-
Notifications
You must be signed in to change notification settings - Fork 2
168 lines (143 loc) · 6.3 KB
/
destroy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# destroy - github workflow
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: destroy
# name of GitHub event that triggers workflow
# https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch
on:
# trigger via webhook
# https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28
repository_dispatch:
types: [destroy]
# enable manual workflow
# https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow
workflow_dispatch:
inputs: {}
# permissions for oidc login
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# global environment variables
# https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables
env:
# prefix: used for some globally unique name requirements
PREFIX: arshz
# debug
CI_DEBUG: true
# azure creds (used with OIDC auth)
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
# other
# prod or staging
CERT_API_ENVIRONMENT: staging
DNS_RG_NAME: rg-dns
EMAIL_ADDRESS: certadmin@domain.com
ENABLE_TLS_INGRESS: true
FORCE_TEST_FAIL: false
K8S_TLS_SECRET_NAME: tls-secret
KEY_VAULT_NAME: kv-rush-aqy2
KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk
KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot
# NOTE: "eastus" is cheaper than "uksouth"
LOCATION: eastus
ROOT_DOMAIN_NAME: thehypepipe.co.uk
# STORAGE_KEY: 'env var set by Get-StorageKey.ps1'
VELERO_ENABLED: true
# terraform
TF_IN_AUTOMATION: "true"
TF_INPUT: "false"
TF_LOG_PATH: terraform.log
TF_LOG: "ERROR" # https://developer.hashicorp.com/terraform/internals/debugging
# https://github.com/hashicorp/terraform/releases
TF_VERSION: "1.7.3"
TF_WORKING_DIR: ./terraform
# azurerm provider oidc
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
# https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token
ARM_USE_OIDC: "true"
# Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
# https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
jobs:
destroy:
# always pin versions
# view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners
runs-on: ubuntu-22.04
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment
environment:
name: dev
# only run if owner triggered action
if: github.actor == github.event.repository.owner.login
steps:
# Checkout
# Reference the major version of a release
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions
- uses: actions/checkout@v4
# specify different branch
# NOT required as I've changed the default branch to develop
# with:
# ref: develop
# Env var concatenation
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files
- name: Concatenate env vars (Workaround)
run: |
chmod -R +x ./scripts/
echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV
echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV
echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV
echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV
echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
# Login
# https://github.com/Azure/login
- name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks
- name: Start AKS Cluster
continue-on-error: true
run: ./scripts/start_aks_cluster.sh
# Prereqs
# TODO remove this step
# - name: Lookup Storage Key
# run: ./scripts/storage_key.sh
- name: Replace tokens in Terraform config files
run: pwsh -command "./scripts/Replace-Tokens.ps1"
env:
IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }}
# Terraform
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: 💀 Terraform destroy
run: |
echo 'Running terraform init...'
terraform init \
-backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \
-backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT"
echo 'Running terraform destroy...'
terraform destroy -no-color -auto-approve
working-directory: ${{ env.TF_WORKING_DIR }}
- name: Terraform logs
uses: actions/upload-artifact@v2
with:
name: Terraform logs
path: ${{ env.TF_WORKING_DIR }}/${{ env.TF_LOG_PATH }}
if: always()
# Cleanup
- name: Delete Storage
run: ./scripts/storage_delete.sh
# Notify
- name: Notify slack
continue-on-error: true
env:
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
run: ./scripts/send_slack_message.sh "[devops-lab] Destroy complete"