Auto-nuke and redeploy development environments on weekly basis
Feature description
This feature automatically nukes and optionally recreates development environments on weekly basis. This is useful for environments with the sandbox permission, which allow users provisioning resources directly through the AWS web console as opposite to using terraform. In such cases, the auto-nuke will make sure the resources created manually will be cleared on weekly basis. If requested, the resources defined in terraform will then be recreated.
Every Sunday:
- At 10.00pm the awsnuke.yml workflow is triggered. This workflow nukes all the configured development environments using the AWS Nuke tool (https://github.com/rebuy-de/aws-nuke).
- At 12.00 noon the nuke-redeploy.yml workflow is triggered. If requested, this workflow redeploys the nuked environment using terraform apply.
A sketch of the algorithm is as follows:
- For every account in a dynamically generated list of all sandbox accounts
- Assume the role MemberInfrastructureAccess under the account ID
- Nuke the resources under the account ID
- (Optionally) Perform terraform apply in order to recreate all resources from terraform
Configuration
Auto-nuke consumes the following dynamically generated Github secrets stored in the Modernisation Platorm Environments repository:
MODERNISATION_PLATFORM_AUTONUKE_BLOCKLIST
: Account aliases to always exclude from auto-nuke. This takes precedence over all other configuration options. Due to the destructive nature of the tool, AWS-Nuke (https://github.com/rebuy-de/aws-nuke) requires at least one Account ID in the configured blocklist. Our blocklist contains all production. preproduction and core accounts.MODERNISATION_PLATFORM_AUTONUKE
: Account aliases of sandbox accounts to be auto-nuked on weekly basis.MODERNISATION_PLATFORM_AUTONUKE_REBUILD
: Accounts to be rebuilt after auto-nuke runs. This secret is consumed by thenuke-redeploy.yml
workflow.
The nuke-config-template.txt
is populated with account and blocklist information during the runtime of the awsnuke.yml
workflow, to produce a valid aws-nuke configuration file.
When new sandbox development environment is onboarded
When Modernisation Platform onboards a new sandbox development environment or converts an existing development environment to a sandbox it is automatically added to the autonuke account list and will be nuked as part of the regular scheduled workflow run. Customers can optionally request to have their environment rebuilt after nuke and, in some exceptional circumstances, excluded from nuke.
The default behaviour can be modified by adding a nuke
attribute to the environments json file.
Eg:
{
"name": "development",
"access": [
{
"github_slug": "my-application",
"level": "sandbox",
"nuke": "rebuild"
}
]
}
Valid values are:
include
= nukes but doesn’t rebuild (default option if nothing added)
exclude
= doesn’t nuke or rebuild
rebuild
= nukes and rebuilds
Please contact us in #ask-modernisation-platform channel for details.