gruntwork-io
diff --git a/‎.github/workflows/nuke-account.yml‎
Lines changed: 218 additions & 0 deletions b/‎.github/workflows/nuke-account.yml‎
Lines changed: 218 additions & 0 deletions
@@ -0,0 +1,218 @@
+name: Nuke Account
+
+on:
+  workflow_call:
+    inputs:
+      account_name:
+        required: true
+        type: string
+      role_arn:
+        required: true
+        type: string
+      older_than:
+        required: true
+        type: string
+      extra_excludes:
+        required: false
+        type: string
+        default: ''
+
+env:
+  MISE_VERSION: '2025.12.10'
+  COMMON_EXCLUDES: >-
+    --exclude-resource-type iam
+    --exclude-resource-type iam-group
+    --exclude-resource-type iam-policy
+    --exclude-resource-type iam-role
+    --exclude-resource-type iam-service-linked-role
+    --exclude-resource-type oidcprovider
+    --exclude-resource-type route53-hosted-zone
+    --exclude-resource-type route53-cidr-collection
+    --exclude-resource-type route53-traffic-policy
+    --exclude-resource-type ecr
+    --exclude-resource-type config-rules
+    --exclude-resource-type nat-gateway
+    --exclude-resource-type ec2-subnet
+
+jobs:
+  global:
+    name: "${{ inputs.account_name }}: Global"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    outputs:
+      deleted_count: ${{ steps.nuke.outputs.deleted_count }}
+      error_count: ${{ steps.nuke.outputs.error_count }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ inputs.role_arn }}
+          aws-region: us-east-1
+      - uses: jdx/mise-action@v3
+        with:
+          version: ${{ env.MISE_VERSION }}
+          experimental: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-
+      - run: go mod download
+      - name: Nuke global resources
+        id: nuke
+        run: |
+          set +e
+          go run -ldflags="-X 'main.VERSION=${{ github.sha }}'" main.go aws \
+            --older-than ${{ inputs.older_than }} --force --config ./.github/nuke_config.yml \
+            --region global ${{ env.COMMON_EXCLUDES }} ${{ inputs.extra_excludes }} \
+            --delete-unaliased-kms-keys --log-level info 2>&1 | tee /tmp/nuke.log
+          EXIT_CODE=${PIPESTATUS[0]}
+
+          DELETED=$(grep -c "^\s*INFO\s*\[Deleted\]" /tmp/nuke.log || echo "0")
+          ERRORS=$(grep -c "^\s*ERROR\s*\[Failed\]" /tmp/nuke.log || echo "0")
+          echo "deleted_count=${DELETED}" >> $GITHUB_OUTPUT
+          echo "error_count=${ERRORS}" >> $GITHUB_OUTPUT
+
+          exit $EXIT_CODE
+      - name: Upload global log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.account_name }}-global
+          path: /tmp/nuke.log
+          retention-days: 7
+
+  regional:
+    name: "${{ inputs.account_name }}: ${{ matrix.region }}"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        region:
+          - ap-northeast-1
+          - ap-northeast-2
+          - ap-northeast-3
+          - ap-south-1
+          - ap-southeast-1
+          - ap-southeast-2
+          - ca-central-1
+          - eu-central-1
+          - eu-north-1
+          - eu-west-1
+          - eu-west-2
+          - eu-west-3
+          - me-central-1
+          - sa-east-1
+          - us-east-1
+          - us-east-2
+          - us-west-1
+          - us-west-2
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ inputs.role_arn }}
+          aws-region: ${{ matrix.region }}
+      - uses: jdx/mise-action@v3
+        with:
+          version: ${{ env.MISE_VERSION }}
+          experimental: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-
+      - run: go mod download
+      - name: Nuke ${{ matrix.region }}
+        id: nuke
+        run: |
+          set +e
+          go run -ldflags="-X 'main.VERSION=${{ github.sha }}'" main.go aws \
+            --older-than ${{ inputs.older_than }} --force --config ./.github/nuke_config.yml \
+            --region ${{ matrix.region }} ${{ env.COMMON_EXCLUDES }} ${{ inputs.extra_excludes }} \
+            --delete-unaliased-kms-keys --log-level info 2>&1 | tee /tmp/nuke.log
+          EXIT_CODE=${PIPESTATUS[0]}
+
+          DELETED=$(grep -c "^\s*INFO\s*\[Deleted\]" /tmp/nuke.log || echo "0")
+          ERRORS=$(grep -c "^\s*ERROR\s*\[Failed\]" /tmp/nuke.log || echo "0")
+          echo "deleted_count=${DELETED}" >> $GITHUB_OUTPUT
+          echo "error_count=${ERRORS}" >> $GITHUB_OUTPUT
+
+          exit $EXIT_CODE
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.account_name }}-${{ matrix.region }}
+          path: /tmp/nuke.log
+          retention-days: 7
+
+  notify:
+    name: "${{ inputs.account_name }}: Notify"
+    runs-on: ubuntu-latest
+    if: always()
+    needs: [global, regional]
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::087285199408:role/cloud-nuke-gha
+          aws-region: us-east-1
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: ${{ inputs.account_name }}-*
+          path: /tmp/logs
+          merge-multiple: true
+        continue-on-error: true
+      - name: Aggregate and notify
+        run: |
+          WEBHOOK_URL=$(aws secretsmanager get-secret-value \
+            --secret-id cloud-nuke/slack-webhook \
+            --query SecretString --output text)
+
+          TOTAL_DELETED=0
+          TOTAL_ERRORS=0
+          if [ -d /tmp/logs ]; then
+            TOTAL_DELETED=$(grep -rh "^\s*INFO\s*\[Deleted\]" /tmp/logs 2>/dev/null | wc -l || echo "0")
+            TOTAL_ERRORS=$(grep -rh "^\s*ERROR\s*\[Failed\]" /tmp/logs 2>/dev/null | wc -l || echo "0")
+          fi
+
+          if [ "${{ needs.global.result }}" == "success" ] && \
+             [ "${{ needs.regional.result }}" == "success" ]; then
+            STATUS="✅ Success"
+            COLOR="good"
+          else
+            STATUS="❌ Failed"
+            COLOR="danger"
+          fi
+
+          MSG="*${{ inputs.account_name }} Nuke*: ${STATUS}"
+          MSG="${MSG}\nDeleted: ${TOTAL_DELETED} resources"
+          if [ "$TOTAL_ERRORS" -gt 0 ]; then
+            MSG="${MSG} | Errors: ${TOTAL_ERRORS}"
+          fi
+          MSG="${MSG}\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+
+          curl -sS -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d @- <<EOF
+          {
+            "attachments": [{
+              "color": "${COLOR}",
+              "blocks": [{
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "${MSG}"
+                }
+              }]
+            }]
+          }
+          EOF