Merge pull request #668 from NHSDigital/feature/made14-NRL-760-deploy-bluegreen

[NRL-760] Deployment changes for blue/green arch

Author: mattdean3-nhs

.github/workflows/persistent-environment.yml

@@ -117,11 +117,20 @@ jobs:
           name: build-artifacts
           path: dist
 
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
       - name: Terraform Init
         run: |
+          inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
           terraform -chdir=terraform/infrastructure init
-          terraform -chdir=terraform/infrastructure workspace new ${{ inputs.environment }} || \
-          terraform -chdir=terraform/infrastructure workspace select ${{ inputs.environment }}
+          terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \
+            terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 
       - name: Terraform Plan
         run: |
@@ -180,11 +189,152 @@ jobs:
           account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
           make truststore-pull-server ENV=${account}
 
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
       - name: Terraform Init
         run: |
+          inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
           terraform -chdir=terraform/infrastructure init
-          terraform -chdir=terraform/infrastructure workspace new ${{ inputs.environment }} || \
-          terraform -chdir=terraform/infrastructure workspace select ${{ inputs.environment }}
+          terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \
+            terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 
       - name: Terraform Apply
         run: terraform -chdir=terraform/infrastructure apply tfplan
+
+      - name: Smoke Test
+        run: make ENV=${{ inputs.environment }} test-smoke-internal
+
+  activate-stack:
+    name: Activate - ${{ inputs.environment }}
+    needs: [terraform-apply]
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ inputs.branch_name }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch_name }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/[email protected]
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: Activate Stack
+        run: |
+          inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
+          poetry run python ./scripts/activate_stack.py ${inactive_stack} ${{ inputs.environment }}
+
+  post-release-verify:
+    name: Verify - ${{ inputs.environment }}
+    needs: [activate-stack]
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ inputs.branch_name }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch_name }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/[email protected]
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: "Smoke Test"
+        run: |
+          make ENV=${{ inputs.environment }} test-smoke-external
+
+  rollback-stack:
+    name: Rollback - ${{ inputs.environment }}
+    needs: [post-release-verify]
+    if: ${{ needs.post-release-verify.result == 'failure' }}
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ inputs.branch_name }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch_name }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/[email protected]
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: Deactivate Stack
+        run: |
+          inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
+          poetry run python ./scripts/activate-stack.py ${inactive_stack_name}

Makefile

@@ -36,6 +36,7 @@ asdf-install: ## Install the required tools via ASDF
 configure: asdf-install check-warn ## Configure this project repo, including install dependencies
 	cp scripts/commit-msg.py .git/hooks/prepare-commit-msg && chmod ug+x .git/hooks/*
 	poetry install
+	poetry run pre-commit install
 
 check: ## Check the build environment is setup correctly
 	@./scripts/check-build-environment.sh
@@ -80,6 +81,16 @@ test-features-integration: check-warn ## Run the BDD feature tests in the integr
 	@echo "Running feature tests in the integration environment"
 	behave --define="integration_test=true" --define="env=$(TF_WORKSPACE_NAME)" $(FEATURE_TEST_ARGS)
 
+test-smoke-internal: check-warn ## Run the smoke tests against the internal environment
+	@echo "Running smoke tests against the internal environment"
+	#ENV=$(TF_WORKSPACE_NAME) SMOKE_TEST_MODE=mtls pytest ./tests/smoke $(SMOKE_TEST_ARGS)
+	@echo "Skipping internal smoke tests (not yet implemented)"
+
+test-smoke-external: check-warn ## Run the smoke tests for the external access points
+	@echo "Running smoke tests for the external access points"
+	#ENV=$(ENV) SMOKE_TEST_MODE=apigee pytest ./tests/smoke $(SMOKE_TEST_ARGS)
+	@echo "Skipping external smoke tests (not yet implemented)"
+
 test-performance-prepare:
 	mkdir -p $(DIST_PATH)
 	poetry run python tests/performance/environment.py setup $(TF_WORKSPACE_NAME)

pyproject.toml

@@ -105,4 +105,4 @@ env = [
     "AUTH_STORE=auth-store",
     "TABLE_NAME=unit-test-document-pointer"
 ]
-pythonpath = ["."]
+pythonpath = [".", "./scripts"]

scripts/activate_stack.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python
+import json
+import sys
+import traceback
+
+import aws_session_assume
+import fire
+
+CONFIG_LOCK_STATE = "lock-state"
+CONFIG_INACTIVE_STACK = "inactive-stack"
+CONFIG_ACTIVE_STACK = "active-stack"
+CONFIG_DOMAIN_NAME = "domain-name"
+
+STATE_LOCKED = "locked"
+STATE_OPEN = "open"
+VALID_LOCK_STATES = [STATE_LOCKED, STATE_OPEN]
+
+
+def _set_lock_state(
+    lock_state: str, environment_config: dict, parameters_key: str, sm: any
+):
+    if lock_state not in VALID_LOCK_STATES:
+        raise ValueError(f"Invalid lock state: {lock_state}")
+
+    print(f"Setting environment config lock state to {lock_state}....")
+    environment_config[CONFIG_LOCK_STATE] = lock_state
+    sm.put_secret_value(
+        SecretId=parameters_key, SecretString=json.dumps(environment_config)
+    )
+    print(f"Environment config lock state is now {lock_state}")
+
+
+def _update_and_unlock(environment_config: dict, parameters_key: str, sm: any):
+    environment_config[CONFIG_LOCK_STATE] = STATE_OPEN
+
+    print(f"Updating environment config to: {environment_config}")
+    sm.put_secret_value(
+        SecretId=parameters_key, SecretString=json.dumps(environment_config)
+    )
+
+
+def _switch_active_stack(stack_name: str, env_domain_name: str, session: any):
+    # Change API mappings for APIGW
+    print(f"Gathering data about APIs for {env_domain_name} for {stack_name}....")
+    api_gw = session.client("apigateway")
+    env_apis = {
+        api["name"]: api["id"]
+        for api in api_gw.get_rest_apis(limit=100)["items"]
+        if api["name"].startswith(f"nhsd-nrlf--{stack_name}--")
+    }
+
+    if len(env_apis) != 2:
+        raise ValueError(
+            f"Expected 2 APIs for stack {stack_name}, got {env_apis.keys()}"
+        )
+
+    api_gwv2 = session.client("apigatewayv2")
+    existing_mappings = {
+        mapping["ApiMappingKey"]: mapping["ApiMappingId"]
+        for mapping in api_gwv2.get_api_mappings(DomainName=env_domain_name)["Items"]
+    }
+
+    if len(existing_mappings) != 2:
+        raise ValueError(
+            f"Expected 2 API mappings for domain {env_domain_name}, got {len(existing_mappings)}"
+        )
+    if "consumer" not in existing_mappings or "producer" not in existing_mappings:
+        raise ValueError(
+            f"Expected API mappings for consumer and producer, got {existing_mappings.keys()}"
+        )
+
+    print(f"Switching APIGW for {env_domain_name} to point to {stack_name}")
+    api_gwv2.update_api_mapping(
+        ApiId=env_apis[f"nhsd-nrlf--{stack_name}--consumer"],
+        DomainName=env_domain_name,
+        ApiMappingId=existing_mappings["consumer"],
+        Stage="production",
+    )
+    api_gwv2.update_api_mapping(
+        ApiId=env_apis[f"nhsd-nrlf--{stack_name}--producer"],
+        DomainName=env_domain_name,
+        ApiMappingId=existing_mappings["producer"],
+        Stage="production",
+    )
+
+
+def activate_stack(stack_name: str, env: str, session: any):
+    sm = session.client("secretsmanager")
+
+    parameters_key = f"nhsd-nrlf--{env}--env-config"
+    response = sm.get_secret_value(SecretId=parameters_key)
+
+    environment_config = json.loads(response["SecretString"])
+    print(f"Got environment config for {env}: {environment_config}")
+
+    lock_state = environment_config[CONFIG_LOCK_STATE]
+    if lock_state != "open":
+        print(
+            f"Unable to activate stack as lock state is not open: {lock_state}",
+            file=sys.stderr,
+        )
+        return
+
+    current_active_stack = environment_config[CONFIG_ACTIVE_STACK]
+    if current_active_stack == stack_name:
+        print("Cannot activate stack, stack is already active", file=sys.stderr)
+        return
+
+    _set_lock_state(
+        STATE_LOCKED,
+        environment_config=environment_config,
+        parameters_key=parameters_key,
+        sm=sm,
+    )
+
+    try:
+        domain_name = environment_config[CONFIG_DOMAIN_NAME]
+
+        print(f"Activating stack {stack_name} for {domain_name}....")
+        _switch_active_stack(stack_name, env_domain_name=domain_name, session=session)
+    except Exception as err:
+        print(
+            "Failed to switch active stack. Unlocking and bailing out....",
+            file=sys.stderr,
+        )
+        _set_lock_state(
+            STATE_OPEN,
+            environment_config=environment_config,
+            parameters_key=parameters_key,
+            sm=sm,
+        )
+        print(f"Failed to activate stack: {err}", file=sys.stderr)
+        print(f"Stack trace: {traceback.format_exc()}", file=sys.stderr)
+        return
+
+    print("Updating environment config and unlocking....")
+    environment_config[CONFIG_INACTIVE_STACK] = current_active_stack
+    environment_config[CONFIG_ACTIVE_STACK] = stack_name
+    _update_and_unlock(environment_config, parameters_key=parameters_key, sm=sm)
+
+    print(f"Complete. Stack {stack_name} is now the active stack for {env}")
+
+
+def main(stack_name: str, env: str):
+    boto_session = aws_session_assume.get_boto_session(env)
+    activate_stack(stack_name, env=env, session=boto_session)
+
+
+if __name__ == "__main__":
+    fire.Fire(main)