From 6739192c62a2be982d8c8a8c108d4fc1f1b2f3c4 Mon Sep 17 00:00:00 2001
From: Malcolm Baig
Date: Wed, 27 Mar 2024 11:55:31 +0000
Subject: [PATCH 1/2] Remove keyvault-related jobs from Makefile

None of the keyvault printing / editing jobs work:
- They invoke a configuration job read-keyvault-config that isn't defined.
- Even if it was defined, the jobs would still fail because the Find app keyvault isn't structured like it is for other services. Specifically, it doesn't hold secrets in a serialized data structure sitting behind a single secret name defined in Azure.

As secrets can be added and updated via the Azure portal, simply remove these jobs for now.
---
 Makefile | 12 ----------
 docs/ops-manual.md | 52 ++--------------------------------------------
 2 files changed, 2 insertions(+), 62 deletions(-)

diff --git a/Makefile b/Makefile
index 92bdb8d3..98ca284d 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,6 @@ help: ## Show this help
 
 SERVICE_SHORT=faltrn
 
-
 .PHONY: aks
 aks: ## Sets environment variables for aks deployment
 	$(eval PLATFORM=aks)
@@ -80,17 +79,6 @@ install-fetch-config: ## Install the fetch-config script, for viewing/editing se
 	&& chmod +x bin/fetch_config.rb \
 	|| true
 
-edit-keyvault-secret: read-keyvault-config install-fetch-config set-azure-account
-	bin/fetch_config.rb -s azure-key-vault-secret:${KEY_VAULT_NAME}/${KEY_VAULT_SECRET_NAME} \
-	-e -d azure-key-vault-secret:${KEY_VAULT_NAME}/${KEY_VAULT_SECRET_NAME} -f yaml -c
-
-print-keyvault-secret: read-keyvault-config install-fetch-config set-azure-account
-	bin/fetch_config.rb -s azure-key-vault-secret:${KEY_VAULT_NAME}/${KEY_VAULT_SECRET_NAME} -f yaml
-
-validate-keyvault-secret: read-keyvault-config install-fetch-config set-azure-account
-	bin/fetch_config.rb -s azure-key-vault-secret:${KEY_VAULT_NAME}/${KEY_VAULT_SECRET_NAME} -d quiet \
-	&& echo Data in ${KEY_VAULT_NAME}/${KEY_VAULT_SECRET_NAME} looks valid
-
 .PHONY: set-space-developer
 set-space-developer: read-deployment-config ## make dev set-space-developer USER_ID=first.last@digital.education.gov.uk
 	$(if $(USER_ID), , $(error Missing environment variable "USER_ID", USER_ID required for this command to run))
diff --git a/docs/ops-manual.md b/docs/ops-manual.md
index a7fa5b4b..a025436c 100644
--- a/docs/ops-manual.md
+++ b/docs/ops-manual.md
@@ -34,57 +34,9 @@ tail -f /app/log/production.log
 
 ## Updating environment variables
 
-Make sure you have the `az` command line tool:
+The app keyvaults for Find can be found in the Azure devops portal. The development one, for example, is found [here](https://portal.azure.com/#@platform.education.gov.uk/resource/subscriptions/20da9d12-7ee1-42bb-b969-3fe9112964a7/resourceGroups/s189t01-faltrn-dv-rg/providers/Microsoft.KeyVault/vaults/s189t01-faltrn-dv-app-kv/secrets).
 
-```bash
-asdf plugin add azure-cli
-
-asdf install
-```
-
-Login to Azure and make sure it gets the right subscriptions:
-
-```bash
-$ az login
-A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no
-web browser is available or if the web browser fails to open, use device code
-flow with `az login --use-device-code`.
-The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.
-xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy 'digital.education.gov.uk'
-[
- {
- "cloudName": "AzureCloud",
- "homeTenantId": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy",
- "id": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy",
- "isDefault": true,
- "managedByTenants": [
- {
- "tenantId": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy"
- }
- ],
- "name": "s189-teacher-services-cloud-test",
- "state": "Enabled",
- "tenantId": "xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy",
- "user": {
- "name": "Joe.BLOGGS@digital.EDUCATION.GOV.UK",
- "type": "user"
- }
- },
- ...
-]
-```
-
-To view all environment variables on the `dev` environment:
-
-```bash
-make dev print-keyvault-secret
-```
-
-To edit environment variables on the `dev` environment (opens `$EDITOR`):
-
-```bash
-make dev edit-keyvault-secret
-```
+Assuming you have the correct permissions, the environment variables can be edited via the portal UI. Check with the infrastructure team if you don't have access.
 
 ## Logit
 
From 1187e08dec77c782ea11ba4c87fa464353462485 Mon Sep 17 00:00:00 2001
From: Malcolm Baig
Date: Wed, 27 Mar 2024 13:09:52 +0000
Subject: [PATCH 2/2] Remove old PaaS jobs from Makefile

These are jobs and scripts that were used when Find was still deployed to GOVUK PaaS. They are no longer required now that Find deploys to AKS.
---
 Makefile | 33 ---------------------------------
 bin/download-db-backup | 31 -------------------------------
 bin/restore-db | 26 --------------------------
 3 files changed, 90 deletions(-)
 delete mode 100755 bin/download-db-backup
 delete mode 100755 bin/restore-db

diff --git a/Makefile b/Makefile
index 98ca284d..932a0733 100644
--- a/Makefile
+++ b/Makefile
@@ -79,39 +79,6 @@ install-fetch-config: ## Install the fetch-config script, for viewing/editing se
 	&& chmod +x bin/fetch_config.rb \
 	|| true
 
-.PHONY: set-space-developer
-set-space-developer: read-deployment-config ## make dev set-space-developer USER_ID=first.last@digital.education.gov.uk
-	$(if $(USER_ID), , $(error Missing environment variable "USER_ID", USER_ID required for this command to run))
-	cf set-space-role ${USER_ID} dfe ${SPACE} SpaceDeveloper
-
-.PHONY: unset-space-developer
-unset-space-developer: read-deployment-config ## make dev unset-space-developer USER_ID=first.last@digital.education.gov.uk
-	$(if $(USER_ID), , $(error Missing environment variable "USER_ID", USER_ID required for this command to run))
-	cf unset-space-role ${USER_ID} dfe ${SPACE} SpaceDeveloper
-
-stop-app: read-deployment-config ## Stops api app, make dev stop-app CONFIRM_STOP=1
-	$(if $(CONFIRM_STOP), , $(error stop-app can only run with CONFIRM_STOP))
-	cf target -s ${SPACE}
-	cf stop ${FLT_APP_NAME}
-
-get-postgres-instance-guid: read-deployment-config ## Gets the postgres service instance's guid
-	cf target -s ${SPACE} > /dev/null
-	cf service ${POSTGRES_DATABASE_NAME} --guid
-	$(eval DB_INSTANCE_GUID=$(shell cf service ${POSTGRES_DATABASE_NAME} --guid))
-
-rename-postgres-service: read-deployment-config ## make dev rename-postgres-service NEW_NAME_SUFFIX=old CONFIRM_RENAME
-	$(if $(CONFIRM_RENAME), , $(error can only run with CONFIRM_RENAME))
-	$(if $(NEW_NAME_SUFFIX), , $(error NEW_NAME_SUFFIX is required))
-	cf target -s ${SPACE} > /dev/null
-	cf rename-service ${POSTGRES_DATABASE_NAME} ${POSTGRES_DATABASE_NAME}-$(NEW_NAME_SUFFIX)
-
-restore-data-from-backup: read-deployment-config # make production restore-data-from-backup CONFIRM_RESTORE=YES BACKUP_FILENAME="find-a-lost-trn-production-pg-svc-2022-04-28-01"
-	@if [[ "$(CONFIRM_RESTORE)" != YES ]]; then echo "Please enter "CONFIRM_RESTORE=YES" to run workflow"; exit 1; fi
-	$(eval export
AZURE_BACKUP_STORAGE_ACCOUNT_NAME=$(AZURE_BACKUP_STORAGE_ACCOUNT_NAME))
-	$(if $(BACKUP_FILENAME), , $(error can only run with BACKUP_FILENAME, eg BACKUP_FILENAME="find-a-lost-trn-production-pg-svc-2022-04-28-01"))
-	bin/download-db-backup ${AZURE_BACKUP_STORAGE_ACCOUNT_NAME} ${AZURE_BACKUP_STORAGE_CONTAINER_NAME} ${BACKUP_FILENAME}.tar.gz
-	bin/restore-db ${DEPLOY_ENV} ${CONFIRM_RESTORE} ${SPACE} ${BACKUP_FILENAME}.sql ${POSTGRES_DATABASE_NAME}
-
 terraform-init: bin/terrafile
 	[[ "${SP_AUTH}" != "true" ]] && az account set -s $(AZURE_SUBSCRIPTION) || true
 	./bin/terrafile -p terraform/aks/vendor/modules -f terraform/aks/workspace_variables/$(CONFIG)_Terrafile
diff --git a/bin/download-db-backup b/bin/download-db-backup
deleted file mode 100755
index 722df22d..00000000
--- a/bin/download-db-backup
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-set -eu
-
-AZURE_BACKUP_STORAGE_ACCOUNT_NAME=$1
-AZURE_BACKUP_STORAGE_CONTAINER_NAME=$2
-BACKUP_FILENAME=$3
-
-if [[ -z "${AZURE_BACKUP_STORAGE_ACCOUNT_NAME}" ]]; then
- echo "AZURE_BACKUP_STORAGE_ACCOUNT_NAME environment variable not set"
- exit 1
-fi
-if [[ -z "${AZURE_BACKUP_STORAGE_CONTAINER_NAME}" ]]; then
- echo "AZURE_BACKUP_STORAGE_CONTAINER_NAME environment variable not set"
- exit 1
-fi
-
-if [[ -z "${BACKUP_FILENAME}" ]]; then
- echo "BACKUP_FILENAME environment variable not set"
- exit 1
-fi
-
-Exists=$(az storage blob exists --account-name ${AZURE_BACKUP_STORAGE_ACCOUNT_NAME} -c ${AZURE_BACKUP_STORAGE_CONTAINER_NAME} -n ${BACKUP_FILENAME} -o tsv)
-
-if [[ "${Exists}" = "False" ]]; then
- echo "There are no files found matching the filename ${BACKUP_FILENAME} in container ${AZURE_BACKUP_STORAGE_CONTAINER_NAME}"
- exit 1
-else
- echo "File ${BACKUP_FILENAME} found in container ${AZURE_BACKUP_STORAGE_CONTAINER_NAME}. Downloading"
- az storage blob download --account-name ${AZURE_BACKUP_STORAGE_ACCOUNT_NAME} -c ${AZURE_BACKUP_STORAGE_CONTAINER_NAME} -n ${BACKUP_FILENAME} -f ${BACKUP_FILENAME}
- tar -xvzf "${BACKUP_FILENAME}"
-fi
diff --git a/bin/restore-db b/bin/restore-db
deleted file mode 100755
index 8449f8c2..00000000
--- a/bin/restore-db
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-set -eu
-CF_ORG_NAME='dfe'
-DEPLOY_ENV=$1
-CONFIRM_RESTORE=$2
-SPACE=$3
-BACKUP_FILENAME=$4
-POSTGRES_DATABASE_NAME=$5
-
-if [[ -z "${DEPLOY_ENV}" ]]; then
- echo "DEPLOY_ENV environment variable not set"
- exit 1
-fi
-
-if [[ -z "${SPACE}" ]]; then
- echo "SPACE environment variable not set"
- exit 1
-fi
-
-if [[ ! -f "${BACKUP_FILENAME}" ]]; then
- echo "${BACKUP_FILENAME} does not exist."
- exit 1
-else
- cf target -o "${CF_ORG_NAME}" -s "${SPACE}"
- cf conduit ${POSTGRES_DATABASE_NAME} -- psql < "${BACKUP_FILENAME}"
-fi