AWS Scheduled Cleanup of test regions #10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: AWS Nightly Cleanup of test regions | |
| on: | |
| schedule: | |
| - cron: '0 5 * * *' | |
| workflow_dispatch: | |
| pull_request: | |
| paths: | |
| - .github/workflows/aws_nightly_cleanup.yml | |
| env: | |
| AWS_PROFILE: "infex" | |
| CLEANUP_OLDER_THAN: "12h" | |
| # renovate: datasource=github-tags depName=gruntwork-io/cloud-nuke | |
| CLOUD_NUKE_VERSION: v0.36.0 | |
| jobs: | |
| aws-nightly-cleanup: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false # don't propagate failing jobs | |
| matrix: | |
| aws_test_regions: ["eu-west-2", "eu-west-3"] | |
| env: | |
| AWS_REGION: ${{ matrix.aws_test_regions }} | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Import Secrets | |
| id: secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3 | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| exportEnv: false | |
| secrets: | | |
| secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; | |
| secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; | |
| # Official action does not support profiles | |
| - name: Add profile credentials to ~/.aws/credentials | |
| run: | | |
| aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} | |
| aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} | |
| aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} | |
| - name: Install Cloud Nuke | |
| run: | | |
| wget https://github.com/gruntwork-io/cloud-nuke/releases/download/${{ env.CLOUD_NUKE_VERSION }}/cloud-nuke_linux_amd64 | |
| chmod +x cloud-nuke_linux_amd64 | |
| # This is likely to fail, therefore we ignore the error | |
| # We're ignoring ec2_dhcp_option as they couldn't be deleted | |
| # cloudtrail is managed by IT and can't be deleted either | |
| - name: Run Cloud Nuke | |
| timeout-minutes: 45 | |
| env: | |
| DISABLE_TELEMETRY: "true" | |
| run: | | |
| ./cloud-nuke_linux_amd64 aws \ | |
| --region ${{ env.AWS_REGION }} \ | |
| --force \ | |
| --older-than ${{ env.CLEANUP_OLDER_THAN }} \ | |
| --exclude-resource-type ec2_dhcp_option \ | |
| --exclude-resource-type ec2-keypairs \ | |
| --exclude-resource-type s3 \ | |
| --exclude-resource-type cloudtrail || true | |
| # Following will delete global resources and things that cloud-nuke does not support | |
| - name: Delete additional AWS resources | |
| timeout-minutes: 15 | |
| run: .github/workflows/scripts/aws_cleanup.sh "${{ env.AWS_REGION }}" | |
| # The second run should remove the remaining resources (VPCs) and fail if there's anything left | |
| - name: Run Cloud Nuke | |
| timeout-minutes: 45 | |
| env: | |
| DISABLE_TELEMETRY: "true" | |
| run: | | |
| ./cloud-nuke_linux_amd64 aws \ | |
| --region ${{ env.AWS_REGION }} \ | |
| --force \ | |
| --older-than ${{ env.CLEANUP_OLDER_THAN }} \ | |
| --exclude-resource-type ec2_dhcp_option \ | |
| --exclude-resource-type cloudtrail \ | |
| --exclude-resource-type ec2-keypairs \ | |
| --exclude-resource-type s3 | |
| notify-on-failure: | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| needs: | |
| - aws-nightly-cleanup | |
| steps: | |
| - name: Notify in Slack in case of failure | |
| id: slack-notification | |
| if: github.event_name == 'schedule' | |
| uses: ./.github/actions/report-failure-on-slack | |
| with: | |
| vault_addr: ${{ secrets.VAULT_ADDR }} | |
| vault_role_id: ${{ secrets.VAULT_ROLE_ID }} | |
| vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} |