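# Tears down the per-sandbox staging resources for one sandbox id: the two
# Fargate profiles, the SNS/RDS/Cognito CloudFormation stacks and the release
# manifest, then commits the manifest removal back to the repository.
#
# Supply-chain note: every `uses:` below is pinned to a mutable tag (@v1, @v2,
# @v4). Pinning each action to a full commit SHA would make the executed action
# code immutable; no SHAs are given here because none are available on this page.
name: Remove a staging environment

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      sandbox-id:
        description: 'The sandbox ID to remove'
        required: true
      # KMS-encrypted, base64-encoded blob. workflow_dispatch inputs are
      # recorded on the run, so only ciphertext may be passed here.
      secrets:
        description: 'Encrypted secrets to use for this task'
        required: true

env:
  region: 'eu-west-1'

jobs:
  remove-staging:
    name: Remove staging environment
    # NOTE(review): ubuntu-20.04 is a fixed runner image; confirm it is still offered.
    runs-on: ubuntu-20.04
    # Least privilege for the built-in GITHUB_TOKEN: only the turnstyle step
    # below uses it (to read other workflow runs). The git push at the end uses
    # the API_TOKEN_GITHUB PAT persisted by the checkout step, not GITHUB_TOKEN.
    permissions:
      actions: read
      contents: read
    steps:
      - id: validate-input
        name: Validate the sandbox-id input
        # SANDBOX_ID is interpolated into a file path under ./releases/staging
        # and into AWS resource names, so reject empty values, path separators
        # and whitespace before any destructive step runs. The value is not
        # echoed back, so a crafted input cannot inject workflow commands.
        run: |-
          case "$SANDBOX_ID" in
            ""|*/*|*..*|*[[:space:]]*)
              echo "::error::sandbox-id is empty or contains a path separator or whitespace"
              exit 1
              ;;
          esac
        env:
          SANDBOX_ID: ${{ github.event.inputs.sandbox-id }}

      - id: setup-aws
        name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.region }}

      - id: install-aws-cli
        name: Install AWS CLI
        uses: unfor19/install-aws-cli-action@v1
        with:
          version: 2

      - id: decrypt-secrets
        name: Decrypt credentials from user.
        # Decrypts the submitted ciphertext with the shared KMS key and exposes
        # the three deployment credentials as step outputs. Every intermediate
        # value is masked before it is written out so it cannot show in the log.
        run: |-
          SECRETS="$(aws kms decrypt \
            --key-id "arn:aws:kms:${REGION}:242905224710:alias/iac-secret-key" \
            --ciphertext-blob fileb://<(echo "$CIPHERTEXT" | base64 --decode) \
            --output text --query Plaintext)"
          DEPLOYMENT_AWS_ACCESS_KEY_ID="$(echo "$SECRETS" | base64 --decode | jq -r '.access_key')"
          DEPLOYMENT_AWS_SECRET_ACCESS_KEY="$(echo "$SECRETS" | base64 --decode | jq -r '.secret_key')"
          DEPLOYMENT_GITHUB_API_TOKEN="$(echo "$SECRETS" | base64 --decode | jq -r '.github_api_token')"
          echo "::add-mask::$SECRETS"
          echo "::add-mask::$DEPLOYMENT_AWS_ACCESS_KEY_ID"
          echo "::add-mask::$DEPLOYMENT_AWS_SECRET_ACCESS_KEY"
          echo "::add-mask::$DEPLOYMENT_GITHUB_API_TOKEN"
          # ::set-output is deprecated; the GITHUB_OUTPUT file is its replacement.
          {
            echo "aws-access-key=$DEPLOYMENT_AWS_ACCESS_KEY_ID"
            echo "aws-secret-access-key=$DEPLOYMENT_AWS_SECRET_ACCESS_KEY"
            echo "github-api-token=$DEPLOYMENT_GITHUB_API_TOKEN"
          } >> "$GITHUB_OUTPUT"
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          CIPHERTEXT: ${{ github.event.inputs.secrets }}
          REGION: ${{ env.region }}

      # NOTE(review): no step between this one and setup-aws-privileged calls
      # AWS, so the submitted credentials appear unused in this job; confirm
      # with the workflow owners before removing the step.
      - id: setup-aws-submitted
        name: Configure AWS credentials with submitted details
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ steps.decrypt-secrets.outputs.aws-access-key }}
          aws-secret-access-key: ${{ steps.decrypt-secrets.outputs.aws-secret-access-key }}
          aws-region: ${{ env.region }}

      - id: checkout
        name: Check out source code
        uses: actions/checkout@v2
        with:
          # This PAT is persisted in the git config and is what the later
          # git-auto-commit-action push and the push retry step authenticate with.
          token: ${{ secrets.API_TOKEN_GITHUB }}

      - id: setup-aws-privileged
        name: Configure AWS privileged credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.region }}

      - id: install-eksctl
        name: Install eksctl
        # Supply-chain note: this downloads the unpinned "latest" release with no
        # checksum verification, so the binary can change between runs.
        run: |-
          curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
          sudo mv /tmp/eksctl /usr/local/bin

      - id: wait-pending-removals
        name: Wait for previous removal jobs before proceeding
        uses: softprops/turnstyle@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - id: remove-pipeline-fargate-profile
        name: Remove Fargate profile for the pipelines
        uses: nick-invision/retry@v2
        with:
          timeout_seconds: 900
          max_attempts: 30
          retry_on: error
          # The grep makes the step succeed both when the profile was deleted and
          # when it no longer exists, so re-running the workflow is idempotent.
          command: |
            output=$(eksctl delete fargateprofile --cluster biomage-staging --name "pipeline-${SANDBOX_ID}" 2>&1)
            echo "$output"
            echo "$output" | grep -E "deleted Fargate profile|No Fargate Profile found"
          # Add jitter to break up correlated events.
          on_retry_command: sleep $((20 + RANDOM % 10))
        env:
          SANDBOX_ID: ${{ github.event.inputs.sandbox-id }}

      - id: remove-worker-fargate-profile
        name: Remove Fargate profile for the workers
        uses: nick-invision/retry@v2
        with:
          timeout_seconds: 900
          max_attempts: 30
          retry_on: error
          # Same idempotent success condition as the pipeline profile above.
          command: |
            output=$(eksctl delete fargateprofile --cluster biomage-staging --name "worker-${SANDBOX_ID}" 2>&1)
            echo "$output"
            echo "$output" | grep -E "deleted Fargate profile|No Fargate Profile found"
          # Add jitter to break up correlated events.
          on_retry_command: sleep $((20 + RANDOM % 10))
        env:
          SANDBOX_ID: ${{ github.event.inputs.sandbox-id }}

      - id: add-manifest-to-repo
        name: Remove manifest file from repository.
        # Fails the job if the manifest is already gone; this is deliberate so a
        # typo in sandbox-id does not silently "succeed".
        run: |-
          rm "./releases/staging/${SANDBOX_ID}.yaml"
        env:
          SANDBOX_ID: ${{ github.event.inputs.sandbox-id }}

      - id: set-name
        name: Set name of the CloudFormation stack for SNS topic and Cognito pool
        # Output keys are consumed by the three remove-template-* steps below.
        run: |-
          {
            echo "sns-name=biomage-sns-staging-${SANDBOX_ID}"
            echo "rds-name=biomage-rds-staging-${SANDBOX_ID}"
            echo "cognito-name=biomage-cognito-staging-${SANDBOX_ID}"
          } >> "$GITHUB_OUTPUT"
        env:
          SANDBOX_ID: ${{ github.event.inputs.sandbox-id }}

      # delete-stack only requests deletion; none of the three steps below waits
      # for the stack to disappear, so the job can finish before AWS has.
      - id: remove-template-sns
        name: Remove CloudFormation stack for SNS topic
        run: |-
          aws cloudformation delete-stack --stack-name "$STACK_NAME"
        env:
          STACK_NAME: ${{ steps.set-name.outputs.sns-name }}

      - id: remove-template-rds
        name: Remove CloudFormation stack for RDS
        run: |-
          aws cloudformation delete-stack --stack-name "$STACK_NAME"
        env:
          STACK_NAME: ${{ steps.set-name.outputs.rds-name }}

      - id: remove-template-cognito
        name: Remove CloudFormation stack for Cognito pool clients
        run: |-
          aws cloudformation delete-stack --stack-name "$STACK_NAME"
        env:
          STACK_NAME: ${{ steps.set-name.outputs.cognito-name }}

      - id: disable-admin-enforcement
        name: Temporarily disable admin enforcement
        # The action reference was garbled in this rendering of the page
        # ("benjefferies/[email protected]"); restore the pinned tag from the
        # repository before using this file.
        uses: benjefferies/branch-protection-bot@<ACTION_REF_PLACEHOLDER>
        with:
          access_token: ${{ secrets.API_TOKEN_GITHUB }}
          owner: ${{ github.repository_owner }}
          repo: iac
          enforce_admins: false
          retries: 8

      - id: pull
        name: Pull and allow unrelated histories.
        run: |-
          git pull --allow-unrelated-histories

      - id: push-deployment
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Remove staging environment ${{ github.event.inputs.sandbox-id }}

      - id: on-failure-retry
        if: failure()
        name: Retry in case push failed.
        uses: nick-invision/retry@v2
        with:
          timeout_seconds: 30
          max_attempts: 5
          retry_on: error
          command: git config user.name "GitHub Actions" && git pull --allow-unrelated-histories --no-edit && git push origin master
          # Add jitter to break up correlated events.
          on_retry_command: sleep $((5 + RANDOM % 10))

      # Runs even when an earlier step failed so branch protection is never left
      # disabled by a failed removal.
      - id: enable-admin-enforcement
        name: Re-enable admin enforcement
        # Same garbled reference as disable-admin-enforcement; restore the pinned tag.
        uses: benjefferies/branch-protection-bot@<ACTION_REF_PLACEHOLDER>
        if: always()
        with:
          access_token: ${{ secrets.API_TOKEN_GITHUB }}
          owner: ${{ github.repository_owner }}
          repo: iac
          enforce_admins: true
          retries: 8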