Updated code to use S3 bucket name and AWS region from GitHub secrets #2

Workflow file for this run

.github/workflows/destroy-nic-napv5.yml at 1671274

	name: "NGINX NIC/NAPV5 Destroy"
	on:
	push:
	branches:
	- destroy-nic-napv5
	pull_request:
	env:
	# AWS_REGION: us-east-1
	TF_VAR_AWS_S3_BUCKET_NAME: ${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}
	TF_VAR_AWS_REGION: ${{ secrets.TF_VAR_AWS_REGION }}
	jobs:
	terraform_arcadia:
	name: "Destroy Arcadia WebApp"
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: ./arcadia

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Init
	run: \|
	terraform init \
	-backend-config="bucket=${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" \
	-backend-config="region=${{ secrets.TF_VAR_AWS_REGION }}"

	- name: Terraform Validate
	run: terraform validate -no-color

	- name: Terraform Plan (Destroy)
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	run: \|
	terraform plan -destroy -no-color -input=false -lock=false -out=tfplan
	terraform show -no-color tfplan > plan.txt

	- name: Check Changes
	id: check_changes
	run: \|
	if grep -q "No changes." plan.txt; then
	echo "has_changes=false" >> $GITHUB_OUTPUT
	else
	echo "has_changes=true" >> $GITHUB_OUTPUT
	fi

	- name: Terraform Destroy
	if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
	run: terraform destroy -auto-approve -lock=false -input=false

	terraform_policy:
	name: "Destroy NGINX Policy"
	runs-on: ubuntu-latest
	needs: terraform_arcadia
	defaults:
	run:
	working-directory: ./policy
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Init
	run: \|
	terraform init \
	-backend-config="bucket=${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" \
	-backend-config="region=${{ secrets.TF_VAR_AWS_REGION }}"

	- name: Terraform Destroy
	run: terraform destroy -auto-approve -lock=false

	terraform_nap:
	name: "Destroy NGINX NIC/App Protect"
	runs-on: ubuntu-latest
	needs: terraform_policy
	defaults:
	run:
	working-directory: ./nap
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Init
	run: \|
	terraform init \
	-backend-config="bucket=${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" \
	-backend-config="region=${{ secrets.TF_VAR_AWS_REGION }}"

	- name: Terraform Plan (Destroy)
	run: \|
	terraform plan -destroy -no-color -input=false -lock=false -out=tfplan \
	-var="workspace_path=${{ env.WORKSPACE_PATH }}" \
	-var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
	-var="nginx_pwd=none"
	env:
	WORKSPACE_PATH: "./nap"

	- name: Check Changes
	id: check_changes
	run: \|
	if grep -q "No changes." plan.txt; then
	echo "has_changes=false" >> $GITHUB_OUTPUT
	else
	echo "has_changes=true" >> $GITHUB_OUTPUT
	fi

	- name: Terraform Destroy
	if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
	run: \|
	terraform destroy -auto-approve -input=false -lock=false \
	-var="workspace_path=${{ env.WORKSPACE_PATH }}" \
	-var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
	-var="nginx_pwd=none"
	env:
	WORKSPACE_PATH: "./nap"

	terraform_eks:
	name: "Destroy AWS EKS"
	runs-on: ubuntu-latest
	needs: terraform_nap
	defaults:
	run:
	working-directory: ./eks-cluster
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Init
	run: \|
	terraform init \
	-backend-config="bucket=${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" \
	-backend-config="region=${{ secrets.TF_VAR_AWS_REGION }}"

	- name: Terraform Plan (Destroy)
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	run: \|
	terraform plan -destroy -no-color -input=false -out=tfplan -lock=false
	terraform show -no-color tfplan > plan.txt

	- name: Check Changes
	id: check_changes
	run: \|
	if grep -q "No changes." plan.txt; then
	echo "has_changes=false" >> $GITHUB_OUTPUT
	else
	echo "has_changes=true" >> $GITHUB_OUTPUT
	fi

	- name: Terraform Destroy
	if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
	run: terraform destroy -auto-approve -input=false -lock=false

	terraform_infra:
	name: "Destroy AWS Infra"
	runs-on: ubuntu-latest
	needs: terraform_eks
	defaults:
	run:
	working-directory: ./infra
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3

	- name: Terraform Init
	run: \|
	terraform init \
	-backend-config="bucket=${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" \
	-backend-config="region=${{ secrets.TF_VAR_AWS_REGION }}"

	- name: Terraform Plan (Destroy)
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	run: \|
	terraform plan -destroy -no-color -input=false -out=tfplan -lock=false
	terraform show -no-color tfplan > plan.txt

	- name: Check Changes
	id: check_changes
	run: \|
	if grep -q "No changes." plan.txt; then
	echo "has_changes=false" >> $GITHUB_OUTPUT
	else
	echo "has_changes=true" >> $GITHUB_OUTPUT
	fi

	- name: Terraform Destroy
	if: github.event_name == 'push' && github.ref == 'refs/heads/destroy-nic-napv5' && steps.check_changes.outputs.has_changes == 'true'
	run: terraform destroy -auto-approve -input=false -lock=false


	terraform_S3:
	name: "Delete S3/DynamoDB"
	needs: terraform_infra
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: ./s3
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Install jq
	run: sudo apt-get install -y jq

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
	aws-region: ${{ secrets.TF_VAR_AWS_REGION }}

	- name: Set Bucket Name
	id: set_bucket
	run: \|
	echo "bucket_name= ${{ secrets.TF_VAR_AWS_S3_BUCKET_NAME }}" >> $GITHUB_OUTPUT

	- name: Nuclear S3 Bucket Deletion
	run: \|
	set -e
	BUCKET_NAME="${{ steps.set_bucket.outputs.bucket_name }}"

	# 1. Delete all object versions (with null checks)
	echo "🔥 Deleting ALL object versions..."
	versions=$(aws s3api list-object-versions --bucket $BUCKET_NAME --output json \|\| echo '{"Versions":[],"DeleteMarkers":[]}')
	versions_to_delete=$(echo $versions \| jq '{Objects: [.Versions[]? \| {Key:.Key, VersionId:.VersionId}]}' \|\| echo '{"Objects":[]}')
	if [ "$(echo $versions_to_delete \| jq '.Objects \| length')" -gt 0 ]; then
	aws s3api delete-objects --bucket $BUCKET_NAME --delete "$versions_to_delete" \|\| true
	fi

	# 2. Delete all delete markers (with null checks)
	echo "🗑️ Deleting ALL delete markers..."
	markers_to_delete=$(echo $versions \| jq '{Objects: [.DeleteMarkers[]? \| {Key:.Key, VersionId:.VersionId}]}' \|\| echo '{"Objects":[]}')
	if [ "$(echo $markers_to_delete \| jq '.Objects \| length')" -gt 0 ]; then
	aws s3api delete-objects --bucket $BUCKET_NAME --delete "$markers_to_delete" \|\| true
	fi

	# 3. Force delete any remaining objects
	echo "💥 Force deleting any remaining objects..."
	aws s3 rm s3://$BUCKET_NAME --recursive --include "*" \|\| true

	# 4. Delete bucket
	echo "🚀 Deleting bucket..."
	aws s3api delete-bucket --bucket $BUCKET_NAME \|\| true

	# 5. Final verification
	if aws s3api head-bucket --bucket $BUCKET_NAME 2>/dev/null; then
	echo "::error::Bucket $BUCKET_NAME still exists after deletion attempts!"
	exit 1
	else
	echo "✅ Bucket $BUCKET_NAME successfully deleted"
	fi

	- name: Delete DynamoDB Table
	run: \|
	set -e
	TABLE_NAME="terraform-lock-table"
	echo "💥 Deleting DynamoDB table..."
	if aws dynamodb describe-table --table-name $TABLE_NAME 2>/dev/null; then
	aws dynamodb delete-table --table-name $TABLE_NAME \|\| true
	echo "⌛ Waiting for table to be deleted..."
	aws dynamodb wait table-not-exists --table-name $TABLE_NAME \|\| true
	fi
	if aws dynamodb describe-table --table-name $TABLE_NAME 2>/dev/null; then
	echo "::error::Table $TABLE_NAME still exists!"
	exit 1
	else
	echo "✅ Table $TABLE_NAME successfully deleted"
	fi

	- name: Clean Up IAM Resources
	run: \|
	set -e
	# Delete policy
	POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='TerraformStateAccess'].Arn" --output text \|\| echo "")
	if [ -n "$POLICY_ARN" ]; then
	echo "🔗 Detaching policy from roles..."
	ATTACHED_ROLES=$(aws iam list-entities-for-policy --policy-arn $POLICY_ARN --query "PolicyRoles[].RoleName" --output text \|\| echo "")
	for ROLE in $ATTACHED_ROLES; do
	aws iam detach-role-policy --role-name $ROLE --policy-arn $POLICY_ARN \|\| true
	done

	echo "🗑️ Deleting policy..."
	aws iam delete-policy --policy-arn $POLICY_ARN \|\| true
	fi

	# Delete role
	ROLE_NAME="TerraformCIExecutionRole"
	if aws iam get-role --role-name $ROLE_NAME 2>/dev/null; then
	echo "🗑️ Deleting role..."
	aws iam delete-role --role-name $ROLE_NAME \|\| true
	fi

	- name: Verify Deletion
	run: \|
	echo "✅ Verification:"

	# Verify S3 bucket
	BUCKET_NAME="${{ steps.set_bucket.outputs.bucket_name }}"
	if aws s3api head-bucket --bucket "$BUCKET_NAME" 2>/dev/null; then
	echo "::error::Bucket $BUCKET_NAME still exists!"
	exit 1
	else
	echo "Bucket $BUCKET_NAME deleted successfully"
	fi

	# Verify DynamoDB table
	TABLE_NAME="terraform-lock-table"
	if aws dynamodb describe-table --table-name "$TABLE_NAME" 2>/dev/null; then
	echo "::error::Table $TABLE_NAME still exists!"
	exit 1
	else
	echo "Table $TABLE_NAME deleted successfully"
	fi

	# Verify IAM resources
	if aws iam get-policy --policy-arn "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/TerraformStateAccess" 2>/dev/null; then
	echo "::error::IAM Policy still exists!"
	exit 1
	else
	echo "IAM Policy deleted successfully"
	fi

	if aws iam get-role --role-name "TerraformCIExecutionRole" 2>/dev/null; then
	echo "::error::IAM Role still exists!"
	exit 1
	else
	echo "IAM Role deleted successfully"
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Updated code to use S3 bucket name and AWS region from GitHub secrets #2

Workflow file

Updated code to use S3 bucket name and AWS region from GitHub secrets #2

Jobs

Run details

Workflow file for this run