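---
# Manually-triggered teardown of one devnet. The devnet name is checked
# against a strict allow-list pattern before any credential is touched, and
# runs are serialised per devnet through the concurrency group so a destroy
# never overlaps another job on the same network.
name: Destroy Devnet

on:
  workflow_dispatch:
    inputs:
      devnet_name:
        description: "Devnet name (without 'devnet-' prefix, e.g. 'mytest' destroys 'devnet-mytest')"
        required: true
        type: string
      destroy_target:
        description: "What to destroy"
        required: true
        type: choice
        default: "all"
        options:
          - all
          - platform
          - network

# Least privilege for GITHUB_TOKEN: actions/checkout only needs read access,
# and the configs-repo push below authenticates with a deploy key, not the
# token. Without this block the token gets the repository default scopes.
permissions:
  contents: read

jobs:
  destroy:
    name: Destroy Devnet
    runs-on: ubuntu-22.04
    timeout-minutes: 60
    concurrency:
      group: "devnet-${{ github.event.inputs.devnet_name }}"
      cancel-in-progress: false  # never interrupt a destroy half-way through
    env:
      NETWORK_NAME: "devnet-${{ github.event.inputs.devnet_name }}"
      # presumably read by ./bin/destroy to refuse non-devnet targets — confirm
      DEVNET_ONLY_GUARD: "true"
      DESTROY_TARGET: ${{ github.event.inputs.destroy_target }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.AWS_REGION }}
      TERRAFORM_S3_BUCKET: ${{ secrets.TERRAFORM_S3_BUCKET }}
      TERRAFORM_S3_KEY: ${{ secrets.TERRAFORM_S3_KEY }}
      TERRAFORM_DYNAMODB_TABLE: ${{ secrets.TERRAFORM_DYNAMODB_TABLE }}
      # Devnet nodes are ephemeral, so host keys are not pinned for them.
      ANSIBLE_HOST_KEY_CHECKING: "false"
    steps:
      # Fail fast on anything that is not a plain devnet label; every later
      # step interpolates $NETWORK_NAME into paths and commands.
      - name: Validate devnet name
        env:
          NAME: ${{ github.event.inputs.devnet_name }}
        run: |
          if [[ -z "$NAME" ]]; then
            echo "Error: devnet_name is required"
            exit 1
          fi
          if [[ "$NAME" =~ ^devnet- ]]; then
            echo "Error: Do not include 'devnet-' prefix. Just provide the name (e.g. 'mytest')"
            exit 1
          fi
          if [[ ! "$NAME" =~ ^[a-z0-9][a-z0-9-]*$ ]]; then
            echo "Error: devnet_name must be lowercase alphanumeric with optional hyphens"
            exit 1
          fi
          if [[ "$NAME" == "testnet" || "$NAME" == "mainnet" || "$NAME" == mainnet-* ]]; then
            echo "Error: reserved network names are not allowed in this workflow"
            exit 1
          fi
          if [[ ! "devnet-$NAME" =~ ^devnet-[a-z0-9][a-z0-9-]*$ ]]; then
            echo "Error: resulting network name is not a valid devnet name"
            exit 1
          fi
          echo "Will destroy: devnet-$NAME (target: $DESTROY_TARGET)"

      - name: Checkout dash-network-deploy
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Node.js dependencies
        run: npm ci

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.12.1"
          terraform_wrapper: false

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y python3-pip python3-netaddr sshpass jq

      - name: Install Ansible
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install ansible-core==2.16.3 jmespath

      - name: Install Ansible roles
        run: |
          ansible-galaxy install -r ansible/requirements.yml
          mkdir -p ~/.ansible/roles
          cp -r ansible/roles/* ~/.ansible/roles/

      # Materialise the SSH material from secrets. github.com gets its host
      # keys pinned from GitHub's TLS-authenticated metadata endpoint so the
      # configs-repo clone/push is not open to substitution; devnet nodes keep
      # host checking disabled because they are freshly provisioned.
      - name: Set up SSH keys
        env:
          DEPLOY_SERVER_KEY: ${{ secrets.DEPLOY_SERVER_KEY }}
          EVO_APP_DEPLOY_KEY: ${{ secrets.EVO_APP_DEPLOY_KEY }}
          EVO_APP_DEPLOY_WRITE_KEY: ${{ secrets.EVO_APP_DEPLOY_WRITE_KEY }}
          GITHUB_TOKEN: ${{ github.token }}  # only used to avoid API rate limits
        run: |
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # Server SSH key for connecting to nodes
          printf '%s\n' "$DEPLOY_SERVER_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          # Derive public key from private key
          ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
          chmod 644 ~/.ssh/id_rsa.pub
          # GitHub deploy key for cloning configs repo
          printf '%s\n' "$EVO_APP_DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # Optional write key for pushing to configs repo
          if [[ -n "$EVO_APP_DEPLOY_WRITE_KEY" ]]; then
            printf '%s\n' "$EVO_APP_DEPLOY_WRITE_KEY" > ~/.ssh/id_ed25519_write
            chmod 600 ~/.ssh/id_ed25519_write
          fi
          # Pin github.com host keys (published at /meta) instead of trusting
          # whatever answers on first connect.
          curl -fsSL -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/meta \
            | jq -r '.ssh_keys[] | "github.com \(.)"' >> ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          # SSH config: strict for github.com, relaxed for the ephemeral nodes
          cat > ~/.ssh/config << 'EOL'
          Host github.com
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          Host *
            IdentityFile ~/.ssh/id_rsa
            User ubuntu
            StrictHostKeyChecking no
            UserKnownHostsFile /dev/null
          EOL
          chmod 600 ~/.ssh/config

      # Credentials land on disk for the deploy tooling; keep the file
      # owner-only readable.
      - name: Create networks/.env
        run: |
          umask 077
          mkdir -p networks
          cat > networks/.env << EOF
          PRIVATE_KEY_PATH=$HOME/.ssh/id_rsa
          PUBLIC_KEY_PATH=$HOME/.ssh/id_rsa.pub
          AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
          AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
          AWS_REGION=$AWS_REGION
          TERRAFORM_S3_BUCKET=$TERRAFORM_S3_BUCKET
          TERRAFORM_S3_KEY=$TERRAFORM_S3_KEY
          TERRAFORM_DYNAMODB_TABLE=$TERRAFORM_DYNAMODB_TABLE
          EOF

      # Pull only this devnet's three config files; the clone goes through
      # the pinned github.com stanza above.
      - name: Clone network configs
        run: |
          rm -rf networks/.git
          git clone git@github.com:dashpay/dash-network-configs.git /tmp/dash-network-configs
          # Copy config files for this devnet
          cp "/tmp/dash-network-configs/$NETWORK_NAME.yml" networks/ 2>/dev/null || true
          cp "/tmp/dash-network-configs/$NETWORK_NAME.tfvars" networks/ 2>/dev/null || true
          cp "/tmp/dash-network-configs/$NETWORK_NAME.inventory" networks/ 2>/dev/null || true

      - name: Validate config files exist
        run: |
          MISSING=()
          for ext in yml tfvars inventory; do
            if [[ ! -f "networks/$NETWORK_NAME.$ext" ]]; then
              MISSING+=("networks/$NETWORK_NAME.$ext")
            fi
          done
          if [[ ${#MISSING[@]} -gt 0 ]]; then
            echo "Error: Missing config file(s):"
            for f in "${MISSING[@]}"; do
              echo " - $f"
            done
            echo ""
            echo "Available configs in dash-network-configs:"
            ls /tmp/dash-network-configs/*.yml 2>/dev/null || echo " (none)"
            exit 1
          fi
          echo "Found all config files for $NETWORK_NAME"
          ls -la networks/"$NETWORK_NAME".*

      - name: Print destruction plan
        run: |
          echo "============================================"
          echo "WARNING: Destroying $NETWORK_NAME"
          echo "Target: $DESTROY_TARGET"
          echo "============================================"
          echo ""
          case "$DESTROY_TARGET" in
            all)
              echo "This will DESTROY ALL INFRASTRUCTURE (EC2 instances, VPCs, etc.)"
              echo "and remove configs from the dash-network-configs repo."
              ;;
            platform)
              echo "This will destroy platform services on HP masternodes."
              echo "Infrastructure will be kept."
              ;;
            network)
              echo "This will destroy all services and configs on nodes."
              echo "Infrastructure will be kept."
              ;;
          esac
          echo ""

      - name: Destroy devnet
        env:
          TF_IN_AUTOMATION: "true"
          TF_CLI_ARGS_destroy: "-auto-approve"  # no interactive prompt on a runner
        run: |
          chmod +x ./bin/destroy
          ./bin/destroy "$NETWORK_NAME" -t="$DESTROY_TARGET"

      # Best-effort: a failed push is reported as a warning, not a job failure,
      # because the infrastructure is already gone at this point.
      - name: Remove configs from dash-network-configs
        if: github.event.inputs.destroy_target == 'all'
        env:
          EVO_APP_DEPLOY_WRITE_KEY: ${{ secrets.EVO_APP_DEPLOY_WRITE_KEY }}
        run: |
          cd /tmp/dash-network-configs
          git config user.name "GitHub Actions"
          git config user.email "actions@github.com"
          # Remove config files for this devnet
          git rm "$NETWORK_NAME.yml" 2>/dev/null || true
          git rm "$NETWORK_NAME.tfvars" 2>/dev/null || true
          git rm "$NETWORK_NAME.inventory" 2>/dev/null || true
          git commit -m "Remove configs for $NETWORK_NAME (destroyed)" || echo "No changes to commit"
          # Use optional write key if configured; otherwise try default key.
          # Host key verification comes from the pinned github.com stanza.
          if [[ -n "$EVO_APP_DEPLOY_WRITE_KEY" && -f "$HOME/.ssh/id_ed25519_write" ]]; then
            GIT_SSH_COMMAND='ssh -i ~/.ssh/id_ed25519_write' git push || {
              echo "::warning::Failed to push config removal with EVO_APP_DEPLOY_WRITE_KEY"
              exit 0
            }
          else
            git push || {
              echo "::warning::Failed to push config removal (likely read-only EVO_APP_DEPLOY_KEY). Configure secret EVO_APP_DEPLOY_WRITE_KEY with write access."
              exit 0
            }
          fi
          echo "Configs removed from dash-network-configs repo"

      # Runs on failure too, so report the real job status rather than a
      # hard-coded "complete".
      - name: Print summary
        if: always()
        env:
          JOB_STATUS: ${{ job.status }}
        run: |
          echo "============================================"
          echo "Devnet: $NETWORK_NAME"
          echo "Target: $DESTROY_TARGET"
          echo "Status: $JOB_STATUS"
          echo "============================================"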