forked from eclipse-edc/MinimumViableDataspace
-
Notifications
You must be signed in to change notification settings - Fork 10
127 lines (108 loc) · 5.39 KB
/
destroyParticipant.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
name: DestroyParticipant
on:
workflow_call:
inputs:
participant_name:
description: 'Name of the participant.'
required: true
type: string
resources_prefix:
description: 'Resources name prefix used to avoid naming conflicts between resources of different DataSpaces.'
required: true
type: string
registry_service_url:
description: 'Url of the Dataspace registry service.'
required: true
type: string
workflow_dispatch:
inputs:
participant_name:
description: 'Name of the participant.'
required: true
type: string
resources_prefix:
description: 'Resources name prefix used to avoid naming conflicts between resources of different DataSpaces.'
required: true
type: string
registry_service_url:
description: 'Url of the Dataspace registry service.'
required: true
type: string
# Grant permissions to obtain federated identity credentials
# see https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
permissions:
id-token: write
contents: read
env:
RESOURCES_PREFIX: ${{ github.event.inputs.resources_prefix || inputs.resources_prefix }}
PARTICIPANT_NAME: ${{ github.event.inputs.participant_name || inputs.participant_name }}
REGISTRATION_SERVICE_URL: ${{ github.event.inputs.registry_service_url || inputs.registry_service_url }}
jobs:
# Delete deployed Azure resource group.
Destroy-Participant:
continue-on-error: true
runs-on: ubuntu-latest
defaults:
run:
working-directory: deployment/terraform/participant
steps:
- uses: actions/checkout@v2
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
- name: 'Download tfvars file'
run: az storage blob download --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}" -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}" -f terraform.tfvars -n "${{ env.PARTICIPANT_NAME }}${{ env.RESOURCES_PREFIX }}.tfvars" --auth-mode key
- name: 'Delete terraform resources'
run: |
# Create backend.conf file to retrieve the remote terraform state during terraform init.
echo '
resource_group_name = "${{ secrets.COMMON_RESOURCE_GROUP }}"
storage_account_name = "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}"
container_name = "${{ secrets.TERRAFORM_STATE_CONTAINER }}"
key = "${{ env.PARTICIPANT_NAME }}${{ env.RESOURCES_PREFIX }}.tfstate"
' >> backend.conf
terraform init -backend-config=backend.conf
terraform destroy -auto-approve
env:
# Authentication settings for Terraform AzureRM provider
# See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
# Passing dummy variables to terraform destroy, because destroy needs input variables to be defined, but uses the state.
TF_VAR_application_sp_client_secret: dummy
# The Destroy job uses continue-on-error: true so that if one destroy job fails, the others don't get killed.
# This has the side effect of making the overall job (and hence calling workflow) succeed when it should fail.
# To solve this, we upload an extra marker blob at the end of the `Destroy-Participants` job,
# and delete the blobs in a separate job matrix. That `Post-Destroy-Participants` job will then cause the workflow to fail
# if a completion marker blob is not found (meaning that a Destroy job did not succeed).
- name: 'Completion marker blob'
run: az storage blob upload --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}" -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}" -f /dev/null -n "${{ env.PARTICIPANT_NAME }}${{ env.RESOURCES_PREFIX }}.completed" --auth-mode key
- name: 'Unregister participant'
run: |
curl -X DELETE $REGISTRATION_SERVICE_API_URL/registry/participant/$PARTICIPANT_TO_DELETE
env:
REGISTRATION_SERVICE_API_URL: ${{ env.REGISTRATION_SERVICE_URL }}/api
PARTICIPANT_TO_DELETE: ${{ env.PARTICIPANT_NAME }}
# Post-Destroy jos must wait for all Destroy jobs to complete, so that their failure does not interrupt in-progress Destroy jobs
Post-Destroy-Participant:
needs:
- Destroy-Participant
runs-on: ubuntu-latest
steps:
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
- name: 'Delete state, tfvars and completion marker blobs'
run: |
for extension in tfvars tfstate completed
do
az storage blob delete --account-name "${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT }}" -c "${{ secrets.TERRAFORM_STATE_CONTAINER }}" -n "${{ env.PARTICIPANT_NAME }}${{ env.RESOURCES_PREFIX }}.$extension" --auth-mode key
done