DEVOPS-1743 Web Vault Migration workflow improvements (#7966)

* DEVOPS-1743 REFACTOR: Azure Storage Account sync process

* DEVOPS-1743 REFACTOR: deploy-web.yml to include branch or tag information on run

* DEVOPS-1743 REFACTOR: Slack channel for devops alerts

* DEVOPS-1743 DEBUG: display index.html content

* DEVOPS-1743 REFACTOR: Azure storage blob sync command in deploy-web.yml

* DEVOPS-1743 Update Azure Storage Account connection string retrieval

* DEVOPS-1743 DEBUG: azcopy version check before syncing to Azure Storage Account

* DEVOPS-1743 REFACTOR: azcopy command in deploy-web.yml

* DEVOPS-1743 REFACTOR: add recursive flag to azcopy command

* DEVOPS-1743 REFACTOR: azcopy command in deploy-web.yml

* DEVOPS-1743 FIX: azcopy sync command in deploy-web.yml

* DEVOPS-1743 FIX: URL formatting in deploy-web.yml

* DEVOPS-1743 ADD: azcopy login command to deploy-web.yml

* DEVOPS-1743 ADD: AZCOPY_AUTO_LOGIN_TYPE to AZCLI

* DEVOPS-1743 REFACTOR: azcopy sync command to include date parameter

* DEVOPS-1743 REFACTOR: deploy-web.yml script to fix sync command

* DEVOPS-1743 ADD: Azure Storage Account sync with debug logging

* DEVOPS-1743 Add debug logs for azcopy

* DEVOPS-1743 ADD: sync-utility parameters to use either az sync or azcopy in subsequent steps in deploy-web.yml

* DEVOPS-1743 FIX: conditional statements in deploy-web.yml

* DEVOPS-1743 ADD: debug logs for azcopy utility

* DEVOPS-1743 REFACTOR: sync utility to az-sync

* DEVOPS-1743 REFACTOR: azcopy logs and sync utility

* DEVOPS-1743 REFACTOR: sync-utility option to deploy-web workflow

* DEVOPS-1743 REFACTOR: AZCOPY_AUTO_LOGIN_TYPE to SPN

* DEVOPS-1743 ADD: azcopy login status command

* DEVOPS-1743 ADD: AZCOPY environment variables for SPA authentication

* DEVOPS-1743 REFACTOR: AZCOPY_SPA_APPLICATION_ID and AZCOPY_TENANT_ID environment variables

* DEVOPS-1743 FIX: azcopy sync destination URL

* DEVOPS-1743 Update AZCOPY environment variables

* DEVOPS-1743 REFACTOR: deploy-web.yml with AZCOPY environment variables

* DEVOPS-1743 FIX: sync command in deploy-web.yml

* DEVOPS-1743 ADD: retrieval of Storage Account SPN Client Secret for azcopy

* DEVOPS-1743 ADD: retrieval of Storage Account SPN Application ID and Tenant ID for azcopy

* DEVOPS-1743 REFACTOR: sync-utility to azcopy in deploy-web.yml

* DEVOPS-1743 REFACTOR: secrets retrieval IDs in deploy-web.yml

* DEVOPS-1743 DELETE: unnecessary commands in deploy-web.yml

* DEVOPS-1743 REFACTOR: secrets retrieval in deploy-web.yml

* DEVOPS-1743 ADD: debug mode to deploy-web workflow

* DEVOPS-1743 REFACTOR: deploy-web.yml to remove unnecessary conditional checks
Alex Urbina 2024-02-27 13:48:36 -06:00 committed by GitHub
parent d3c222dc23
commit e833e93b3b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 48 additions and 16 deletions


@ -1,6 +1,6 @@
---
name: Deploy Web Vault
run-name: Deploy Web Vault to ${{ inputs.environment }}
run-name: Deploy Web Vault to ${{ inputs.environment }} from ${{ inputs.branch-or-tag }}
on:
workflow_dispatch:
@ -19,6 +19,10 @@ on:
description: "Branch or Tag name to deploy (examples: 'main', 'feature/sm', 'web-v2023.12.0')"
type: string
default: main
debug:
description: "Debug mode"
type: boolean
default: false
workflow_call:
inputs:
@ -30,6 +34,10 @@ on:
description: "Branch or Tag name to deploy (examples: 'main', 'feature/sm', 'web-v2023.12.0')"
type: string
default: main
debug:
description: "Debug mode"
type: boolean
default: false
permissions:
deployments: write
@ -45,6 +53,7 @@ jobs:
environment-artifact: ${{ steps.config.outputs.environment-artifact }}
azure-login-creds: ${{ steps.config.outputs.azure-login-creds }}
retrieve-secrets-keyvault: ${{ steps.config.outputs.retrieve-secrets-keyvault }}
sync-utility: ${{ steps.config.outputs.sync-utility }}
steps:
- name: Configure
id: config
@ -89,6 +98,8 @@ jobs:
echo "environment-url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT
;;
esac
# Set the sync utility to use for deployment to the environment (az-sync or azcopy)
echo "sync-utility=azcopy" >> $GITHUB_OUTPUT
approval:
name: Approval for Deployment to ${{ needs.setup.outputs.environment-name }}
@ -212,13 +223,22 @@ jobs:
with:
creds: ${{ secrets[needs.setup.outputs.azure-login-creds] }}
- name: Retrieve Storage Account connection string
id: retrieve-secrets
- name: Retrieve Storage Account connection string for az sync
if: ${{ needs.setup.outputs.sync-utility == 'az-sync' }}
id: retrieve-secrets-az-sync
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }}
secrets: "sa-bitwarden-web-vault-dev-key-temp"
- name: Retrieve Storage Account name and SPN credentials for azcopy
if: ${{ needs.setup.outputs.sync-utility == 'azcopy' }}
id: retrieve-secrets-azcopy
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }}
secrets: "sa-bitwarden-web-vault-name,sp-bitwarden-web-vault-password,sp-bitwarden-web-vault-appid,sp-bitwarden-web-vault-tenant"
- name: 'Download cloud asset from branch/tag: ${{ inputs.branch-or-tag }}'
uses: bitwarden/gh-actions/download-artifacts@main
with:
@ -232,22 +252,34 @@ jobs:
working-directory: apps/web
run: unzip ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Empty container in Storage Account
run: |
az storage blob delete-batch \
--source '$web' \
--pattern '*' \
--connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}"
- name: Deploy to Azure Storage Account
- name: Sync to Azure Storage Account using az storage blob sync
if: ${{ needs.setup.outputs.sync-utility == 'az-sync' }}
working-directory: apps/web
run: |
az storage blob upload-batch \
az storage blob sync \
--source "./build" \
--destination '$web' \
--connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}" \
--overwrite \
--no-progress
--container '$web' \
--connection-string "${{ steps.retrieve-secrets-az-sync.outputs.sa-bitwarden-web-vault-dev-key-temp }}"
- name: Sync to Azure Storage Account using azcopy
if: ${{ needs.setup.outputs.sync-utility == 'azcopy' }}
working-directory: apps/web
env:
AZCOPY_AUTO_LOGIN_TYPE: SPN
AZCOPY_SPA_APPLICATION_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-appid }}
AZCOPY_SPA_CLIENT_SECRET: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-password }}
AZCOPY_TENANT_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-tenant }}
run: |
azcopy sync ./build 'https://${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}.blob.core.windows.net/$web/' \
--delete-destination=true
- name: Debug sync logs
if: ${{ inputs.debug }}
run: cat /home/runner/.azcopy/*.log
- name: Debug index.html
if: ${{ inputs.debug }}
run: cat apps/web/build/index.html
- name: Update deployment status to Success
if: success()
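Review bot: The `Debug sync logs` step is gated only on `inputs.debug`, so on the `az-sync` path, where azcopy never runs, `cat /home/runner/.azcopy/*.log` would presumably find no files and fail the job after the sync has already completed; `if: ${{ inputs.debug && needs.setup.outputs.sync-utility == 'azcopy' }}` ties it to the step that produces those logs. Whatever azcopy writes there, including the destination URL built from the Key Vault-held storage account name, is copied into the run log, so it is worth confirming that azcopy's log level and GitHub's secret masking cover everything in those files before debug is enabled on a deploy. In the `az-sync` step the connection string is still expanded into the script text with `${{ }}`; passing it as `env: AZURE_STORAGE_CONNECTION_STRING` (which the az CLI reads) and dropping `--connection-string` would match how the azcopy step hands over its SPN credentials through `env:`. The job's step list starts and continues outside the hunks shown here.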