-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
init: initial simple version of the janitor
Signed-off-by: Richard Case <richard.case@suse.com>
- Loading branch information
1 parent
b6f206e
commit 1ca737e
Showing
17 changed files
with
689 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
name: Run CI checks | ||
|
||
on: [pull_request, workflow_dispatch] | ||
|
||
jobs: | ||
ci: | ||
name: ci | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: actions/setup-go@v4 | ||
with: | ||
go-version: '1.21' | ||
check-latest: true | ||
cache: true | ||
- name: Build | ||
run: make build | ||
- name: Test | ||
run: make test |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
name: release | ||
|
||
on: | ||
push: | ||
tags: | ||
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 | ||
|
||
env: | ||
TAG: ${{ github.ref_name }} | ||
REGISTRY: ghcr.io | ||
|
||
permissions: | ||
contents: write # Allow to create a release. | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: setupGo | ||
uses: actions/setup-go@v4 | ||
with: | ||
go-version: '=1.21.3' | ||
- name: Docker login | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Build docker image | ||
run: make docker-build-all TAG=${{ env.TAG }} | ||
- name: Push docker image | ||
run: make docker-push-all TAG=${{ env.TAG }} | ||
release: | ||
name: Create draft release | ||
needs: build | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Set env | ||
run: echo "RELEASE_TAG=${GITHUB_REF:10}" >> $GITHUB_ENV | ||
- name: checkout code | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Create draft GH release | ||
uses: softprops/action-gh-release@v1 | ||
with: | ||
draft: true | ||
generate_release_notes: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Build the manager binary | ||
ARG builder_image | ||
|
||
# Build architecture | ||
ARG ARCH | ||
|
||
FROM ${builder_image} as builder | ||
WORKDIR /workspace | ||
|
||
# Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy | ||
ARG goproxy=https://proxy.golang.org | ||
# Run this with docker build --build-arg package=./controlplane or --build-arg package=./bootstrap | ||
ENV GOPROXY=$goproxy | ||
|
||
# Copy the Go Modules manifests | ||
COPY go.mod go.mod | ||
COPY go.sum go.sum | ||
|
||
# Cache deps before building and copying source so that we don't need to re-download as much | ||
# and so that source changes don't invalidate our downloaded layer | ||
RUN --mount=type=cache,target=/go/pkg/mod \ | ||
go mod download | ||
|
||
COPY ./ ./ | ||
|
||
ARG package=. | ||
ARG ARCH | ||
ARG ldflags | ||
|
||
RUN --mount=type=cache,target=/go/pkg/mod \ | ||
CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \ | ||
go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \ | ||
-o aws-janitor . | ||
|
||
FROM gcr.io/distroless/static:nonroot-${ARCH} | ||
LABEL org.opencontainers.image.source=https://github.com/rancher-sandbox/aws-janitor | ||
WORKDIR / | ||
COPY --from=builder /workspace/aws-janitor . | ||
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies | ||
USER 65532 | ||
ENTRYPOINT ["/aws-janitor"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
|
||
GO_VERSION ?= 1.21.3 | ||
GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION) | ||
|
||
# Use GOPROXY environment variable if set | ||
GOPROXY := $(shell go env GOPROXY) | ||
ifeq ($(GOPROXY),) | ||
GOPROXY := https://proxy.golang.org | ||
endif | ||
export GOPROXY | ||
|
||
# Active module mode, as we use go modules to manage dependencies | ||
export GO111MODULE=on | ||
|
||
# This option is for running docker manifest command | ||
export DOCKER_CLI_EXPERIMENTAL := enabled | ||
|
||
TAG ?= dev | ||
ARCH ?= $(shell go env GOARCH) | ||
ALL_ARCH = amd64 arm64 s390x | ||
REGISTRY ?= ghcr.io | ||
ORG ?= rancher-sandbox | ||
ACTION_IMAGE_NAME ?= aws-janitor | ||
ACTION_IMG ?= $(REGISTRY)/$(ORG)/$(ACTION_IMAGE_NAME) | ||
MANIFEST_IMG ?= $(ACTION_IMG)-$(ARCH) | ||
|
||
.PHONY: test | ||
test: | ||
go test ./... | ||
|
||
.PHONY: build | ||
build: | ||
go build -o bin/aws-janitor main.go | ||
|
||
## -------------------------------------- | ||
## Docker | ||
## -------------------------------------- | ||
|
||
.PHONY: docker-push | ||
docker-push: ## Push the docker images | ||
docker push $(MANIFEST_IMG):$(TAG) | ||
|
||
.PHONY: docker-push-all | ||
docker-push-all: $(addprefix docker-push-,$(ALL_ARCH)) ## Push all the architecture docker images | ||
$(MAKE) docker-push-manifest-action | ||
|
||
docker-push-%: | ||
$(MAKE) ARCH=$* docker-push | ||
|
||
.PHONY: docker-push-manifest-action | ||
docker-push-manifest-action: ## Push the multiarch manifest for the actions docker images | ||
## Minimum docker version 18.06.0 is required for creating and pushing manifest images. | ||
docker manifest create --amend $(ACTION_IMG):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(ACTION_IMG)\-&:$(TAG)~g") | ||
@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${ACTION_IMG}:${TAG} ${ACTION_IMG}-$${arch}:${TAG}; done | ||
docker manifest push --purge $(ACTION_IMG):$(TAG) | ||
|
||
.PHONY: docker-pull-prerequisites | ||
docker-pull-prerequisites: | ||
docker pull docker.io/docker/dockerfile:1.4 | ||
docker pull $(GO_CONTAINER_IMAGE) | ||
docker pull gcr.io/distroless/static:latest | ||
|
||
.PHONY: docker-build-all | ||
docker-build-all: $(addprefix docker-build-,$(ALL_ARCH)) ## Build docker images for all architectures | ||
|
||
docker-build-%: | ||
$(MAKE) ARCH=$* docker-build | ||
|
||
.PHONY: docker-build | ||
docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all providers | ||
DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=. --build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG) | ||
|
||
docker-list-all: | ||
@echo $(CONTROLLER_IMG):${TAG} | ||
@for arch in $(ALL_ARCH); do echo $(ACTION_IMG)-$${arch}:${TAG}; done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,41 @@ | ||
# aws-janitor | ||
# AWS Janitor | ||
|
||
A GitHub Action to cleanup AWS resources that have exceeded a TTL. | ||
|
||
> By default the action will not perform the delete (i.e. it will be a dry-run). You need to explicitly set commit to `true`. | ||
It supports cleaning up the following services: | ||
|
||
- EKS Clusters | ||
- Auto Scaling Groups | ||
|
||
## Inputs | ||
|
||
| Name | Required | Description | | ||
| ----------------- | -------- | -------------------------------------------------------------------------------------- | | ||
| regions | Y | A comma seperated list of regions to clean resources in. You can use * for all regions | | ||
| allow-all-regions | N | Set to true if use * from regions. | | ||
| ttl | Y | The duration that a resource can live for. For example, use 24h for 1 day. | | ||
| commit | N | Whether to perform the delete. Defaults to `false` which is a dry run | | ||
|
||
## Example Usage | ||
|
||
```yaml | ||
jobs: | ||
cleanup: | ||
runs-on: ubuntu-latest | ||
name: Cleanup resource groups | ||
steps: | ||
- name: Cleanup | ||
uses: rancher-sandbox/aws-janitor@v0.1.0 | ||
with: | ||
regions: eu-west-1 | ||
ttl: 168h | ||
env: | ||
AWS_ACCESS_KEY_ID: {{secrets.AWS_ACCESS_KEY_ID}} | ||
AWS_SECRET_ACCESS_KEY: {{secrets.AWS_SECRET_ACCESS_KEY}} | ||
``` | ||
## Implementation Notes | ||
It currently assumes that an instance of a service will have some form of creation date. This means that the implementation can be simpler as it doesn't need to adopt a "mark & sweep" pattern that requires saving state between runs of the action. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
name: 'AWS Janitor' | ||
author: 'Rancher Sandbox' | ||
description: 'Clean-up AWS resources based on a TTL.' | ||
inputs: | ||
regions: | ||
description: 'A comma separated list of regions to clean resources in. You can use * for all regions.' | ||
required: true | ||
allow-all-regions: | ||
description: 'Set to true if you want to allow cleaning resources in all regions. If true then * must be used for regions.' | ||
required: false | ||
default: 'false' | ||
ttl: | ||
description: 'The duration that a resource can live for. For example, use 24h for 1 day.' | ||
required: true | ||
commit: | ||
description: 'Should the action just report or do the actual delete.' | ||
required: false | ||
default: 'false' | ||
runs: | ||
using: 'docker' | ||
image: 'docker://ghcr.io/rancher-sandbox/aws-janitor:v0.1.0' | ||
branding: | ||
icon: 'delete' | ||
color: 'blue' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
package action | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/aws/aws-sdk-go/aws" | ||
"github.com/aws/aws-sdk-go/aws/endpoints" | ||
"github.com/aws/aws-sdk-go/aws/session" | ||
"github.com/aws/aws-sdk-go/service/autoscaling" | ||
"github.com/aws/aws-sdk-go/service/eks" | ||
) | ||
|
||
type AwsJanitorAction interface { | ||
Cleanup(ctx context.Context, input *Input) error | ||
} | ||
|
||
func New(commit bool) AwsJanitorAction { | ||
return &action{ | ||
commit: commit, | ||
} | ||
} | ||
|
||
type action struct { | ||
commit bool | ||
} | ||
|
||
func (a *action) Cleanup(ctx context.Context, input *Input) error { | ||
|
||
//NOTE: ordering matters here! | ||
cleanupFuncs := map[string]CleanupFunc{ | ||
eks.ServiceName: a.cleanEKSClusters, | ||
autoscaling.ServiceName: a.cleanASGs, | ||
} | ||
inputRegions := strings.Split(input.Regions, ",") | ||
|
||
for service, cleanupFunc := range cleanupFuncs { | ||
regions := getServiceRegions(service, inputRegions) | ||
|
||
for _, region := range regions { | ||
sess, err := session.NewSession(&aws.Config{ | ||
Region: aws.String(region)}, | ||
) | ||
if err != nil { | ||
return fmt.Errorf("failed to create aws session for region %s: %w", region, err) | ||
} | ||
|
||
scope := &CleanupScope{ | ||
TTL: input.TTL, | ||
Session: sess, | ||
Commit: input.Commit, | ||
} | ||
|
||
Log("Cleaning up resources for service %s in region %s", service, region) | ||
if err := cleanupFunc(ctx, scope); err != nil { | ||
return fmt.Errorf("failed running cleanup for service %s: %w", service, err) | ||
} | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func getServiceRegions(service string, inputRegions []string) []string { | ||
regions := []string{} | ||
allRegions := inputRegions[0] == "*" | ||
|
||
sr, exists := endpoints.RegionsForService(endpoints.DefaultPartitions(), endpoints.AwsPartitionID, service) | ||
if exists { | ||
for _, region := range sr { | ||
if allRegions { | ||
regions = append(regions, region.ID()) | ||
} else { | ||
for _, r := range inputRegions { | ||
if r == region.ID() { | ||
regions = append(regions, region.ID()) | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
||
return regions | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
package action | ||
|
||
import ( | ||
"context" | ||
"time" | ||
|
||
"github.com/aws/aws-sdk-go/aws/session" | ||
) | ||
|
||
type CleanupScope struct { | ||
Session *session.Session | ||
TTL time.Duration | ||
Commit bool | ||
} | ||
|
||
type CleanupFunc func(ctx context.Context, input *CleanupScope) error |
Oops, something went wrong.