Transcript
basically everything has to pass before the code hits production. But your backups, well, those are still running on a schedule, completely disconnected from your deployments. But what if they didn't have to be? What if backups could be integrated into the pipeline, just like all the other processes? What if we could be sure we have a duplicate copy of our repo in the event that a merge fails, or better yet, block that actual merge if the backup fails, ensuring you always have the last line of defense? Well, that's exactly what we're going to build today with Rubrik. Hi, I'm Mike from Rubrik, and today we're building what I'm calling Backup as Code. We're going to create a GitHub action that triggers an on-demand Rubrik snapshot every time code is merged into the main branch of our GitHub repository. So any time that a pull request is approved or any time the main branch is updated, Rubrik will automatically take the backup of the repo as it was before, so we always have that last known good state. Now, if you want to see the full Rubrik solution for protecting GitHub beyond just what we're building today, check out the Rubrik Explorer demo. Link's down in the description. But for now, let's just get into it. So before we actually wire anything up, let's look at what the action actually does. Here's the repo that we're going to be working with, and I'm going to go ahead and we'll take a look at the action.yaml here. This is the contract. It really defines the inputs that the action expects, things like our RSC URI, our client ID and secret for authentication, the repository name, the SLA domain that we want to use for the backup, and then we have this wait flag, which simply controls whether the action's just going to trigger the backup and move on, or it's going to stick around and poll until it completes. 
Now, this is a composite action, so under runs, we can see here it's going to install Python, it's going to install the requests library, and it's going to call our backup script. So let's take a look at that actual script. Now, the flow here, pretty straightforward. First, we authenticate to Rubrik Security Cloud using our OAuth credentials. This is a standard token exchange, and then it's going to resolve the GitHub repository inside RSC. So it takes the repo name from the action input, looks up the ID via GraphQL endpoint, does the same thing for the SLA domain, and once we have both these IDs, it's going to go ahead and fire off the on-demand snapshot mutation. Now, again, we can see if wait is set to true here, it's going to enter this polling loop and check the activity series status every 10 seconds until Rubrik reports back with either a success or a failure. Now, if the backup succeeds, we have exit code zero. If it fails, exit code one, and that's what's going to kill our workflow. So here's the repo that we're working with, and I'm going to go ahead and create a new workflow file here under GitHub workflows, and we're going to call this RubrikBackup.yaml, and I'm going to go ahead and paste all the syntax in here to the action code. So let's walk through this. So the trigger here is pretty simple. We're going to fire on any push to main, so every single merge is going to kick this off. The job itself is going to run on Ubuntu. It's going to go ahead and check out the repo and then call the Rubrik on-demand backup action, which is pointing to my GitHub account at the moment, but you can go ahead, fork this, do whatever you want to it, change it, you know, tailor it to your organization's needs. So we're going to pass our RSC URI, client ID, and secret. These are all stored as GitHub secrets, so we specify the repository context, the SLA we want. 
In this case, we're going to say gold, and then we're going to go ahead and set our key flag here, which is wait to true. So this tells the action to poll Rubrik until the snapshot either succeeds or fails. If it fails, the workflow itself is going to fail. There's going to be no green check marks, no merge. Now, before we run this, we actually need to make sure that our secrets are in place, so let's head back over to our repo settings and check that out. So under secrets and variables here, I'm going to click on actions, and you can see we've added three repository secrets, the RSC URI, the client ID, and the client secret. These are going to come from a service account that is set up within Rubrik Security Cloud, nothing special here. Just make sure that the service account has the permission to trigger on-demand snapshots for the objects that you're targeting. So with everything in place here, let's have some fun and run it. So I've already gone ahead and committed some changes and created a PR to get those changes merged into production, so I'm going to go ahead and approve this PR and see what happens. So the merge now is in process. We can see that our actions kicked off, so let's dive in for more details. So we can see here the action authenticating to RSC, resolving the repo, looking up the SLA, all that fun stuff, and now it's polling. So every 10 seconds, it's checking back with Rubrik and waiting for that success status. Now, let's jump over to Rubrik Security Cloud and kind of see the other side of this, and as we come in here, we can see there's our on-demand job. It's been triggered. It's running, protecting that repo for us, and there it is. It's completed successfully for us on the Rubrik side, so let's now flip back to GitHub. And voila, green checkmark. The action picked up that success status, exited cleanly, and the workflow passed. So that merge now has a known good recovery point tied directly to this commit. And that's it. 
Event-driven, verifiable, and enforced right inside the same repo where your code lives. If you're already enforcing tests and policies in your pipeline, there's no reason that backups should be the exception. Now, the link to the action is down in the description. Feel free, like I said, to fork it, modify it, tailor it to your organization's needs, and also down there, you'll find a link to our self-guided interactive hands-on labs where you can check out Rubrik's GitHub protection solution for yourself. Thanks so much for watching, and we'll see you in the next one.