Add aks backup #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Backup production database | ||
| on: | ||
| schedule: | ||
| # The schedule is in UTC and uses cron syntax | ||
| # * is a special character in YAML so you have to quote this string | ||
| workflow_call: | ||
| inputs: | ||
| environment: | ||
| type: string | ||
| workflow_dispatch: | ||
| inputs: | ||
| environment: | ||
| type: choice | ||
| options: | ||
| - review | ||
| - production | ||
| env: | ||
| BACKUP_ARTIFACT_NAME: ${{ inputs.environment }}-backup | ||
| ENVIRONMENT_NAME: ${{ inputs.environment }} | ||
| jobs: | ||
| backup: | ||
| name: Backup from AKS | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: DFE-Digital/github-actions/install-postgres-client@master | ||
| - name: Prepare application environment | ||
| uses: ./.github/actions/prepare-app-env | ||
| - name: Set environment variables | ||
| shell: bash | ||
| id: set_env_vars | ||
| run: | | ||
| tf_vars_file=terraform/aks/workspace_variables/${{ inputs.environment }}.tfvars.json | ||
| cat $tf_vars_file | ||
| NAMESPACE=$(jq -r '.namespace' ${tf_vars_file}) | ||
| APP_ENVIRONMENT=$(jq -r '.app_environment' ${tf_vars_file}) | ||
| CLUSTER=$(jq -r '.cluster' ${tf_vars_file}) | ||
| echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV | ||
| echo "CLUSTER=$CLUSTER" >> $GITHUB_ENV | ||
| echo "APP_ENVIRONMENT=$APP_ENVIRONMENT" >> $GITHUB_ENV | ||
| echo "envs are: ${{ env.NAMESPACE }} ${{ env.APP_ENVIRONMENT }} ${{ env.CLUSTER }}" | ||
| - name: Install kubectl | ||
| uses: azure/setup-kubectl@v3 | ||
| with: | ||
| version: "v1.26.1" | ||
| - name: Get environment variables | ||
| shell: bash | ||
| run: | | ||
| review_cluster_rg=s189t01-tv-rv-rg | ||
| review_cluster_name=s189t01-tsc-test-aks | ||
| production_cluster_rg=s189p01-tsc-pd-rg | ||
| production_cluster_name=s189p01-tsc-production-aks | ||
| BACKUP_FILE_NAME=teaching-vacancies_${{ inputs.environment }}_$(date +"%F") | ||
| echo "BACKUP_FILE_NAME=$BACKUP_FILE_NAME" >> $GITHUB_ENV | ||
| case "${{ inputs.environment }}" in | ||
| review) | ||
| echo "cluster_rg=$test_cluster_rg" >> $GITHUB_ENV | ||
| echo "cluster_name=$test_cluster_name" >> $GITHUB_ENV | ||
| echo "app_name=tv-review" >> $GITHUB_ENV | ||
| echo "storage_account=s189t01tvdbbkprvsa" >> $GITHUB_ENV | ||
| ;; | ||
| production) | ||
| echo "cluster_rg=$production_cluster_rg" >> $GITHUB_ENV | ||
| echo "cluster_name=$production_cluster_name" >> $GITHUB_ENV | ||
| echo "app_name=tv-production" >> $GITHUB_ENV | ||
| echo "storage_account=s189p01tvdbbkppdsa" >> $GITHUB_ENV | ||
| ;; | ||
| *) | ||
| echo "unknown cluster" | ||
| ;; | ||
| esac | ||
| - name: K8 setup | ||
| shell: bash | ||
| run: | | ||
| az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }} | ||
| make bin/konduit.sh | ||
| - name: Setup postgres client | ||
| uses: DFE-Digital/github-actions/install-postgres-client@master | ||
| - name: Set environment variable | ||
| shell: bash | ||
| run: | | ||
| BACKUP_FILE_NAME=tv_${{ inputs.environment }}_$(date +"%F") | ||
| - name: Backup ${{ inputs.environment }} DB | ||
| shell: bash | ||
| run: | | ||
| bin/konduit.sh tv-${{ inputs.environment }} -- pg_dump -E utf8 --clean --if-exists --no-owner --verbose --no-password -f ${BACKUP_FILE_NAME}.sql | ||
| tar -cvzf ${BACKUP_FILE_NAME}.tar.gz ${BACKUP_FILE_NAME}.sql | ||
| - name: Set Connection String | ||
| shell: bash | ||
| run: | | ||
| STORAGE_CONN_STR=$(az storage account show-connection-string -g $STORAGE_ACCOUNT_RG -n $STORAGE_ACCOUNT_NAME --query 'connectionString') | ||
| echo "::add-mask::$STORAGE_CONN_STR" | ||
| echo "STORAGE_CONN_STR=$STORAGE_CONN_STR" >> $GITHUB_ENV | ||
| - name: Upload Backup to Azure Storage | ||
| shell: bash | ||
| run: | | ||
| az storage blob upload --account-name ${{ env.storage_account }} --container-name database-backup \ | ||
| --file ${{ env.BACKUP_FILE_NAME }}.tar.gz --name ${{ env.BACKUP_FILE_NAME }}.tar.gz --overwrite \ | ||
| --account-key '${{ env.STORAGE_CONN_STR }}' | ||
| rm ${BACKUP_FILE_NAME}.tar.gz | ||
| - name: Disk cleanup | ||
| shell: bash | ||
| run: | | ||
| sudo rm -rf /usr/local/lib/android || true | ||
| sudo rm -rf /usr/share/dotnet || true | ||
| sudo rm -rf /opt/ghc || true | ||
| - name: Remove backup file | ||
| shell: bash | ||
| run: | | ||
| rm ${{ env.BACKUP_FILE_NAME }}.sql | ||
| - name: Sanitise the Database backup | ||
| run: | | ||
| echo "::group::Restore backup to intermediate database" | ||
| createdb ${DATABASE_NAME} && psql -f full.sql -d ${DATABASE_NAME} | ||
| echo "::endgroup::" | ||
| echo "::group::Sanitise data" | ||
| psql -d ${DATABASE_NAME} -f db/scripts/sanitise.sql | ||
| echo "::endgroup::" | ||
| echo "::group::Backup Sanitised Database" | ||
| pg_dump --encoding utf8 --clean --no-owner --if-exists -d ${DATABASE_NAME} -f sanitised.sql | ||
| echo "::endgroup::" | ||
| env: | ||
| DATABASE_NAME: teaching-vacancies | ||
| PGUSER: postgres | ||
| PGPASSWORD: postgres | ||
| PGHOST: localhost | ||
| PGPORT: 5432 | ||
| - name: Upload sanitised backup to S3 | ||
| run: bin/upload-db-backup | ||
| env: | ||
| BACKUP_TYPE: sanitised | ||
| - name: Send job status message to twd_tv_dev channel | ||
| if: always() && github.ref == 'refs/heads/main' | ||
| uses: rtCamp/[email protected] | ||
| env: | ||
| SLACK_CHANNEL: twd_tv_dev | ||
| SLACK_USERNAME: CI Deployment | ||
| SLACK_TITLE: Deployment ${{ job.status }} | ||
| SLACK_MESSAGE: 'Backup production database - ${{ job.status }}' | ||
| SLACK_WEBHOOK: ${{env.SLACK_WEBHOOK}} | ||
