ci: fix disaster recovery GH flow (#1994)

rubenruizdegauna · web-flow · commit 9de757e8bee0 · 2025-01-15T12:08:15.000+01:00
* ci: fix disaster recovery GH flow

* validate date is in the past

* aws session duration

* fix path in staging

* increase session duration
diff --git a/.github/workflows/recover_s3_repository.yml b/.github/workflows/recover_s3_repository.yml
@@ -3,12 +3,25 @@ name: . ⚠️⚠️⚠️ Recover S3 Repository back in time ⚠️⚠️⚠️
 on:
   workflow_dispatch:
     inputs:
-      date_time:
-        description: 'UTC DateTime to recover the S3 repository back in time (MM-DD-YYYY HH:MM:SS +0)'
+      #description: 'UTC DateTime to recover the S3 repository back in time (MM-DD-YYYY HH:MM:SS +0)'
+      date_year:
+        description: 'UTC Date YEAR (YYYY) to recover the S3 repository back in time'
+        type: string
+        required: true
+      date_month:
+        description: 'UTC Date MONTH (MM) to recover the S3 repository back in time'
+        type: string
+        required: true
+      date_day:
+        description: 'UTC Date DAY (DD) to recover the S3 repository back in time'
+        type: string
+        required: true
+      time:
+        description: 'UTC Time (HH:MM:SS) to recover the S3 repository back in time'
         type: string
         required: true
       path:
-        description: 'Path under infrastructure_agent folder to recover (w/o leading slash, with trailing slash)'
+        description: 'Path under infrastructure_agent folder to recover (w/o leading nor trailing slash)'
         type: string
         required: true
       environment:
@@ -29,31 +42,46 @@ env:
 jobs:
   recover-s3-repository:
     name: Execute S3 PIT restore
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Validate datetime
         run: |
-          datetime="${{ github.event.inputs.date_time }}"
+          echo "Validating that datetime is in correct format"
+          datetime="${{ github.event.inputs.date_month }}-${{ github.event.inputs.date_day }}-${{ github.event.inputs.date_year }} ${{ github.event.inputs.time }} +0000"
           # Use Python's strptome (same as s3-pit-restore) to check if it's a valid datetime
           python3 -c "from datetime import datetime; datetime.strptime('$datetime', '%m-%d-%Y %H:%M:%S %z')" 2> /dev/null
           exit_code=$?          
-          if [ $exit_code -ne 0 ]]; then
+          if [ $exit_code -ne 0 ]; then
             exit 1
           fi
+          echo "datetime format is correct"
+          echo ""
+          
+          echo "Validating that datetime is not in the future"
+          # check that datetime is not in the future
+          python3 -c "from datetime import datetime,timezone; import sys; sys.exit(1) if datetime.strptime('$datetime', '%m-%d-%Y %H:%M:%S %z') >= datetime.now(timezone.utc) else sys.exit(0)"
+          exit_code=$?          
+          if [ $exit_code -ne 0 ]; then
+            exit 1
+          fi
+          echo "datetime is not in the future"
+          
+          echo "DATE_TIME=$datetime" >> $GITHUB_ENV
 
       - name: Validate path input does not have leading nor trailing slash
         run: |
+          set -e
           s3_path="${{ github.event.inputs.path }}"
           # Check if the path has a leading slash
           if [[ "$s3_path" == /* ]]; then
             echo "Invalid path: should not have a leading slash."
-            return 1
+            exit 1
           fi
       
           # Check if the path has a trailing slash
           if [[ "$s3_path" == */ ]]; then
             echo "Invalid path: should not have a trailing slash."
-            return 1
+            exit 1
           fi
 
       - name: Checkout repository
@@ -63,43 +91,45 @@ jobs:
           ref: master
 
       - name: Setup AWS credentials for Production
-        if: ${{ env.ENVIRONMENT == 'production' }}
+        if: ${{ github.event.inputs.environment == 'production' }}
         run: |
           ./setup_aws_credentials.sh
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_PRODUCTION }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION }}
           AWS_ROLE_ARN: ${{ secrets.OHAI_AWS_ROLE_ARN_PRODUCTION }}
           AWS_ROLE_SESSION_NAME: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_PRODUCTION }}
+          AWS_SESSION_DURATION_SECONDS: 14400
           TEMP_AWS_PROFILE: ${{ env.TEMP_AWS_PROFILE }}
 
       - name: Run S3 PIT restore
-        if: ${{ env.ENVIRONMENT == 'production' }}
+        if: ${{ github.event.inputs.environment == 'production' }}
         run: |
           BUCKET="nr-downloads-main" \
           PREFIX="${{ env.MANDATORY_PREFIX }}${{ github.event.inputs.path }}" \
-          TIME="${{ github.event.inputs.date_time }}" \
+          TIME="${{ env.DATE_TIME }}" \
           IMAGE="${{ env.IMAGE }}" \
           AWS_PROFILE="${{ env.TEMP_AWS_PROFILE }}" \
           make restore
 
       - name: Setup AWS credentials for Staging
-        if: ${{ env.ENVIRONMENT == 'staging' }}
+        if: ${{ github.event.inputs.environment == 'staging' }}
         run: |
           ./setup_aws_credentials.sh
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }}
           AWS_ROLE_ARN: ${{ secrets.OHAI_AWS_ROLE_ARN_STAGING }}
           AWS_ROLE_SESSION_NAME: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_STAGING }}
+          AWS_SESSION_DURATION_SECONDS: 14400
           TEMP_AWS_PROFILE: ${{ env.TEMP_AWS_PROFILE }}
 
       - name: Run S3 PIT restore in Staging S3
-        if: ${{ env.ENVIRONMENT == 'staging' }}
+        if: ${{ github.event.inputs.environment == 'staging' }}
         run: |
           BUCKET="nr-downloads-ohai-staging" \
-          PREFIX="${{ env.MANDATORY_PREFIX }}${{ env.S3_PATH }}" \
-          TIME="${{ env.DATETIME }}" \
+          PREFIX="${{ env.MANDATORY_PREFIX }}${{ github.event.inputs.path }}" \
+          TIME="${{ env.DATE_TIME }}" \
           IMAGE="${{ env.IMAGE }}" \
           AWS_PROFILE="${{ env.TEMP_AWS_PROFILE }}" \
           make restore
diff --git a/.github/workflows/repository_latest_added_files.yml b/.github/workflows/repository_latest_added_files.yml
@@ -8,8 +8,20 @@ on:
         type: string
         default: '500'
         required: true
-      date_time:
-        description: 'UTC Date and time to show files added before and after (YYYY-MM-DD HH:MM:SS)'
+      date_year:
+        description: 'UTC Date YEAR (YYYY) to recover the S3 repository back in time'
+        type: string
+        required: true
+      date_month:
+        description: 'UTC Date MONTH (MM) to recover the S3 repository back in time'
+        type: string
+        required: true
+      date_day:
+        description: 'UTC Date DAY (DD) to recover the S3 repository back in time'
+        type: string
+        required: true
+      time:
+        description: 'UTC Time (HH:MM:SS) to recover the S3 repository back in time'
         type: string
         required: true
       environment:
@@ -24,11 +36,12 @@ on:
 jobs:
   list-files:
     name: List files added before and after datetime
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Validate datetime
         run: |
-          datetime="${{ github.event.inputs.date_time }}"
+          set -e
+          datetime="${{ github.event.inputs.date_year }}-${{ github.event.inputs.date_month }}-${{ github.event.inputs.date_day }} ${{ github.event.inputs.time }}"
           # Regular expression to match the format YYYY-MM-DD HH:MM:SS
           regex="^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$"
       
@@ -38,11 +51,12 @@ jobs:
           else
             exit 1
           fi
+          echo "DATE_TIME=$datetime" >> $GITHUB_ENV
 
       - name: List files created before and after datetime in Production S3
         if: ${{ github.event.inputs.environment == 'production' }}
         run: |
-          TZ="UTC" aws s3 ls s3://nr-downloads-main/infrastructure_agent/ --recursive | sort | grep --color  -m 1 -C {{ github.event.inputs.count }} "^${{ github.event.inputs.date_time }}"
+          TZ="UTC" aws s3 ls s3://nr-downloads-main/infrastructure_agent/ --recursive | sort | grep --color  -m 1 -C ${{ github.event.inputs.count }} "^${{ env.DATE_TIME }}"
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_PRODUCTION }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION }}
@@ -52,7 +66,7 @@ jobs:
       - name: List files created before and after datetime in Staging S3
         if: ${{ github.event.inputs.environment == 'staging' }}
         run: |
-          TZ="UTC" aws s3 ls s3://nr-downloads-ohai-staging/infrastructure_agent/ --recursive | sort | grep --color  -m 1 -C {{ github.event.inputs.count }} "^${{ github.event.inputs.date_time }}"
+          TZ="UTC" aws s3 ls s3://nr-downloads-ohai-staging/infrastructure_agent/ --recursive | sort | grep --color  -m 1 -C ${{ github.event.inputs.count }} "^${{ env.DATE_TIME }}"
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }}
diff --git a/.github/workflows/repository_latest_added_packages.yml b/.github/workflows/repository_latest_added_packages.yml
@@ -21,7 +21,7 @@ on:
 jobs:
   list-packages:
     name: List latest added packages into the S3 repository
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - name: List latest packages in Production S3
         if: ${{ github.event.inputs.environment == 'production' }}
