Create destroy-nic-nap.yml

akananth · web-flow · commit 3c1efc2581ef · 2025-03-25T15:33:21.000-05:00
diff --git a/.github/workflows/destroy-nic-nap.yml b/.github/workflows/destroy-nic-nap.yml
@@ -0,0 +1,365 @@
+name: "NGINX V5-NIC/NAP Destroy"
+on:
+  push:
+    branches:
+      - destroy-nic-napv5
+  pull_request:
+env:
+  AWS_REGION: us-east-1
+jobs:
+  terraform_arcadia:
+    name: "Destroy Arcadia WebApp"
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./arcadia
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+      
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Validate
+        run: terraform validate -no-color
+
+      - name: Terraform Plan (Destroy)
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          terraform plan -destroy -no-color -input=false -lock=false -out=tfplan
+          terraform show -no-color tfplan > plan.txt
+
+      - name: Check Changes
+        id: check_changes
+        run: |
+          if grep -q "No changes." plan.txt; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Terraform Destroy
+        if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
+        run: terraform destroy -auto-approve -lock=false -input=false
+
+  terraform_policy:
+    name: "Destroy NGINX Policy"
+    runs-on: ubuntu-latest
+    needs: terraform_arcadia
+    defaults:
+      run:
+        working-directory: ./policy
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Destroy
+        run: terraform destroy -auto-approve -lock=false
+
+  terraform_nap:
+    name: "Destroy NGINX NIC/App Protect"
+    runs-on: ubuntu-latest
+    needs: terraform_policy
+    defaults:
+      run:
+        working-directory: ./nap
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan (Destroy)
+        run: |
+          terraform plan -destroy -no-color -input=false -lock=false -out=tfplan \
+            -var="workspace_path=${{ env.WORKSPACE_PATH }}" \
+            -var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
+            -var="nginx_pwd=none"
+        env:
+          WORKSPACE_PATH: "./nap"
+ 
+      - name: Check Changes
+        id: check_changes
+        run: |
+          if grep -q "No changes." plan.txt; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Terraform Destroy
+        if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
+        run: |
+          terraform destroy -auto-approve -input=false -lock=false \
+            -var="workspace_path=${{ env.WORKSPACE_PATH }}" \
+            -var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
+            -var="nginx_pwd=none"
+        env:
+          WORKSPACE_PATH: "./nap"
+
+  terraform_eks:
+    name: "Destroy AWS EKS"
+    runs-on: ubuntu-latest
+    needs: terraform_nap
+    defaults:
+      run:
+        working-directory: ./eks-cluster
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan (Destroy)
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          terraform plan -destroy -no-color -input=false -out=tfplan -lock=false
+          terraform show -no-color tfplan > plan.txt
+
+      - name: Check Changes
+        id: check_changes
+        run: |
+          if grep -q "No changes." plan.txt; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Terraform Destroy
+        if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
+        run: terraform destroy -auto-approve -input=false -lock=false
+
+  terraform_infra:
+    name: "Destroy AWS Infra"
+    runs-on: ubuntu-latest
+    needs: terraform_eks
+    defaults:
+      run:
+        working-directory: ./infra
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan (Destroy)
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          terraform plan -destroy -no-color -input=false -out=tfplan -lock=false
+          terraform show -no-color tfplan > plan.txt
+
+      - name: Check Changes
+        id: check_changes
+        run: |
+          if grep -q "No changes." plan.txt; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Terraform Destroy
+        if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
+        run: terraform destroy -auto-approve -input=false -lock=false
+
+  
+  terraform_S3:
+    name: "Delete S3/DynamoDB"
+    needs: terraform_infra
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./s3
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Set Bucket Name
+        id: set_bucket
+        run: |
+          echo "bucket_name=akash-terraform-state-bucket" >> $GITHUB_OUTPUT
+
+      - name: Nuclear S3 Bucket Deletion
+        run: |
+          set -e
+          BUCKET_NAME="${{ steps.set_bucket.outputs.bucket_name }}"
+          
+          # 1. Delete all object versions (with null checks)
+          echo "🔥 Deleting ALL object versions..."
+          versions=$(aws s3api list-object-versions --bucket $BUCKET_NAME --output json || echo '{"Versions":[],"DeleteMarkers":[]}')
+          versions_to_delete=$(echo $versions | jq '{Objects: [.Versions[]? | {Key:.Key, VersionId:.VersionId}]}' || echo '{"Objects":[]}')
+          if [ "$(echo $versions_to_delete | jq '.Objects | length')" -gt 0 ]; then
+            aws s3api delete-objects --bucket $BUCKET_NAME --delete "$versions_to_delete" || true
+          fi
+          
+          # 2. Delete all delete markers (with null checks)
+          echo "🗑️ Deleting ALL delete markers..."
+          markers_to_delete=$(echo $versions | jq '{Objects: [.DeleteMarkers[]? | {Key:.Key, VersionId:.VersionId}]}' || echo '{"Objects":[]}')
+          if [ "$(echo $markers_to_delete | jq '.Objects | length')" -gt 0 ]; then
+            aws s3api delete-objects --bucket $BUCKET_NAME --delete "$markers_to_delete" || true
+          fi
+          
+          # 3. Force delete any remaining objects
+          echo "💥 Force deleting any remaining objects..."
+          aws s3 rm s3://$BUCKET_NAME --recursive --include "*" || true
+          
+          # 4. Delete bucket
+          echo "🚀 Deleting bucket..."
+          aws s3api delete-bucket --bucket $BUCKET_NAME || true
+          
+          # 5. Final verification
+          if aws s3api head-bucket --bucket $BUCKET_NAME 2>/dev/null; then
+            echo "::error::Bucket $BUCKET_NAME still exists after deletion attempts!"
+            exit 1
+          else
+            echo "✅ Bucket $BUCKET_NAME successfully deleted"
+          fi
+
+      - name: Delete DynamoDB Table
+        run: |
+          set -e
+          TABLE_NAME="terraform-lock-table"
+          echo "💥 Deleting DynamoDB table..."
+          if aws dynamodb describe-table --table-name $TABLE_NAME 2>/dev/null; then
+            aws dynamodb delete-table --table-name $TABLE_NAME || true
+            echo "⌛ Waiting for table to be deleted..."
+            aws dynamodb wait table-not-exists --table-name $TABLE_NAME || true
+          fi
+          if aws dynamodb describe-table --table-name $TABLE_NAME 2>/dev/null; then
+            echo "::error::Table $TABLE_NAME still exists!"
+            exit 1
+          else
+            echo "✅ Table $TABLE_NAME successfully deleted"
+          fi
+
+      - name: Clean Up IAM Resources
+        run: |
+          set -e
+          # Delete policy
+          POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='TerraformStateAccess'].Arn" --output text || echo "")
+          if [ -n "$POLICY_ARN" ]; then
+            echo "🔗 Detaching policy from roles..."
+            ATTACHED_ROLES=$(aws iam list-entities-for-policy --policy-arn $POLICY_ARN --query "PolicyRoles[].RoleName" --output text || echo "")
+            for ROLE in $ATTACHED_ROLES; do
+              aws iam detach-role-policy --role-name $ROLE --policy-arn $POLICY_ARN || true
+            done
+            
+            echo "🗑️ Deleting policy..."
+            aws iam delete-policy --policy-arn $POLICY_ARN || true
+          fi
+
+          # Delete role
+          ROLE_NAME="TerraformCIExecutionRole"
+          if aws iam get-role --role-name $ROLE_NAME 2>/dev/null; then
+            echo "🗑️ Deleting role..."
+            aws iam delete-role --role-name $ROLE_NAME || true
+          fi
+
+      - name: Verify Deletion
+        run: |
+          echo "✅ Verification:"
+          
+          # Verify S3 bucket
+          BUCKET_NAME="${{ steps.set_bucket.outputs.bucket_name }}"
+          if aws s3api head-bucket --bucket "$BUCKET_NAME" 2>/dev/null; then
+            echo "::error::Bucket $BUCKET_NAME still exists!"
+            exit 1
+          else
+            echo "Bucket $BUCKET_NAME deleted successfully"
+          fi
+          
+          # Verify DynamoDB table
+          TABLE_NAME="terraform-lock-table"
+          if aws dynamodb describe-table --table-name "$TABLE_NAME" 2>/dev/null; then
+            echo "::error::Table $TABLE_NAME still exists!"
+            exit 1
+          else
+            echo "Table $TABLE_NAME deleted successfully"
+          fi
+          
+          # Verify IAM resources
+          if aws iam get-policy --policy-arn "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/TerraformStateAccess" 2>/dev/null; then
+            echo "::error::IAM Policy still exists!"
+            exit 1
+          else
+            echo "IAM Policy deleted successfully"
+          fi
+          
+          if aws iam get-role --role-name "TerraformCIExecutionRole" 2>/dev/null; then
+            echo "::error::IAM Role still exists!"
+            exit 1
+          else
+            echo "IAM Role deleted successfully"
+          fi      
