my-stamps.ru: migrate away from DigitalOcean

[php-coder]

Reasons to change the hosting:

• I can't pay for it anymore as my card isn't accepted
• The price got higher ($7.2/mo) and there should be a cheaper alternative

Requirements:

• it should be possible to create VMs with Terraform
• consider using Selectel (see https://docs.selectel.ru/en/terraform/quickstart/)

Plan:

• automate the current provisioning with Terraform
  • install tfenv to fix tfenv: command not found
  • show versions of tfenv and terraform
    • fix cat: /home/runner/work/mystamps/mystamps/tfenv/version: No such file or directory. Version could not be resolved (set by /home/runner/work/mystamps/mystamps/tfenv/version or tfenv use <version>) (execute tfenv use after installation)
  • execute terraform init
  • execute terraform plan
    • fix Error: No configuration files
    • pass -detailed-exitcode option
    • import existing resources
      • commit encrypted terraform.tfstate file in generated-terraform branch
      • pass a token as -var option or as env variable TF_VAR_<name> commit encrypted terraform.tfvars file (with do_token)
      • checkout generated-terraform branch to the nested folder
      • decrypt terraform.tfvars file (+ always clean it up)
      • decrypt terraform.tfstate file (+ always clean it up)
      • pass -state=terraform.tfstate option and -var-file=terraform.tfvars
      • update docs to use files from a new branch (decrypt, remove terraform.tfvars.example file and update .gitignore)
  • decide whether to execute terraform apply or not (and how to deal with terraform's plan and possibly modified state file)
    • consider using input variables for plan/apply
      • https://github.blog/changelog/2021-11-10-github-actions-input-types-for-manual-workflows/
      • https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputs
  • mark a variable as sensitive (https://www.digitalocean.com/community/tutorials/how-to-protect-sensitive-data-in-terraform) (requires terraform >= 0.14; see Update Terraform to 0.15.x #1613)
• automate the current provisioning with Ansible
  • Publish playbook for production #1125
  • Use ansible-vault for sensitive data #435
  • Ansible: automate prod server installation #267
  • run a playbook in --syntax-check mode
    • commit infra/vagrant/provisioning/prod.inventory
      • correct links
    • commit infra/vagrant/provisioning/vars/prod.yml
    • fix ansible-playbook: ERROR! the role 'php-coder.oraclejdk' was not found
    • fix ansible-galaxy: ERROR! Expecting requirements file to be a dict with the key 'collections' that contains a list of collections to install
  • run a playbook in --check mode (resolution: as we can't fully rely on check mode (because shell and command are always get executed), let's not use it)
  • run a real playbook
    • fix Failed to connect to the host via ssh: Host key verification failed (disable host key checking)
    • fix Failed to connect to the host via ssh: no such identity: /Users/coder/.ssh/mystamps_rsa: No such file or directory (commit mystamps_rsa)
    • fix Could not find or access '../../../target/mystamps.war (need to build WAR file)
• provision with Terraform to a new server
• provision with Ansible to a new server
• add caching for tfenv/terraform/ansible/ansible roles
• consider running ansible with --diff option (and set diff: no to the tasks with sensitive information) (resolution: we decided to not use check mode, so this option isn't needed either)
• merge together 2 prod inventories (one for deploy and one for everything else) (Use mystamps-app Ansible role for deployment #431)
• choose a way to run ansible: fully from a pipeline or from within a script (like deploy.sh). The latter has a benefit that it can be run locally, as well (easier to debug)

See also similar issue for the past migration: #399