Database backup pipeline.

casey-rapnicki-bixal · casey-rapnicki-bixal · commit b7189369f90d · 2024-12-09T15:46:06.000-05:00
diff --git a/.github/workflows/database-backup.yml b/.github/workflows/database-backup.yml
@@ -0,0 +1,174 @@
+name: Database Backup
+
+on:
+  push:
+    branches:
+      - feature/DIGITAL-178-database-backup
+  workflow_call:
+    secrets:
+      CF_USER:
+        required: true
+      CF_PASSWORD:
+        required: true
+      CF_ORG:
+        required: true
+      PROJECT:
+        required: true
+      DATABASE_BACKUP_BASTION_NAME:
+        required: true
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  backup-database:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    #if: github.ref_protected == true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set env
+        run: |
+          #BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)
+          BRANCH=develop
+          COMPOSER_DEV=1
+          GSA_AUTH_KEY=${{ secrets.GSA_AUTH_DEVELOPMENT_KEY }}
+          case ${BRANCH} in
+            develop)
+              CF_SPACE="dev"
+              DRUPAL_MEMORY=${{ vars.DEVELOP_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.DEVELOP_INSTANCES }}
+              ;;
+            main)
+              CF_SPACE="prod"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.MAIN_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.MAIN_INSTANCES }}
+              GSA_AUTH_KEY=${{ secrets.GSA_AUTH_PRODUCTION_KEY }}
+              ;;
+            stage)
+              CF_SPACE="staging"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.STAGE_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.STAGE_INSTANCES }}
+              ;;
+          esac
+
+          echo "APP_NAME=drupal" | tee -a $GITHUB_ENV
+          echo "BRANCH=${BRANCH}" | tee -a $GITHUB_ENV
+          echo "BUILDPACK_PORT=${{ vars.BUILDPACK_PORT }}" | tee -a $GITHUB_ENV
+          echo "CF_SPACE=${CF_SPACE}" | tee -a $GITHUB_ENV
+          echo "COMPOSER_DEV=${COMPOSER_DEV}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_INSTANCES=${DRUPAL_INSTANCES}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_MEMORY=${DRUPAL_MEMORY}" | tee -a $GITHUB_ENV
+          echo "GSA_AUTH_KEY=${GSA_AUTH_KEY}" | tee -a $GITHUB_ENV
+          echo "HASH_SALT=${{ secrets.HASH_SALT }}" | tee -a $GITHUB_ENV
+          echo "WAF_NAME=waf"| tee -a $GITHUB_ENV
+
+          if [ "${COMPOSER_DEV}" = "1" ]; then
+            sed -i 's/--no-dev //' .bp-config/options.json || exit 0
+          fi
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+      - name: Install AWSCLI
+        run: ./scripts/pipeline/deb-awscli.sh
+      - name: Install MySQL Client
+        run: ./scripts/pipeline/deb-mysql-client-install.sh
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
+      - name: Start Bastion
+        env:
+          DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: |
+          cf start "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}" >/dev/null 2>&1
+          ./scripts/pipeline/cloud-gov-wait-for-app-start.sh "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}"
+      - name: Backup Database (dev)
+        id: backup
+        shell: bash
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+          DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
+        run: |
+          export TIMESTAMP=$(date --utc +%FT%TZ | tr ':', '-')
+          source ./scripts/pipeline/database-backup.sh
+          source ./scripts/pipeline/s3-backup-upload.sh
+  stopBastion:
+    name: Stop Bastion
+    runs-on: ubuntu-latest
+    needs: backup-database
+    #if: github.ref_protected == true && ${{ always() }}
+    if: ${{ always() }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set env
+        run: |
+          #BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)
+          BRANCH=develop
+          COMPOSER_DEV=1
+          GSA_AUTH_KEY=${{ secrets.GSA_AUTH_DEVELOPMENT_KEY }}
+          case ${BRANCH} in
+            develop)
+              CF_SPACE="dev"
+              DRUPAL_MEMORY=${{ vars.DEVELOP_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.DEVELOP_INSTANCES }}
+              ;;
+            main)
+              CF_SPACE="prod"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.MAIN_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.MAIN_INSTANCES }}
+              GSA_AUTH_KEY=${{ secrets.GSA_AUTH_PRODUCTION_KEY }}
+              ;;
+            stage)
+              CF_SPACE="staging"
+              COMPOSER_DEV=0
+              DRUPAL_MEMORY=${{ vars.STAGE_CMS_MEMORY }}
+              DRUPAL_INSTANCES=${{ vars.STAGE_INSTANCES }}
+              ;;
+          esac
+
+          echo "APP_NAME=drupal" | tee -a $GITHUB_ENV
+          echo "BRANCH=${BRANCH}" | tee -a $GITHUB_ENV
+          echo "BUILDPACK_PORT=${{ vars.BUILDPACK_PORT }}" | tee -a $GITHUB_ENV
+          echo "CF_SPACE=${CF_SPACE}" | tee -a $GITHUB_ENV
+          echo "COMPOSER_DEV=${COMPOSER_DEV}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_INSTANCES=${DRUPAL_INSTANCES}" | tee -a $GITHUB_ENV
+          echo "DRUPAL_MEMORY=${DRUPAL_MEMORY}" | tee -a $GITHUB_ENV
+          echo "GSA_AUTH_KEY=${GSA_AUTH_KEY}" | tee -a $GITHUB_ENV
+          echo "HASH_SALT=${{ secrets.HASH_SALT }}" | tee -a $GITHUB_ENV
+          echo "WAF_NAME=waf"| tee -a $GITHUB_ENV
+
+          if [ "${COMPOSER_DEV}" = "1" ]; then
+            sed -i 's/--no-dev //' .bp-config/options.json || exit 0
+          fi
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
+      - name: Stop Bastion
+        env:
+          PROJECT: "${{ secrets.PROJECT }}"
+          DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
+        run: |
+          cf stop "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}" >/dev/null 2>&1
diff --git a/scripts/pipeline/database-backup.sh b/scripts/pipeline/database-backup.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+
+kill_pids() {
+  app=$1
+  ids=$(ps aux | grep "${app}" | grep -v grep | awk '{print $2}')
+  for id in ${ids}; do
+    disown "${id}"
+    kill -9 "${id}" >/dev/null 2>&1
+  done
+}
+
+## Wait for the tunnel to finish connecting.
+wait_for_tunnel() {
+  while : ; do
+    [ -n "$(grep 'Press Control-C to stop.' backup.txt)" ] && break
+    echo "Waiting for tunnel..."
+    sleep 1
+  done
+}
+
+date
+
+## Create a tunnel through the application to pull the database.
+echo "Creating tunnel to database..."
+#cf enable-ssh "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}"
+#cf restart --strategy rolling "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}"
+cf connect-to-service --no-client "${PROJECT}-${DATABASE_BACKUP_BASTION_NAME}-${CF_SPACE}" "${PROJECT}-mysql-${CF_SPACE}" > backup.txt &
+
+wait_for_tunnel
+
+date
+
+## Create variables and credential file for MySQL login.
+echo "Backing up '${CF_SPACE}' database..."
+{
+  host=$(cat backup.txt | grep -i host | awk '{print $2}')
+  port=$(cat backup.txt | grep -i port | awk '{print $2}')
+  username=$(cat backup.txt | grep -i username | awk '{print $2}')
+  password=$(cat backup.txt | grep -i password | awk '{print $2}')
+  dbname=$(cat backup.txt | grep -i '^name' | awk '{print $2}')
+
+  mkdir ~/.mysql && chmod 0700 ~/.mysql
+
+  echo "[mysqldump]" > ~/.mysql/mysqldump.cnf
+  echo "user=${username}" >> ~/.mysql/mysqldump.cnf
+  echo "password=${password}" >> ~/.mysql/mysqldump.cnf
+  chmod 400 ~/.mysql/mysqldump.cnf
+
+  ## Exclude tables without data
+  declare -a excluded_tables=(
+    "cache_access_policy"
+    "cache_bootstrap"
+    "cache_config"
+    "cache_container"
+    "cache_default"
+    "cache_discovery"
+    "cache_dynamic_page_cache"
+    "cache_entity"
+    "cache_menu"
+    "cache_page"
+    "cache_render"
+    "cache_tome_static"
+    "cache_toolbar"
+    "sessions"
+    "watchdog"
+  )
+
+  ignored_tables_string=''
+  for table in "${excluded_tables[@]}"
+  do
+    ignored_tables_string+=" --ignore-table=${dbname}.${table}"
+  done
+} >/dev/null 2>&1
+
+echo "Dumping structure..."
+{
+  ## Dump structure
+  mysqldump \
+    --defaults-extra-file=~/.mysql/mysqldump.cnf \
+    --host="${host}" \
+    --port="${port}" \
+    --protocol=TCP \
+    --no-data \
+    "${dbname}" > "backup_${CF_SPACE}.sql"
+} >/dev/null 2>&1
+
+echo "Dumping content..."
+{
+  ## Dump content
+  mysqldump \
+    --defaults-extra-file=~/.mysql/mysqldump.cnf \
+    --host="${host}" \
+    --port="${port}" \
+    --protocol=TCP \
+    --no-create-info \
+    --skip-triggers \
+    ${ignored_tables_string} \
+    "${dbname}" >> "backup_${CF_SPACE}.sql"
+
+  ## Patch out any MySQL 'SET' commands that require admin.
+  sed -i 's/^SET /-- &/' "backup_${CF_SPACE}.sql"
+} >/dev/null 2>&1
+
+date
+
+## Kill the backgrounded SSH tunnel.
+echo "Cleaning up old connections..."
+{
+  kill_pids "connect-to-service"
+}
+
+## Disable ssh.
+#echo "Disabling ssh..."
+#cf disable-ssh "${PROJECT}-drupal-${CF_SPACE}"
+
+rm -rf backup.txt ~/.mysql
+
+echo "Compressing '${CF_SPACE}' database..."
+{
+  mv "backup_${BRANCH}.sql" "${TIMESTAMP}.sql"
+  gzip "${TIMESTAMP}.sql"
+} &> /dev/null
+
+echo "Creating S3 credentials..."
+{
+  cf target -s "${PROJECT}-${CF_SPACE}" >/dev/null 2>&1
+
+  export service="${PROJECT}-backup-${CF_SPACE}"
+  export service_key="${service}-key"
+  cf delete-service-key "${service}" "${service_key}" -f >/dev/null 2>&1
+  cf create-service-key "${service}" "${service_key}" >/dev/null 2>&1
+  sleep 2
+
+  s3_credentials=$(cf service-key "${service}" "${service_key}" | tail -n +2)
+  export s3_credentials
+  
+  AWS_ACCESS_KEY_ID=$(echo "${s3_credentials}" | jq -r '.credentials.access_key_id')
+  export AWS_ACCESS_KEY_ID
+
+  bucket=$(echo "${s3_credentials}" | jq -r '.credentials.bucket')
+  export bucket
+
+  AWS_DEFAULT_REGION=$(echo "${s3_credentials}" | jq -r '.credentials.region')
+  export AWS_DEFAULT_REGION
+
+  AWS_SECRET_ACCESS_KEY=$(echo "${s3_credentials}" | jq -r '.credentials.secret_access_key')
+  export AWS_SECRET_ACCESS_KEY
+} >/dev/null 2>&1
+
+echo "Saving to backup bucket..."
+{
+  # copy latest database to top level
+  #gzip "backup_${CF_SPACE}.sql"
+  #aws s3 cp "./backup_${CF_SPACE}.sql.gz" "s3://${bucket}/${CF_SPACE}/latest.sql.gz"  --no-verify-ssl >/dev/null 2>&1 && echo "Successfully copied latest.sql.gz to S3!" || echo "Failed to copy latest.sql.gz to S3!"
+  aws s3 cp "${TIMESTAMP}.sql.gz" "s3://${bucket}/$(date +%Y)/$(date +%m)/$(date +%d)/" --no-verify-ssl 2>/dev/null
+  aws s3 cp "${TIMESTAMP}.sql.gz" "s3://${bucket}/latest.sql.gz" --no-verify-ssl 2>/dev/null
+} >/dev/null 2>&1
+
+echo "Cleaning up credentials..."
+{
+  cf delete-service-key "${service}" "${service_key}" -f >/dev/null 2>&1
+} >/dev/null 2>&1
+
+date
diff --git a/scripts/pipeline/deb-cf-install.sh b/scripts/pipeline/deb-cf-install.sh
@@ -14,4 +14,7 @@ echo "Installing CloudFoundry repository..."
   else
     mv cf cf8 /usr/local/bin
   fi
+
+  cf install-plugin -f https://github.com/cloud-gov/cf-service-connect/releases/download/v1.1.4/cf-service-connect_linux_amd64
+  
 } >/dev/null 2>&1
diff --git a/scripts/pipeline/github-exports.sh b/scripts/pipeline/github-exports.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#BRANCH=$(echo $GITHUB_REF | cut -d'/' -f 3)
+BRANCH=develop
+COMPOSER_DEV=1
+GSA_AUTH_KEY=${{ secrets.GSA_AUTH_DEVELOPMENT_KEY }}
+case ${BRANCH} in
+  develop)
+    CF_SPACE="dev"
+    DRUPAL_MEMORY=${{ vars.DEVELOP_CMS_MEMORY }}
+    DRUPAL_INSTANCES=${{ vars.DEVELOP_INSTANCES }}
+    ;;
+  main)
+    CF_SPACE="prod"
+    COMPOSER_DEV=0
+    DRUPAL_MEMORY=${{ vars.MAIN_CMS_MEMORY }}
+    DRUPAL_INSTANCES=${{ vars.MAIN_INSTANCES }}
+    GSA_AUTH_KEY=${{ secrets.GSA_AUTH_PRODUCTION_KEY }}
+    ;;
+  stage)
+    CF_SPACE="staging"
+    COMPOSER_DEV=0
+    DRUPAL_MEMORY=${{ vars.STAGE_CMS_MEMORY }}
+    DRUPAL_INSTANCES=${{ vars.STAGE_INSTANCES }}
+    ;;
+esac
+
+echo "APP_NAME=drupal" | tee -a $GITHUB_ENV
+echo "BRANCH=${BRANCH}" | tee -a $GITHUB_ENV
+echo "BUILDPACK_PORT=${{ vars.BUILDPACK_PORT }}" | tee -a $GITHUB_ENV
+echo "CF_SPACE=${CF_SPACE}" | tee -a $GITHUB_ENV
+echo "COMPOSER_DEV=${COMPOSER_DEV}" | tee -a $GITHUB_ENV
+echo "DRUPAL_INSTANCES=${DRUPAL_INSTANCES}" | tee -a $GITHUB_ENV
+echo "DRUPAL_MEMORY=${DRUPAL_MEMORY}" | tee -a $GITHUB_ENV
+echo "GSA_AUTH_KEY=${GSA_AUTH_KEY}" | tee -a $GITHUB_ENV
+echo "HASH_SALT=${{ secrets.HASH_SALT }}" | tee -a $GITHUB_ENV
+echo "WAF_NAME=waf"| tee -a $GITHUB_ENV
+
+if [ "${COMPOSER_DEV}" = "1" ]; then
+  sed -i 's/--no-dev //' .bp-config/options.json || exit 0
+fi
