89 lines
3.5 KiB
YAML
89 lines
3.5 KiB
YAML
name: test-ci-cleanup
|
|
on:
|
|
schedule:
|
|
# * is a special character in YAML so you have to quote this string
|
|
- cron: '05 02 * * *'
|
|
|
|
jobs:
|
|
setup:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
regions: ${{steps.setup.outputs.regions}}
|
|
steps:
|
|
- name: Configure AWS credentials
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
|
|
aws-region: us-east-1
|
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
|
|
role-skip-session-tagging: true
|
|
role-duration-seconds: 3600
|
|
- name: Get all regions
|
|
id: setup
|
|
run: |
|
|
echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> "$GITHUB_OUTPUT"
|
|
|
|
aws-nuke:
|
|
needs: setup
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: rebuy/aws-nuke
|
|
options:
|
|
--user root
|
|
-t
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
|
|
TIME_LIMIT: "72h"
|
|
timeout-minutes: 60
|
|
steps:
|
|
- name: Configure AWS credentials
|
|
id: aws-configure
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
|
|
aws-region: us-east-1
|
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
|
|
role-skip-session-tagging: true
|
|
role-duration-seconds: 3600
|
|
mask-aws-account-id: false
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
- name: Configure
|
|
run: |
|
|
cp enos/ci/aws-nuke.yml .
|
|
sed -i "s/ACCOUNT_NUM/${{ steps.aws-configure.outputs.aws-account-id }}/g" aws-nuke.yml
|
|
sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
|
|
# We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
|
|
# we'll fail on actually actionable things in the quota steep afterwards.
|
|
- name: Clean up abandoned resources
|
|
# Filter STDERR because it's super noisy about things we don't have access to
|
|
run: |
|
|
aws-nuke -c aws-nuke.yml -q --no-dry-run --force 2>/tmp/aws-nuke-error.log || true
|
|
|
|
check-quotas:
|
|
needs: [ setup, aws-nuke ]
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: jantman/awslimitchecker
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID_CI }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY_CI }}
|
|
strategy:
|
|
matrix:
|
|
region: ${{ fromJSON(needs.setup.outputs.regions) }}
|
|
steps:
|
|
- name: Configure AWS credentials
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
|
|
aws-region: us-east-1
|
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
|
|
role-skip-session-tagging: true
|
|
role-duration-seconds: 3600
|
|
# Currently just checking VPC limits across all region, can add more checks here in future
|
|
- name: Check AWS Quotas
|
|
run: awslimitchecker -S "VPC" -r ${{matrix.region}}
|