dynamically retrieve the latest aws rds ca #13
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: check-unused-resources | |
| on: | |
| push: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| jobs: | |
| check-unused-databases-aws: | |
| runs-on: aws-core-2-default | |
| strategy: | |
| fail-fast: false # don't propate failing jobs | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install if required common software tooling | |
| uses: camunda/infra-global-github-actions/common-tooling@main | |
| with: | |
| java-enabled: false | |
| yarn-enabled: false | |
| python-version: "3.12" | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: | | |
| secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_PASSWORD; | |
| secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_USERNAME; | |
| - name: Drop unused database | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y build-essential postgresql-client | |
| python3 -m pip install awscli | |
| RETENTION_INTERVAL="2 days" | |
| # Define the databases in an array | |
| databases=( | |
| "camunda-ci-eks-aurora-postgresql-13.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com:5432" | |
| "camunda-ci-eks-aurora-postgresql-14.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com:5432" | |
| "camunda-ci-eks-aurora-postgresql-15.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com:5432" | |
| "camunda-ci-eks-aurora-postgresql-16.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com:5432" | |
| ) | |
| for db in "${databases[@]}"; do | |
| IFS=':' read -ra db_info <<< "$db" | |
| PGHOST="${db_info[0]}" | |
| PGPORT="${db_info[1]}" | |
| PGDATABASE="postgres" | |
| PGUSER="keycloak-irsa" | |
| PGPASSWORD="${{ steps.secrets.outputs.AURORA_POSTGRESQL_PASSWORD }}" | |
| export PGPASSWORD | |
| export PGPORT | |
| export PGUSER | |
| export PGHOST | |
| export PGDATABASE | |
| export RETENTION_INTERVAL | |
| user_exists="$(psql -U "${{ steps.secrets.outputs.AURORA_POSTGRESQL_USERNAME }}" -d "$PGDATABASE" -tAc "SELECT 1 FROM pg_roles WHERE rolname='$PGUSER'")" | |
| if [ "$user_exists" = "1" ]; then | |
| PGPASSWORD="$(aws rds generate-db-auth-token --hostname "${PGHOST}" --port "${PGPORT}" --region "${AWS_REGION}" --username "${PGUSER}")" | |
| export PGPASSWORD | |
| bash ./.helpers/actions/drop-unused-db.sh | |
| else | |
| echo "The user ${PGUSER} does not exist on '${PGHOST}:${PGPORT}', skipping." | |
| fi | |
| done |