Skip to content

destroy

destroy #374

Workflow file for this run

# destroy - github workflow
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: destroy
# name of GitHub event that triggers workflow
# https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch
on:
# trigger via webhook
# https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28
repository_dispatch:
types: [destroy]
# enable manual workflow
# https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow
workflow_dispatch:
inputs: {}
# permissions for oidc login
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# global environment variables
# https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables
env:
# prefix: used for some globally unique name requirements
PREFIX: arshz
# debug
CI_DEBUG: true
# azure creds (used with OIDC auth)
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
# other
# prod or staging
CERT_API_ENVIRONMENT: staging
DNS_RG_NAME: rg-dns
EMAIL_ADDRESS: certadmin@domain.com
ENABLE_TLS_INGRESS: true
FORCE_TEST_FAIL: false
K8S_TLS_SECRET_NAME: tls-secret
KEY_VAULT_NAME: kv-rush-aqy2
KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk
KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot
# NOTE: "eastus" is cheaper than "uksouth"
LOCATION: eastus
ROOT_DOMAIN_NAME: thehypepipe.co.uk
# STORAGE_KEY: 'env var set by Get-StorageKey.ps1'
VELERO_ENABLED: true
# terraform
TF_IN_AUTOMATION: "true"
TF_INPUT: "false"
TF_LOG_PATH: terraform.log
TF_LOG: "ERROR" # https://developer.hashicorp.com/terraform/internals/debugging
# https://github.com/hashicorp/terraform/releases
TF_VERSION: "1.7.3"
TF_WORKING_DIR: terraform-vf
# azurerm provider oidc
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
# https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token
ARM_USE_OIDC: "true"
# Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
# https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
jobs:
destroy:
# always pin versions
# view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners
runs-on: ubuntu-22.04
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment
environment:
name: dev
# only run if owner triggered action
if: github.actor == github.event.repository.owner.login
steps:
# Checkout
# Reference the major version of a release
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions
- uses: actions/checkout@v4
# specify different branch
# NOT required as I've changed the default branch to develop
# with:
# ref: develop
# Env var concatenation
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files
- name: Concatenate env vars (Workaround)
run: |
chmod -R +x ./scripts/
echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV
echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV
echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV
echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
# Login
# https://github.com/Azure/login
- name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks
- name: Start AKS Cluster
continue-on-error: true
run: ./scripts/start_aks_cluster.sh
# Prereqs
# TODO remove this step
# - name: Lookup Storage Key
# run: ./scripts/storage_key.sh
- name: Replace tokens in Terraform config files
run: pwsh -command "./scripts/Replace-Tokens.ps1"
env:
IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }}
# Terraform
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: 💀 Terraform destroy
run: |
echo 'Running terraform init...'
terraform init \
-backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \
-backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT"
echo 'Running terraform destroy...'
terraform destroy -no-color -auto-approve
working-directory: ${{ env.TF_WORKING_DIR }}
- name: Terraform logs
uses: actions/upload-artifact@v2
with:
name: Terraform logs
path: ${{ env.TF_WORKING_DIR }}/${{ env.TF_LOG_PATH }}
if: always()
# Cleanup
- name: Delete Storage
run: ./scripts/storage_delete.sh
# Notify
- name: Notify slack
continue-on-error: true
env:
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
run: ./scripts/send_slack_message.sh "[devops-lab] Destroy complete"