Merge branch 'main' into update-docs

.github/workflows/full-si-deploy.yml

@@ -0,0 +1,270 @@
+name: Deploy Single Instance Oracle DB on Azure
+on:
+  workflow_dispatch: {}
+  push:
+    branches: [ main, features/* ]
+  pull_request:
+    branches: [ main ]
+
+#push, pull_request,
+env:
+  TF_LOG: "INFO"
+  AZ_LOCATION: "eastus" # can be parameterized
+  AZ_RG_BASENAME: "Oracle-test" # can be parameterized
+
+permissions:
+  id-token: write
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+  terraform:
+    name: '🔧 Terraform'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform/bootstrap/single_instance
+    steps:
+
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    # Install the preferred version of Terraform CLI 
+    - name: 📦 Setup Terraform Cli
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.6.0
+        terraform_wrapper: false # keep it false to be able to read the outputs values of terraform
+
+    #Check if the SSH key is empty
+    - name: 🔎 Validate SSH Key is not empty
+      run: |
+        if [ -z "${{ secrets.SSH_PRIVATE_KEY }}" ]
+        then
+          echo "SSH_PRIVATE_KEY is empty, you should add a SSH key to the repository secrets. Name of the secret should be SSH_PRIVATE_KEY"
+          exit 1
+        else
+          echo "SSH_PRIVATE_KEY is not empty"
+        fi
+    
+
+    - name: 🗒️ Create the SSH public key for VM
+      run: |
+        cat > temp_ssh_key <<EOF
+        ${{ secrets.SSH_PRIVATE_KEY }}
+        EOF
+        
+        chmod 400 temp_ssh_key
+        ssh-keygen -f temp_ssh_key -y > temp_ssh_key.pub
+
+        echo "SSH_KEY=$(cat temp_ssh_key.pub)" >> $GITHUB_ENV
+        echo "SSH_KEY=${{env.SSH_KEY}}"
+
+        echo "currentDate=$(date)" >> $GITHUB_ENV
+        echo "currentDate=${{env.currentDate}}"
+
+
+      # Generate random string for suffix
+    - name: 🔎 Generate Random String for Resource Group Name
+      id: resourcegroup-generator
+      run: echo ResourceGroupName=${{env.AZ_RG_BASENAME}}-$(date +%s) >> $GITHUB_ENV 
+    - run: echo ${{env.ResourceGroupName}}
+
+    - name: 🗒️ Create a tfvars file for terraform
+      run: |
+        cat > terraform.tfvars <<EOF
+        location = "${{env.AZ_LOCATION}}"
+        resourcegroup_name = "${{env.ResourceGroupName}}"
+        resourcegroup_tags = {
+          "environment" = "dev"
+          "project"     = "oracle"
+          "created"     = "${{env.currentDate}}"
+          "GITHUB_ACTOR" = "${{ github.actor }}"
+          "GITHUB_ACTION_REPOSITORY" = "${{ github.repository }}"
+          "GITHUB_ACTION_REF" = "${{ github.ref }}"
+          "GITHUB_RUN_ID" = "${{ github.run_id }}"
+          "GITHUB_WORKFLOW" = "${{ github.workflow }}"
+        }
+        is_resource_lock_enabled = false
+        #is_diagnostic_settings_enabled = true
+        #diagnostic_target              = "Log_Analytics_Workspace"
+        
+        ssh_key = "${{env.SSH_KEY}}"
+        EOF
+
+    #Login to Azure
+    - name: 🔑 Login via Azure CLI
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+
+      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+    - name: 📦 Terraform Init
+      id: init
+      env:
+        RESOURCE_GROUP: ${{ env.ResourceGroupName }}
+      run: terraform init
+
+
+      # Run a terraform validate
+    - name: 🔎 Terraform Validate
+      id: validate
+      if: github.ref != 'refs/heads/main'
+      continue-on-error: true
+      run: terraform validate -no-color
+
+
+      # Run a terraform plan for pull requests only and add a comment 
+    - name: 💻 Terraform Plan
+      id: plan
+      continue-on-error: true
+      run: terraform plan -no-color
+
+
+    - name: "Add a comment to pull requests with plan resutls"
+      id: comment
+      uses: actions/github-script@v6
+      if: (github.event_name == 'pull_request' || github.event_name == 'push')
+      env:
+        PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+            const output = `
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+            await github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: output
+            })
+            
+
+
+    - name: "◻️ Terraform Plan Status ⁉️"
+      if: steps.plan.outcome == 'failure'
+      run: exit 1
+
+          # On push to main, build or change infrastructure according to Terraform configuration files
+      # On push to main, build or change infrastructure according to Terraform configuration files
+    - name: 💻 Terraform Apply
+    #  if: github.ref == 'refs/heads/main' && github.event_name == 'push' # Remove when I am ready
+      run: terraform apply -auto-approve 
+
+    - name: 🔃 Terraform Refresh State
+      run: terraform  apply -refresh-only -auto-approve
+
+    - run: echo "vm_public_ip_address=$(terraform output vm_public_ip_address)" >> $GITHUB_ENV
+    - run: echo ${{env.vm_public_ip_address}}
+
+
+    outputs:
+      ResourceGroupName: ${{ env.ResourceGroupName }}
+      VM_Public_IP_Address: ${{ env.vm_public_ip_address }}
+
+##############################################################################################################################################
+#                                     SSH Keys and parameter preparation for Ansible                                                         #
+##############################################################################################################################################
+  ssh-keys:
+    needs: terraform
+    name: '🧮 Prepare and run Ansible Playbook'
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./ansible/bootstrap/single_instance
+    steps:
+      - name: 🛒 Checkout
+        uses: actions/checkout@v4
+
+      - name: 🔎 Check IP
+        run: echo "currentRunnerIP=$(curl https://api.ipify.org)" >> $GITHUB_ENV
+      - run: echo "currentRunnerIP=${{env.currentRunnerIP}}"
+      - run: echo "VM_Public_IP_Address=${{needs.terraform.outputs.VM_Public_IP_Address}}" >> $GITHUB_ENV
+      - run: echo "VM_Public_IP_Address=${{env.VM_Public_IP_Address}}"
+
+      - name: 'Install SSH Key'
+        uses: shimataro/ssh-key-action@v2
+        with: 
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          name: 'github_actions_id_rsa'
+          known_hosts: "sometin"
+
+      - run: ls /home/runner/.ssh
+      - run: cat /home/runner/.ssh/known_hosts
+
+      # Login to Azure CLI
+      - name: 🔑 Login via Azure CLI
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # Get Subscription ID
+      - name: 🔎 Get Subscription ID
+        id: subid
+        run: echo "SubscriptionID=$(az account show --query id -o tsv)" >> $GITHUB_ENV
+      - run: echo ${{env.SubscriptionID}} 
+
+      - name: ⌛ Calculate endTimeUTC for JIT request 
+        run: echo "endTimeUtc=$(date -d '+2 hour' '+%FT%T')" >> $GITHUB_ENV
+      - run: echo "endTimeUtc=${{env.endTimeUtc}}"
+      - run: echo "ResourceGroupName=${{needs.terraform.outputs.ResourceGroupName}}" >> $GITHUB_ENV
+      - run: echo "ResourceGroupName=${{env.ResourceGroupName}}"
+
+      - name: 🔑 Login via Az Module
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true 
+
+      - name: ✅ Enable JIT on VM
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            $JitPolicyVm1 = (@{id="/subscriptions/${{env.SubscriptionID}}/resourceGroups/${{env.ResourceGroupName}}/providers/Microsoft.Compute/virtualMachines/vm-0"; ports=(@{number=22;endTimeUtc="${{env.endTimeUtc}}";allowedSourceAddressPrefix=@("${{env.currentRunnerIP}}")})})
+
+            $JitPolicyArr=@($JitPolicyVm1)
+
+            Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/${{env.SubscriptionID}}/resourceGroups/${{env.ResourceGroupName}}/providers/Microsoft.Security/locations/${{env.AZ_LOCATION}}/jitNetworkAccessPolicies/JIT-SSH-Policy" -VirtualMachine $JitPolicyArr
+          azPSVersion: "latest"
+
+      - name: 🧮 Get Known Hosts parameter using ssh-keyscan
+        run: ssh-keyscan -T 300 -H ${{env.VM_Public_IP_Address}} >> /home/runner/.ssh/known_hosts
+
+      - run: ls /home/runner/.ssh
+      - run: cat /home/runner/.ssh/known_hosts
+
+      - name: 🗒️ Create the inventory file
+        run: |
+          cat > inventory <<EOF
+          [dbservers]
+          ${{env.VM_Public_IP_Address}} ansible_ssh_private_key_file=/home/runner/.ssh/github_actions_id_rsa ansible_user=oracle
+          EOF
+
+      - run: ls 
+      - run: cat inventory
+
+##############################################################################################################################################
+#                                    Ansible                                                                                                 #
+##############################################################################################################################################
+      - name: '🗒️💿🔧 Invoke ansible playbook 😴😴😴'
+        run: ansible-playbook playbook.yml -i inventory