Security Group Cleanup #583
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Group Cleanup | |
on: | |
schedule: | |
- cron: "0 2 * * *" | |
workflow_dispatch: | |
jobs: | |
security-group-cleanup: | |
name: Security Group Cleanup | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- uses: ./.github/actions/setup # We need this largely for the PROJECT variable setting | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: us-east-1 | |
role-duration-seconds: 10800 | |
- name: Clean Up Unassigned Security Groups | |
id: runningStages | |
run: | | |
# Step 1, get a list of all security groups attached to ENIs | |
inusesgs=(`aws ec2 describe-network-interfaces \ | |
--query "NetworkInterfaces[].Groups[].GroupId" \ | |
--output text`) | |
# Step 2, get a list of all security groups owned by our project. | |
allsgs=(`aws ec2 describe-security-groups \ | |
--filters Name=tag:PROJECT,Values="$PROJECT" \ | |
--query "SecurityGroups[].GroupId" \ | |
--output text`) | |
# Step 3, delete any security group owned by our project that's not attached to an ENI | |
for i in "${allsgs[@]}" | |
do | |
if [[ " ${inusesgs[*]} " =~ " ${i} " ]]; then | |
echo "Keping $i as it is in use" | |
else | |
echo "Deleting $i as it is not in use..." | |
aws ec2 delete-security-group --group-id $i | |
fi | |
done |