pr-teardown.yml
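# Tears down the per-PR ("pr-<number>") backend environment in the dev account.
# Runs automatically when a pull request is closed (merged or not) and can be
# started by hand for a given PR number. In order, it: resolves Terraform
# outputs, unsubscribes the id_sync SQS queue from MNS, destroys the Lambda
# event source mappings, destroys the instance stack, then deletes the PR's
# tagged images from each Lambda ECR repository.
name: PR Teardown

on:
  pull_request:
    types: [closed]
  workflow_dispatch:
    inputs:
      pr_number:
        description: The PR number of the environment to teardown e.g 123
        required: true
        type: string

jobs:
  teardown:
    name: PR Teardown
    runs-on: ubuntu-latest
    environment:
      name: dev
    env:
      APIGEE_ENVIRONMENT: internal-dev
      BACKEND_ENVIRONMENT: dev
      # On pull_request events the number comes from the event payload; on manual
      # runs it is the free-form pr_number input, which is validated in the first step.
      BACKEND_SUB_ENVIRONMENT: pr-${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr_number }}
      # One "<lambda_name>:<ecr_repository_name>" pair per line. Read by the
      # Terraform variable fallback loop and by the ECR cleanup step.
      LAMBDA_IMAGE_REPOSITORIES: |
        backend:imms-backend-repo
        batch_processor_filter:imms-batch-processor-filter-repo
        delta_backend:imms-delta-backend-repo
        filenameprocessor:imms-filenameprocessor-repo
        id_sync:imms-id-sync-repo
        mesh_processor:imms-mesh-processor-repo
        mns_publisher:imms-mns-publisher-repo
        recordprocessor:imms-recordprocessor-repo
        recordforwarder:imms-recordforwarder-repo
        ack_backend:imms-ackbackend-repo
        redis_sync:imms-redis-sync-repo
    # Least privilege for the job token: id-token is needed for the OIDC role
    # assumption below, contents for the checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      # The sub-environment name selects the Terraform workspace to destroy and
      # is interpolated into the ECR tag-prefix query. Reject anything that is
      # not "pr-<digits>" before any credentials are requested.
      - name: Validate sub-environment name
        run: |
          set -euo pipefail
          if [[ ! "${BACKEND_SUB_ENVIRONMENT}" =~ ^pr-[0-9]+$ ]]; then
            echo "Refusing to tear down: unexpected sub-environment '${BACKEND_SUB_ENVIRONMENT}'." >&2
            exit 1
          fi

      - name: Connect to AWS
        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions

      - name: Whoami
        run: aws sts get-caller-identity

      - name: Checkout
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98

      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
        with:
          terraform_version: "1.12.2"

      - name: Terraform Init and extract MNS SQS QUEUE ARN
        working-directory: infrastructure/instance
        run: |
          make init apigee_environment="$APIGEE_ENVIRONMENT" environment="$BACKEND_ENVIRONMENT" sub_environment="$BACKEND_SUB_ENVIRONMENT"
          make workspace apigee_environment="$APIGEE_ENVIRONMENT" environment="$BACKEND_ENVIRONMENT" sub_environment="$BACKEND_SUB_ENVIRONMENT"
          # Values appended to GITHUB_ENV become environment variables for every
          # later step; each entry must stay on a single line.
          echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> "$GITHUB_ENV"
          # Destroy still evaluates variable validation, so provide a non-empty fallback when output is unavailable.
          resolve_or_placeholder() {
            local uri="$(make -s output "name=$1" 2>/dev/null || true)"
            echo "${uri:-placeholder.dkr.ecr.eu-west-2.amazonaws.com/$2@sha256:0000000000000000000000000000000000000000000000000000000000000000}"
          }
          while IFS=: read -r lambda_name repository_name; do
            [ -n "${lambda_name}" ] || continue
            echo "TF_VAR_${lambda_name}_image_uri=$(resolve_or_placeholder "${lambda_name}_image_uri" "${repository_name}")" >> "$GITHUB_ENV"
          done <<< "${LAMBDA_IMAGE_REPOSITORIES}"

      - name: Install poetry
        run: pip install poetry==2.1.4

      # NOTE(review): this action is referenced by a mutable tag, while the other
      # third-party actions in this job are pinned to full commit SHAs. Pin it to
      # the commit SHA of the same release so the code that runs with the assumed
      # AWS role cannot change without a reviewed edit to this file.
      - uses: actions/setup-python@v6.2.0
        with:
          # Quoted so the version is read as a string rather than a float.
          python-version: "3.11"
          cache: "poetry"
          cache-dependency-path: |
            lambdas/mns_subscription/poetry.lock
            lambdas/shared/poetry.lock

      - name: Unsubscribe MNS
        working-directory: "./lambdas/mns_subscription"
        env:
          # Overrides the job-level APIGEE_ENVIRONMENT for this step only.
          APIGEE_ENVIRONMENT: int
          SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
        run: |
          poetry install --no-root
          echo "Unsubscribing SQS to MNS for notifications..."
          make unsubscribe

      - name: Destroy Lambda event source mappings
        working-directory: infrastructure/event_source_mappings
        run: |
          make init apigee_environment="$APIGEE_ENVIRONMENT" environment="$BACKEND_ENVIRONMENT" sub_environment="$BACKEND_SUB_ENVIRONMENT"
          make destroy apigee_environment="$APIGEE_ENVIRONMENT" environment="$BACKEND_ENVIRONMENT" sub_environment="$BACKEND_SUB_ENVIRONMENT"

      - name: Terraform Destroy
        working-directory: infrastructure/instance
        run: |
          make destroy apigee_environment="$APIGEE_ENVIRONMENT" environment="$BACKEND_ENVIRONMENT" sub_environment="$BACKEND_SUB_ENVIRONMENT"

      - name: Cleanup PR ECR images by prefix
        env:
          AWS_REGION: eu-west-2
          # Trailing "-" keeps pr-1 from also matching tags that belong to pr-12.
          IMAGE_TAG_PREFIX: ${{ env.BACKEND_SUB_ENVIRONMENT }}-
        run: |
          set -euo pipefail
          # Deletes every image in the given repository whose tag starts with
          # IMAGE_TAG_PREFIX. A missing repository or no matching tags is not an error.
          cleanup_repo_by_prefix() {
            local repository_name="$1"
            local image_tags
            local image_ids_args=""
            if ! aws ecr describe-repositories \
              --repository-names "${repository_name}" \
              --region "${AWS_REGION}" \
              >/dev/null 2>&1; then
              echo "Repository '${repository_name}' does not exist. Skipping."
              return
            fi
            # The prefix is spliced into the JMESPath expression as a literal, so
            # the scope of the deletion depends on it being a plain "pr-<digits>-"
            # string (enforced by the validation step at the start of the job).
            image_tags=$(
              aws ecr list-images \
                --repository-name "${repository_name}" \
                --region "${AWS_REGION}" \
                --filter tagStatus=TAGGED \
                --query "imageIds[?starts_with(imageTag, \`${IMAGE_TAG_PREFIX}\`)].imageTag" \
                --output text
            )
            if [ -z "${image_tags}" ] || [ "${image_tags}" = "None" ]; then
              echo "No images found in '${repository_name}' for prefix '${IMAGE_TAG_PREFIX}'."
              return
            fi
            # Word splitting on image_tags is intentional: text output is
            # whitespace-separated, one tag per word.
            for image_tag in ${image_tags}; do
              echo "Queueing image tag '${image_tag}' from '${repository_name}' for deletion..."
              image_ids_args="${image_ids_args} imageTag=${image_tag}"
            done
            # image_ids_args is left unquoted so each "imageTag=..." is passed as
            # its own argument.
            # NOTE(review): everything is sent in a single call; confirm the
            # per-request image limit is never exceeded for a long-lived PR.
            aws ecr batch-delete-image \
              --repository-name "${repository_name}" \
              --region "${AWS_REGION}" \
              --image-ids ${image_ids_args} \
              --output json
          }
          while IFS=: read -r lambda_name repository_name; do
            [ -n "${lambda_name}" ] || continue
            [ -n "${repository_name}" ] || continue
            cleanup_repo_by_prefix "${repository_name}"
          done <<< "${LAMBDA_IMAGE_REPOSITORIES}"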