPassword $vaultName $(randomalpha 1)$(randomstring 15)
setsecret sentryDsn $vaultName ${sentryDsn:-rubbish}
setsecret slackWebhook $vaultName ${slackWebhook:-rubbish}
setsecret crmClientSecret $vaultName ${crmClientSecret:-rubbish}
setsecret supportWebhook $vaultName ${supportWebhook:-rubbish}
setsecret deploymentPassword $vaultName $(randomalpha 16)
MICROSOFT_AZURE_APP_SERVICE_SPN=abfa0a7c-a6b6-4736-8310-5855508787cd
az keyvault set-policy --name $vaultName --spn $MICROSOFT_AZURE_APP_SERVICE_SPN --secret-permissions get
read -s -p "Azure DevOps service connection service principal (leave blank if you don't know or is not relevant)?" serviceConnectionPrincipal
echo
if [[ ! -z "$serviceConnectionPrincipal" ]]; then
az keyvault set-policy --name $vaultName --spn $serviceConnectionPrincipal --secret-permissions get list
az keyvault set-policy --name $vaultName --spn $serviceConnectionPrincipal --certificate-permissions get list
fi
)
else
echo "Using existing Vault..."
fi
VAULT_NAME_LOWER_CASE="$(echo $vaultName | tr '[:upper:]' '[:lower:]')"
echo 'A secret has already been generated for the postgres user password with a secret name of postgresUserPassword.'
read -p "Do you want to create (if it doesn't exist) and use a secret with a different name (Y/N)?" useDifferentUserPasswordSecret
postgresUserPasswordSecretName=postgresUserPassword
if [ 'Y' == "$useDifferentUserPasswordSecret" ]; then
read -p "Enter value for postgres user password secret name and generate a value (defaults to postgresUserPassword if not supplied)?" postgresUserPasswordSecretName
if [ "$(az keyvault secret show --id https://${VAULT_NAME_LOWER_CASE}.vault.azure.net/secrets/${postgresUserPasswordSecretName} -o tsv --query value)" != "" ]; then
echo 'secret already exists'
else
setsecret ${postgresUserPasswordSecretName} $vaultName $(randomalpha 1)$(randomstring 15)
fi
fi
set -e
#####################################################
#DOCKER COMPOSE FILE CREATION
#####################################################
export IMAGE_NAME=$imageName
export IMAGE_TAG=bootstrap
export REGISTRY_HOST="registry-1.docker.io"
./compose-school-experience.sh
sleep 10
####################################################
#START DEPLOYMENT
####################################################
export DATABASE_NAME=$databaseName
echo "Starting deployment..."
(
set -x
az group deployment create --name ${deploymentName} \
--resource-group ${resourceGroupName} \
--template-uri https://raw.githubusercontent.com/DFE-Digital/school-experience-devops/${branch}/template.json \
--parameters ${parametersFileString:-} [email protected] databases_school_experience_name=${DATABASE_NAME} servers_db_name=${databaseServerName} vaultName=${vaultName} vaultResourceGroupName=${vaultResourceGroup} serverfarms_serviceplan_name=${servicePlanName} sites_school_experience_name=${sitesName} redis_name=${redisName} environmentName=${environmentName} _artifactsLocation=https://raw.githubusercontent.com/DFE-Digital/school-experience-devops/${branch}/ servers_db_createMode=Default
)
if [ $? == 0 ];
then
echo "Template has been successfully deployed"
fi
rm compose-school-experience.yml
####################################################
#SET UP DATABASE
####################################################
echo "The postgres user password secret name is ${postgresUserPasswordSecretName}"
postgresAdminPassword=$(az keyvault secret show --id https://${VAULT_NAME_LOWER_CASE}.vault.azure.net/secrets/postgresAdminPassword -o tsv --query value)
export postgresUserPassword=$(az keyvault secret show --id https://${VAULT_NAME_LOWER_CASE}.vault.azure.net/secrets/${postgresUserPasswordSecretName} -o tsv --query value)
read -p "Enter value for postgres username (defaults to railsappuser if not supplied)?" dbusersupplied
export dbuser=${dbusersupplied:-railsappuser}
if [ 'dev' != "$environmentName" ]; then
echo 'adding firewall rule for deploy script'
clientIpAddress=$(curl -s https://api.ipify.org)
az postgres server firewall-rule create -g ${resourceGroupName} -s ${databaseServerName} -n allow-deploy-script --start-ip-address ${clientIpAddress} --end-ip-address ${clientIpAddress}
fi
PGPASSWORD=$postgresAdminPassword psql -U adminuser@"${databaseServerName}" -h "${databaseServerName}".postgres.database.azure.com postgres -f createdb.sql
####################################################
#BOOTSTRAP IMAGE
####################################################
if [ -n "${BUILD_APP+set}" ]; then
read -rsp $'Deleting the /tmp/schools-experience folder, press any key to continue...\n' -n1 key
rm -rf /tmp/schools-experience
git clone https://github.com/DFE-Digital/schools-experience.git /tmp/schools-experience
cd /tmp/schools-experience
docker build -f Dockerfile -t $REGISTRY_HOST/$IMAGE_NAME:$IMAGE_TAG .
read -p "Enter value for Docker registry username?" REGISTRY_USERNAME
read -s -p "Enter value for Docker registry password?" REGISTRY_PASSWORD
echo "$REGISTRY_PASSWORD" | docker login $REGISTRY_HOST -u $REGISTRY_USERNAME --password-stdin
docker push $REGISTRY_HOST/$IMAGE_NAME:$IMAGE_TAG
rm -rf /tmp/schools-experience
fi
echo 'RUNNING db:migrate'
docker run -e RAILS_ENV=production -e DB_HOST="${databaseServerName}.postgres.database.azure.com" -e DB_DATABASE=${DATABASE_NAME} -e DB_USERNAME="${dbuser}@${databaseServerName}" -e DB_PASSWORD=$postgresUserPassword -e SECRET_KEY_BASE=stubbed -e SKIP_REDIS=true --rm $REGISTRY_HOST/$IMAGE_NAME:$IMAGE_TAG rails db:migrate
read -p "To seed database (Y) otherwise will be left empty, a database can only be seeded once?" SEED_DATABASE
if [ 'Y' == "$SEED_DATABASE" ]; then
docker run -e RAILS_ENV=production -e DB_HOST="${databaseServerName}.postgres.database.azure.com" -e DB_DATABASE=${DATABASE_NAME} -e DB_USERNAME="${dbuser}@${databaseServerName}" -e DB_PASSWORD=$postgresUserPassword -e SECRET_KEY_BASE=stubbed -e SKIP_REDIS=true --rm $REGISTRY_HOST/$IMAGE_NAME:$IMAGE_TAG rails db:seed
fi
if [ 'dev' != "$environmentName" ]; then
echo 'removing firewall rule for deploy script'
az postgres server firewall-rule delete -g ${resourceGroupName} -s ${databaseServerName} -n allow-deploy-script --yes
fi