open-vault/.github/workflows/test-ci-cleanup.yml

name: test-ci-cleanup
on:
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron:  '05 02 * * *'

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      regions: ${{steps.setup.outputs.regions}}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600
      - name: Get all regions
        id: setup
        run: |
          echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> "$GITHUB_OUTPUT"          

  aws-nuke:
    needs: setup
    runs-on: ubuntu-latest
    container:
      image: rebuy/aws-nuke
      options:
         --user root
         -t
      env:
        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
        TIME_LIMIT: "72h"
    timeout-minutes: 60
    steps:
      - name: Configure AWS credentials
        id: aws-configure
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600
          mask-aws-account-id: false
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Configure
        run: |
          cp enos/ci/aws-nuke.yml .
          sed -i "s/ACCOUNT_NUM/${{ steps.aws-configure.outputs.aws-account-id }}/g" aws-nuke.yml
          sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml          
      # We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
      # we'll fail on actually actionable things in the quota steep afterwards.
      - name: Clean up abandoned resources
        # Filter STDERR because it's super noisy about things we don't have access to
        run: |
          aws-nuke -c aws-nuke.yml -q --no-dry-run --force 2>/tmp/aws-nuke-error.log || true          

  check-quotas:
    needs: [ setup, aws-nuke ]
    runs-on: ubuntu-latest
    container:
      image: jantman/awslimitchecker
      env:
        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID_CI }}
        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY_CI }}
    strategy:
      matrix:
        region: ${{ fromJSON(needs.setup.outputs.regions) }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600
      # Currently just checking VPC limits across all region, can add more checks here in future
      - name: Check AWS Quotas
        run: awslimitchecker -S "VPC" -r ${{matrix.region}}