Nightly E2E Resource Cleanup #4

Workflow file for this run

.github/workflows/cleanup.yml at d408059

	name: Nightly E2E Resource Cleanup

	on:
	schedule:
	- cron: '0 2 * * *' # 02:00 UTC every day
	workflow_dispatch: # allow manual trigger

	jobs:

	cleanup:
	name: Sweep orphaned E2E test resources
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read

	steps:
	- uses: actions/checkout@v4

	- uses: actions/setup-python@v5
	with:
	python-version: '3.12'

	- run: pip install boto3

	# ── Single account ────────────────────────────────────────────────────

	- name: Assume role — single account
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_SINGLE_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — single account
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Delete stale CF stacks — single account (ap-northeast-2)
	run: \|
	for stack in $(aws cloudformation list-stacks \
	--stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE \
	ROLLBACK_COMPLETE UPDATE_ROLLBACK_COMPLETE \
	CREATE_FAILED UPDATE_FAILED ROLLBACK_FAILED \
	--query 'StackSummaries[?starts_with(StackName, `map-auto-tagger-e2e-pr`)].StackName' \
	--output text \
	--region ap-northeast-2 2>/dev/null); do
	echo "Deleting stack: $stack"
	aws cloudformation delete-stack --stack-name "$stack" --region ap-northeast-2 \|\| true
	done
	continue-on-error: true

	- name: Delete stale CF stacks — single account (us-east-1)
	run: \|
	for stack in $(aws cloudformation list-stacks \
	--stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE \
	ROLLBACK_COMPLETE UPDATE_ROLLBACK_COMPLETE \
	CREATE_FAILED UPDATE_FAILED ROLLBACK_FAILED \
	--query 'StackSummaries[?starts_with(StackName, `map-auto-tagger-e2e-pr`)].StackName' \
	--output text \
	--region us-east-1 2>/dev/null); do
	echo "Deleting stack: $stack"
	aws cloudformation delete-stack --stack-name "$stack" --region us-east-1 \|\| true
	done
	continue-on-error: true

	- name: Delete stale CF stacks — single account (us-west-2)
	run: \|
	for stack in $(aws cloudformation list-stacks \
	--stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE \
	ROLLBACK_COMPLETE UPDATE_ROLLBACK_COMPLETE \
	CREATE_FAILED UPDATE_FAILED ROLLBACK_FAILED \
	--query 'StackSummaries[?starts_with(StackName, `map-auto-tagger-e2e-pr`)].StackName' \
	--output text \
	--region us-west-2 2>/dev/null); do
	echo "Deleting stack: $stack"
	aws cloudformation delete-stack --stack-name "$stack" --region us-west-2 \|\| true
	done
	continue-on-error: true

	# ── Management account (StackSets live here) ──────────────────────────

	- name: Assume role — management account
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_MGMT_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — management account
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Delete stale StackSets — management account
	run: \|
	for ss in $(aws cloudformation list-stack-sets \
	--status ACTIVE \
	--query 'Summaries[?starts_with(StackSetName, `map-auto-tagger-e2e-pr`)].StackSetName' \
	--output text \
	--region ap-northeast-2 2>/dev/null); do
	echo "Removing all instances from StackSet: $ss"
	# Delete all stack instances first (required before deleting the StackSet)
	aws cloudformation delete-stack-instances \
	--stack-set-name "$ss" \
	--regions ap-northeast-2 \
	--no-retain-stacks \
	--deployment-targets 'OrganizationalUnitIds=[]' \
	--region ap-northeast-2 2>/dev/null \|\| \
	aws cloudformation delete-stack-instances \
	--stack-set-name "$ss" \
	--accounts \
	"${{ secrets.AWS_LINKED1_ACCOUNT_ID }}" \
	"${{ secrets.AWS_LINKED2_ACCOUNT_ID }}" \
	"${{ secrets.AWS_LINKED3_ACCOUNT_ID }}" \
	"${{ secrets.AWS_LINKED4_ACCOUNT_ID }}" \
	"${{ secrets.AWS_LINKED5_ACCOUNT_ID }}" \
	--regions ap-northeast-2 \
	--no-retain-stacks \
	--region ap-northeast-2 2>/dev/null \|\| true
	sleep 5
	echo "Deleting StackSet: $ss"
	aws cloudformation delete-stack-set --stack-set-name "$ss" --region ap-northeast-2 \|\| true
	done
	continue-on-error: true

	# ── Linked account 1 ──────────────────────────────────────────────────

	- name: Assume role — linked account 1
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_LINKED1_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — linked account 1
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Sweep orphaned map-auto-tagger IAM roles — linked account 1
	run: python3 .github/scripts/sweep_iam_roles.py
	continue-on-error: true

	# ── Linked account 2 ──────────────────────────────────────────────────

	- name: Assume role — linked account 2
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_LINKED2_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — linked account 2
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Sweep orphaned map-auto-tagger IAM roles — linked account 2
	run: python3 .github/scripts/sweep_iam_roles.py
	continue-on-error: true

	# ── Linked account 3 ──────────────────────────────────────────────────

	- name: Assume role — linked account 3
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_LINKED3_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — linked account 3
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Sweep orphaned map-auto-tagger IAM roles — linked account 3
	run: python3 .github/scripts/sweep_iam_roles.py
	continue-on-error: true

	# ── Linked account 4 ──────────────────────────────────────────────────

	- name: Assume role — linked account 4
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_LINKED4_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — linked account 4
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Sweep orphaned map-auto-tagger IAM roles — linked account 4
	run: python3 .github/scripts/sweep_iam_roles.py
	continue-on-error: true

	# ── Linked account 5 ──────────────────────────────────────────────────

	- name: Assume role — linked account 5
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_LINKED5_ACCOUNT_ID }}:role/GitHubActionsE2ERole
	aws-region: ap-northeast-2
	continue-on-error: true

	- name: Delete tagged resources — linked account 5
	working-directory: .github/scripts
	run: \|
	python3 teardown.py \
	--all \
	--tag-value migTEST0000001 \
	--regions ap-northeast-2,us-east-1,us-west-2
	continue-on-error: true

	- name: Sweep orphaned map-auto-tagger IAM roles — linked account 5
	run: python3 .github/scripts/sweep_iam_roles.py
	continue-on-error: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Nightly E2E Resource Cleanup #4

Workflow file

Nightly E2E Resource Cleanup #4

Uh oh!

Workflow file for this run