
Auto-nuke and redeploy development environments on weekly basis

Feature description

This feature automatically destroys all resources in development environments on a weekly basis, and provides a utility to recreate resources in those environments afterwards. It is intended for environments with the sandbox permission level, which allows users to provision resources directly through the AWS web console alongside infrastructure as code (IaC). In such environments the auto-nuke ensures that manually created resources are regularly removed, so that the account does not drift from what is defined in code. If requested, the resources defined in Terraform are then recreated.

The nuke workflow runs every Sunday. An outline of the ‘nuke’ algorithm is as follows:

  • For every account in a dynamically generated list of all sandbox accounts:
    • Assume the MemberInfrastructureAccess role in that account
    • Run aws-nuke against the account to destroy its resources
    • (Optionally) run terraform apply to recreate the resources that are defined in Terraform

Configuration

Auto-nuke consumes the following dynamically generated GitHub secrets stored in the Modernisation Platform Environments repository:

  • MODERNISATION_PLATFORM_AUTONUKE_BLOCKLIST: Account aliases to always exclude from auto-nuke. This takes precedence over all other configuration options. Because of the destructive nature of the tool, aws-nuke refuses to run unless at least one account is present in the configured blocklist. Our blocklist contains all production, preproduction, and core accounts.

  • MODERNISATION_PLATFORM_AUTONUKE: Account aliases of sandbox accounts to be auto-nuked on a weekly basis.

  • MODERNISATION_PLATFORM_AUTONUKE_REBUILD: Accounts to be rebuilt after auto-nuke runs. This secret is consumed by the nuke-redeploy.yml workflow.

The nuke-config-template.txt file is populated with the account list and blocklist at runtime by the awsnuke.yml workflow, producing a valid aws-nuke configuration file for that run.

When a new sandbox development environment is onboarded

When the Modernisation Platform onboards a new sandbox development environment, or converts an existing development environment to a sandbox, the environment is automatically added to the auto-nuke account list and is nuked as part of the regular scheduled workflow run. Customers can optionally request that their environment be rebuilt after the nuke and, in exceptional circumstances, that it be excluded from the nuke altogether.

The default behaviour can be modified by adding a nuke attribute to the sandbox access entry in the application's environments JSON file.

For example:

    {
      "name": "development",
      "access": [
        {
          "sso_group_name": "my-application",
          "level": "sandbox",
          "nuke": "rebuild"
        }
      ]
    }

Valid values are:

  • include = nukes but doesn’t rebuild (default option if nothing added)
  • exclude = doesn’t nuke or rebuild
  • rebuild = nukes and rebuilds
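The following script is an added worked example, not the Modernisation Platform's own code, showing how the three valid nuke values and the blocklist rule above translate into the account lists the workflow consumes and into an aws-nuke configuration rendered from a template. The sample application files, the alias-to-account-ID mapping, the core account aliases, the "<application>-<environment>" alias convention, the top-level "environments" key, the precedence used when several sandbox access entries disagree, and the simplified config template are all assumptions of this example; the platform's real nuke-config-template.txt is not shown on this page.

```python
"""Derive weekly auto-nuke account lists from environment JSON and render an aws-nuke config.

Added example, not the Modernisation Platform's own code. Everything below the
"nuke" attribute semantics (include / exclude / rebuild, default include) is an
assumption of this example.
"""
import json

VALID_NUKE_VALUES = ("include", "exclude", "rebuild")
DEFAULT_NUKE_VALUE = "include"  # page: "default option if nothing added"

# Constructed sample input in the shape shown on the page. Assumption: each
# application file has a top-level "environments" list of such objects.
SAMPLE_APPLICATION_FILES = {
    "my-application": json.dumps({"environments": [
        {"name": "development", "access": [
            {"sso_group_name": "my-application", "level": "sandbox", "nuke": "rebuild"}]},
        {"name": "preproduction", "access": [
            {"sso_group_name": "my-application", "level": "developer"}]},
        {"name": "production", "access": [
            {"sso_group_name": "my-application", "level": "developer"}]},
    ]}),
    "other-app": json.dumps({"environments": [
        {"name": "development", "access": [            # no nuke attribute -> include
            {"sso_group_name": "other-app", "level": "sandbox"}]},
        {"name": "test", "access": [
            {"sso_group_name": "other-app", "level": "sandbox", "nuke": "exclude"}]},
    ]}),
}

# Constructed: core accounts live outside application files but must be blocklisted.
CORE_ACCOUNT_ALIASES = ["core-logging"]

# Constructed alias -> account ID mapping (assumption: alias is "<application>-<environment>").
SAMPLE_ACCOUNT_IDS = {
    "my-application-development": "111111111111",
    "my-application-preproduction": "222222222222",
    "my-application-production": "333333333333",
    "other-app-development": "444444444444",
    "other-app-test": "555555555555",
    "core-logging": "666666666666",
}

# Simplified stand-in for nuke-config-template.txt; a real aws-nuke config
# usually also carries resource-type filters.
CONFIG_TEMPLATE = "regions:\n  - eu-west-2\n  - global\n\naccount-blocklist:\n{blocklist}\n\naccounts:\n{accounts}\n"


def nuke_mode(environment):
    """Return include|exclude|rebuild for a sandbox environment, None if it has no sandbox access."""
    sandbox_entries = [a for a in environment.get("access", []) if a.get("level") == "sandbox"]
    if not sandbox_entries:
        return None
    modes = set()
    for entry in sandbox_entries:
        value = entry.get("nuke", DEFAULT_NUKE_VALUE)
        if value not in VALID_NUKE_VALUES:  # fail closed on typos rather than silently nuking
            raise ValueError(f"{environment.get('name')}: invalid nuke value {value!r}")
        modes.add(value)
    # Assumption: if several sandbox entries disagree, the least destructive setting wins.
    return next(m for m in ("exclude", "rebuild", "include") if m in modes)


def build_lists(application_files, core_aliases):
    """Return sorted alias lists for the AUTONUKE, AUTONUKE_REBUILD and AUTONUKE_BLOCKLIST secrets."""
    autonuke, rebuild, blocklist = set(), set(), set(core_aliases)
    for app, text in application_files.items():
        for env in json.loads(text)["environments"]:
            alias = f"{app}-{env['name']}"
            mode = nuke_mode(env)
            if mode is None or mode == "exclude":
                blocklist.add(alias)  # non-sandbox or excluded: never nuked, never rebuilt
            else:
                autonuke.add(alias)
                if mode == "rebuild":
                    rebuild.add(alias)
    lists = {"autonuke": sorted(autonuke), "rebuild": sorted(rebuild), "blocklist": sorted(blocklist)}
    validate(lists)
    return lists


def validate(lists):
    """Mirror aws-nuke's own safety rule and check the lists are mutually consistent."""
    if not lists["blocklist"]:
        raise ValueError("blocklist must contain at least one account (aws-nuke refuses to run otherwise)")
    overlap = set(lists["autonuke"]) & set(lists["blocklist"])
    if overlap:
        raise ValueError(f"accounts both nuked and blocklisted: {sorted(overlap)}")
    if not set(lists["rebuild"]) <= set(lists["autonuke"]):
        raise ValueError("every rebuild account must also be in the autonuke list")


def render_config(lists, account_ids):
    """Fill the template with account IDs; IDs are quoted so YAML keeps leading zeros as strings."""
    blocklist = "\n".join(f'  - "{account_ids[a]}"' for a in lists["blocklist"])
    accounts = "\n".join(f'  "{account_ids[a]}": {{}}' for a in lists["autonuke"])
    return CONFIG_TEMPLATE.format(blocklist=blocklist, accounts=accounts)


if __name__ == "__main__":
    derived = build_lists(SAMPLE_APPLICATION_FILES, CORE_ACCOUNT_ALIASES)
    print(json.dumps(derived, indent=2))
    print(render_config(derived, SAMPLE_ACCOUNT_IDS))
```

With the constructed input, my-application-development lands in both the autonuke and rebuild lists, other-app-development is nuked but not rebuilt, and other-app-test, the two non-sandbox environments and the core account all end up in the blocklist. An unknown nuke value is rejected rather than falling back to the default, since a typo such as "exlude" must not quietly schedule an account for destruction.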

Please contact us in #ask-modernisation-platform channel for details.

This page was last reviewed on 28 June 2024. It needs to be reviewed again on 28 December 2024 by the page owner #modernisation-platform .