This repository contains the GitHub Actions workflow and configuration files that execute
cloud-nuke for cleaning up AWS accounts.
This repository implements a very simple GitHub Actions workflow defined under `.github/workflows/cloud-nuke.yaml`. The
workflow uses the `.github/workflows/contexts.json` file to determine the list of AWS accounts that need to be cleaned
up, and YAML configuration files stored in the `config` directory for instructing `cloud-nuke` which resources need to
be included in or excluded from the cleanup operation.
At a high level, the workflow performs the following actions:
- Builds a list of AWS accounts that will be cleaned up.
- Downloads a specific version of the `cloud-nuke` executable using the version tag specified in the `CLOUD_NUKE_VERSION` environment variable.
  - This is done to avoid using the `latest` version: new versions of the tool often add new types of resources to be nuked, and that could result in unexpected behaviour if we don't actually want those specific resources gone. Bumping `CLOUD_NUKE_VERSION` is therefore a change that should be reviewed against the `config` files, not applied automatically.
- Executes `cloud-nuke` against all configured AWS accounts.
To add a new AWS account to the cleanup workflow, follow these steps:
- Create a new environment in GitHub.
  - The environment name must follow the naming pattern `account_name-account_id`, e.g. `sandbox-123456789012`.
  - It is recommended to enable an environment protection rule that restricts deployments to the environment to protected branches only. Because `cloud-nuke` is a very destructive tool, allowing deployments from all branches could result in incidents where incorrect and unreviewed configuration in a branch causes unexpected deletion of AWS resources.
- Append the new environment's configuration to `.github/workflows/contexts.json`, e.g.:

```json
{
  "account_name": "sandbox",
  "account_id": "123456789012"
}
```

The workflow runs on a schedule which is defined in `.github/workflows/cloud-nuke.yaml`.
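The following script is an added example of how the "build a list of AWS accounts" step and the account-naming convention above fit together; it is not the repository's own workflow code. It assumes that `contexts.json` is a JSON array of `{"account_name", "account_id"}` objects, that each GitHub environment is named `<account_name>-<account_id>` as described in the steps above, and that the resulting matrix is published as a step output named `matrix` (the output name, the function names, and the restriction of `account_name` to lowercase letters, digits and underscores are assumptions of this example). The point of validating here is that a malformed or duplicated entry should fail the build before anything is nuked, rather than silently targeting the wrong account or none at all.

```python
"""Build the cloud-nuke account matrix from contexts.json.

Added example, not the repository's own workflow code. Assumptions:
  * contexts.json is a JSON array of {"account_name", "account_id"} objects;
  * the GitHub environment for each account is named "<account_name>-<account_id>";
  * the matrix is exposed to later jobs as a step output called "matrix".
"""
import json
import os
import re
from typing import Optional

# Naming pattern from the README: account_name-account_id.
# AWS account IDs are exactly 12 digits; the account_name character set is an
# assumption chosen so the "-" separator in the environment name is unambiguous.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_]*$")


def environment_name(account_name: str, account_id: str) -> str:
    """Return the GitHub environment name for an account, validating both parts."""
    if not isinstance(account_name, str) or not ACCOUNT_NAME_RE.match(account_name):
        raise ValueError(f"invalid account_name: {account_name!r}")
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"invalid account_id (must be a 12-digit string): {account_id!r}")
    return f"{account_name}-{account_id}"


def build_matrix(contexts_json: str) -> dict:
    """Parse the text of contexts.json into a GitHub Actions job matrix.

    Returns {"include": [{"account_name", "account_id", "environment"}, ...]}.
    Raises ValueError on malformed entries or duplicate account IDs so that a
    bad edit to contexts.json fails the build instead of reaching cloud-nuke.
    """
    contexts = json.loads(contexts_json)
    if not isinstance(contexts, list) or not contexts:
        raise ValueError("contexts.json must be a non-empty JSON array")
    include, seen_ids = [], set()
    for entry in contexts:
        if not isinstance(entry, dict) or set(entry) != {"account_name", "account_id"}:
            raise ValueError(f"unexpected entry in contexts.json: {entry!r}")
        env = environment_name(entry["account_name"], entry["account_id"])
        if entry["account_id"] in seen_ids:
            raise ValueError(f"duplicate account_id: {entry['account_id']}")
        seen_ids.add(entry["account_id"])
        include.append({**entry, "environment": env})
    return {"include": include}


def write_github_output(matrix: dict, path: Optional[str] = None) -> str:
    """Emit the matrix as a single-line `matrix=<json>` step output.

    Appends to $GITHUB_OUTPUT (or an explicit path) when one is available and
    returns the written line so it can be inspected outside of a runner.
    """
    line = "matrix=" + json.dumps(matrix, separators=(",", ":"))
    target = path or os.environ.get("GITHUB_OUTPUT")
    if target:
        with open(target, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return line


# Constructed sample standing in for .github/workflows/contexts.json.
SAMPLE_CONTEXTS = json.dumps([
    {"account_name": "sandbox", "account_id": "123456789012"},
    {"account_name": "dev", "account_id": "210987654321"},
])

if __name__ == "__main__":
    print(write_github_output(build_matrix(SAMPLE_CONTEXTS)))
```

Carrying the derived `environment` field in the matrix is what lets the job that actually runs `cloud-nuke` declare `environment: ${{ matrix.environment }}`, so the protection rule on each environment (protected branches only) is the gate that stands between an unreviewed branch and a destructive run.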