awsnuke #419
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: awsnuke | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- '.github/workflows/awsnuke.yml' | |
pull_request: | |
branches: | |
- main | |
types: [opened, edited, reopened, synchronize] | |
paths: | |
- '.github/workflows/awsnuke.yml' | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
# trigger every sunday at 12:00am | |
- cron: '0 12 * * 0' | |
workflow_dispatch: | |
env: | |
AWS_REGION: "eu-west-2" | |
ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} | |
TF_IN_AUTOMATION: true | |
NUKE_ACCOUNTS: ${{ secrets.MODERNISATION_PLATFORM_AUTONUKE }} | |
NUKE_BLOCKLIST_ACCOUNTS: ${{ secrets.MODERNISATION_PLATFORM_AUTONUKE_BLOCKLIST }} | |
permissions: {} | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup-prerequisites: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
account_blocklist_str : ${{ steps.set-blocklist-string.outputs.account_blocklist_str }} | |
steps: | |
- id: set-matrix | |
name: Set Up Matrix | |
run: echo "matrix=$(jq -c '.| map(select(. !="testing-test"))|sort' <<< $NUKE_ACCOUNTS)" >> $GITHUB_OUTPUT | |
- id: set-blocklist-string | |
name: Set Up Blocklist | |
run: | | |
account_blocklist_str="" | |
while read -r account_alias _; do | |
account_number=$(jq -r -e --arg account_name "$account_alias" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) | |
account_blocklist_str+=" - \"${account_number}\" # ${account_alias}" | |
account_blocklist_str+=$'\n' | |
done <<< "$(jq -c -r '.[]' <<< $NUKE_BLOCKLIST_ACCOUNTS)" # Taking this approach as piping (|) to a read opens a subshell and passes the variables to it by value | |
# Encoding and passing blocklist string as an output | |
echo "account_blocklist_str=$(echo -n "${account_blocklist_str}" | base64 -w 0)" >> $GITHUB_OUTPUT | |
nuke: | |
strategy: | |
fail-fast: false | |
matrix: | |
nuke_accts: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
name: Sandbox Nuke | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
runs-on: ubuntu-latest | |
needs: setup-prerequisites | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Set Account Number | |
run: | | |
ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) | |
echo "::add-mask::$ACCOUNT_NUMBER" | |
echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Setup Nuke Account String | |
run: | | |
accounts_str='' | |
accounts_str+=" \"${ACCOUNT_NUMBER}\": # ${ACCOUNT_NAME}" | |
accounts_str+=$'\n' | |
accounts_str+=" presets:" | |
accounts_str+=$'\n' | |
accounts_str+=" - \"common\"" | |
accounts_str+=$'\n' | |
echo "$accounts_str" | |
echo "ACCOUNTS_STR<<EOF" >> $GITHUB_ENV | |
echo "$accounts_str" >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
- name: Setup Nuke Config | |
run: | | |
export accounts_str="$ACCOUNTS_STR" | |
export account_blocklist_str=$(echo "${{ needs.setup-prerequisites.outputs.account_blocklist_str }}" | base64 --decode) | |
cat scripts/nuke-config-template.txt | envsubst > nuke-config.yml | |
- name: Install AWS Nuke | |
run: | | |
echo "BEGIN: Install AWS Nuke" | |
mkdir -p $HOME/bin | |
wget -c "https://github.com/rebuy-de/aws-nuke/releases/download/${AWS_NUKE_VERSION}/aws-nuke-${AWS_NUKE_VERSION}-linux-amd64.tar.gz" -O - | tar -xz -C $HOME/bin | |
mv "$HOME/bin/aws-nuke-${AWS_NUKE_VERSION}-linux-amd64" $HOME/bin/aws-nuke | |
chmod +x $HOME/bin/aws-nuke | |
echo "END: Install AWS Nuke" | |
env: | |
AWS_NUKE_VERSION: v2.25.0 | |
- name: Nuke Plan (Dry Run) | |
run: | | |
aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT_NUMBER}:role/MemberInfrastructureAccess" --role-session-name githubactionsgotestrolesession > creds | |
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
grep "MemberInfrastructureAccess" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
$HOME/bin/aws-nuke --access-key-id "$AWS_ACCESS_KEY_ID" \ | |
--secret-access-key "$AWS_SECRET_ACCESS_KEY" \ | |
--session-token "$AWS_SESSION_TOKEN" \ | |
--config nuke-config.yml \ | |
--force | |
- name: Nuke Apply (-no-dry-run) | |
if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }} | |
run: | | |
# The environment gets reset between steps, so the role needs to be re-assumed. | |
aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT_NUMBER}:role/MemberInfrastructureAccess" --role-session-name githubactionsgotestrolesession > creds | |
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
grep "MemberInfrastructureAccess" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
$HOME/bin/aws-nuke --access-key-id "$AWS_ACCESS_KEY_ID" \ | |
--secret-access-key "$AWS_SECRET_ACCESS_KEY" \ | |
--session-token "$AWS_SESSION_TOKEN" \ | |
--config nuke-config.yml \ | |
--force \ | |
--no-dry-run | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() }} | |
env: | |
ACCOUNT_NAME: ${{ matrix.nuke_accts }} | |
# testing-test account is not set up with OIDC because it is used to terratest OIDC-related resources. Therefore it's handled as a special case | |
# using testing-ci user static credentials. | |
nuke-testing-test: | |
name: Sandbox Nuke (testing-test) | |
permissions: | |
contents: read # This is required for actions/checkout | |
runs-on: ubuntu-latest | |
needs: setup-prerequisites | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Set Account Number | |
run: | | |
ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) | |
echo "::add-mask::$ACCOUNT_NUMBER" | |
echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV | |
- name: Setup Nuke Account String | |
run: | | |
accounts_str='' | |
accounts_str+=" \"${ACCOUNT_NUMBER}\": # ${ACCOUNT_NAME}" | |
accounts_str+=$'\n' | |
accounts_str+=" presets:" | |
accounts_str+=$'\n' | |
accounts_str+=" - \"common\"" | |
accounts_str+=$'\n' | |
echo "$accounts_str" | |
echo "ACCOUNTS_STR<<EOF" >> $GITHUB_ENV | |
echo "$accounts_str" >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
- name: Setup Nuke Config | |
run: | | |
export accounts_str="$ACCOUNTS_STR" | |
export account_blocklist_str=$(echo "${{ needs.setup-prerequisites.outputs.account_blocklist_str }}" | base64 --decode) | |
cat scripts/nuke-config-template.txt | envsubst > nuke-config.yml | |
- name: Install AWS Nuke | |
run: | | |
echo "BEGIN: Install AWS Nuke" | |
mkdir -p $HOME/bin | |
wget -c "https://github.com/rebuy-de/aws-nuke/releases/download/${AWS_NUKE_VERSION}/aws-nuke-${AWS_NUKE_VERSION}-linux-amd64.tar.gz" -O - | tar -xz -C $HOME/bin | |
mv "$HOME/bin/aws-nuke-${AWS_NUKE_VERSION}-linux-amd64" $HOME/bin/aws-nuke | |
chmod +x $HOME/bin/aws-nuke | |
echo "END: Install AWS Nuke" | |
env: | |
AWS_NUKE_VERSION: v2.25.0 | |
- name: Nuke Plan (Dry Run) | |
run: | | |
aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT_NUMBER}:role/MemberInfrastructureAccess" --role-session-name githubactionsgotestrolesession > creds | |
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
grep "MemberInfrastructureAccess" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
$HOME/bin/aws-nuke --access-key-id "$AWS_ACCESS_KEY_ID" \ | |
--secret-access-key "$AWS_SECRET_ACCESS_KEY" \ | |
--session-token "$AWS_SESSION_TOKEN" \ | |
--config nuke-config.yml \ | |
--force | |
- name: Nuke Apply (-no-dry-run) | |
if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }} | |
run: | | |
# The environment gets reset between steps, so the AWS credentials get overwritten and the role needs to be re-assumed. | |
aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT_NUMBER}:role/MemberInfrastructureAccess" --role-session-name githubactionsgotestrolesession > creds | |
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
grep "MemberInfrastructureAccess" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
$HOME/bin/aws-nuke --access-key-id "$AWS_ACCESS_KEY_ID" \ | |
--secret-access-key "$AWS_SECRET_ACCESS_KEY" \ | |
--session-token "$AWS_SESSION_TOKEN" \ | |
--config nuke-config.yml \ | |
--force \ | |
--no-dry-run | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }} | |
ACCOUNT_NAME: "testing-test" |