feat: [PMM-14303] OpenShift cluster cleanup Lambda automation

Automated Lambda function for comprehensive OpenShift cluster infrastructure
cleanup across AWS regions. Implements long-term solution for automatic
cleanup of OpenShift clusters after retention period.

Core Capabilities:
- Automatic cluster detection via master node identification
- Complete infrastructure removal: VPC, ELB, Route53, S3, EC2
- Dependency-aware cleanup ordering
- Multi-region support with configurable targeting

Safety & Monitoring:
- DRY_RUN mode (default) for safe testing
- CloudWatch metrics and alarms
- SNS notifications for cleanup reports
- Structured JSON logging with AWS Lambda Powertools

Technical Stack:
- Python 3.13 on ARM64 architecture
- 1024MB memory, 600s timeout
- CDK infrastructure as code
- EventBridge scheduled execution (configurable, default 15min)

Testing:
- 27 unit tests covering all OpenShift operations
- Integration tests for end-to-end workflows
- All tests passing

Jira: PMM-14303

Author: nogueiraanderson

IaC/cdk/README.md

@@ -0,0 +1,64 @@
+# CDK Projects
+
+AWS CDK (Cloud Development Kit) infrastructure as code implementations.
+
+## Projects
+
+### aws-resources-cleanup
+Comprehensive AWS resource cleanup Lambda with CDK deployment.
+
+**Purpose**: Automated cleanup of EC2 instances, EKS clusters, and OpenShift infrastructure based on TTL policies and billing tags.
+
+**Features**:
+- TTL-based expiration (8h, 24h policies)
+- Billing tag validation (category + Unix timestamps)
+- EKS CloudFormation deletion
+- OpenShift comprehensive cleanup (VPC, ELB, Route53, S3, NAT, security groups)
+- DRY_RUN mode (default)
+- SNS notifications
+- Hourly EventBridge schedule
+
+**Quick Start**:
+```bash
+cd aws-resources-cleanup
+just install          # Install dependencies
+just deploy           # Deploy in DRY_RUN mode
+just logs             # Tail CloudWatch logs
+```
+
+📖 **Full documentation**: [aws-resources-cleanup/README.md](aws-resources-cleanup/README.md)
+
+## Requirements
+
+- AWS CLI configured with appropriate profile
+- `uv` package manager: `brew install uv`
+- `just` task runner: `brew install just`
+
+## Common Commands
+
+All projects use Justfile for consistent automation:
+
+| Command | Description |
+|---------|-------------|
+| `just install` | Install all dependencies |
+| `just synth` | Generate CloudFormation template |
+| `just diff` | Preview infrastructure changes |
+| `just deploy` | Deploy stack |
+| `just destroy` | Remove stack |
+| `just logs` | Tail CloudWatch logs (if applicable) |
+
+## Adding New CDK Projects
+
+When creating a new CDK project in this directory:
+
+1. Create project directory: `mkdir project-name`
+2. Initialize CDK: `cdk init app --language python`
+3. Add Justfile for automation
+4. Add project-specific README.md
+5. Update this README with project description
+
+## Resources
+
+- [AWS CDK Documentation](https://docs.aws.amazon.com/cdk/)
+- [CDK Python API Reference](https://docs.aws.amazon.com/cdk/api/v2/python/)
+- [Justfile Documentation](https://github.com/casey/just)

IaC/cdk/aws-resources-cleanup/.gitignore

@@ -0,0 +1,84 @@
+# CDK
+cdk.out/
+.cdk.staging/
+cdk.context.json
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual environments
+venv/
+ENV/
+env/
+.venv
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Lambda artifacts
+*.zip
+/tmp/
+
+# Lambda dependencies (installed at build time)
+lambda/*.dist-info/
+lambda/bin/
+lambda/boto3/
+lambda/boto3-*.dist-info/
+lambda/botocore/
+lambda/botocore-*.dist-info/
+lambda/aws_lambda_powertools/
+lambda/aws_lambda_powertools-*.dist-info/
+lambda/aws_xray_sdk/
+lambda/aws_xray_sdk-*.dist-info/
+lambda/s3transfer/
+lambda/s3transfer-*.dist-info/
+lambda/jmespath/
+lambda/jmespath-*.dist-info/
+lambda/dateutil/
+lambda/python_dateutil-*.dist-info/
+lambda/urllib3/
+lambda/urllib3-*.dist-info/
+lambda/six.py
+lambda/six-*.dist-info/
+lambda/typing_extensions.py
+lambda/typing_extensions-*.dist-info/
+lambda/wrapt/
+lambda/wrapt-*.dist-info/
+lambda/.lock
+
+# Logs
+*.log

IaC/cdk/aws-resources-cleanup/README.md

@@ -0,0 +1,108 @@
+# OpenShift Cluster Cleanup
+
+Automated Lambda for OpenShift cluster cleanup across AWS regions.
+
+**Runtime**: Python 3.13 ARM64, 1024MB, 600s timeout
+**Default**: DRY_RUN mode (logs only)
+**Concurrency**: 1 (prevents race conditions)
+
+## Features
+
+- **OpenShift Detection**: Automatic discovery via master node identification
+- **Comprehensive Cleanup**: VPC, Load Balancers, Route53, S3, EC2 instances
+- **Multi-Region**: Scans all or specific AWS regions
+- **DRY_RUN Mode**: Safe testing without actual resource deletion
+- **Monitoring**: CloudWatch logs, metrics, and SNS notifications
+- **Scheduled Execution**: Configurable via EventBridge (default: 15 minutes)
+
+## Quick Start
+
+```bash
+brew install uv just
+cd IaC/cdk/aws-resources-cleanup
+just install
+just bootstrap      # First time only
+just deploy         # DRY_RUN mode
+just deploy-live    # LIVE mode (destructive!)
+```
+
+## Commands
+
+```bash
+just deploy         # Deploy (DRY_RUN)
+just logs           # Tail logs
+just invoke-aws     # Manual trigger
+just params         # Show config
+just test           # Run tests
+```
+
+Run `just` for all commands.
+
+## Configuration
+
+Key parameters (CloudFormation):
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `DryRunMode` | `true` | Safe mode - logs only |
+| `ScheduleRateMinutes` | `15` | Run frequency |
+| `TargetRegions` | `all` | Regions to scan |
+| `LogLevel` | `INFO` | Log verbosity |
+| `OpenShiftCleanupEnabled` | `true` | Enable OpenShift cleanup |
+| `OpenShiftBaseDomain` | `cd.percona.com` | DNS base domain |
+
+View all: `just params`
+
+## OpenShift Cluster Detection
+
+The Lambda automatically detects OpenShift clusters by:
+1. Scanning EC2 instances for master nodes (naming pattern: `*-master-*`)
+2. Detecting infrastructure ID from VPC tags
+3. Identifying all cluster resources (VPC, ELB, Route53, S3)
+4. Orchestrating complete cleanup in dependency order
+
+Cleanup process:
+1. Load balancers (ELB, ALB, NLB)
+2. NAT gateways and Elastic IPs
+3. Network interfaces
+4. VPC endpoints
+5. Security groups
+6. Subnets and route tables
+7. Internet gateways
+8. VPC
+9. Route53 DNS records
+10. S3 state buckets
+11. EC2 instances
+
+## Logging
+
+```
+Processing region for OpenShift cleanup: us-east-2
+OpenShift cluster detected: my-cluster (infra-id: my-cluster-abc123)
+[DRY-RUN] Would TERMINATE_OPENSHIFT_CLUSTER: my-cluster
+OpenShift scan complete for us-east-2: 342 instances scanned, 1 cluster found
+Cleanup complete: 1 action across 17 regions (18.2s)
+```
+
+## Troubleshooting
+
+```bash
+just logs-recent    # Check logs
+just params         # Verify config
+just invoke-aws     # Test manually
+```
+
+**Issues:**
+- No actions: Set `DryRunMode=false`
+- OpenShift errors: Check CloudWatch logs for details
+- No clusters detected: Verify master node naming pattern
+
+## Architecture
+
+```
+EventBridge (15min) → Lambda → OpenShift Detection → Cleanup Orchestration → SNS
+                                       ↓
+                        VPC, ELB, Route53, S3, EC2
+```
+
+Lambda retrieves function name from CDK outputs for alignment with infrastructure.

IaC/cdk/aws-resources-cleanup/app.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+"""CDK app for OpenShift Cluster Cleanup Lambda."""
+
+import os
+import aws_cdk as cdk
+from stacks.resource_cleanup_stack import ResourceCleanupStack
+
+app = cdk.App()
+
+ResourceCleanupStack(
+    app,
+    "AWSResourcesCleanupStack",
+    description="OpenShift cluster infrastructure cleanup for AWS",
+    env=cdk.Environment(
+        account=os.getenv('CDK_DEFAULT_ACCOUNT'),
+        region=os.getenv('CDK_DEFAULT_REGION', 'us-east-2')
+    ),
+    tags={
+        "Project": "PlatformEngineering",
+        "ManagedBy": "CDK",
+        "iit-billing-tag": "openshift-cleanup"
+    }
+)
+
+app.synth()

IaC/cdk/aws-resources-cleanup/cdk.json

@@ -0,0 +1,114 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__pycache__",
+      "**/*.pyc",
+      ".pytest_cache"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patternslibrary:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true,
+    "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": false,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
+    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": true,
+    "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
+    "@aws-cdk/cognito:logUserPoolClientSecretValue": false,
+    "@aws-cdk/core:aspectPrioritiesMutating": true,
+    "@aws-cdk/core:aspectStabilization": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/core:explicitStackTags": true,
+    "@aws-cdk/core:newStyleStackSynthesis": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/pipelines:reduceAssetRoleTrustScope": true,
+    "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": true,
+    "@aws-cdk/pipelines:reduceStageRoleTrustScope": true,
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true
+  }
+}