Improve data replication deployment

bogsi17 · bogsi17 · commit cbe07af37394 · 2025-07-07T14:50:18.000+01:00
* Add the options to deploy just the db snapshot or just the webapp
* Taint the DB cluster to force recreation if necessary
* Simplify workflow by removing Destroy option that was never used anyway and by doing the db recreation in a single step
diff --git a/.github/workflows/data-replication-pipeline.yml b/.github/workflows/data-replication-pipeline.yml
@@ -1,5 +1,5 @@
 name: Data replication pipeline
-run-name: ${{ inputs.action }} data replication resources for ${{ inputs.environment }}
+run-name: Deploy ${{ inputs.deployment_type }} data replication resources for ${{ inputs.environment }}
 
 on:
   workflow_dispatch:
@@ -15,18 +15,18 @@ on:
           - qa
           - sandbox-alpha
           - sandbox-beta
+      deployment_type:
+        description: Service to deploy
+        required: true
+        type: choice
+        options:
+          - Full deployment
+          - DB snapshot only
+          - Webapp only
       image_tag:
         description: Docker image tag to deploy
         required: false
         type: string
-      action:
-        description: Action to perform on data replication env
-        required: true
-        type: choice
-        options:
-          - Destroy
-          - Recreate
-        default: Recreate
       db_snapshot_arn:
         description: ARN of the DB snapshot to use (optional)
         required: false
@@ -41,6 +41,8 @@ env:
   aws_role: ${{ inputs.environment == 'production'
     && 'arn:aws:iam::820242920762:role/GithubDeployDataReplicationInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployDataReplicationInfrastructure' }}
+  recreate_db: ${{ inputs.deployment_type == 'Full deployment' || inputs.deployment_type == 'DB snapshot only' }}
+  recreate_webapp: ${{ inputs.deployment_type == 'Full deployment' || inputs.deployment_type == 'Webapp only' }}
 
 defaults:
   run:
@@ -50,8 +52,8 @@ concurrency:
   group: deploy-data-replica-${{ inputs.environment }}
 
 jobs:
-  prepare:
-    if: ${{ inputs.action == 'Recreate' }}
+  prepare-db-replica:
+    if: env.recreate_db == 'true'
     name: Prepare data replica
     runs-on: ubuntu-latest
     permissions:
@@ -95,25 +97,13 @@ jobs:
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           DB_SECRET_ARN=$(terraform output --raw db_secret_arn)
           echo "DB_SECRET_ARN=$DB_SECRET_ARN" >> $GITHUB_OUTPUT
-      - name: ECR login
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: Get docker image digest
-        id: get-docker-image-digest
-        run: |
-          set -e
-          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
-          docker pull "$DOCKER_IMAGE"
-          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
-          DIGEST="${DOCKER_DIGEST#*@}"
-          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
     outputs:
       SNAPSHOT_ARN: ${{ steps.get-latest-snapshot.outputs.SNAPSHOT_ARN }}
       DB_SECRET_ARN: ${{ steps.get-db-secret-arn.outputs.DB_SECRET_ARN }}
-      DOCKER_DIGEST: ${{ steps.get-docker-image-digest.outputs.DIGEST }}
 
-  plan-destroy:
-    name: Plan destruction job
+  prepare-webapp:
+    if: env.recreate_webapp == 'true'
+    name: Prepare webapp
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -125,64 +115,34 @@ jobs:
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
-      - name: Install terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.11.4
-      - name: Terraform Plan
-        run: |
-          set -e
-          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform plan -destroy -var-file="env/${{ inputs.environment }}.tfvars" -var="image_digest=filler_value" \
-          -var="db_secret_arn=filler_value" -var="imported_snapshot=filler_value" \
-          -out ${{ runner.temp }}/tfplan_destroy | tee ${{ runner.temp }}/tf_stdout
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: tfplan_destroy_infrastructure-${{ inputs.environment }}
-          path: ${{ runner.temp }}/tfplan_destroy
-
-  destroy:
-    name: Destroy data replication infrastructure
-    runs-on: ubuntu-latest
-    needs: plan-destroy
-    environment: ${{ inputs.environment }}
-    permissions:
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ env.aws_role }}
-          aws-region: eu-west-2
-      - name: Install terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.11.4
-      - name: Download artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: tfplan_destroy_infrastructure-${{ inputs.environment }}
-          path: ${{ runner.temp }}
-      - name: Terraform Destroy
-        id: destroy
+      - name: ECR login
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Get docker image digest
+        id: get-docker-image-digest
         run: |
           set -e
-          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform apply ${{ runner.temp }}/tfplan_destroy
+          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
+          docker pull "$DOCKER_IMAGE"
+          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
+          DIGEST="${DOCKER_DIGEST#*@}"
+          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+    outputs:
+      DOCKER_DIGEST: ${{ steps.get-docker-image-digest.outputs.DIGEST }}
 
   plan:
     name: Terraform plan
     runs-on: ubuntu-latest
     needs:
-      - prepare
-      - destroy
+      - prepare-db-replica
+      - prepare-webapp
+    if: ${{ !cancelled() &&
+          (needs.prepare-db-replica.result == 'success' || needs.prepare-db-replica.result == 'skipped') &&
+          (needs.prepare-webapp.result == 'success' || needs.prepare-webapp.result == 'skipped') }}
     env:
-      SNAPSHOT_ARN: ${{ needs.prepare.outputs.SNAPSHOT_ARN }}
-      DB_SECRET_ARN: ${{ needs.prepare.outputs.DB_SECRET_ARN }}
-      DOCKER_DIGEST: ${{ needs.prepare.outputs.DOCKER_DIGEST }}
+      SNAPSHOT_ARN: ${{ needs.prepare-db-replica.outputs.SNAPSHOT_ARN }}
+      DB_SECRET_ARN: ${{ needs.prepare-db-replica.outputs.DB_SECRET_ARN }}
+      DOCKER_DIGEST: ${{ needs.prepare-webapp.outputs.DOCKER_DIGEST }}
     permissions:
       id-token: write
     steps:
@@ -202,6 +162,10 @@ jobs:
         run: |
           set -e
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          if [ "${{ env.recreate_db }}" == "true" ]; then
+              echo "Tainting the database instance for recreation"
+              terraform taint aws_rds_cluster.cluster
+          fi
           terraform plan -var="image_digest=${{ env.DOCKER_DIGEST }}" -var="db_secret_arn=${{ env.DB_SECRET_ARN }}" \
           -var="imported_snapshot=${{ env.SNAPSHOT_ARN }}" -var-file="env/${{ inputs.environment }}.tfvars" \
           -var='allowed_egress_cidr_blocks=${{ inputs.egress_cidr }}' \
