From 1def0ce6b7adecf0bc3b998bc0340ae88bd3722a Mon Sep 17 00:00:00 2001
From: Ashish Ranjan
Date: Mon, 24 Apr 2023 17:08:48 -0700
Subject: [PATCH] Adds pipeline for aws-nuke

This commit adds pipeline for aws-nuke to periodically delete aws resources.

Signed-off-by: Ashish Ranjan
---
 tests/pipelines/cleanup/aws/README.md | 25 +++++++++++
 tests/pipelines/cleanup/aws/binding.yaml | 12 +++++
 .../cleanup/aws/cleanup-template.yaml | 44 +++++++++++++++++++
 tests/pipelines/cleanup/aws/cronjob.yaml | 17 +++++++
 .../pipelines/cleanup/aws/eventlistener.yaml | 14 ++++++
 .../pipelines/cleanup/{ => tekton}/README.md | 0
 .../cleanup/{ => tekton}/binding.yaml | 0
 .../{ => tekton}/cleanup-template.yaml | 0
 .../cleanup/{ => tekton}/cronjob.yaml | 0
 .../cleanup/{ => tekton}/eventlistener.yaml | 0
 .../cleanup/{ => tekton}/serviceaccount.yaml | 0
 11 files changed, 112 insertions(+)
 create mode 100644 tests/pipelines/cleanup/aws/README.md
 create mode 100644 tests/pipelines/cleanup/aws/binding.yaml
 create mode 100644 tests/pipelines/cleanup/aws/cleanup-template.yaml
 create mode 100644 tests/pipelines/cleanup/aws/cronjob.yaml
 create mode 100644 tests/pipelines/cleanup/aws/eventlistener.yaml
 rename tests/pipelines/cleanup/{ => tekton}/README.md (100%)
 rename tests/pipelines/cleanup/{ => tekton}/binding.yaml (100%)
 rename tests/pipelines/cleanup/{ => tekton}/cleanup-template.yaml (100%)
 rename tests/pipelines/cleanup/{ => tekton}/cronjob.yaml (100%)
 rename tests/pipelines/cleanup/{ => tekton}/eventlistener.yaml (100%)
 rename tests/pipelines/cleanup/{ => tekton}/serviceaccount.yaml (100%)

diff --git a/tests/pipelines/cleanup/aws/README.md b/tests/pipelines/cleanup/aws/README.md
new file mode 100644
index 00000000..a555e27a
--- /dev/null
+++ b/tests/pipelines/cleanup/aws/README.md
@@ -0,0 +1,25 @@
+# Cleanup old aws resources
+
+Here is how users can clean up old aws resources periodically.
+
+The general method is to use a CronJob to trigger a Task that deletes old aws resources that are not protected by aws-nuke config.
+
+## Prerequisites
+
+* A Kubernetes cluster with Tekton Pipelines installed
+* Several old aws resources you wish to delete
+
+## Scheduling the cleanup job
+
+You'll need to install all the files in this directory to run the cleanup task.
+
+
+* [cleanup-template.yaml](cleanup-template.yaml): this creates the TriggerTemplate that spawns the TaskRun that does the deleting. It uses the `aws-nuke` CLI to do the deleting.
+
+* [binding.yaml](binding.yaml): this creates the TriggerBinding that is used to pass parameters to the TaskRun. There are two parameters that are passed by this.
+  - `aws-nuke-s3-config-path`: this holds the aws-nuke config s3 path. The config holds the resources that needs to be retained by the sweeper job. For instructions on building a aws-nuke config, refer to this https://github.com/rebuy-de/aws-nuke
+  - `aws-account-alias`: aws-nuke requires account alias for confirmation before deleting. Here is how the account alias can be setup. https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-alias.html
+
+* [eventlistener.yaml](eventlistener.yaml): this creates the sink that receives the incoming event that triggers the creation of the cleanup job.
+
+* [cronjob.yaml](cronjob.yaml): this is used to run the cleanup job on a schedule. The schedule for the job running can be set in the `.spec.schedule` field using [crontab format](https://crontab.guru/)
\ No newline at end of file
diff --git a/tests/pipelines/cleanup/aws/binding.yaml b/tests/pipelines/cleanup/aws/binding.yaml
new file mode 100644
index 00000000..fdbb1280
--- /dev/null
+++ b/tests/pipelines/cleanup/aws/binding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: aws-account-cleanup
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: aws-nuke-s3-config-path
+      value:
+    - name: aws-account-alias
+      value:
\ No newline at end of file
diff --git a/tests/pipelines/cleanup/aws/cleanup-template.yaml b/tests/pipelines/cleanup/aws/cleanup-template.yaml
new file mode 100644
index 00000000..62c40240
--- /dev/null
+++ b/tests/pipelines/cleanup/aws/cleanup-template.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: aws-account-cleanup
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: aws-nuke-s3-config-path
+      description: S3 path for the aws nuke's config file.
+    - name: aws-account-alias
+      description: aws account alias for the account to be sweeped.
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: TaskRun
+      metadata:
+        name: aws-account-cleanup-runs-$(uid)
+      spec:
+        serviceAccountName: tekton-pipelines-executor
+        taskSpec:
+          description: |
+            Sweeps down an aws account for leftover resources, based on the config provided
+          workspaces:
+            - name: config
+          params:
+            - name: aws-nuke-s3-config-path
+              description: S3 path for the aws nuke's config file. i.e s3://dev-eks-rnshis/aws-nuke.yaml
+            - name: aws-account-alias
+              description: aws account alias for the account to be sweeped.
+          steps:
+            - name: download-config
+              image: amazon/aws-cli
+              script: |
+                aws s3 cp $(params.aws-nuke-s3-config-path) $(workspaces.config.path)/config.yaml
+            - name: sweep-aws-account
+              image: quay.io/rebuy/aws-nuke:v2.22.1
+              script: |
+                # TODO: Add --no-dry-run to start deleting the resources
+                echo "$(params.aws-account-alias)" | aws-nuke -c $(workspaces.config.path)/config.yaml
+        params:
+          - name: aws-nuke-s3-config-path
+            value: $(tt.params.aws-nuke-s3-config-path)
+          - name: aws-account-alias
+            value: $(tt.params.aws-account-alias)
\ No newline at end of file
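Review bot: Both `value:` entries under `spec.params` are left bare, which YAML reads as null rather than a string, so the binding as committed either fails Tekton validation or hands the template empty values. Since the README tells users to fill these in before use, explicit string placeholders with a comment are safer, e.g. `value: ""  # s3://<bucket>/<key> of the aws-nuke config, set before applying` and the same for `aws-account-alias`. Keeping the real S3 path and account alias out of the committed manifest is reasonable; the file just should not parse to null by accident.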
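Review bot: The TaskRun in `resourcetemplates` declares a `config` workspace under `taskSpec.workspaces` but its `spec` supplies no binding for it, so the run is likely to be rejected for a missing workspace unless the cluster's Tekton config-defaults provides a default binding; a `workspaces:` entry with `emptyDir: {}` under the TaskRun `spec` makes the template self-contained. Both step scripts also paste `$(params.aws-nuke-s3-config-path)` and `$(params.aws-account-alias)` straight into shell text, which Tekton substitutes before the shell runs; routing them through `env:` and referencing the quoted variables keeps a value containing shell metacharacters from being interpreted, which is worth the extra lines for a task whose purpose is bulk deletion. `amazon/aws-cli` is also unpinned while `aws-nuke` is pinned to `v2.22.1`; pinning both keeps the deletion tooling reproducible.
```yaml
      spec:
        serviceAccountName: tekton-pipelines-executor
        workspaces:
          - name: config
            emptyDir: {}
        taskSpec:
          # … unchanged: description, workspaces, params …
          steps:
            - name: download-config
              image: amazon/aws-cli
              env:
                - name: CONFIG_PATH
                  value: $(params.aws-nuke-s3-config-path)
              script: |
                aws s3 cp "$CONFIG_PATH" "$(workspaces.config.path)/config.yaml"
            - name: sweep-aws-account
              image: quay.io/rebuy/aws-nuke:v2.22.1
              env:
                - name: ACCOUNT_ALIAS
                  value: $(params.aws-account-alias)
              script: |
                # TODO: Add --no-dry-run to start deleting the resources
                echo "$ACCOUNT_ALIAS" | aws-nuke -c "$(workspaces.config.path)/config.yaml"
        # … unchanged: params …
```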
diff --git a/tests/pipelines/cleanup/aws/cronjob.yaml b/tests/pipelines/cleanup/aws/cronjob.yaml
new file mode 100644
index 00000000..4a4569c7
--- /dev/null
+++ b/tests/pipelines/cleanup/aws/cronjob.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: aws-account-cleanup
+  namespace: tekton-pipelines
+spec:
+  schedule: "0 0 */30 * *" # Triggers in every 30 days
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: curl
+              image: curlimages/curl
+              args: ["curl", "-X", "POST", "--data", "{}", "el-aws-account-cleanup.tekton-pipelines.svc.cluster.local:8080"]
+          restartPolicy: Never
\ No newline at end of file
diff --git a/tests/pipelines/cleanup/aws/eventlistener.yaml b/tests/pipelines/cleanup/aws/eventlistener.yaml
new file mode 100644
index 00000000..853f72cf
--- /dev/null
+++ b/tests/pipelines/cleanup/aws/eventlistener.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+  name: aws-account-cleanup
+  namespace: tekton-pipelines
+spec:
+  serviceAccountName: tekton-triggers
+  triggers:
+    - name: cron
+      bindings:
+        - ref: aws-account-cleanup
+      template:
+        ref: aws-account-cleanup
\ No newline at end of file
diff --git a/tests/pipelines/cleanup/README.md b/tests/pipelines/cleanup/tekton/README.md
similarity index 100%
rename from tests/pipelines/cleanup/README.md
rename to tests/pipelines/cleanup/tekton/README.md
diff --git a/tests/pipelines/cleanup/binding.yaml b/tests/pipelines/cleanup/tekton/binding.yaml
similarity index 100%
rename from tests/pipelines/cleanup/binding.yaml
rename to tests/pipelines/cleanup/tekton/binding.yaml
diff --git a/tests/pipelines/cleanup/cleanup-template.yaml b/tests/pipelines/cleanup/tekton/cleanup-template.yaml
similarity index 100%
rename from tests/pipelines/cleanup/cleanup-template.yaml
rename to tests/pipelines/cleanup/tekton/cleanup-template.yaml
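Review bot: The comment on `schedule: "0 0 */30 * *"` says it triggers every 30 days, but `*/30` in the day-of-month field expands to days 1 and 31, so the job runs on the 1st of every month and again on the 31st in months that have one; either `schedule: "0 0 1 * *" # monthly, on the 1st` or a comment describing the actual cadence would be accurate. `apiVersion: batch/v1beta1` for CronJob was removed in Kubernetes 1.25; `apiVersion: batch/v1` has been available since 1.21 and is the version to target. The `curlimages/curl` image is unpinned; a tag or digest keeps the trigger pod reproducible.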
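Review bot: The `cron` trigger has no `interceptors`, so any client able to reach the `el-aws-account-cleanup` service inside the cluster can start a sweep of the account by posting an empty body, exactly as cronjob.yaml does; a NetworkPolicy limiting ingress to the CronJob's pods, or a webhook interceptor with a shared secret, would make the CronJob the only effective caller. The listener also relies on the `tekton-triggers` ServiceAccount (and the template on `tekton-pipelines-executor`), neither of which is created by the files in this directory now that serviceaccount.yaml has moved to `tekton/`; presumably they come from there, but the README's "install all the files in this directory" would then not be sufficient on its own, which is worth stating in the README.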
diff --git a/tests/pipelines/cleanup/cronjob.yaml b/tests/pipelines/cleanup/tekton/cronjob.yaml
similarity index 100%
rename from tests/pipelines/cleanup/cronjob.yaml
rename to tests/pipelines/cleanup/tekton/cronjob.yaml
diff --git a/tests/pipelines/cleanup/eventlistener.yaml b/tests/pipelines/cleanup/tekton/eventlistener.yaml
similarity index 100%
rename from tests/pipelines/cleanup/eventlistener.yaml
rename to tests/pipelines/cleanup/tekton/eventlistener.yaml
diff --git a/tests/pipelines/cleanup/serviceaccount.yaml b/tests/pipelines/cleanup/tekton/serviceaccount.yaml
similarity index 100%
rename from tests/pipelines/cleanup/serviceaccount.yaml
rename to tests/pipelines/cleanup/tekton/serviceaccount.yaml