Use new fork of aws-nuke (#83)

* Use new fork of aws-nuke https://github.com/rebuy-de/aws-nuke is not maintained anymore. The official fork is https://github.com/ekristen/aws-nuke as mentioned in the readme. This change updates the conan image and playbook. - use the binary from the new fork - to be on the safe side: keep using the old binary as a last step * Update readme * Fix helm chart for conan and update readme * Fix command line with new version of aws nuke * tool: add login to hurl file (mark for cleanup)
rhpds · Oct 2, 2024 · 874fa50 · 874fa50
1 parent 5081ea6
commit 874fa50
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 21 deletions.
diff --git a/Containerfile.conan b/Containerfile.conan
@@ -9,7 +9,8 @@ RUN make sandbox-list
 FROM registry.access.redhat.com/ubi8/ubi:latest
     MAINTAINER Guillaume Coré <gucore@redhat.com>
 
-ARG AWSNUKE_VERSION=v2.25.0
+ARG AWSNUKE_VERSION=v3.22.0
+ARG AWSNUKE_LEGACY_VERSION=v2.25.0
 ARG RUSH_VERSION=v0.5.4
 
 USER root
@@ -52,9 +53,12 @@ RUN mkdir -p -m 770  /home/opentlc-mgr/pool_management/output_dir_sandbox \
 # aws-nuke
 ##############################
     && curl --silent --location \
-    https://github.com/rebuy-de/aws-nuke/releases/download/${AWSNUKE_VERSION}/aws-nuke-${AWSNUKE_VERSION}-linux-amd64.tar.gz \
+    https://github.com/ekristen/aws-nuke/releases/download/${AWSNUKE_VERSION}/aws-nuke-${AWSNUKE_VERSION}-linux-amd64.tar.gz \
+    | tar -xz -C /usr/local/bin --wildcards 'aws-nuke' \
+    && curl --silent --location \
+    https://github.com/rebuy-de/aws-nuke/releases/download/${AWSNUKE_LEGACY_VERSION}/aws-nuke-${AWSNUKE_LEGACY_VERSION}-linux-amd64.tar.gz \
     | tar -xz -C /usr/local/bin --wildcards 'aws-nuke-*-linux-amd64' \
-    && ln -s /usr/local/bin/aws-nuke-${AWSNUKE_VERSION}-linux-amd64 /usr/local/bin/aws-nuke \
+    && ln -s /usr/local/bin/aws-nuke-${AWSNUKE_LEGACY_VERSION}-linux-amd64 /usr/local/bin/aws-nuke-legacy \
 ##############################
 # Rush
 ##############################

diff --git a/conan/readme.adoc b/conan/readme.adoc
@@ -6,11 +6,11 @@ image::conan.webp[Conan the destroyer of Sandboxes,300,300,float="left"]
 
 It watches the pool of sandboxes, and look for those marked as `to_cleanup`.
 
-Then it runs link:https://github.com/rebuy-de/aws-nuke[aws-nuke] to wipe them, and put them back in the pool of available sandboxes.
+Then it runs link:https://github.com/ekristen/aws-nuke[aws-nuke] to wipe them, and put them back in the pool of available sandboxes.
 
 == Dependencies
 
-* link:https://github.com/rebuy-de/aws-nuke[`aws-nuke`] binary
+* link:https://github.com/ekristen/aws-nuke[`aws-nuke`] binary
 * IPA client
 * kerberos, `kinit`
 * link:../readme.adoc[`sandbox-list`] binary
@@ -94,3 +94,9 @@ podman run -e sandbox_filter="^sandbox2345 " ...
 
 $ podman secret rm vault_file aws_credentials
 ----
+
+== Install via helm
+
+----
+helm install  -f .dev.conan.yaml sandbox-conan deploy/helm-conan/
+----
diff --git a/deploy/helm-conan/templates/namespace.yaml b/deploy/helm-conan/templates/namespace.yaml
diff --git a/deploy/helm-conan/values.yaml b/deploy/helm-conan/values.yaml
@@ -1,4 +1,5 @@
 ---
+namespace: babylon-sandbox-conan
 deployment:
   image: quay.io/rhpds/sandbox-conan
   tag: latest

diff --git a/playbooks/roles/infra-aws-sandbox/defaults/main.yml b/playbooks/roles/infra-aws-sandbox/defaults/main.yml
@@ -36,7 +36,8 @@ ocpkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8c3m39CoyA3bbgQUui3MGlJOryfg98NwI
 ####################################
 nuke_sandbox: true
 
-aws_nuke_binary_path: /usr/bin/aws-nuke
+aws_nuke_binary_path: aws-nuke
+aws_nuke_legacy_binary_path: aws-nuke-legacy
 
 aws_nuke_account_blacklist:
   - 017310218799 # Master account

diff --git a/playbooks/roles/infra-aws-sandbox/tasks/reset.yml b/playbooks/roles/infra-aws-sandbox/tasks/reset.yml
@@ -67,7 +67,7 @@
 
     - name: Run aws-nuke on sandbox account
       command: >-
-        {{ aws_nuke_binary_path }} --profile {{ account_name }}
+        {{ aws_nuke_binary_path }} nuke --profile {{ account_name }}
         -c "{{ output_dir }}/{{ account_name }}_nuke-config.yml"
         --no-dry-run
         --force
@@ -100,7 +100,7 @@
         - name: Run aws-nuke again
           when: run_aws_nuke_again | default(false)
           command: >-
-            {{ aws_nuke_binary_path }} --profile {{ account_name }}
+            {{ aws_nuke_binary_path }} nuke --profile {{ account_name }}
             -c "{{ output_dir }}/{{ account_name }}_nuke-config.yml"
             --no-dry-run
             --force
@@ -118,6 +118,23 @@
         - debug:
             var: _awsnuke2
 
+    - name: Run aws-nuke legacy on sandbox account
+      # be on the safe side, run the official (unmaintained) binary
+      command: >-
+        {{ aws_nuke_lecacy_binary_path }} --profile {{ account_name }}
+        -c "{{ output_dir }}/{{ account_name }}_nuke-config.yml"
+        --no-dry-run
+        --force
+      args:
+        stdin: "{{ account_name }}{{ alias_suffix }}"
+      register: _awsnuke_legacy
+      ignore_errors: true
+      retries: "{{ aws_nuke_legacy_retries | default(0) }}"
+      until: _awsnuke_legacy is succeeded
+      no_log: true
+      async: 1800
+      poll: 30
+      delay: 30
 
     - name: Report aws-nuke error
       fail:

diff --git a/tools/sandbox_mark_for_cleanup.hurl b/tools/sandbox_mark_for_cleanup.hurl
@@ -1,3 +1,16 @@
+#################################################################################
+# Get an access token using the login token
+#################################################################################
+
+GET {{host}}/api/v1/login
+Authorization: Bearer {{login_token}}
+HTTP 200
+[Captures]
+access_token: jsonpath "$.access_token"
+[Asserts]
+jsonpath "$.access_token" isString
+jsonpath "$.access_token_exp" isString
+
 #################################################################################
 # Stop a placement
 #################################################################################