test-ci-cleanup-oss #666
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: test-ci-cleanup-oss | |
on: | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: '05 02 * * *' | |
permissions: | |
contents: read | |
jobs: | |
setup: | |
if: ${{ github.event.repository.name == 'boundary' }} | |
runs-on: ${{ fromJSON(vars.RUNNER) }} | |
outputs: | |
regions: ${{steps.regions.outputs.regions}} | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} | |
aws-region: us-east-1 | |
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }} | |
role-skip-session-tagging: true | |
role-duration-seconds: 3600 | |
- name: Get all regions | |
id: regions | |
run: | | |
echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> "$GITHUB_OUTPUT" | |
aws-nuke: | |
if: ${{ github.event.repository.name == 'boundary' }} | |
runs-on: ${{ fromJSON(vars.RUNNER) }} | |
container: | |
image: rebuy/aws-nuke | |
options: | |
--user root | |
-t | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
TIME_LIMIT: "48h" | |
timeout-minutes: 60 | |
steps: | |
- name: Configure AWS credentials | |
id: aws-configure | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} | |
aws-region: us-east-1 | |
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }} | |
role-skip-session-tagging: true | |
role-duration-seconds: 3600 | |
mask-aws-account-id: false | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Configure | |
run: | | |
cp enos/ci/aws-nuke.yml . | |
sed -i "s/ACCOUNT_NUM/${{ steps.aws-configure.outputs.aws-account-id }}/g" aws-nuke.yml | |
sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml | |
# We don't care if cleanup succeeds or fails, because dependencies be dependenceies, | |
# we'll fail on actually actionable things in the quota steep afterwards. | |
- name: Clean up abandoned resources | |
# Filter STDERR because it's super noisy about things we don't have access to | |
run: | | |
aws-nuke -c aws-nuke.yml -q --no-dry-run --force 2>/tmp/aws-nuke-error.log || true | |
check-quotas: | |
if: ${{ github.event.repository.name == 'boundary' }} | |
needs: [ setup, aws-nuke ] | |
runs-on: ${{ fromJSON(vars.RUNNER) }} | |
container: | |
image: jantman/awslimitchecker | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} | |
strategy: | |
matrix: | |
region: ${{ fromJSON(needs.setup.outputs.regions) }} | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} | |
aws-region: us-east-1 | |
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }} | |
role-skip-session-tagging: true | |
role-duration-seconds: 3600 | |
# Currently just checking VPC limits across all region, can add more checks here in future | |
- name: Check AWS Quotas | |
run: awslimitchecker -S "VPC" -r ${{matrix.region}} |