feat: allow qa environment to use prod database contents (#1153)

jcpitre · web-flow · commit 369c0040a760 · 2025-04-30T23:40:41.000-04:00
diff --git a/.github/workflows/duplicate-prod-db.yml b/.github/workflows/duplicate-prod-db.yml
@@ -0,0 +1,99 @@
+name: Copy PROD DB to QA
+on:
+  workflow_dispatch:  # Supports manual deployment
+    inputs:
+      dest_database_name:
+        description: 'The name of the destination database (using MobilityDatabase will overwrite the current QA DB)'
+        required: false
+        default: 'MobilityDatabaseProdDuplicate'
+      backup_db:
+        description: 'Backup the current QA DB before importing the dump'
+        required: false
+        default: 'true'
+
+jobs:
+  run-script:
+    runs-on: ubuntu-latest
+    env:
+      SOURCE_PROJECT_ID: ${{ vars.PROD_MOBILITY_FEEDS_PROJECT_ID }}
+      DEST_PROJECT_ID: ${{ vars.QA_MOBILITY_FEEDS_PROJECT_ID }}
+      DUMP_BUCKET_NAME: "mobilitydata-database-dump-qa"
+      BUCKET_PROJECT_ID: ${{ vars.QA_MOBILITY_FEEDS_PROJECT_ID }}
+      GCP_REGION: ${{ vars.MOBILITY_FEEDS_REGION }}
+      DB_INSTANCE_NAME: ${{ secrets.DB_INSTANCE_NAME }}
+      DEST_DATABASE_PASSWORD: ${{ secrets.QA_POSTGRE_USER_PASSWORD }}
+      DUMP_FILE_NAME: "prod-db-dump.sql"
+      SOURCE_DATABASE_NAME: ${{ vars.PROD_POSTGRE_SQL_DB_NAME }}
+      DEST_DATABASE_NAME: ${{ inputs.dest_database_name || 'MobilityDatabaseProdDuplicate' }}
+      DEST_DATABASE_USER: ${{ secrets.QA_POSTGRE_USER_NAME }}
+      DEST_DATABASE_IMPORT_USER: ${{ secrets.PROD_POSTGRE_USER_NAME }}
+      GCP_FEED_BASTION_SSH_KEY: ${{ secrets.GCP_FEED_BASTION_SSH_KEY }}
+      BACKUP_DB: ${{ inputs.backup_db || 'true' }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Authenticate to Google Cloud PROD project
+        id: gcloud_auth_prod
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.PROD_GCP_MOBILITY_FEEDS_SA_KEY }}
+
+      - name: GCloud Setup PROD
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Get PROD SQL service account
+        run: |
+          SERVICE_ACCOUNT=$(gcloud sql instances describe "mobilitydata-database-instance" --project=$SOURCE_PROJECT_ID --format="value(serviceAccountEmailAddress)")
+          echo "SOURCE_SQL_SERVICE_ACCOUNT=$SERVICE_ACCOUNT" >> $GITHUB_ENV
+          echo "Destination SQL Service Account: $SERVICE_ACCOUNT"
+
+      - name: Authenticate to Google Cloud QA project
+        id: gcloud_auth_qa
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.QA_GCP_MOBILITY_FEEDS_SA_KEY }}
+
+      - name: GCloud Setup QA
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Create DB dump bucket and give permissions
+        run: bash scripts/duplicate-prod-db/create-dump-bucket.sh
+
+      - name: Authenticate to Google Cloud PROD project Again
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.PROD_GCP_MOBILITY_FEEDS_SA_KEY }}
+
+      - name: GCloud Setup PROD again
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Dump the PROD DB
+        run: |
+          gcloud sql export sql $DB_INSTANCE_NAME gs://$DUMP_BUCKET_NAME/$DUMP_FILE_NAME --database=$SOURCE_DATABASE_NAME --quiet
+
+      - name: Authenticate to Google Cloud QA project Again
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.QA_GCP_MOBILITY_FEEDS_SA_KEY }}
+
+      - name: GCloud Setup QA Again
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: QA backup and import dump into the QA DB
+        run: bash scripts/duplicate-prod-db/copy-prod-db-to-qa.sh
+
+      - name: Load secrets from 1Password
+        uses: 1password/load-secrets-action@v2.0.0
+        with:
+          export-env: true # Export loaded secrets as environment variables
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          GCP_FEED_SSH_USER: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_SSH_USER/username"
+          GCP_FEED_BASTION_NAME: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_BASTION_NAME/username"
+          GCP_FEED_BASTION_SSH_KEY: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_BASTION_SSH_KEY/private key"
+
+      - name: Tunnel and run SQL scripts on imported database
+        run: bash scripts/duplicate-prod-db/post-import.sh
+
diff --git a/scripts/duplicate-prod-db/copy-prod-db-to-qa.sh b/scripts/duplicate-prod-db/copy-prod-db-to-qa.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# This script is used by the duplicate-prod-db.yml workflow.
+# It exports the PROD DB to a bucket, then imports it to the QA DB.
+# It also makes a backup of the QA DB.
+
+# Validate required environment variables
+REQUIRED_VARS=(
+  "DB_INSTANCE_NAME"
+  "DUMP_BUCKET_NAME"
+  "SOURCE_DATABASE_NAME"
+  "DEST_DATABASE_NAME"
+  "DEST_DATABASE_PASSWORD"
+  "DEST_DATABASE_IMPORT_USER"
+  "DUMP_FILE_NAME"
+  "BACKUP_DB"
+
+)
+
+for VAR in "${REQUIRED_VARS[@]}"; do
+  if [ -z "${!VAR}" ]; then
+    echo "Error: Environment variable $VAR is not set."
+    exit 1
+  fi
+done
+
+if [ "$BACKUP_DB" == "true" ]; then
+  echo "Dump the QA database as a backup"
+  # According to chatgpt,
+  # This is Google's recommended, safe method and doesn’t require direct access to the DB. It runs the export
+  # in a way that avoids locking the database and works from GCP itself (so no traffic leaves GCP).
+  gcloud sql export sql $DB_INSTANCE_NAME gs://$DUMP_BUCKET_NAME/qa-db-dump-backup.sql --database=$SOURCE_DATABASE_NAME --quiet
+else
+  echo "Skipping backup of the QA database as it was not requested"
+fi
+
+echo "Deleting the existing $DEST_DATABASE_NAME database"
+gcloud sql databases delete $DEST_DATABASE_NAME --instance=$DB_INSTANCE_NAME --quiet
+
+echo "Recreating the $DEST_DATABASE_NAME database"
+gcloud sql databases create $DEST_DATABASE_NAME --instance=$DB_INSTANCE_NAME
+
+echo "Importing the dump into the QA database"
+# The exported sql contains statements that require authentication as user postgres.
+# In theory we could dump the DB without these statements, with:
+# pg_dump --no-owner --no-privileges -d your_database > clean_dump.sql.
+
+# The dumped DB refers to the PROD database user (data_feeds_user), so we need to be this user when importing.
+export PGPASSWORD=$DEST_DATABASE_PASSWORD
+gcloud sql import sql $DB_INSTANCE_NAME gs://$DUMP_BUCKET_NAME/$DUMP_FILE_NAME --database=$DEST_DATABASE_NAME --user=$DEST_DATABASE_IMPORT_USER --quiet
+
+echo "Deleting the dump file from the bucket"
+gsutil rm gs://$DUMP_BUCKET_NAME/$DUMP_FILE_NAME
diff --git a/scripts/duplicate-prod-db/create-dump-bucket.sh b/scripts/duplicate-prod-db/create-dump-bucket.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# This script is used by the duplicate-prod-db.yml workflow.
+# It creates a bucket to house the dump of the production database.
+# It also gives permission to the dump bucket so the SQL instances in PROD and QA can use it.
+
+# Validate required environment variables
+REQUIRED_VARS=(
+  "DEST_PROJECT_ID"
+  "DUMP_BUCKET_NAME"
+  "GCP_REGION"
+  "BUCKET_PROJECT_ID"
+  "SOURCE_SQL_SERVICE_ACCOUNT"
+  "DB_INSTANCE_NAME"
+)
+
+for VAR in "${REQUIRED_VARS[@]}"; do
+  if [ -z "${!VAR}" ]; then
+    echo "Error: Environment variable $VAR is not set."
+    exit 1
+  fi
+done
+
+BUCKET_PROJECT_ID=$DEST_PROJECT_ID
+
+echo "Checking if bucket exists..."
+if ! gsutil ls -b "gs://${DUMP_BUCKET_NAME}" &> /dev/null; then
+  echo "Bucket doesn't exist. Creating..."
+  gsutil mb -l $GCP_REGION -p $BUCKET_PROJECT_ID "gs://${DUMP_BUCKET_NAME}"
+else
+  echo "Bucket already exists."
+fi
+
+echo "Giving permission for the source sql instance to read-write to the bucket"
+gsutil iam ch serviceAccount:$SOURCE_SQL_SERVICE_ACCOUNT:objectAdmin gs://$DUMP_BUCKET_NAME
+
+echo "Getting the service account for the QA DB to give permission to the bucket"
+DEST_SQL_SERVICE_ACCOUNT=$(gcloud sql instances describe $DB_INSTANCE_NAME --format="value(serviceAccountEmailAddress)")
+echo "Destination SQL Service Account: $DEST_SQL_SERVICE_ACCOUNT"
+
+echo "Giving permission for the dest sql instance to read-write to the bucket"
+gsutil iam ch serviceAccount:$DEST_SQL_SERVICE_ACCOUNT:objectAdmin gs://$DUMP_BUCKET_NAME
diff --git a/scripts/duplicate-prod-db/post-import.sh b/scripts/duplicate-prod-db/post-import.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This script is used by the duplicate-prod-db.yml workflow.
+# It execute some SQL scripts on the imported DBL
+#   - Give permission to the tables to the postgres user.
+#   - Modify the email addresses in the DB so we can't accidentally email real people.
+
+REQUIRED_VARS=(
+  "GCP_FEED_BASTION_SSH_KEY"
+  "DEST_PROJECT_ID"
+  "GCP_REGION"
+  "GCP_FEED_BASTION_NAME"
+  "GCP_FEED_SSH_USER"
+  "DB_INSTANCE_NAME"
+  "DEST_DATABASE_PASSWORD"
+  "DEST_DATABASE_IMPORT_USER"
+  "DEST_DATABASE_NAME"
+)
+echo "Tunelling"
+mkdir -p ~/.ssh
+echo "$GCP_FEED_BASTION_SSH_KEY" > ~/.ssh/id_rsa
+chmod 600 ~/.ssh/id_rsa
+./scripts/tunnel-create.sh -project_id $DEST_PROJECT_ID -zone ${GCP_REGION}-a -instance ${GCP_FEED_BASTION_NAME}-qa -target_account ${GCP_FEED_SSH_USER} -db_instance ${DB_INSTANCE_NAME} -port 5454
+sleep 10 # Wait for the tunnel to establish
+
+echo "Giving new role to postgres user"
+export PGPASSWORD=$DEST_DATABASE_PASSWORD
+psql -h localhost -p 5454 -U $DEST_DATABASE_IMPORT_USER -d $DEST_DATABASE_NAME -c "GRANT data_feeds_user TO postgres;"
+
+echo "Redirecting email addresses to mobilitydata.org"
+cat <<'EOF' | psql -h localhost -p 5454 -U postgres -d $DEST_DATABASE_NAME
+  UPDATE feed
+  SET feed_contact_email = REPLACE(feed_contact_email, '@', '_at_') || '@mobilitydata.org'
+  WHERE feed_contact_email IS NOT NULL
+    AND TRIM(feed_contact_email) <> '';
+EOF
