DEVOPS-281 terraforminator automation removes rgs with TEMPORAR tag as TRUE

Author: githubofkrishnadhas

.github/dependabot.yaml

@@ -0,0 +1,29 @@
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: /
+    schedule:
+      interval: monthly
+    # Assignees to set on pull requests
+    assignees:
+      - "githubofkrishnadhas"
+    # prefix specifies a prefix for all commit messages. When you specify a prefix for commit messages,
+    # GitHub will automatically add a colon between the defined prefix and the commit message provided the
+    # defined prefix ends with a letter, number, closing parenthesis, or closing bracket.
+    commit-message:
+      prefix: "dependabot python package"
+    # Use reviewers to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager.
+    reviewers:
+      - "devwithkrishna/admin"
+    # Raise pull requests for version updates to pip against the `main` branch
+    target-branch: "main"
+    # Labels on pull requests for version updates only
+#    labels:
+#      - "pip dependencies"
+    # Increase the version requirements for Composer only when required
+    versioning-strategy: increase-if-necessary
+    # Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot,
+    # Dependabot will not open any new requests until some of those open requests are merged or closed.
+    # Use open-pull-requests-limit to change this limit.
+    open-pull-requests-limit: 10

.github/workflows/azure-terraforminator.yaml

@@ -0,0 +1,37 @@
+name: azure-decommision-unsed-resource-groups-with-temporary-tag-as-true
+on:
+  schedule:
+    - cron: '0 0 * * *'  # This means every day at 00:00 UTC
+  workflow_dispatch:
+    inputs:
+      subscription_name:
+        required: true
+        type: string
+        default: "TECH-ARCHITECTS-NONPROD"
+        description: "The azure subscription name."
+
+run-name: azure-decommision-unsed-resource-groups-with-temporary-tag-as-true
+jobs:
+  azure-decommision-unsed-resource-groups-with-temporary-tag-as-true:
+    runs-on: ubuntu-latest
+    env:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      subscription_name: "TECH-ARCHITECTS-NONPROD"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: set up python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.11'
+      - name: package installations
+        run: |
+          pip install poetry
+          poetry install
+      - name: run python program
+        run: |
+          poetry run python3 terraforminator.py --subscription_name ${{ env.subscription_name }}
+      - name: program execution completed
+        run: echo "program execution completed"

.gitignore

@@ -1,37 +1,5 @@
-# Local .terraform directories
-**/.terraform/*
+.idea/**
+.env
+poetry.lock
 
-# .tfstate files
-*.tfstate
-*.tfstate.*
 
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Ignore transient lock info files created by terraform apply
-.terraform.tfstate.lock.info
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc

pyproject.toml

@@ -0,0 +1,20 @@
+[tool.poetry]
+name = "azure-terraforminator"
+version = "0.1.0"
+description = ""
+authors = ["githubofkrishnadhas <[email protected]>"]
+readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.11"
+requests = "^2.32.3"
+python-dotenv = "^1.0.1"
+azure-identity = "^1.18.0"
+azure-mgmt-resource = "^23.1.1"
+azure-mgmt-resourcegraph = "^8.0.0"
+azure-core = "^1.31.0"
+
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

resource_graph_query.py

@@ -0,0 +1,48 @@
+from azure.identity import DefaultAzureCredential
+import azure.mgmt.resourcegraph as arg
+import logging
+import os
+from dotenv import load_dotenv
+
+def run_azure_rg_query(subscription_name: str):
+    """
+    Run a resource graph query to get the subscription id of a subscription back
+    :return: subscription_id str
+    """
+    credential = DefaultAzureCredential()
+    # Create Azure Resource Graph client and set options
+    arg_client = arg.ResourceGraphClient(credential)
+
+    query = f"""
+             resourcecontainers 
+             | where type == 'microsoft.resources/subscriptions' and name == '{subscription_name}' 
+             | project subscriptionId 
+            """
+
+    print(f"query is {query}")
+
+    # Create query
+    arg_query = arg.models.QueryRequest( query=query)
+
+    # Run query
+    arg_result = arg_client.resources(arg_query)
+
+    # Show Python object
+    # print(arg_result)
+    subscription_id = arg_result.data[0]['subscriptionId']
+    print(f"Subscription ID is : {subscription_id}")
+    return subscription_id
+
+def main():
+    """
+    To test the script
+    :return:
+    """
+    load_dotenv()
+    logging.info("ARG query being prepared......")
+    run_azure_rg_query(subscription_name="TECH-ARCHITECTS-NONPROD")
+    logging.info("ARG query Completed......")
+
+
+if __name__ == "__main__":
+    main()

terraforminator.py

@@ -0,0 +1,78 @@
+import os
+from datetime import datetime
+import argparse
+import asyncio
+from dotenv import load_dotenv
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource.resources.v2022_09_01 import ResourceManagementClient
+from azure.core.exceptions import ResourceNotFoundError
+from resource_graph_query import run_azure_rg_query
+
+async def list_resource_groups_with_temporary_tag(subscription_id: str):
+	"""
+	List the resource groups in authenticated subscriptions with Temporary tag value as TRUE
+	:return:
+	"""
+	# load_dotenv()
+	credential = DefaultAzureCredential()
+	resource_management_client = ResourceManagementClient(subscription_id=subscription_id, credential=credential)
+	tag_filter= f"tagName eq 'Temporary' and tagValue eq 'TRUE'"
+	all_rgs_filtered = resource_management_client.resource_groups.list(filter=tag_filter)
+	rgs_to_deleted = []
+	for rg in all_rgs_filtered:
+		rg_dict = {
+			'name': rg.name,
+			'location': rg.location
+		}
+		rgs_to_deleted.append(rg_dict) # final dictionary of rgs to be deleted with Temporary tag value as TRUE
+
+	print(rgs_to_deleted)
+
+	return rgs_to_deleted
+async def delete_resource_groups(subscription_id: str, rgs_to_be_deleted: list[dict]):
+	"""
+	Delete the resource groups with Temporary tag value as TRUE
+	:return:
+	"""
+	credential = DefaultAzureCredential()
+	resource_management_client = ResourceManagementClient(subscription_id=subscription_id, credential=credential)
+
+	for rg in rgs_to_be_deleted:
+		try:
+			print(f"Deleting {rg['name']} from {subscription_id}")
+			resource_management_client.resource_groups.begin_delete(resource_group_name=rg['name']).result()
+			print(f"Successfully deleted {rg['name']}")
+
+		except ResourceNotFoundError:
+
+			print(f"Resource group '{rg['name']}' not found.")
+
+		except Exception as e:
+
+			print(f"Failed to delete resource group '{rg['name']}': {e}")
+		# Optional: Add a short delay between deletions to prevent overwhelming the service
+		await asyncio.sleep(1)
+
+
+async def main():
+	"""To test the code"""
+	start_time = datetime.utcnow()  # Get start time in UTC
+	print(f"Process started at (UTC): {start_time}")
+	load_dotenv()
+	parser = argparse.ArgumentParser("Decommission nolonger used resource groups in Azure.")
+	parser.add_argument("--subscription_name", type=str, required=True,help="Azure subscription name")
+
+	args = parser.parse_args()
+
+	subscription_name = args.subscription_name
+	subscription_id = run_azure_rg_query(subscription_name=subscription_name)
+	rgs_to_deleted = await list_resource_groups_with_temporary_tag(subscription_id=subscription_id)
+	await delete_resource_groups(subscription_id=subscription_id, rgs_to_be_deleted=rgs_to_deleted)
+	end_time = datetime.utcnow()  # Get end time in UTC
+	print(f"Process completed at (UTC): {end_time}")
+	# Calculate and print elapsed time
+	elapsed_time = end_time - start_time
+	print(f"Total elapsed time: {elapsed_time} (hh:mm:ss)")
+
+if __name__ == "__main__":
+	asyncio.run(main())