From e833e93b3b1d447aebb7042bb1db570adc0df983 Mon Sep 17 00:00:00 2001 
From: Alex Urbina <42731074+urbinaalex17@users.noreply.github.com> Date: Tue, 27 Feb 2024 13:48:36 -0600 Subject: [PATCH] DEVOPS-1743 Web Vault Migration workflow improvements (#7966) * DEVOPS-1743 REFACTOR: Azure Storage Account sync process * DEVOPS-1743 REFACTOR: deploy-web.yml to include branch or tag information on run * DEVOPS-1743 REFACTOR: Slack channel for devops alerts * DEVOPS-1743 DEBUG: display index.html content * DEVOPS-1743 REFACTOR: Azure storage blob sync command in deploy-web.yml * DEVOPS-1743 Update Azure Storage Account connection string retrieval * DEVOPS-1743 DEGUG: azcopy version check before syncing to Azure Storage Account * DEVOPS-1743 REFACTOR: azcopy command in deploy-web.yml * DEVOPS-1743 REFACTOR: add recursive flag to azcopy command * DEVOPS-1743 REFACTOR: azcopy command in deploy-web.yml * DEVOPS-1743 FIX: azcopy sync command in deploy-web.yml * DEVOPS-1743 FIX: URL formatting in deploy-web.yml * DEVOPS-1743 ADD: azcopy login command to deploy-web.yml * DEVOPS-1743 ADD: AZCOPY_AUTO_LOGIN_TYPE to AZCLI * DEVOPS-1743 REFACTOR: azcopy sync command to include date parameter * DEVOPS-1743 REFACTOR: deploy-web.yml script to fix sync command * DEVOPS-1743 ADD: Azure Storage Account sync with debug logging * DEVOPS-1743 Add debug logs for azcopy * DEVOPS-1743 ADD: sync-utility parameters to use either az sync or azcopy in subsequent steps in deploy-web.yml * DEVOPS-1743 FIX: conditional statements in deploy-web.yml * DEVOPS-1743 ADD: debug logs for azcopy utility * DEVOPS-1743 REFACTOR: sync utility to az-sync * DEVOPS-1743 REFACTOR: azcopy logs and sync utility * DEVOPS-1743 REFACTOR: sync-utility option to deploy-web workflow * DEVOPS-1743 REFACTOR: AZCOPY_AUTO_LOGIN_TYPE to SPN * DEVOPS-1743 ADD: azcopy login status command * DEVOPS-1743 ADD: AZCOPY environment variables for SPA authentication * DEVOPS-1743 REFACTOR: AZCOPY_SPA_APPLICATION_ID and AZCOPY_TENANT_ID environment variables * DEVOPS-1743 FIX: azcopy sync destination URL * 
DEVOPS-1743 Update AZCOPY environment variables * DEVOPS-1743 REFACTOR: deploy-web.yml with AZCOPY environment variables * DEVOPS-1743 FIX: sync command in deploy-web.yml * DEVOPS-1743 ADD: retrieval of Storage Account SPN Client Secret for azcopy * DEVOPS-1743 ADD: retrieval of Storage Account SPN Application ID and Tenant ID for azcopy * DEVOPS-1743 REFACTOR: sync-utility to azcopy in deploy-web.yml * DEVOPS-1743 REFACTOR: secrets retrieval IDs in deploy-web.yml * DEVOPS-1743 DELETE: unnecessary commands in deploy-web.yml * DEVOPS-1743 REFACTOR: secrets retrieval in deploy-web.yml * DEVOPS-1743 ADD: debug mode to deploy-web workflow * DEVOPS-1743 REFACTOR: deploy-web.yml to remove unnecessary conditional checks --- .github/workflows/deploy-web.yml | 64 ++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 16 deletions(-) diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml index 9809eba359..4bc0cc0a7b 100644 --- a/.github/workflows/deploy-web.yml +++ b/.github/workflows/deploy-web.yml @@ -1,6 +1,6 @@ --- name: Deploy Web Vault -run-name: Deploy Web Vault to ${{ inputs.environment }} +run-name: Deploy Web Vault to ${{ inputs.environment }} from ${{ inputs.branch-or-tag }} on: workflow_dispatch: @@ -19,6 +19,10 @@ on: description: "Branch or Tag name to deploy (examples: 'main', 'feature/sm', 'web-v2023.12.0')" type: string default: main + debug: + description: "Debug mode" + type: boolean + default: false workflow_call: inputs: @@ -30,6 +34,10 @@ on: description: "Branch or Tag name to deploy (examples: 'main', 'feature/sm', 'web-v2023.12.0')" type: string default: main + debug: + description: "Debug mode" + type: boolean + default: false permissions: deployments: write 
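Review bot: The new `debug` input under `workflow_dispatch` is described only as `description: "Debug mode"`, which does not tell the person dispatching the run what it exposes. Judging by the steps added at the end of this commit, it prints the azcopy log files and `apps/web/build/index.html` into the run log. A description such as `description: "Debug mode: print azcopy logs and built index.html to the job log"` makes that an informed choice. The identical `debug` block added under `workflow_call` in the next hunk needs the same wording.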
@@ -45,6 +53,7 @@ jobs: environment-artifact: ${{ steps.config.outputs.environment-artifact }} azure-login-creds: ${{ steps.config.outputs.azure-login-creds }} retrieve-secrets-keyvault: ${{ steps.config.outputs.retrieve-secrets-keyvault }} + sync-utility: ${{ steps.config.outputs.sync-utility }} steps: - name: Configure id: config @@ -89,6 +98,8 @@ jobs: echo "environment-url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT ;; esac + # Set the sync utility to use for deployment to the environment (az-sync or azcopy) + echo "sync-utility=azcopy" >> $GITHUB_OUTPUT approval: name: Approval for Deployment to ${{ needs.setup.outputs.environment-name }} @@ -212,13 +223,22 @@ jobs: with: creds: ${{ secrets[needs.setup.outputs.azure-login-creds] }} - - name: Retrieve Storage Account connection string - id: retrieve-secrets + - name: Retrieve Storage Account connection string for az sync + if: ${{ needs.setup.outputs.sync-utility == 'az-sync' }} + id: retrieve-secrets-az-sync uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }} secrets: "sa-bitwarden-web-vault-dev-key-temp" + - name: Retrieve Storage Account name and SPN credentials for azcopy + if: ${{ needs.setup.outputs.sync-utility == 'azcopy' }} + id: retrieve-secrets-azcopy + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }} + secrets: "sa-bitwarden-web-vault-name,sp-bitwarden-web-vault-password,sp-bitwarden-web-vault-appid,sp-bitwarden-web-vault-tenant" + - name: 'Download cloud asset from branch/tag: ${{ inputs.branch-or-tag }}' uses: bitwarden/gh-actions/download-artifacts@main with: 
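Review bot: `sync-utility` is written as the constant `azcopy` after the `esac`, so the steps this commit gates on `needs.setup.outputs.sync-utility == 'az-sync'` can never run unless this file is edited. The comment `(az-sync or azcopy)` reads as if the value were selectable at run time. If the fallback is only a manual switch, say so, e.g. `# Fixed to azcopy; edit to az-sync only to fall back to az storage blob sync`, and plan to remove the dormant connection-string path once azcopy is settled. The `Configure` step's script begins outside this hunk.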
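Review bot: The added `Retrieve Storage Account name and SPN credentials for azcopy` step runs `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable branch ref, in the very step that receives the service principal's client secret, application ID and tenant. Pinning it to a full commit, e.g. `uses: bitwarden/gh-actions/get-keyvault-secrets@<full-commit-sha> # main`, ensures a change on that branch cannot alter what handles those credentials without a reviewed bump here; the same applies to the `az-sync` retrieval step above it. That `az-sync` step also still requests `sa-bitwarden-web-vault-dev-key-temp` whatever environment is selected. The name suggests a temporary dev key, so confirm it is intended outside dev.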
@@ -232,22 +252,34 @@ jobs: working-directory: apps/web run: unzip ${{ env._ENVIRONMENT_ARTIFACT }} - - name: Empty container in Storage Account - run: | - az storage blob delete-batch \ - --source '$web' \ - --pattern '*' \ - --connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}" - - - name: Deploy to Azure Storage Account + - name: Sync to Azure Storage Account using az storage blob sync + if: ${{ needs.setup.outputs.sync-utility == 'az-sync' }} working-directory: apps/web run: | - az storage blob upload-batch \ + az storage blob sync \ --source "./build" \ - --destination '$web' \ - --connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}" \ - --overwrite \ - --no-progress + --container '$web' \ + --connection-string "${{ steps.retrieve-secrets-az-sync.outputs.sa-bitwarden-web-vault-dev-key-temp }}" + + - name: Sync to Azure Storage Account using azcopy + if: ${{ needs.setup.outputs.sync-utility == 'azcopy' }} + working-directory: apps/web + env: + AZCOPY_AUTO_LOGIN_TYPE: SPN + AZCOPY_SPA_APPLICATION_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-appid }} + AZCOPY_SPA_CLIENT_SECRET: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-password }} + AZCOPY_TENANT_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-tenant }} + run: | + azcopy sync ./build 'https://${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}.blob.core.windows.net/$web/' \ + --delete-destination=true + + - name: Debug sync logs + if: ${{ inputs.debug }} + run: cat /home/runner/.azcopy/*.log + + - name: Debug index.html + if: ${{ inputs.debug }} + run: cat apps/web/build/index.html - name: Update deployment status to Success if: success()
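Review bot: The `Debug sync logs` step is gated only on `inputs.debug`, so it carries the implicit `success()` check and is skipped exactly when `azcopy sync` fails. It also still runs on the `az-sync` path, where no `/home/runner/.azcopy/*.log` is expected to exist and `cat` would fail the deployment. A condition such as `if: ${{ always() && inputs.debug && needs.setup.outputs.sync-utility == 'azcopy' }}` covers both cases. The log is printed verbatim into the run log and presumably records the destination URL built from `sa-bitwarden-web-vault-name`; whether that value is masked depends on `get-keyvault-secrets`, which is not visible here, so confirm it before enabling debug where run logs are broadly readable. The same account name is expanded directly into the `run:` script; passing it through `env:` like the `AZCOPY_*` values would keep expression output out of the shell source.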