Skip to content

Provision production #6

Provision production

Provision production #6

Workflow file for this run

name: Provision environment
run-name: Provision ${{ github.event.inputs.environment }}
on:
workflow_dispatch:
inputs:
environment:
type: choice
description: Machine to provision
default: qa
required: true
options:
- development
- staging
- qa
- production
- backup
- jump
tag:
type: choice
description: Select group tag you want to execute
default: all
options:
- all
- application
- backups
- checks
- crontab
- data-partition
- decrypt
- deployment
- docker
- elasticsearch
- fail2ban
- jump
- mongodb
- swap
- swarm
- tools
- traefik
- ufw
- updates
- users
jobs:
get-backup-ssh-key:
name: Get backup SSH key
uses: ./.github/workflows/get-secret-from-environment.yml
with:
secret_name: 'SSH_KEY'
env_name: 'backup'
secrets:
gh_token: ${{ secrets.GH_TOKEN }}
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
SSH_KEY: ${{ secrets.SSH_KEY }}
get-jump-ssh-key:
name: Get jump SSH key
uses: ./.github/workflows/get-secret-from-environment.yml
with:
secret_name: 'SSH_KEY'
env_name: 'jump'
secrets:
gh_token: ${{ secrets.GH_TOKEN }}
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
SSH_KEY: ${{ secrets.SSH_KEY }}
get-production-encryption-key:
name: Get production backup encryption key
if: github.event.inputs.environment == 'staging'
uses: ./.github/workflows/get-secret-from-environment.yml
with:
secret_name: 'BACKUP_ENCRYPTION_PASSPHRASE'
env_name: 'production'
secrets:
gh_token: ${{ secrets.GH_TOKEN }}
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
BACKUP_ENCRYPTION_PASSPHRASE: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
provision:
name: Provision ${{ github.event.inputs.environment }}
environment: ${{ github.event.inputs.environment }}
needs: [get-backup-ssh-key, get-production-encryption-key, get-jump-ssh-key]
if: always()
runs-on: ubuntu-22.04
outputs:
outcome: ${{ steps.deploy.outcome }}
timeout-minutes: 60
steps:
- name: Clone country config resource package
uses: actions/checkout@v3
with:
fetch-depth: 0
path: './${{ github.event.repository.name }}'
- name: Insert production encryption key to environment variables
if: github.event.inputs.environment == 'staging' && needs.get-production-encryption-key.outputs.environment_exists == 'true'
run: |
echo "${{ needs.get-production-encryption-key.outputs.secret_value }}" | base64 --decode | \
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_encryption_key
BACKUP_RESTORE_ENCRYPTION_PASSPHRASE=$(cat /tmp/backup_encryption_key)
echo "backup_restore_encryption_passphrase=$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" >> $GITHUB_ENV
echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE"
- name: Set variables for ansible
id: ansible-variables
run: |
JSON_WITH_NEWLINES=$(cat<<EOF
${{ toJSON(env) }}
EOF)
JSON_WITHOUT_NEWLINES=$(echo $JSON_WITH_NEWLINES | jq -R -c .)
echo "EXTRA_VARS=$JSON_WITHOUT_NEWLINES" >> $GITHUB_OUTPUT
env:
encrypted_disk_size: ${{ vars.DISK_SPACE }}
disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }}
dockerhub_username: ${{ secrets.DOCKER_USERNAME }}
dockerhub_password: ${{ secrets.DOCKER_TOKEN }}
mongodb_admin_username: ${{ secrets.MONGODB_ADMIN_USER }}
mongodb_admin_password: ${{ secrets.MONGODB_ADMIN_PASSWORD }}
backup_encryption_passphrase: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
elasticsearch_superuser_password: ${{ secrets.ELASTICSEARCH_SUPERUSER_PASSWORD }}
# SSH_HOST was moved from a secret to a variable in OpenCRVS 1.5.0
# @todo @deprecated remove the fallback to secrets.SSH_HOST in OpenCRVS 1.7.0
manager_production_server_ip: ${{ vars.SSH_HOST || secrets.SSH_HOST }}
ansible_user: ${{ secrets.SSH_USER }}
- name: Read known hosts
run: |
cd ${{ github.event.repository.name }}
echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV
sed -i -e '$a\' ./infrastructure/known-hosts
cat ./infrastructure/known-hosts >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Install SSH Key
uses: shimataro/ssh-key-action@v2
with:
key: ${{ secrets.SSH_KEY }}
known_hosts: ${{ env.KNOWN_HOSTS }}
- name: Write backup SSH key to file
if: needs.get-backup-ssh-key.outputs.environment_exists == 'true'
run: |
echo "${{ needs.get-backup-ssh-key.outputs.secret_value }}" | base64 --decode | \
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_ssh_private_key
chmod 600 /tmp/backup_ssh_private_key
- name: Write jump server SSH key to file
if: needs.get-jump-ssh-key.outputs.environment_exists == 'true'
run: |
echo "${{ needs.get-jump-ssh-key.outputs.secret_value }}" | base64 --decode | \
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/jump_ssh_private_key
chmod 600 /tmp/jump_ssh_private_key
- name: Check if backup environment if configured in inventory file
if: needs.get-backup-ssh-key.outputs.environment_exists != 'true'
run: |
FILE=./${{ github.event.repository.name }}/infrastructure/server-setup/inventory/${{ github.event.inputs.environment }}.yml
if grep -q '^[[:blank:]]*backups:[[:blank:]]*$' "$FILE"; then
echo "Your inventory contains configuration for either a backup target or backup source."
echo "If you are upgrading OpenCRVS, please start by running environment creator script for the backup server"
echo ""
echo "yarn environment:init"
echo ""
echo "And after that, run this provisioning pipeline again but first to your backup server"
echo "After that you can proceed with (re)provisioning your staging and production servers."
exit 1
fi
- name: Run playbook
uses: dawidd6/[email protected]
env:
ANSIBLE_PERSISTENT_COMMAND_TIMEOUT: 10
ANSIBLE_SSH_TIMEOUT: 10
ANSIBLE_SSH_RETRIES: 5
with:
playbook: playbook.yml
directory: ${{ github.event.repository.name }}/infrastructure/server-setup
options: |
--verbose
--inventory inventory/${{ github.event.inputs.environment }}.yml
${{ inputs.tag != 'all' && format('--tags={0}', inputs.tag) || ''}}
--extra-vars ""${{ steps.ansible-variables.outputs.EXTRA_VARS }}""