Devsecops/emvaldes/runleaks (#17023) #28898
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate Resources | |
on: | |
pull_request: | |
branches: | |
- production | |
- main | |
- test | |
push: | |
branches: | |
- production | |
- main | |
- test | |
schedule: | |
- cron: "36 3 * * *" | |
env: | |
AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' | |
jobs: | |
pre_job: | |
name: Set Build Environment | |
runs-on: ubuntu-latest | |
outputs: | |
env_name: ${{ env.VALIDATE_ENV }} | |
steps: | |
- name: Check out changes | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 | |
- name: Build vars | |
id: build_vars | |
uses: ./.github/actions/build-vars | |
- name: Force env if schedule | |
shell: bash | |
run: | | |
if [[ ${{ github.event_name == 'schedule' }} == 'true' ]]; then | |
echo "VALIDATE_ENV=prod" >> $GITHUB_ENV | |
else | |
echo "VALIDATE_ENV=${{ steps.build_vars.outputs.env_name }}" >> $GITHUB_ENV | |
fi | |
validate_dns: | |
name: Check infrastructure resources | |
if: ${{ needs.pre_job.outputs.env_name && (github.actor != 'dependabot[bot]') }} | |
needs: | |
- pre_job | |
environment: ${{ needs.pre_job.outputs.env_name }} | |
concurrency: ${{ needs.pre_job.outputs.env_name }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check Out Changes | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 | |
- name: Connect to VPN and login to Azure | |
uses: ./.github/actions/vpn-azure | |
with: | |
env-name: ${{ needs.pre_job.outputs.env_name }} | |
tls-key: ${{ secrets.TLS_KEY }} | |
ca-cert: ${{ secrets.CA_CRT}} | |
user-crt: ${{ secrets.USER_CRT }} | |
user-key: ${{ secrets.USER_KEY }} | |
sp-creds: ${{ env.AZURE_CREDENTIALS }} | |
- name: Restart DNS if failure | |
uses: ./.github/actions/retry | |
with: | |
timeout_seconds: 60 | |
max_attempts: 3 | |
retry_wait_seconds: 180 | |
command: dig google.com @10.0.2.4 | |
shell: bash | |
on_retry_command: >- | |
az container stop --name pdh${{ needs.pre_job.outputs.env_name }}-dns | |
-g prime-data-hub-${{ needs.pre_job.outputs.env_name }}; | |
az container start --name pdh${{ needs.pre_job.outputs.env_name }}-dns | |
-g prime-data-hub-${{ needs.pre_job.outputs.env_name }}; | |
- name: Restart legacy SFTP if wrong ip | |
if: needs.pre_job.outputs.env_name != 'prod' | |
uses: ./.github/actions/retry | |
with: | |
timeout_seconds: 60 | |
max_attempts: 3 | |
retry_wait_seconds: 180 | |
command: | | |
ip=$(az container show --name pdh${{ needs.pre_job.outputs.env_name }}-sftpserver \ | |
-g prime-data-hub-${{ needs.pre_job.outputs.env_name }} -o tsv --query 'ipAddress.ip') | |
last_octet=${ip: -2} | |
if [[ $last_octet -ne 20 ]]; then exit 1; fi | |
shell: bash | |
on_retry_command: >- | |
az container stop --name pdh${{ needs.pre_job.outputs.env_name }}-sftpserver | |
-g prime-data-hub-${{ needs.pre_job.outputs.env_name }}; | |
az container start --name pdh${{ needs.pre_job.outputs.env_name }}-sftpserver | |
-g prime-data-hub-${{ needs.pre_job.outputs.env_name }}; | |
optimize_demo_dbs: | |
name: Optimize demo databases | |
if: github.event_name == 'schedule' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
env_name: [ demo1, demo2, demo3 ] | |
steps: | |
- name: Check Out Changes | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 | |
- uses: azure/login@v2 | |
with: | |
creds: ${{ env.AZURE_CREDENTIALS }} | |
- name: Reduce database replica sizes | |
uses: ./.github/actions/retry | |
with: | |
timeout_minutes: 180 | |
max_attempts: 3 | |
retry_wait_seconds: 1800 | |
command: | | |
REPLICA_COUNT=$(az postgres server list -g prime-data-hub-${{ matrix.env_name }} --query '[*].name' | \ | |
jq '[.[] | select(contains("pgsql-replica"))] | length') | |
if [[ ${REPLICA_COUNT} -gt 0 ]]; then | |
az postgres server update -g prime-data-hub-${{ matrix.env_name }} -n pdh${{ matrix.env_name }}-pgsql-replica --sku-name GP_Gen5_4 | |
fi | |
shell: bash | |
vpn_validation: | |
name: VPN Validation | |
if: github.event_name == 'schedule' | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
strategy: | |
max-parallel: 2 | |
matrix: | |
env_name: [ prod, staging, demo1, demo2, demo3 ] | |
environment: ${{ matrix.env_name }} | |
concurrency: ${{ matrix.env_name }} | |
steps: | |
- name: Check Out Changes | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 | |
- uses: azure/login@v2 | |
with: | |
creds: ${{ env.AZURE_CREDENTIALS }} | |
- name: Fetch VPN DNS IP | |
id: fetch_vpn_ip | |
shell: bash | |
run: | | |
DNS_IP=$(az container show -g prime-data-hub-${{ matrix.env_name }} \ | |
--name pdh${{ matrix.env_name }}-dns --query 'ipAddress.ip' -o tsv) | |
echo "dns_ip=$DNS_IP" >> $GITHUB_OUTPUT | |
- name: Connect to VPN | |
uses: ./.github/actions/vpn-azure | |
with: | |
env-name: ${{ matrix.env_name }} | |
tls-key: ${{ secrets.TLS_KEY }} | |
ca-cert: ${{ secrets.CA_CRT}} | |
user-crt: ${{ secrets.USER_CRT }} | |
user-key: ${{ secrets.USER_KEY }} | |
dns-ip: ${{ steps.fetch_vpn_ip.outputs.dns_ip }} |