Merge pull request #670 from NHSDigital/feature/made14-NRL-762-rollback-pipeline

mattdean3-nhs · web-flow · commit 2fdd722b356b · 2024-07-02T19:03:05.000+01:00
[NRL-762] Create rollback pipeline for blue/green
diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml
@@ -0,0 +1,67 @@
+name: Switch Active Stack
+run-name: Switch active stack to ${{ inputs.stack_name }} in ${{ inputs.environment }} by ${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment to activate the stack in"
+        required: true
+        default: "dev"
+        type: environment
+
+      stack_name:
+        description: Name of stack to activate
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+jobs:
+  activate-stack:
+    name: Activate ${{ inputs.stack_name }} for ${{ inputs.environment }}
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/install@v3.0.2
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: Get current environment config
+        run: |
+          poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }}
+
+      - name: Activate Stack
+        run: |
+          poetry run python ./scripts/activate-stack.py ${{ inputs.stack_name }} ${{ inputs.environment }}
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
@@ -339,4 +339,4 @@ jobs:
       - name: Deactivate Stack
         run: |
           inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
-          poetry run python ./scripts/activate-stack.py ${inactive_stack_name}
+          poetry run python ./scripts/activate-stack.py ${inactive_stack_name} ${{ inputs.environment }}
diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml
@@ -0,0 +1,67 @@
+name: Rollback Stack
+run-name: Rollback to inactive stack in ${{ inputs.environment }} by ${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment to rollback the stack in"
+        required: true
+        default: "dev"
+        type: environment
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+jobs:
+  rollback-stack:
+    name: Rollback to inactive stack for ${{ inputs.environment }}
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/install@v3.0.2
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: Get current environment config
+        run: |
+          poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }}
+
+      - name: Rollback
+        run: |
+          inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
+          poetry run python ./scripts/activate-stack.py ${inactive_stack_name} ${{ inputs.environment }}
+
+      - name: "Smoke Test"
+        run: |
+          make ENV=${{ inputs.environment }} test-smoke-external
diff --git a/scripts/activate_stack.py b/scripts/activate_stack.py
@@ -93,18 +93,18 @@ def activate_stack(stack_name: str, env: str, session: any):
     environment_config = json.loads(response["SecretString"])
     print(f"Got environment config for {env}: {environment_config}")
 
+    current_active_stack = environment_config[CONFIG_ACTIVE_STACK]
+    if current_active_stack == stack_name:
+        print("Cannot activate stack, stack is already active", file=sys.stderr)
+        sys.exit(1)
+
     lock_state = environment_config[CONFIG_LOCK_STATE]
     if lock_state != "open":
         print(
             f"Unable to activate stack as lock state is not open: {lock_state}",
             file=sys.stderr,
         )
-        return
-
-    current_active_stack = environment_config[CONFIG_ACTIVE_STACK]
-    if current_active_stack == stack_name:
-        print("Cannot activate stack, stack is already active", file=sys.stderr)
-        return
+        sys.exit(1)
 
     _set_lock_state(
         STATE_LOCKED,
@@ -131,7 +131,7 @@ def activate_stack(stack_name: str, env: str, session: any):
         )
         print(f"Failed to activate stack: {err}", file=sys.stderr)
         print(f"Stack trace: {traceback.format_exc()}", file=sys.stderr)
-        return
+        sys.exit(1)
 
     print("Updating environment config and unlocking....")
     environment_config[CONFIG_INACTIVE_STACK] = current_active_stack
diff --git a/scripts/get_env_config.py b/scripts/get_env_config.py
@@ -14,13 +14,16 @@ def main(parameter_name: str, env: str):
     response = sm.get_secret_value(SecretId=secret_key)
     parameters = json.loads(response["SecretString"])
 
-    if parameter_name in parameters:
+    if parameter_name == "all":
+        print(parameters)
+    elif parameter_name in parameters:
         print(parameters[parameter_name])
     else:
         print(
             f"Parameter {parameter_name} not found in environment config",
             file=sys.stderr,
         )
+        sys.exit(1)
 
 
 if __name__ == "__main__":
diff --git a/scripts/tests/test_activate_stack.py b/scripts/tests/test_activate_stack.py
@@ -103,8 +103,10 @@ def test_lock_state_not_open(mock_boto_session, mock_secretsmanager):
         Name="nhsd-nrlf--locked--env-config", SecretString=json.dumps(inital_env_config)
     )
 
-    activate_stack("test-stack-1", "locked", session=mock_boto_session)
+    with pytest.raises(SystemExit) as excinfo:
+        activate_stack("test-stack-1", "locked", session=mock_boto_session)
 
+    assert excinfo.value.code == 1
     result = mock_secretsmanager.get_secret_value(
         SecretId="nhsd-nrlf--locked--env-config"  # pragma: allowlist secret
     )
@@ -122,8 +124,10 @@ def test_stack_already_active(mock_boto_session, mock_secretsmanager):
         SecretString=json.dumps(intial_env_config),
     )
 
-    activate_stack("test-stack-2", "already-active", session=mock_boto_session)
+    with pytest.raises(SystemExit) as excinfo:
+        activate_stack("test-stack-2", "already-active", session=mock_boto_session)
 
+    assert excinfo.value.code == 1
     result = mock_secretsmanager.get_secret_value(
         SecretId="nhsd-nrlf--already-active--env-config"  # pragma: allowlist secret
     )
diff --git a/terraform/infrastructure/ephemeral-resources.tf b/terraform/infrastructure/ephemeral-resources.tf
@@ -1,7 +1,8 @@
 module "ephemeral-s3-permission-store" {
-  count       = var.use_shared_resources ? 0 : 1
-  source      = "./modules/permissions-store-bucket"
-  name_prefix = local.prefix
+  count                       = var.use_shared_resources ? 0 : 1
+  source                      = "./modules/permissions-store-bucket"
+  name_prefix                 = local.prefix
+  enable_bucket_force_destroy = true
 }
 
 module "ephemeral-pointers-table" {

Original file line number	Diff line number	Diff line change
`@@ -103,8 +103,10 @@ def test_lock_state_not_open(mock_boto_session, mock_secretsmanager):`
`103`	`103`	`Name="nhsd-nrlf--locked--env-config", SecretString=json.dumps(inital_env_config)`
`104`	`104`	`)`
`105`	`105`
`106`		`- activate_stack("test-stack-1", "locked", session=mock_boto_session)`
	`106`	`+ with pytest.raises(SystemExit) as excinfo:`
	`107`	`+ activate_stack("test-stack-1", "locked", session=mock_boto_session)`
`107`	`108`
	`109`	`+ assert excinfo.value.code == 1`
`108`	`110`	`result = mock_secretsmanager.get_secret_value(`
`109`	`111`	`SecretId="nhsd-nrlf--locked--env-config" # pragma: allowlist secret`
`110`	`112`	`)`
`@@ -122,8 +124,10 @@ def test_stack_already_active(mock_boto_session, mock_secretsmanager):`
`122`	`124`	`SecretString=json.dumps(intial_env_config),`
`123`	`125`	`)`
`124`	`126`
`125`		`- activate_stack("test-stack-2", "already-active", session=mock_boto_session)`
	`127`	`+ with pytest.raises(SystemExit) as excinfo:`
	`128`	`+ activate_stack("test-stack-2", "already-active", session=mock_boto_session)`
`126`	`129`
	`130`	`+ assert excinfo.value.code == 1`
`127`	`131`	`result = mock_secretsmanager.get_secret_value(`
`128`	`132`	`SecretId="nhsd-nrlf--already-active--env-config" # pragma: allowlist secret`
`129`	`133`	`)`