Merge pull request #435 from NHSDigital/master

acarriedev · web-flow · commit 74faae02e5ee · 2023-04-19T16:36:18.000+01:00
APM-4219 Use latest file on build artifact
diff --git a/azure/cleanup-ecs-pr-proxies.yml b/azure/cleanup-ecs-pr-proxies.yml
@@ -4,7 +4,7 @@ trigger: none
 pr: none
 
 schedules:
-  - cron: "0 2 * * *"
+  - cron: "0 */4 * * *" # Every 4 hours
     displayName: Daily PR cleanup
     branches:
       include:
@@ -14,11 +14,16 @@ schedules:
 parameters:
   - name: retries
     type: object
+    displayName: Retries
     default:
       - "0"
       - "1"
       - "2"
       - "3"
+  - name: retain_hours
+    displayName: Retain hours
+    type: string
+    default: "72"
 
 jobs:
   - job: build
@@ -47,6 +52,13 @@ jobs:
       - bash: |
           tfenv use 0.14.6
         displayName: setup terraform
+      
+      - task: s3-cache-action@1
+        inputs:
+          key: poetry | utils | poetry.lock
+          location: ".venv"
+          debug: true
+        displayName: cache utils pre-requisites 
 
       - bash: |
           make install
@@ -56,10 +68,11 @@ jobs:
         - template: ./components/cleanup-ecs-pr-proxies-job.yml
           parameters:
             retry: '${{ retry }}'
+            retain_hours: '${{ parameters.retain_hours }}'
 
       - bash: |
           echo "AWS role session has timed out after multiple retries"
           exit -1
         displayName: Trigger failure if role has timed out
-        condition: eq(variables['has_aws_role_timedout'], 'true')
+        condition: eq(variables['should_retry'], 'true')
 
diff --git a/azure/components/cleanup-ecs-pr-proxies-job.yml b/azure/components/cleanup-ecs-pr-proxies-job.yml
@@ -1,30 +1,31 @@
 parameters:
   - name: retry
     type: string
+  - name: retain_hours
+    type: string
 
 steps:
-      - template: ./aws-assume-role.yml
-        parameters:
-          role: "auto-ops"
-          profile: "apm_ptl"
+  - template: ./aws-assume-role.yml
+    parameters:
+      role: "auto-ops"
+      profile: "apm_ptl"
+
+  - bash: make remove-stale-locks
+    displayName: Remove stale locks
+
+  - bash: |
+      export retain_hours="${{ parameters.retain_hours }}"
+      ANSIBLE_FORCE_COLOR=yes make -C ansible remove-old-ecs-pr-deploys
+      ERROR_CODE=$?
+      echo ERROR_CODE - $ERROR_CODE
 
-      - bash: |
-          make remove-stale-locks
-          export retain_hours=72
-          ANSIBLE_FORCE_COLOR=yes make -C ansible remove-old-ecs-pr-deploys | tee /tmp/output.txt
-          ERROR_CODE=$?
-          ROLE_TIMEOUT_MSG="The AWS assume role session token is due to expire"
-          if grep -q "$ROLE_TIMEOUT_MSG" /tmp/output.txt ; then
-            echo "stderr for ansible has the error \"$ROLE_TIMEOUT_MSG\""
-            echo "Re-assuming role and re-running step"
-            echo "##vso[task.setvariable variable=has_aws_role_timedout;]true"
+      if [ $ERROR_CODE -ne 0 ] ; then 
+        echo "\n\nansible has unhandled error, re-trying"
+        echo "##vso[task.setvariable variable=should_retry;]true"
 
-          elif [ $ERROR_CODE -ne 0 ] ; then 
-            echo "\n\nansible has unhandled error, re-raising"
-            exit -1
-          else
-            echo "##vso[task.setvariable variable=has_aws_role_timedout;]false"
-          fi
+      else
+        echo "##vso[task.setvariable variable=should_retry;]false"
+      fi
 
-        displayName: "cleanup older pr deploys"
-        condition: or(eq( ${{ parameters.retry }}, '0'), eq(variables['has_aws_role_timedout'], 'true'))
+    displayName: cleanup older pr deploys
+    condition: or(eq( ${{ parameters.retry }}, '0'), eq(variables['should_retry'], 'true'))
diff --git a/azure/components/set-facts.yml b/azure/components/set-facts.yml
@@ -19,9 +19,9 @@ parameters:
 steps:
   - bash: |
       set -euo pipefail
-      echo "!!! If you get an error here, it is because '${{ parameters.service_name }}' is not the source alias name of the artifact"
+      echo "!!! Using ls -t will set the latest file for the artifact. If you get an error here, it is because '${{ parameters.service_name }}' is not the source alias name of the artifact"
       ls -R $(Pipeline.Workspace)
-      export SERVICE_ARTIFACT_NAME=`ls $(Pipeline.Workspace)/s/${{ parameters.service_name }}`
+      export SERVICE_ARTIFACT_NAME=`ls -t $(Pipeline.Workspace)/s/${{ parameters.service_name }}`
       echo "##vso[task.setvariable variable=SERVICE_ARTIFACT_NAME]$SERVICE_ARTIFACT_NAME"
       echo "Set Artifact Name of: $SERVICE_ARTIFACT_NAME"
     displayName: 'Set SERVICE_ARTIFACT_NAME'
diff --git a/scripts/terraform_force_unlock.py b/scripts/terraform_force_unlock.py
@@ -26,41 +26,70 @@
 
 
 @click.command()
-@click.option("--min-age-hr", type=int, default=8)
-@click.option("--key-prefix", type=str, default="nhsd-apm-management-ptl-terraform/env:/api-deployment:ptl:")
+@click.option("--min-age-hr", type=int, default=4)
+@click.option(
+    "--key-prefix",
+    type=str,
+    default="nhsd-apm-management-ptl-terraform/env:/api-deployment:ptl:",
+)
 @click.option("--table-name", type=str, default="terraform-state-lock")
 @click.option("--profile", type=str, default="apm_ptl")
 def main(min_age_hr, key_prefix, table_name, profile):
-
     accepted_envs = ["apm_ptl", "apm_prod"]
 
     if profile not in accepted_envs:
         raise ValueError("Profile must be apm_ptl or apm_prod")
 
-    terraform_lock_table = boto3.Session(profile_name=profile).resource("dynamodb").Table(table_name)
+    terraform_lock_table = (
+        boto3.Session(profile_name=profile).resource("dynamodb").Table(table_name)
+    )
 
     filter_expr = "begins_with(#n0, :v0) AND attribute_exists(#n1)"
 
     ExpressionAttributeNames = {"#n0": "LockID", "#n1": "Info"}
     ExpressionAttributeValues = {
         ":v0": key_prefix,
     }
-    items = terraform_lock_table.scan(FilterExpression=filter_expr, ExpressionAttributeNames=ExpressionAttributeNames, ExpressionAttributeValues=ExpressionAttributeValues)
-    print(f"Found {len(items['Items'])} locks which start with key prefix '{key_prefix}'")
+    items = terraform_lock_table.scan(
+        FilterExpression=filter_expr,
+        ExpressionAttributeNames=ExpressionAttributeNames,
+        ExpressionAttributeValues=ExpressionAttributeValues,
+    )
+
+    total_items = items["Items"]
+
+    while "LastEvaluatedKey" in items:
+        items = terraform_lock_table.scan(
+            FilterExpression=filter_expr,
+            ExpressionAttributeNames=ExpressionAttributeNames,
+            ExpressionAttributeValues=ExpressionAttributeValues,
+            ExclusiveStartKey=items["LastEvaluatedKey"],
+        )
+        total_items.extend(items["Items"])
+
+    print(
+        f"Found {len(items['Items'])} locks which start with key prefix '{key_prefix}'"
+    )
 
     removed_count = 0
-    for lock_item in items["Items"]:
+    for lock_item in total_items:
         lock_item_info = json.loads(lock_item["Info"])
         lock_id = lock_item["LockID"]
         created_at = dateutil.parser.parse(lock_item_info["Created"])
 
-        if datetime.datetime.now(datetime.timezone.utc) - created_at > datetime.timedelta(hours=min_age_hr):
-            print(f"{lock_id} {created_at=} is more than {min_age_hr} hours old, deleting lock...")
+        if datetime.datetime.now(
+            datetime.timezone.utc
+        ) - created_at > datetime.timedelta(hours=min_age_hr):
+            print(
+                f"{lock_id} {created_at=} is more than {min_age_hr} hours old, deleting lock..."
+            )
             terraform_lock_table.delete_item(Key={"LockID": lock_id})
             removed_count += 1
 
         else:
-            print(f"{lock_id} {created_at=} is not more than {min_age_hr} hours old, leaving it alone!")
+            print(
+                f"{lock_id} {created_at=} is not more than {min_age_hr} hours old, leaving it alone!"
+            )
 
     print(f"Removed {removed_count} locks")
 
