365 enable daily database refresh from paas to aks

.github/workflows/build-and-deploy.yml

@@ -109,7 +109,7 @@ jobs:
       - uses: ./.github/workflows/actions/smoke-test-v2
         id: smoke-test
         with:
-          environment: development
+          environment: development_aks
           azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
   deploy_nonprod:

.github/workflows/restore-paas-db-to-aks.yml

@@ -0,0 +1,138 @@
+name: Backup and restore Postgres DB from PAAS to AKS
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - dev
+
+env:
+  BACKUP_ARTIFACT_NAME: dev-backup
+
+jobs:
+  backup:
+    name: Backup from PAAS
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    outputs:
+      ENVIRONMENT_NAME: ${{ env.ENVIRONMENT_NAME }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: Azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - uses: DFE-Digital/github-actions/install-postgres-client@master
+
+      - name: Set environment variables
+        shell: bash
+        run: |
+          tf_vars_file=terraform/paas/workspace_variables/${{ inputs.environment }}.tfvars.json
+          echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
+          echo "PAAS_SPACE=$(jq -r '.paas_space' ${tf_vars_file})" >> $GITHUB_ENV
+
+      - name: Retrieve Cloudfoundry credentials from KV
+        uses: azure/CLI@v1
+        id: fetch-cf-creds
+        with:
+          inlineScript: |
+            SECRET_VALUE=$(az keyvault secret show --name "PAAS-USER" --vault-name "${{ env.KEY_VAULT_NAME}}" --query "value" -o tsv)
+            echo "::add-mask::$SECRET_VALUE"
+            echo "PAAS-USER=$SECRET_VALUE" >> $GITHUB_OUTPUT
+
+            SECRET_VALUE=$(az keyvault secret show --name "PAAS-PASSWORD" --vault-name "${{ env.KEY_VAULT_NAME}}" --query "value" -o tsv)
+            echo "::add-mask::$SECRET_VALUE"
+            echo "PAAS-PASSWORD=$SECRET_VALUE" >> $GITHUB_OUTPUT
+
+      - uses: DFE-Digital/github-actions/setup-cf-cli@master
+        with:
+          CF_USERNAME: ${{ steps.fetch-cf-creds.outputs.PAAS-USER }}
+          CF_PASSWORD: ${{ steps.fetch-cf-creds.outputs.PAAS-PASSWORD }}
+          CF_SPACE_NAME: ${{ env.PAAS_SPACE }}
+          INSTALL_CONDUIT: true
+
+      - name: Backup database
+        run: |
+          cf conduit find-a-lost-trn-${{ inputs.environment }}-pg-svc -- pg_dump -E utf8 --clean --compress=1 --if-exists --no-owner --no-privileges --verbose -f backup.sql.gz
+
+      - name: Upload backup
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ env.BACKUP_ARTIFACT_NAME }}
+          path: backup.sql.gz
+          retention-days: 1
+
+      - run: |
+          case "${ENVIRONMENT_NAME}" in
+          dev)
+            echo "ENVIRONMENT_NAME=development_aks" >> $GITHUB_ENV
+            ;;
+          *)
+            echo "unknown cluster"
+            ;;
+          esac
+
+  restore:
+    name: Restore to AKS
+    runs-on: ubuntu-latest
+    needs: backup
+
+    environment: ${{ needs.backup.outputs.ENVIRONMENT_NAME }}
+
+    env:
+      ENVIRONMENT_NAME: ${{ needs.backup.outputs.ENVIRONMENT_NAME }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: Azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Set environment variables
+        shell: bash
+        run: |
+          tf_vars_file=terraform/aks/workspace_variables/${{ env.ENVIRONMENT_NAME }}.tfvars.json
+
+      - run: |
+          test_cluster_rg=s189t01-tsc-ts-rg
+          test_cluster_name=s189t01-tsc-test-aks
+
+          case "${ENVIRONMENT_NAME}" in
+          development_aks)
+            echo "cluster_rg=$test_cluster_rg" >> $GITHUB_ENV
+            echo "cluster_name=$test_cluster_name" >> $GITHUB_ENV
+            echo "app_name=find-a-lost-trn-development" >> $GITHUB_ENV
+            ;;
+          *)
+            echo "unknown cluster"
+            ;;
+          esac
+
+      - uses: azure/setup-kubectl@v3
+
+      - run: |
+          az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+          make bin/konduit.sh
+
+      - name: Download backup
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ env.BACKUP_ARTIFACT_NAME }}
+
+      - name: Restore database
+        run: bin/konduit.sh -i backup.sql.gz -c ${{ env.app_name }} -- psql
+
+      - name: Remove PaaS event triggers
+        shell: bash
+        run: |
+          bin/konduit.sh ${{ env.app_name }} -- psql -c 'drop event trigger forbid_ddl_reader; drop event trigger make_readable; drop event trigger reassign_owned;'
+
+      - uses: geekyeggo/delete-artifact@v2
+        with:
+          name: ${{ env.BACKUP_ARTIFACT_NAME }}

.gitignore

@@ -72,6 +72,7 @@ terraform/*token*
 terraform/*/vendor
 terraform/*/.terraform
 bin/terrafile
+bin/konduit.sh
 
 # Local .terraform directories
 **/.terraform/*

Makefile

@@ -92,6 +92,10 @@ ci:	## Run in automation environment
 	$(eval AUTO_APPROVE=-auto-approve)
 	$(eval SP_AUTH=true)
 
+bin/konduit.sh:
+	curl -s https://raw.githubusercontent.com/DFE-Digital/teacher-services-cloud/main/scripts/konduit.sh -o bin/konduit.sh \
+		&& chmod +x bin/konduit.sh
+
 bin/terrafile: ## Install terrafile to manage terraform modules
 	curl -sL https://github.com/coretech/terrafile/releases/download/v${TERRAFILE_VERSION}/terrafile_${TERRAFILE_VERSION}_$$(uname)_x86_64.tar.gz \
 		| tar xz -C ./bin terrafile