name: Destroy Environment
# Run title shown in the Actions list; the trailing "*" signals a prefix match.
run-name: Destroying ${{ inputs.prefix }}* by @${{ github.actor }}
on:
  # Ability to execute on demand
  workflow_dispatch:
    inputs:
      prefix:
        type: string
        description: "Delete all environments starting with `prefix`"
        required: true
      ignore-prefix:
        type: string
        description: "Ignore all environments starting with `ignore-prefix`"
        required: false
      # NOTE(review): a workflow_dispatch input is recorded in the run's event
      # payload, not only in the job log; the "Mask API Key" step below hides
      # it from logs but not from the stored payload — confirm this exposure
      # is acceptable, or prefer a repository/organization secret.
      ec-api-key:
        type: string
        description: "**Optional** To delete env environments on your own organization, enter your Elastic Cloud API key."
        required: false
  # Same inputs again so other workflows can call this file as a reusable
  # workflow; keep the two input lists identical.
  workflow_call:
    inputs:
      prefix:
        type: string
        description: "Delete all environments starting with `prefix`"
        required: true
      ignore-prefix:
        type: string
        description: "Ignore all environments starting with `ignore-prefix`"
        required: false
      ec-api-key:
        type: string
        description: "**Optional** To delete env environments on your own organization, enter your Elastic Cloud API key."
        required: false
env:
  # NOTE(review): these long-lived AWS keys are exported to every step here
  # and handed to the configure-aws-credentials step again below. The job
  # already grants `id-token: write`, so an OIDC role assumption could replace
  # the static key pair — verify nothing in `just delete-cloud-env` reads
  # these variables directly before removing them.
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_REGION: "eu-west-1"
  # Consumed by the `just delete-cloud-env` call in the Destroy job.
  ENV_PREFIX: ${{ inputs.prefix }}
  ENV_IGNORE_PREFIX: ${{ inputs.ignore-prefix }}
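jobs:
  Destroy:
    runs-on: ubuntu-22.04
    timeout-minutes: 120
    # "id-token: write" is what the OIDC-based Google Cloud login below needs;
    # everything else stays read-only.
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Check out the repo
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      # Exports the Hermit-managed toolchain (presumably including `just`,
      # used by the destroy step) into the job environment.
      - name: Init Hermit
        run: ./bin/hermit env -r >> "$GITHUB_ENV"
        working-directory: ./

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      # Only consult Vault when the caller did not bring its own key.
      # continue-on-error keeps the job alive if Vault is unreachable; the
      # "Set Elastic Cloud Credentials" step then falls back to
      # secrets.EC_API_KEY for all three environments, so a Vault outage
      # silently widens the use of the production key — check the step log
      # whenever that fallback is hit.
      - name: Get Elastic Cloud API Keys from Vault
        id: get-ec-credentials
        if: inputs.ec-api-key == ''
        uses: hashicorp/vault-action@9c2d817b85b9fff56bcab21cb74b485aee9e9d73 # v2.8.1
        continue-on-error: true
        with:
          url: ${{ secrets.VAULT_ADDR }}
          roleId: ${{ secrets.CSP_VAULT_ROLE_ID }}
          secretId: ${{ secrets.CSP_VAULT_SECRET_ID }}
          method: approle
          secrets: |
            secret/csp-team/ci/elastic-cloud/production api_key | EC_API_KEY_PRODUCTION ;
            secret/csp-team/ci/elastic-cloud/staging api_key | EC_API_KEY_STAGING ;
            secret/csp-team/ci/elastic-cloud/qa api_key | EC_API_KEY_QA

      # Take the user-supplied key from the `inputs` context instead of
      # parsing $GITHUB_EVENT_PATH: when this file runs via workflow_call the
      # event payload belongs to the caller and does not carry this
      # workflow's inputs, so a jq lookup yields the string "null". Passing
      # the value through `env` keeps it off the command line, and it is
      # masked before anything else can print it.
      - name: Mask API Key
        if: inputs.ec-api-key != ''
        env:
          EC_API_KEY_INPUT: ${{ inputs.ec-api-key }}
        run: |
          echo "::add-mask::${EC_API_KEY_INPUT}"
          echo "USER_PROVIDED_EC_API_KEY=${EC_API_KEY_INPUT}" >> "$GITHUB_ENV"

      # Resolves one key per Elastic Cloud environment, in this order:
      # user-provided key > Vault key for that environment > Vault production
      # key > secrets.EC_API_KEY.
      - name: Set Elastic Cloud Credentials as environment variables
        id: set-ec-credentials
        shell: bash
        run: |
          # If user provided API key, use it as fallback for all environments
          if [[ -n "${USER_PROVIDED_EC_API_KEY:-}" ]]; then
            echo "Using user-provided API key for all environments"
            echo "EC_API_KEY_PRODUCTION=${USER_PROVIDED_EC_API_KEY}" >> "$GITHUB_ENV"
            echo "EC_API_KEY_STAGING=${USER_PROVIDED_EC_API_KEY}" >> "$GITHUB_ENV"
            echo "EC_API_KEY_QA=${USER_PROVIDED_EC_API_KEY}" >> "$GITHUB_ENV"
          else
            # Use Vault credentials, with fallback to production secret if vault fails
            echo "EC_API_KEY_PRODUCTION=${EC_API_KEY_PRODUCTION:-${{ secrets.EC_API_KEY }}}" >> "$GITHUB_ENV"
            echo "EC_API_KEY_STAGING=${EC_API_KEY_STAGING:-${EC_API_KEY_PRODUCTION:-${{ secrets.EC_API_KEY }}}}" >> "$GITHUB_ENV"
            echo "EC_API_KEY_QA=${EC_API_KEY_QA:-${EC_API_KEY_PRODUCTION:-${{ secrets.EC_API_KEY }}}}" >> "$GITHUB_ENV"
          fi

      # Short-lived credentials via workload identity federation (needs the
      # id-token permission above).
      - id: google-auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # NOTE(review): unlike the Google step this uses a long-lived
      # credentials blob; azure/login also supports OIDC federation — confirm
      # whether the static secret is still required.
      - id: azure-auth
        name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # ENV_PREFIX / ENV_IGNORE_PREFIX come from the workflow-level env and
      # are passed as quoted arguments, never interpolated into the script.
      # The EC_* re-exports are redundant with $GITHUB_ENV but make the
      # dependency explicit. The meaning of the trailing "false" argument is
      # defined by the `just` recipe, not visible here — presumably a dry-run
      # switch; confirm against the justfile.
      - name: Destroy Environment
        env:
          EC_API_KEY_PRODUCTION: ${{ env.EC_API_KEY_PRODUCTION }}
          EC_API_KEY_STAGING: ${{ env.EC_API_KEY_STAGING }}
          EC_API_KEY_QA: ${{ env.EC_API_KEY_QA }}
        run: |
          just delete-cloud-env "${ENV_PREFIX}" "${ENV_IGNORE_PREFIX}" "false"

      # The message text is built with format() and JSON-encoded with toJSON()
      # so a `prefix` containing quotes, backslashes or newlines cannot break
      # or alter the payload (the input is free text from whoever triggers
      # the run).
      - name: Send Slack Notification
        uses: ./.github/actions/slack-notification
        if: always()
        continue-on-error: true
        env:
          RUN_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
          JOB_STATUS_COLOR: "${{ job.status == 'success' && '#36a64f' || '#D40E0D' }}"
        with:
          vault-url: ${{ secrets.VAULT_ADDR }}
          vault-role-id: ${{ secrets.CSP_VAULT_ROLE_ID }}
          vault-secret-id: ${{ secrets.CSP_VAULT_SECRET_ID }}
          slack-payload: |
            {
              "text": ${{ toJSON(format('{0} job <{1}|{2}> triggered by `{3}`', github.workflow, env.RUN_URL, inputs.prefix, github.actor)) }},
              "blocks": [
                {
                  "type": "divider"
                }
              ],
              "attachments": [
                {
                  "color": "${{ env.JOB_STATUS_COLOR }}",
                  "blocks": [
                    {
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
                        "text": ${{ toJSON(format('{0} job <{1}|{2}> triggered by `{3}`', github.workflow, env.RUN_URL, inputs.prefix, github.actor)) }}
                      }
                    }
                  ]
                }
              ]
            }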