Disable clounts when tearing down a review environment
Summary
As a cloudigrade dev, I want cloudigrade to disable clounts on review env teardown, so that I don't have junk piling up in my AWS account.
Acceptance Criteria
- Verify that "Clean Up Review" calls a management command that:
  - runs before oc delete
  - attempts to disable all known CloudAccount objects
  - disables related AWS CloudTrail trails for those CloudAccount objects (this should be "for free" simply by CloudAccount.disable())
  - does not stop/abort processing if some subset of the CloudAccounts fails to disable.
    - For example, if the Role/Policy for an AwsCloudAccount no longer works, that should only fail the affected account, not the others.
- Verify that this new operation runs successfully in a variety of not-production environments.
- If we have no other "real" accounts in production environment,
  - Verify that running this operation in prod has no effect and instead produces some log indicating that it refuses to run in production.
    - Verify that no accounts exist in prod.
    - Manually use sources-api in prod to create a CloudAccount.
    - Manually run the command in prod.
    - Verify that the created account is still enabled.
Assumptions and Questions
- Are we using repl? Are we making a management command?
  - Management command! See AC and idea notes below.
  - Idea 1:
    - Add a command call in the gitlab-ci.yml "Clean up" job immediately before the oc delete commands to iterate through all known CloudAccounts and .disable() each of them, with each of those disables in a try-except to allow them to fail if necessary but not stop the process.
- We fear running this in prod. How can we bake in a check to the new command we write to ensure it is DEBUG-only or review-only?
  - This is an exercise for whoever picks up this issue. PLEASE discuss with the team!
- QE does not need to build automated integration tests around this issue. Unit testing and manual verification by developers should be sufficient.
Edited by Ghost User
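
One way to structure the command's core so that it meets the acceptance criteria above, as an added example that is not cloudigrade's own code: an allow-list environment check that fails closed, plus per-account error isolation. The environment name prefixes, `teardown_allowed`, `disable_all` and `FakeAccount` are hypothetical; only `disable()` comes from the issue, and in the real project this logic would sit inside a management command.

```python
import logging

logger = logging.getLogger("teardown")

# Assumption: each deployment exposes its name (for example through an
# environment variable); these prefixes are hypothetical placeholders.
ALLOWED_ENV_PREFIXES = ("review-", "ci-", "local-")


def teardown_allowed(env_name):
    """Fail closed: only allow-listed names pass; unset or unknown names do not."""
    return bool(env_name) and env_name.startswith(ALLOWED_ENV_PREFIXES)


def disable_all(accounts, env_name):
    """Return (disabled_ids, failed_ids), or None if the environment is refused."""
    if not teardown_allowed(env_name):
        logger.error("Refusing to disable accounts in environment %r", env_name)
        return None
    disabled, failed = [], []
    for account in accounts:
        try:
            account.disable()
        except Exception:
            # One broken Role/Policy must not stop the remaining accounts.
            logger.exception("Failed to disable account %s", account.id)
            failed.append(account.id)
        else:
            disabled.append(account.id)
    logger.info("Disabled %d account(s), %d failure(s)", len(disabled), len(failed))
    return disabled, failed


class FakeAccount:
    """Constructed stand-in for a CloudAccount, for demonstration only."""

    def __init__(self, account_id, broken=False):
        self.id, self.broken, self.enabled = account_id, broken, True

    def disable(self):
        if self.broken:
            raise PermissionError("role can no longer be assumed")
        self.enabled = False


if __name__ == "__main__":
    accts = [FakeAccount(1), FakeAccount(2, broken=True), FakeAccount(3)]
    print(disable_all(accts, "prod"), disable_all(accts, "review-1234"))
```

Checking an allow-list rather than testing for the string "prod" means a misnamed or unset environment is refused instead of being treated as safe to wipe.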