Provision production #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Provision environment | |
run-name: Provision ${{ github.event.inputs.environment }} | |
on: | |
workflow_dispatch: | |
inputs: | |
environment: | |
type: choice | |
description: Machine to provision | |
default: qa | |
required: true | |
options: | |
- development | |
- staging | |
- qa | |
- production | |
- backup | |
- jump | |
tag: | |
type: choice | |
description: Select group tag you want to execute | |
default: all | |
options: | |
- all | |
- application | |
- backups | |
- checks | |
- crontab | |
- data-partition | |
- decrypt | |
- deployment | |
- docker | |
- elasticsearch | |
- fail2ban | |
- jump | |
- mongodb | |
- swap | |
- swarm | |
- tools | |
- traefik | |
- ufw | |
- updates | |
- users | |
jobs: | |
get-backup-ssh-key: | |
name: Get backup SSH key | |
uses: ./.github/workflows/get-secret-from-environment.yml | |
with: | |
secret_name: 'SSH_KEY' | |
env_name: 'backup' | |
secrets: | |
gh_token: ${{ secrets.GH_TOKEN }} | |
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }} | |
SSH_KEY: ${{ secrets.SSH_KEY }} | |
get-jump-ssh-key: | |
name: Get jump SSH key | |
uses: ./.github/workflows/get-secret-from-environment.yml | |
with: | |
secret_name: 'SSH_KEY' | |
env_name: 'jump' | |
secrets: | |
gh_token: ${{ secrets.GH_TOKEN }} | |
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }} | |
SSH_KEY: ${{ secrets.SSH_KEY }} | |
get-production-encryption-key: | |
name: Get production backup encryption key | |
if: github.event.inputs.environment == 'staging' | |
uses: ./.github/workflows/get-secret-from-environment.yml | |
with: | |
secret_name: 'BACKUP_ENCRYPTION_PASSPHRASE' | |
env_name: 'production' | |
secrets: | |
gh_token: ${{ secrets.GH_TOKEN }} | |
encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }} | |
BACKUP_ENCRYPTION_PASSPHRASE: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }} | |
provision: | |
name: Provision ${{ github.event.inputs.environment }} | |
environment: ${{ github.event.inputs.environment }} | |
needs: [get-backup-ssh-key, get-production-encryption-key, get-jump-ssh-key] | |
if: always() | |
runs-on: ubuntu-22.04 | |
outputs: | |
outcome: ${{ steps.deploy.outcome }} | |
timeout-minutes: 60 | |
steps: | |
- name: Clone country config resource package | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
path: './${{ github.event.repository.name }}' | |
- name: Insert production encryption key to environment variables | |
if: github.event.inputs.environment == 'staging' && needs.get-production-encryption-key.outputs.environment_exists == 'true' | |
run: | | |
echo "${{ needs.get-production-encryption-key.outputs.secret_value }}" | base64 --decode | \ | |
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_encryption_key | |
BACKUP_RESTORE_ENCRYPTION_PASSPHRASE=$(cat /tmp/backup_encryption_key) | |
echo "backup_restore_encryption_passphrase=$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" >> $GITHUB_ENV | |
echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" | |
- name: Set variables for ansible | |
id: ansible-variables | |
run: | | |
JSON_WITH_NEWLINES=$(cat<<EOF | |
${{ toJSON(env) }} | |
EOF) | |
JSON_WITHOUT_NEWLINES=$(echo $JSON_WITH_NEWLINES | jq -R -c .) | |
echo "EXTRA_VARS=$JSON_WITHOUT_NEWLINES" >> $GITHUB_OUTPUT | |
env: | |
encrypted_disk_size: ${{ vars.DISK_SPACE }} | |
disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }} | |
dockerhub_username: ${{ secrets.DOCKER_USERNAME }} | |
dockerhub_password: ${{ secrets.DOCKER_TOKEN }} | |
mongodb_admin_username: ${{ secrets.MONGODB_ADMIN_USER }} | |
mongodb_admin_password: ${{ secrets.MONGODB_ADMIN_PASSWORD }} | |
backup_encryption_passphrase: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }} | |
elasticsearch_superuser_password: ${{ secrets.ELASTICSEARCH_SUPERUSER_PASSWORD }} | |
# SSH_HOST was moved from a secret to a variable in OpenCRVS 1.5.0 | |
# @todo @deprecated remove the fallback to secrets.SSH_HOST in OpenCRVS 1.7.0 | |
manager_production_server_ip: ${{ vars.SSH_HOST || secrets.SSH_HOST }} | |
ansible_user: ${{ secrets.SSH_USER }} | |
- name: Read known hosts | |
run: | | |
cd ${{ github.event.repository.name }} | |
echo "KNOWN_HOSTS<<EOF" >> $GITHUB_ENV | |
sed -i -e '$a\' ./infrastructure/known-hosts | |
cat ./infrastructure/known-hosts >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
- name: Install SSH Key | |
uses: shimataro/ssh-key-action@v2 | |
with: | |
key: ${{ secrets.SSH_KEY }} | |
known_hosts: ${{ env.KNOWN_HOSTS }} | |
- name: Write backup SSH key to file | |
if: needs.get-backup-ssh-key.outputs.environment_exists == 'true' | |
run: | | |
echo "${{ needs.get-backup-ssh-key.outputs.secret_value }}" | base64 --decode | \ | |
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_ssh_private_key | |
chmod 600 /tmp/backup_ssh_private_key | |
- name: Write jump server SSH key to file | |
if: needs.get-jump-ssh-key.outputs.environment_exists == 'true' | |
run: | | |
echo "${{ needs.get-jump-ssh-key.outputs.secret_value }}" | base64 --decode | \ | |
openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/jump_ssh_private_key | |
chmod 600 /tmp/jump_ssh_private_key | |
- name: Check if backup environment if configured in inventory file | |
if: needs.get-backup-ssh-key.outputs.environment_exists != 'true' | |
run: | | |
FILE=./${{ github.event.repository.name }}/infrastructure/server-setup/inventory/${{ github.event.inputs.environment }}.yml | |
if grep -q '^[[:blank:]]*backups:[[:blank:]]*$' "$FILE"; then | |
echo "Your inventory contains configuration for either a backup target or backup source." | |
echo "If you are upgrading OpenCRVS, please start by running environment creator script for the backup server" | |
echo "" | |
echo "yarn environment:init" | |
echo "" | |
echo "And after that, run this provisioning pipeline again but first to your backup server" | |
echo "After that you can proceed with (re)provisioning your staging and production servers." | |
exit 1 | |
fi | |
- name: Run playbook | |
uses: dawidd6/[email protected] | |
env: | |
ANSIBLE_PERSISTENT_COMMAND_TIMEOUT: 10 | |
ANSIBLE_SSH_TIMEOUT: 10 | |
ANSIBLE_SSH_RETRIES: 5 | |
with: | |
playbook: playbook.yml | |
directory: ${{ github.event.repository.name }}/infrastructure/server-setup | |
options: | | |
--verbose | |
--inventory inventory/${{ github.event.inputs.environment }}.yml | |
${{ inputs.tag != 'all' && format('--tags={0}', inputs.tag) || ''}} | |
--extra-vars ""${{ steps.ansible-variables.outputs.EXTRA_VARS }}"" |