shipit/shippable.yml at master · Shippable/shipit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
resources:
  - name: shipit_repo
    type: gitRepo
    integration: avinci_gh
    pointer:
      sourceName: shippable/shipit
      branch: master

  - name: shipit_gh_ssh
    type: integration
    integration: avi_gh_ssh

  - name: shipit_bits_access_cli
    type: cliConfig
    integration: aws_bits_access
    pointer:
      region: us-east-1

  - name: shipit_rc_pem
    type: integration
    integration: aws-rc-pem

  - name: shipit_rc_swarm
    type: params
    version:
      params:
        secure: bfSsma2F5exzt18nXLbbXUcsRjnQqWcnkKWInlBh+a7LYdo1G9Cwv9kiIkMi/+kcFL86QHnJmdHdvxbgtPUoa18GBGU8LLLg05pvQTBmjnrGQ0cUg9DJPGY5Jvc1eJdG0ABju+QCPjEGzY5VRWhHkabXg7kROAeQ0Eexe6GuK379cOw+ddnyP1Q+lvcIm2iCZVf7ODBgC69cN+yXU/0WQg3X6H/WcSbZPYdx22Tk3uVa0kloKc4CE0BwMWIPQHc69yE+vRxMkS6iJ6dlm+MAK7g5mXFYQ4DVbwxpmgFJyJHVJtX7LnxqbQ+nlJqe/Nk6zXKkMMvZ5DId9weMAvSVLw==

  - name: shippable_version
    type: version
    seed:
      versionName: "7.3.0"

  - name: drydock_version
    type: version
    seed:
      versionName: "7.2.3"

  - name: rc_slack
    type: notification
    integration: ship-slack
    pointer:
      recipients:
        - "#rc"

  - name: cron_backup_rc_db
    type: time
    versionTemplate:
      # 04:30 UTC daily
      interval: 30 4 * * *

jobs:
  - name: rc_deploy
    type: runSh
    dependencyMode: strict
    runtime:
      timeoutMinutes: 15
    on_start:
      - NOTIFY: rc_slack
    steps:
      - IN: shipit_repo
        switch: off
      - IN: shipit_rc_pem
        switch: off
      - IN: shipit_rc_swarm
        switch: off
      - IN: baseami_patch
      - IN: api_sh_img
      - IN: www_sh_img
      - IN: nexec_sh_img
      - IN: mktg_sh_img
      - IN: micro_sh_img
      - IN: u16admiral_sh_img
      - IN: shipit_bits_access_cli
        scopes:
          - ecr
        switch: off
      - TASK:
          name: deploy_to_rc
          script:
            - pushd $(shipctl get_resource_state "shipit_repo")
            - ./deployRc.sh
            - popd
      - TASK:
          name: cleanup_untagged_images
          script:
            - |
              repositories=$(aws ecr describe-repositories --output text | awk '{print $5}')
              while read -r repo; do
                untagged_images=$(aws ecr list-images --repository-name $repo --filter tagStatus=UNTAGGED --query 'imageIds[*]' --output text)
                while read -r untagged_image; do
                  if [ ! -z "$untagged_image" ]; then
                    echo "Deleting untagged image: $untagged_image from repo: $repo"
                    aws ecr batch-delete-image --repository-name $repo --image-ids imageDigest="$untagged_image"
                  else
                    echo "No untagged image present in repo: $repo"
                  fi
                done <<< "$untagged_images"
              done <<< "$repositories"
    on_success:
      - NOTIFY: rc_slack
    on_failure:
      - NOTIFY: rc_slack

  - name: prod_release
    type: release
    steps:
      - IN: shippable_version
        switch: off
      - IN: bvt
        switch: off
      - TASK: managed
        bump: patch

  - name: drydock_release
    type: release
    steps:
      - IN: drydock_version
        switch: off
      - IN: bvt
        switch: off
      - TASK: managed
        bump: patch

  - name: backup_rc_db
    type: runSh
    integrations:
      - aws-rc-pem
      - aws_rc_access
    steps:
      - IN: rc_slack
        switch: off
      - IN: shipit_rc_swarm
        switch: off
      - IN: cron_backup_rc_db
      - TASK:
          runtime:
            options:
              env:
                - SWARM_RES: shipit_rc_swarm
                - PEM_RES: aws-rc-pem
                - AWS_ACCESS_RES: aws_rc_access
                - DB_HOST: msg1
                - BACKUP_SCRIPT_PATH: /home/ubuntu/backupDb.sh
                - BACKUP_OPTS: rc /backups
                - AWS_REGION: us-east-1
                - CONTEXT: rc
                - MAX_BACKUP_AGE: "1 day"
          script:
            - |
               # Set up context
               BASTION_IP=$RC_BASTION_IP
               BASTION_USER=$RC_BASTION_USER
               BACKUP_EBS_VOLUME_ID=$RC_BACKUP_EBS_VOLUME_ID
               PEM_FILE=$(shipctl get_resource_env $PEM_RES KEYPATH)
               set -o pipefail

            - |
               # Print context
               echo CONTEXT=$CONTEXT
               echo BASTION_IP=$BASTION_IP
               echo BASTION_USER=$BASTION_USER
               echo BACKUP_EBS_VOLUME_ID=$BACKUP_EBS_VOLUME_ID
               echo PEM_FILE=$PEM_FILE
               echo DB_HOST=$DB_HOST
               echo BACKUP_SCRIPT_PATH=$BACKUP_SCRIPT_PATH
               echo BACKUP_OPTS=$BACKUP_OPTS

            - |
               # Run backup
               ssh -i $PEM_FILE ${BASTION_USER}@${BASTION_IP} ssh $DB_HOST $BACKUP_SCRIPT_PATH $BACKUP_OPTS

            - |
               # Create snapshot
               NOW=$(date +"%Y_%m_%d-%H_%M")
               NAME="$CONTEXT-db-$NOW"
               TAGS="ResourceType=snapshot,Tags=[{Key=Name,Value=$NAME}]"
               DESC="$CONTEXT DB backup snapshot at $NOW"
               export AWS_ACCESS_KEY_ID=$(shipctl get_integration_field $AWS_ACCESS_RES accessKey)
               export AWS_SECRET_ACCESS_KEY=$(shipctl get_integration_field $AWS_ACCESS_RES secretKey)
               aws ec2 create-snapshot --volume-id "$BACKUP_EBS_VOLUME_ID" --tag-specifications "$TAGS" --description "$DESC" --region $AWS_REGION | tee snapshot.json

            - |
               # Wait for snapshot to complete
               SNAPSHOT_ID=$(jq -r .SnapshotId snapshot.json)
               shippable_retry aws ec2 wait snapshot-completed --region $AWS_REGION --snapshot-ids $SNAPSHOT_ID

            - |
               # Notify successful backup
               shipctl notify rc_slack --recipient="#$CONTEXT" --text="$CONTEXT DB backup created with name $NAME and snapshot ID $SNAPSHOT_ID"
            - |
               # Update job version info
               shipctl put_resource_state_multi $JOB_NAME "SNAPSHOT_ID=$SNAPSHOT_ID versionName=$NAME"

            - |
               # Delete expired backups
               TODAY=$(date +"%Y-%m-%d")
               BACKUP_EXPIRY_DATE=$(date --date=$TODAY"-$MAX_BACKUP_AGE" +"%Y-%m-%d")
               AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
               QUERY="Snapshots[?StartTime<\`$BACKUP_EXPIRY_DATE\`].{SnapshotId: SnapshotId}"
               FILTERS=Name=tag:"Name",Values="$CONTEXT-db-*"
               echo "Backup expiry date: $BACKUP_EXPIRY_DATE"
               echo "Query: $QUERY"
               echo "Filters: $FILTERS"
               aws ec2 describe-snapshots --region $AWS_REGION --owner-ids $AWS_ACCOUNT_ID --filters $FILTERS --query "$QUERY" | tee expired_snapshots.json
               NUM_EXPIRED_BACKUPS=$(jq '. | length' expired_snapshots.json)
               echo "$NUM_EXPIRED_BACKUPS expired backups found."
               if [ "$NUM_EXPIRED_BACKUPS" != "0" ]; then
                 jq -r .[].SnapshotId expired_snapshots.json | xargs -L 1 aws ec2 delete-snapshot --region $AWS_REGION --snapshot-id
               fi
    on_failure:
      script:
        - shipctl notify rc_slack --recipient="#$CONTEXT" --text="*FAILED TO COMPLETE BACKUP OF $CONTEXT DB*" --color="#ff0000"