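---
# Tears down the Azure resources deployed by the deploy workflow: one Terraform
# destroy per dataspace participant plus one for the shared dataspace resources,
# followed by cleanup of the remote state, tfvars and completion-marker blobs.
name: Destroy

on:
  workflow_call:
    inputs:
      resources_prefix:
        description: 'Resources name prefix used to avoid naming conflicts between resources of different DataSpaces.'
        required: true
        type: string
  workflow_dispatch:
    inputs:
      resources_prefix:
        description: 'Resources name prefix used to avoid naming conflicts between resources of different DataSpaces.'
        required: true
        type: string

# Grant permissions to obtain federated identity credentials
# see https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
permissions:
  id-token: write
  contents: read

env:
  # `github.event.inputs` is populated on workflow_dispatch, `inputs` on workflow_call.
  # The value is consumed by shell steps as the $RESOURCES_PREFIX environment
  # variable rather than through `${{ env.RESOURCES_PREFIX }}` expression expansion,
  # so a user-supplied prefix is never spliced into script text.
  RESOURCES_PREFIX: ${{ github.event.inputs.resources_prefix || inputs.resources_prefix }}

jobs:
  # Reads participants.json once and publishes it as the matrix used by the
  # per-participant Destroy and Post-Destroy jobs.
  Matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      # NOTE(review): consider pinning third-party actions to a full commit SHA
      # instead of a mutable major tag.
      - uses: actions/checkout@v2
      - id: set-matrix
        # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: |
          matrix=$(jq -c . participants.json)
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"

  # Delete deployed Azure resource groups for each dataspace participant.
  Destroy-Participants:
    needs: Matrix
    # Let every participant's destroy run to completion even if one of them fails.
    # The Post-Destroy-* jobs turn a missing completion marker into a workflow failure.
    continue-on-error: true
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.Matrix.outputs.matrix) }}
    defaults:
      run:
        working-directory: deployment/terraform/participant
    env:
      # Exposed to shell steps as $PARTICIPANT (see RESOURCES_PREFIX above).
      PARTICIPANT: ${{ matrix.participant }}
    steps:
      - uses: actions/checkout@v2
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.ARM_CLIENT_ID }}
          tenant-id: ${{ secrets.ARM_TENANT_ID }}
          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      - name: 'Download tfvars file'
        run: >-
          az storage blob download
          --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          -f terraform.tfvars
          -n "${PARTICIPANT}${RESOURCES_PREFIX}.tfvars"
          --auth-mode key
      - name: 'Delete terraform resources'
        run: |
          # Create backend.conf file to retrieve the remote terraform state during terraform init.
          cat >> backend.conf <<EOF
          resource_group_name  = "${{ secrets.COMMON_RESOURCE_GROUP }}"
          storage_account_name = "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          container_name       = "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          key                  = "${PARTICIPANT}${RESOURCES_PREFIX}.tfstate"
          EOF
          terraform init -backend-config=backend.conf
          terraform destroy -auto-approve
        env:
          # Authentication settings for Terraform AzureRM provider
          # See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
          # NOTE(review): the az CLI login above already uses OIDC; the provider still
          # receives a long-lived client secret. The azurerm provider can authenticate
          # with the same federated token (ARM_USE_OIDC) — confirm the provider version
          # in use supports it before dropping ARM_CLIENT_SECRET.
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          # Passing dummy variables to terraform destroy, because destroy needs input variables to be defined, but uses the state.
          TF_VAR_application_sp_client_secret: dummy
      # The Destroy job uses continue-on-error: true so that if one destroy job fails, the others don't get killed.
      # This has the side effect of making the overall job (and hence calling workflow) succeed when it should fail.
      # To solve this, we upload an extra marker blob at the end of the `Destroy-Participants` job,
      # and delete the blobs in a separate job matrix. That `Post-Destroy-Participants` job will then cause the workflow to fail
      # if a completion marker blob is not found (meaning that a Destroy job did not succeed).
      - name: 'Completion marker blob'
        run: >-
          az storage blob upload
          --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          -f /dev/null
          -n "${PARTICIPANT}${RESOURCES_PREFIX}.completed"
          --auth-mode key

  # Delete shared deployed Azure resources.
  Destroy-Dataspace:
    # See Destroy-Participants for why failures are tolerated here.
    continue-on-error: true
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: deployment/terraform/dataspace
    steps:
      - uses: actions/checkout@v2
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.ARM_CLIENT_ID }}
          tenant-id: ${{ secrets.ARM_TENANT_ID }}
          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      - name: 'Download tfvars file'
        run: >-
          az storage blob download
          --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          -f terraform.tfvars
          -n "${RESOURCES_PREFIX}.tfvars"
          --auth-mode key
      - name: 'Delete terraform resources'
        run: |
          # Create backend.conf file to retrieve the remote terraform state during terraform init.
          cat >> backend.conf <<EOF
          resource_group_name  = "${{ secrets.COMMON_RESOURCE_GROUP }}"
          storage_account_name = "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          container_name       = "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          key                  = "${RESOURCES_PREFIX}.tfstate"
          EOF
          terraform init -backend-config=backend.conf
          terraform destroy -auto-approve
        env:
          # Authentication settings for Terraform AzureRM provider
          # See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
          # NOTE(review): same remark as in Destroy-Participants about ARM_CLIENT_SECRET vs OIDC.
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      # See Destroy-Participants job for explanation about the completion marker blob
      - name: 'Completion marker blob'
        run: >-
          az storage blob upload
          --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
          -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
          -f /dev/null
          -n "${RESOURCES_PREFIX}.completed"
          --auth-mode key

  # Post-Destroy jobs must wait for all Destroy jobs to complete, so that their failure
  # does not interrupt in-progress Destroy jobs.
  Post-Destroy-Participants:
    needs:
      - Matrix
      - Destroy-Participants
      - Destroy-Dataspace
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.Matrix.outputs.matrix) }}
    env:
      PARTICIPANT: ${{ matrix.participant }}
    steps:
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.ARM_CLIENT_ID }}
          tenant-id: ${{ secrets.ARM_TENANT_ID }}
          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      - name: 'Delete state, tfvars and completion marker blobs'
        # The completion marker is deleted FIRST: the default `bash -e` shell aborts the
        # loop on the failed delete of a missing marker, so a participant whose destroy
        # did not succeed keeps its tfstate/tfvars and the destroy can be re-run.
        # Deleting the state before detecting the failure would orphan any resources
        # that survived the partial destroy.
        run: |
          for extension in completed tfvars tfstate
          do
            az storage blob delete \
              --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}" \
              -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}" \
              -n "${PARTICIPANT}${RESOURCES_PREFIX}.$extension" \
              --auth-mode key
          done

  Post-Destroy-Dataspace:
    needs:
      - Matrix
      - Destroy-Participants
      - Destroy-Dataspace
    runs-on: ubuntu-latest
    steps:
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.ARM_CLIENT_ID }}
          tenant-id: ${{ secrets.ARM_TENANT_ID }}
          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      - name: 'Delete state, tfvars and completion marker blobs'
        # Marker first, for the same reason as in Post-Destroy-Participants.
        run: |
          for extension in completed tfvars tfstate
          do
            az storage blob delete \
              --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}" \
              -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}" \
              -n "${RESOURCES_PREFIX}.$extension" \
              --auth-mode key
          done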