feat: OpenShift cluster cleanup Lambda (v3.0.0)

Automated Lambda function for comprehensive OpenShift cluster cleanup across
AWS regions. Handles VPC, Load Balancers, Route53, S3, and EC2 instances.

Features:
- Automatic cluster detection via master node identification
- Comprehensive resource cleanup in dependency order
- Multi-region support with configurable targeting
- DRY_RUN mode for safe testing
- CloudWatch metrics and SNS notifications
- Scheduled execution via EventBridge (default: 15 minutes)

Infrastructure:
- Python 3.13 ARM64 runtime
- 1024MB memory, 600s timeout
- Concurrency: 1 (prevents race conditions)
- IAM permissions: OpenShift-specific (VPC, ELB, Route53, S3)

Deployment:
- CDK-based infrastructure as code
- CloudFormation parameters for configuration
- Just commands for easy management

Testing:
- 27 unit tests covering OpenShift operations
- Integration tests for orchestration flow
- All tests passing with good coverage

Author: nogueiraanderson

IaC/cdk/aws-resources-cleanup/README.md

@@ -1,19 +1,19 @@
-# AWS Resources Cleanup
+# OpenShift Cluster Cleanup
 
-Automated Lambda for EC2, EBS, EKS, and OpenShift cleanup across AWS regions.
+Automated Lambda for OpenShift cluster cleanup across AWS regions.
 
 **Runtime**: Python 3.13 ARM64, 1024MB, 600s timeout
 **Default**: DRY_RUN mode (logs only)
 **Concurrency**: 1 (prevents race conditions)
 
 ## Features
 
-- **EC2**: TTL expiration, stop policy, long-stopped instances, untagged cleanup
-- **EBS**: Unattached volume deletion
-- **EKS**: CloudFormation stack deletion (skip pattern: `pe-.*`)
-- **OpenShift**: Full cluster cleanup (VPC, ELB, Route53, S3)
-
-**Protection**: Persistent tags (`jenkins-*`, `pmm-dev`), valid billing tags, `PerconaKeep`, "do not remove" in names
+- **OpenShift Detection**: Automatic discovery via master node identification
+- **Comprehensive Cleanup**: VPC, Load Balancers, Route53, S3, EC2 instances
+- **Multi-Region**: Scans all or specific AWS regions
+- **DRY_RUN Mode**: Safe testing without actual resource deletion
+- **Monitoring**: CloudWatch logs, metrics, and SNS notifications
+- **Scheduled Execution**: Configurable via EventBridge (default: 15 minutes)
 
 ## Quick Start
 
@@ -33,7 +33,7 @@ just deploy         # Deploy (DRY_RUN)
 just logs           # Tail logs
 just invoke-aws     # Manual trigger
 just params         # Show config
-just test           # Run tests (176, 87% coverage)
+just test           # Run tests
 ```
 
 Run `just` for all commands.
@@ -44,33 +44,44 @@ Key parameters (CloudFormation):
 
 | Parameter | Default | Description |
 |-----------|---------|-------------|
-| `DryRunMode` | `true` | Safe mode |
+| `DryRunMode` | `true` | Safe mode - logs only |
 | `ScheduleRateMinutes` | `15` | Run frequency |
 | `TargetRegions` | `all` | Regions to scan |
 | `LogLevel` | `INFO` | Log verbosity |
-| `UntaggedThresholdMinutes` | `30` | Grace period |
-| `VolumeCleanupEnabled` | `true` | Enable volume cleanup |
-| `EKSCleanupEnabled` | `true` | Enable EKS cleanup |
 | `OpenShiftCleanupEnabled` | `true` | Enable OpenShift cleanup |
+| `OpenShiftBaseDomain` | `cd.percona.com` | DNS base domain |
 
 View all: `just params`
 
-## Cleanup Policies
-
-Priority order:
-
-1. **TTL** - `creation-time` + `delete-cluster-after-hours` → TERMINATE
-2. **Stop** - `stop-after-days` → STOP
-3. **Long Stopped** - >30 days → TERMINATE
-4. **Untagged** - Missing `iit-billing-tag` → TERMINATE
+## OpenShift Cluster Detection
+
+The Lambda automatically detects OpenShift clusters by:
+1. Scanning EC2 instances for master nodes (naming pattern: `*-master-*`)
+2. Detecting infrastructure ID from VPC tags
+3. Identifying all cluster resources (VPC, ELB, Route53, S3)
+4. Orchestrating complete cleanup in dependency order
+
+Cleanup process:
+1. Load balancers (ELB, ALB, NLB)
+2. NAT gateways and Elastic IPs
+3. Network interfaces
+4. VPC endpoints
+5. Security groups
+6. Subnets and route tables
+7. Internet gateways
+8. VPC
+9. Route53 DNS records
+10. S3 state buckets
+11. EC2 instances
 
 ## Logging
 
 ```
-Instance i-0d09... protected: Valid billing tag 'ps-package-testing'
-[DRY-RUN] Would TERMINATE instance i-085e... in us-east-2: Missing billing tag
-Instance scan for us-west-2: 11 scanned, 1 actions, 10 protected
-Cleanup complete: 31 actions across 17 regions (15.4s)
+Processing region for OpenShift cleanup: us-east-2
+OpenShift cluster detected: my-cluster (infra-id: my-cluster-abc123)
+[DRY-RUN] Would TERMINATE_OPENSHIFT_CLUSTER: my-cluster
+OpenShift scan complete for us-east-2: 342 instances scanned, 1 cluster found
+Cleanup complete: 1 action across 17 regions (18.2s)
 ```
 
 ## Troubleshooting
@@ -83,13 +94,15 @@ just invoke-aws     # Test manually
 
 **Issues:**
 - No actions: Set `DryRunMode=false`
-- Volume cleanup fails: Check `VolumeCleanupEnabled=true`, volumes `available`
-- OpenShift errors: Auto-retries 3 times
+- OpenShift errors: Check CloudWatch logs for details
+- No clusters detected: Verify master node naming pattern
 
 ## Architecture
 
 ```
-EventBridge → Lambda → EC2/Volumes/EKS/OpenShift → SNS
+EventBridge (15min) → Lambda → OpenShift Detection → Cleanup Orchestration → SNS
+                                       ↓
+                        VPC, ELB, Route53, S3, EC2
 ```
 
-Justfile retrieves function name from CDK outputs for alignment.
+Lambda retrieves function name from CDK outputs for alignment with infrastructure.

IaC/cdk/aws-resources-cleanup/app.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-"""CDK app for AWS Resources Cleanup Lambda."""
+"""CDK app for OpenShift Cluster Cleanup Lambda."""
 
 import os
 import aws_cdk as cdk
@@ -10,15 +10,15 @@
 ResourceCleanupStack(
     app,
     "AWSResourcesCleanupStack",
-    description="Comprehensive AWS resource cleanup: EC2, EKS, OpenShift infrastructure",
+    description="OpenShift cluster infrastructure cleanup for AWS",
     env=cdk.Environment(
         account=os.getenv('CDK_DEFAULT_ACCOUNT'),
         region=os.getenv('CDK_DEFAULT_REGION', 'us-east-2')
     ),
     tags={
         "Project": "PlatformEngineering",
         "ManagedBy": "CDK",
-        "iit-billing-tag": "resource-cleanup"
+        "iit-billing-tag": "openshift-cleanup"
     }
 )
 

IaC/cdk/aws-resources-cleanup/lambda/aws_resource_cleanup/__init__.py

@@ -1,5 +1,8 @@
-"""EC2 Cleanup Lambda - Modular implementation."""
+"""OpenShift Cluster Cleanup Lambda for AWS."""
 
 from .handler import lambda_handler
 
+__version__ = "3.0.0"
+__description__ = "Automated OpenShift cluster infrastructure cleanup"
+
 __all__ = ["lambda_handler"]

IaC/cdk/aws-resources-cleanup/lambda/aws_resource_cleanup/ec2/__init__.py

@@ -1,31 +1,7 @@
-"""EC2 instance management, volume cleanup, and cleanup policies."""
+"""EC2 operations for OpenShift cluster cleanup."""
 
-from .instances import (
-    cirrus_ci_add_iit_billing_tag,
-    is_protected,
-    execute_cleanup_action,
-)
-from .policies import (
-    check_ttl_expiration,
-    check_stop_after_days,
-    check_long_stopped,
-    check_untagged,
-)
-from .volumes import (
-    check_unattached_volume,
-    delete_volume,
-    is_volume_protected,
-)
+from .instances import execute_cleanup_action
 
 __all__ = [
-    "cirrus_ci_add_iit_billing_tag",
-    "is_protected",
     "execute_cleanup_action",
-    "check_ttl_expiration",
-    "check_stop_after_days",
-    "check_long_stopped",
-    "check_untagged",
-    "check_unattached_volume",
-    "delete_volume",
-    "is_volume_protected",
 ]