Skip to content
AWS Scheduled Cleanup of test regions

chore(deps): update camunda/camunda-deployment-references digest to ead4be6 #940

Sign in to view logs

chore(deps): update camunda/camunda-deployment-references digest to ead4be6

chore(deps): update camunda/camunda-deployment-references digest to ead4be6 #940

Workflow file for this run

.github/workflows/aws_nightly_cleanup.yml at 25437e8
---
name: AWS Scheduled Cleanup of test regions
on:
schedule:
# Single daily schedule at 5:00
- cron: 0 5 * * *
workflow_dispatch:
inputs:
region:
description: AWS Region to clean up
default: eu-west-2
cleanup_older_than:
description: Minimum age of the resources to cleanup
default: 12h
pull_request:
paths:
- .github/workflows/aws_nightly_cleanup.yml
- .github/workflows/scripts/aws_global_cleanup.sh
- .github/workflows/scripts/aws_regional_cleanup.sh
env:
AWS_PROFILE: infraex
# renovate: datasource=github-tags depName=gruntwork-io/cloud-nuke
CLOUD_NUKE_VERSION: v0.46.0
# Limit workflow to a single execution per ref
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
aws-cleanup:
runs-on: ubuntu-latest
strategy:
fail-fast: false # don't propagate failing jobs
matrix:
# Define regions and types of cleanup based on day
# Please also update the README.md of the project
config:
- region: eu-west-2
day: All
cleanup_older_than: 12h
- region: eu-west-3
day: All
cleanup_older_than: 12h
- region: eu-north-1
day: Saturday
cleanup_older_than: 0h
- region: us-east-1
day: Saturday
cleanup_older_than: 0h
- region: us-east-2
day: Saturday
cleanup_older_than: 0h
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Determine AWS_REGION and CLEANUP_OLDER_THAN
id: determine-values
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
AWS_REGION="${{ github.event.inputs.region }}"
CLEANUP_OLDER_THAN="${{ github.event.inputs.cleanup_older_than }}"
else
AWS_REGION="${{ matrix.config.region }}"
CLEANUP_OLDER_THAN="${{ matrix.config.cleanup_older_than }}"
fi
echo "AWS_REGION=$AWS_REGION" | tee -a "$GITHUB_ENV"
echo "CLEANUP_OLDER_THAN=$CLEANUP_OLDER_THAN" | tee -a "$GITHUB_ENV"
- name: Check if job should run based on the day
id: day-check
run: |
# Initialize a variable to determine if the job should continue
should_run=true
# If it's a workflow_dispatch, only allow the first region (eu-west-2) of the matrix to run
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
if [[ "${{ matrix.config.region }}" != "eu-west-2" ]]; then
echo "Skipping job for this region because only the first region is allowed to run for workflow_dispatch."
should_run=false
else
echo "Running job for the first region only since it's a workflow_dispatch event."
fi
else
# Otherwise, check if the day matches the one in the matrix
current_day=$(date +%A)
if [[ "${{ matrix.config.day }}" != "All" && "${{ matrix.config.day }}" != "$current_day" ]]; then
echo "Skipping job for region ${{ env.AWS_REGION }} as it’s intended for ${{ matrix.config.day }} only."
should_run=false
else
echo "Running job for region ${{ env.AWS_REGION }} on the correct day: $current_day."
fi
fi
echo "should_run=$should_run" | tee -a "$GITHUB_ENV"
# For PR purposes we're overwriting the setting and enable dry run
- name: Set DRY_RUN for PR
if: github.event_name == 'pull_request'
run: |
echo "DRY_RUN=true" | tee -a "$GITHUB_ENV"
echo "CLOUD_NUKE_EXTRA_ARGS=--dry-run" | tee -a "$GITHUB_ENV"
echo "should_run=true" | tee -a "$GITHUB_ENV"
- name: Import Secrets
id: secrets
if: ${{ env.should_run == 'true' }}
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
exportEnv: false
secrets: |
secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
- name: Configure AWS CLI
if: ${{ env.should_run == 'true' }}
uses: camunda/camunda-deployment-references/./.github/actions/aws-configure-cli@ead4be68d0d0d18471bbe864377ef87ef868caee # main
with:
vault-addr: ${{ secrets.VAULT_ADDR }}
vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
aws-profile: ${{ env.AWS_PROFILE }}
aws-region: ${{ matrix.config.region }}
- name: Install Cloud Nuke
if: ${{ env.should_run == 'true' }}
run: |
curl -LO \
--retry 5 \
--max-time 15 \
--retry-delay 30 \
https://github.com/gruntwork-io/cloud-nuke/releases/download/${{ env.CLOUD_NUKE_VERSION }}/cloud-nuke_linux_amd64
chmod +x cloud-nuke_linux_amd64
- name: Delete additional regional AWS resources
timeout-minutes: 15
if: ${{ env.should_run == 'true' }}
run: .github/workflows/scripts/aws_regional_cleanup.sh "${{ env.AWS_REGION }}"
# this token is used to clone the github repository containing the base modules
- name: Generate token for GitHub
id: generate-github-token
# Only run for the next step
if: ${{ env.should_run == 'true' && env.AWS_REGION == 'eu-north-1' }}
uses: camunda/infra-global-github-actions/generate-github-app-token-from-vault-secrets@ddce99387a10a4d578e4d7d8e6c6626dcd3d8fd3 # main
with:
github-app-id-vault-key: GITHUB_APP_ID
github-app-id-vault-path: secret/data/products/infrastructure-experience/ci/common
github-app-private-key-vault-key: GITHUB_APP_PRIVATE_KEY
github-app-private-key-vault-path: secret/data/products/infrastructure-experience/ci/common
vault-auth-method: approle
vault-auth-role-id: ${{ secrets.VAULT_ROLE_ID }}
vault-auth-secret-id: ${{ secrets.VAULT_SECRET_ID}}
vault-url: ${{ secrets.VAULT_ADDR }}
owner: camunda
repositories: infraex-terraform
- name: Delete additional global AWS resources
# Only run in a single time per week
if: ${{ env.should_run == 'true' && env.AWS_REGION == 'eu-north-1' }}
timeout-minutes: 45
env:
GITHUB_TOKEN: ${{ steps.generate-github-token.outputs.token }}
run: .github/workflows/scripts/aws_global_cleanup.sh
# This is likely to fail, therefore we ignore the error
# We're ignoring ec2_dhcp_option as they couldn't be deleted
# cloudtrail is managed by IT and can't be deleted either
- name: Run Cloud Nuke
timeout-minutes: 90
env:
DISABLE_TELEMETRY: 'true'
if: ${{ env.should_run == 'true' }}
run: |
./cloud-nuke_linux_amd64 aws ${{ env.CLOUD_NUKE_EXTRA_ARGS }} \
--region ${{ env.AWS_REGION }} \
--force \
--older-than ${{ env.CLEANUP_OLDER_THAN }} \
--exclude-resource-type ec2_dhcp_option \
--exclude-resource-type ec2-keypairs \
--exclude-resource-type s3 \
--exclude-resource-type cloudtrail || true
# The second run should remove the remaining resources (VPCs) and fail if there's anything left
- name: Run Cloud Nuke
timeout-minutes: 90
env:
DISABLE_TELEMETRY: 'true'
if: ${{ env.should_run == 'true' }}
run: |
./cloud-nuke_linux_amd64 aws ${{ env.CLOUD_NUKE_EXTRA_ARGS }} \
--region ${{ env.AWS_REGION }} \
--force \
--older-than ${{ env.CLEANUP_OLDER_THAN }} \
--exclude-resource-type ec2_dhcp_option \
--exclude-resource-type cloudtrail \
--exclude-resource-type ec2-keypairs \
--exclude-resource-type s3
notify-on-failure:
runs-on: ubuntu-latest
if: failure()
needs:
- aws-cleanup
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Notify in Slack in case of failure
id: slack-notification
if: github.event_name == 'schedule'
uses: ./.github/actions/report-failure-on-slack
with:
vault_addr: ${{ secrets.VAULT_ADDR }}
vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}