Add Slack notifications via AWS Secrets Manager

james00012 · james00012 · commit ee5200ddbc2d · 2026-01-21T11:34:31.000+09:00
- Add notification jobs for each account that post to Slack after all jobs complete
- Fetch webhook URL from AWS Secrets Manager (PhxDevOps) to avoid hardcoding secrets
- Refactor workflow for improved readability (inline region matrix, env vars for versions)
- Use colored attachments (green/red) based on job results
diff --git a/.github/workflows/nuke.yml b/.github/workflows/nuke.yml
@@ -5,10 +5,8 @@ on:
     branches:
       - migrate-nuke-to-gha
   schedule:
-    # Every 3 hours for phxdevops and configtests
-    - cron: '0 */3 * * *'
-    # Nightly at midnight UTC for sandbox
-    - cron: '0 0 * * *'
+    - cron: '0 */3 * * *'  # Every 3 hours (phxdevops, configtests)
+    - cron: '0 0 * * *'    # Nightly at midnight UTC (sandbox)
   workflow_dispatch:
     inputs:
       account:
@@ -26,7 +24,8 @@ permissions:
   contents: read
 
 env:
-  # Common exclude flags for all accounts
+  GO_VERSION: '1.21'
+  MISE_VERSION: '2025.12.10'
   COMMON_EXCLUDES: >-
     --exclude-resource-type iam
     --exclude-resource-type iam-group
@@ -41,6 +40,13 @@ env:
     --exclude-resource-type config-rules
     --exclude-resource-type nat-gateway
     --exclude-resource-type ec2-subnet
+  ALL_REGIONS: >-
+    ap-northeast-1 ap-northeast-2 ap-northeast-3
+    ap-south-1 ap-southeast-1 ap-southeast-2
+    ca-central-1 eu-central-1 eu-north-1
+    eu-west-1 eu-west-2 eu-west-3
+    me-central-1 sa-east-1
+    us-east-1 us-east-2 us-west-1 us-west-2
 
 jobs:
   # ============================================
@@ -62,7 +68,7 @@ jobs:
           aws-region: us-east-1
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -92,25 +98,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        region:
-          - ap-northeast-1
-          - ap-northeast-2
-          - ap-northeast-3
-          - ap-south-1
-          - ap-southeast-1
-          - ap-southeast-2
-          - ca-central-1
-          - eu-central-1
-          - eu-north-1
-          - eu-west-1
-          - eu-west-2
-          - eu-west-3
-          - me-central-1
-          - sa-east-1
-          - us-east-1
-          - us-east-2
-          - us-west-1
-          - us-west-2
+        region: [ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-southeast-1, ap-southeast-2, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, me-central-1, sa-east-1, us-east-1, us-east-2, us-west-1, us-west-2]
     steps:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
@@ -119,7 +107,7 @@ jobs:
           aws-region: ${{ matrix.region }}
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -138,6 +126,51 @@ jobs:
             --region ${{ matrix.region }} ${{ env.COMMON_EXCLUDES }} \
             --delete-unaliased-kms-keys --log-level info
 
+  phxdevops_notify:
+    name: "PhxDevOps: Notify"
+    runs-on: ubuntu-latest
+    if: |
+      always() && (
+        github.event_name == 'push' ||
+        github.event_name == 'workflow_dispatch' && (inputs.account == 'phxdevops' || inputs.account == '') ||
+        github.event_name == 'schedule' && github.event.schedule == '0 */3 * * *'
+      )
+    needs: [phxdevops_global, phxdevops_regional]
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::087285199408:role/cloud-nuke-gha
+          aws-region: us-east-1
+      - name: Send Slack notification
+        run: |
+          WEBHOOK_URL=$(aws secretsmanager get-secret-value \
+            --secret-id cloud-nuke/slack-webhook \
+            --query SecretString --output text)
+
+          if [ "${{ needs.phxdevops_global.result }}" == "success" ] && \
+             [ "${{ needs.phxdevops_regional.result }}" == "success" ]; then
+            STATUS="✅ Success"
+            COLOR="good"
+          else
+            STATUS="❌ Failed"
+            COLOR="danger"
+          fi
+
+          curl -sS -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d @- <<EOF
+          {
+            "attachments": [{
+              "color": "${COLOR}",
+              "blocks": [{
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "*PhxDevOps Nuke*: ${STATUS}\nGlobal: ${{ needs.phxdevops_global.result }} | Regional: ${{ needs.phxdevops_regional.result }}\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+                }
+              }]
+            }]
+          }
+          EOF
+
   # ============================================
   # ConfigTests Account - Every 3 hours
   # ============================================
@@ -156,7 +189,7 @@ jobs:
           aws-region: us-east-1
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -186,25 +219,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        region:
-          - ap-northeast-1
-          - ap-northeast-2
-          - ap-northeast-3
-          - ap-south-1
-          - ap-southeast-1
-          - ap-southeast-2
-          - ca-central-1
-          - eu-central-1
-          - eu-north-1
-          - eu-west-1
-          - eu-west-2
-          - eu-west-3
-          - me-central-1
-          - sa-east-1
-          - us-east-1
-          - us-east-2
-          - us-west-1
-          - us-west-2
+        region: [ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-southeast-1, ap-southeast-2, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, me-central-1, sa-east-1, us-east-1, us-east-2, us-west-1, us-west-2]
     steps:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
@@ -213,7 +228,7 @@ jobs:
           aws-region: ${{ matrix.region }}
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -233,6 +248,50 @@ jobs:
             --exclude-resource-type internet-gateway \
             --delete-unaliased-kms-keys --log-level info
 
+  configtests_notify:
+    name: "ConfigTests: Notify"
+    runs-on: ubuntu-latest
+    if: |
+      always() && (
+        github.event_name == 'workflow_dispatch' && (inputs.account == 'configtests' || inputs.account == '') ||
+        github.event_name == 'schedule' && github.event.schedule == '0 */3 * * *'
+      )
+    needs: [configtests_global, configtests_regional]
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::087285199408:role/cloud-nuke-gha
+          aws-region: us-east-1
+      - name: Send Slack notification
+        run: |
+          WEBHOOK_URL=$(aws secretsmanager get-secret-value \
+            --secret-id cloud-nuke/slack-webhook \
+            --query SecretString --output text)
+
+          if [ "${{ needs.configtests_global.result }}" == "success" ] && \
+             [ "${{ needs.configtests_regional.result }}" == "success" ]; then
+            STATUS="✅ Success"
+            COLOR="good"
+          else
+            STATUS="❌ Failed"
+            COLOR="danger"
+          fi
+
+          curl -sS -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d @- <<EOF
+          {
+            "attachments": [{
+              "color": "${COLOR}",
+              "blocks": [{
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "*ConfigTests Nuke*: ${STATUS}\nGlobal: ${{ needs.configtests_global.result }} | Regional: ${{ needs.configtests_regional.result }}\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+                }
+              }]
+            }]
+          }
+          EOF
+
   # ============================================
   # Sandbox Account - Nightly
   # ============================================
@@ -251,7 +310,7 @@ jobs:
           aws-region: us-east-1
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -281,25 +340,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        region:
-          - ap-northeast-1
-          - ap-northeast-2
-          - ap-northeast-3
-          - ap-south-1
-          - ap-southeast-1
-          - ap-southeast-2
-          - ca-central-1
-          - eu-central-1
-          - eu-north-1
-          - eu-west-1
-          - eu-west-2
-          - eu-west-3
-          - me-central-1
-          - sa-east-1
-          - us-east-1
-          - us-east-2
-          - us-west-1
-          - us-west-2
+        region: [ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-southeast-1, ap-southeast-2, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, me-central-1, sa-east-1, us-east-1, us-east-2, us-west-1, us-west-2]
     steps:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
@@ -308,7 +349,7 @@ jobs:
           aws-region: ${{ matrix.region }}
       - uses: jdx/mise-action@v3
         with:
-          version: 2025.12.10
+          version: ${{ env.MISE_VERSION }}
           experimental: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -327,3 +368,47 @@ jobs:
             --region ${{ matrix.region }} ${{ env.COMMON_EXCLUDES }} \
             --exclude-resource-type eip \
             --delete-unaliased-kms-keys --log-level info
+
+  sandbox_notify:
+    name: "Sandbox: Notify"
+    runs-on: ubuntu-latest
+    if: |
+      always() && (
+        github.event_name == 'workflow_dispatch' && (inputs.account == 'sandbox' || inputs.account == '') ||
+        github.event_name == 'schedule' && github.event.schedule == '0 0 * * *'
+      )
+    needs: [sandbox_global, sandbox_regional]
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::087285199408:role/cloud-nuke-gha
+          aws-region: us-east-1
+      - name: Send Slack notification
+        run: |
+          WEBHOOK_URL=$(aws secretsmanager get-secret-value \
+            --secret-id cloud-nuke/slack-webhook \
+            --query SecretString --output text)
+
+          if [ "${{ needs.sandbox_global.result }}" == "success" ] && \
+             [ "${{ needs.sandbox_regional.result }}" == "success" ]; then
+            STATUS="✅ Success"
+            COLOR="good"
+          else
+            STATUS="❌ Failed"
+            COLOR="danger"
+          fi
+
+          curl -sS -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d @- <<EOF
+          {
+            "attachments": [{
+              "color": "${COLOR}",
+              "blocks": [{
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "*Sandbox Nuke*: ${STATUS}\nGlobal: ${{ needs.sandbox_global.result }} | Regional: ${{ needs.sandbox_regional.result }}\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+                }
+              }]
+            }]
+          }
+          EOF
