Delete Kured & add var image, purge in pipelines

.github/workflows/deploy-secure-aks-baseline.yaml

@@ -21,12 +21,13 @@ env:
   ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
   ARM_PARTNER_ID: "f85b2775-ec1d-4fef-949e-bbd6957082af"
   ENVIRONMENT: ${{ github.run_id }}
+  image: aztfmod/rover-preview:0.15.3-2105.210707
 
 jobs:
   deploy-launchpad:
     runs-on: ubuntu-latest
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image:  $(image)
       options: --user 0
     outputs:
       prefix: ${{ steps.test.outputs.PREFIX }}
@@ -70,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy-launchpad
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     outputs:
       prefix: ${{ steps.test.outputs.PREFIX }}
@@ -110,7 +111,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy-launchpad
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -144,7 +145,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy-networking-hub
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -178,7 +179,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [deploy-networking-hub, deploy-networking-spoke, deploy-shared-services]
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     outputs:
       prefix: ${{ steps.test.outputs.PREFIX }}
@@ -218,7 +219,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy-aks
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -266,7 +267,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy-addons
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -296,7 +297,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [destroy-addons]
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -325,7 +326,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: destroy-aks
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -355,7 +356,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: destroy-aks
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -385,7 +386,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: destroy-networking-spoke
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -415,7 +416,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [destroy-networking-hub, destroy-shared-services]
     container:
-      image:  aztfmod/rover-preview:0.15.3-2105.210707
+      image: $(image)
       options: --user 0
     steps:
       - name: Checkout Repository
@@ -439,4 +440,30 @@ jobs:
           /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh
         env:
           ACTION: "destroy -auto-approve"
-           
+
+  purge:
+    name: purge
+    runs-on: ubuntu-latest
+    if: ${{ failure() || cancelled() }}
+
+    needs: [deploy-launchpad, deploy-shared-services, deploy-networking-hub, deploy-networking-spoke,deploy-aks, deploy-addons, destroy-addons, destroy-aks,  destroy-networking-spoke, destroy-networking-hub, destroy-shared-services, destroy-launchpad]
+
+    container:
+      image: aztfmod/rover:0.15.4-2105.2603
+      options: --user 0
+
+    steps:
+      - name: Login azure
+        run: |
+          az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
+          az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
+      - name: Complete purge
+        run: |
+          for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done
+          for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done
+          for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].objectId" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done
+          for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done
+          for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
+          for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
+          for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
+          for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/kured-1.4.0-dockerhub.yaml

@@ -1,109 +0,0 @@
-# https://github.com/weaveworks/kured/releases/download/1.4.0/kured-1.4.0-dockerhub.yaml
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kured
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "patch"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["list", "delete", "get"]
-  - apiGroups: ["apps"]
-    resources: ["daemonsets"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["pods/eviction"]
-    verbs: ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kured
-subjects:
-  - kind: ServiceAccount
-    name: kured
-    namespace: cluster-baseline-settings
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: cluster-baseline-settings
-  name: kured
-rules:
-  - apiGroups: ["apps"]
-    resources: ["daemonsets"]
-    resourceNames: ["kured"]
-    verbs: ["update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: cluster-baseline-settings
-  name: kured
-subjects:
-  - kind: ServiceAccount
-    namespace: cluster-baseline-settings
-    name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kured
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kured
-  namespace: cluster-baseline-settings
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kured
-  namespace: cluster-baseline-settings
-spec:
-  selector:
-    matchLabels:
-      name: kured
-  updateStrategy:
-    type: RollingUpdate
-  template:
-    metadata:
-      labels:
-        name: kured
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "8080"
-    spec:
-      serviceAccountName: kured
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-      hostPID: true
-      restartPolicy: Always
-      containers:
-        - name: kured
-          # PRODUCTION READINESS CHANGE REQUIRED
-          # This image should be sourced from a non-public container registry, such as the
-          # one deployed along side of this reference implementation.
-          # az acr import --source docker.io/weaveworks/kured:1.4.0 -n <your-acr-instance-name>
-          # and then set this to
-          # image: <your-acr-instance-name>.azurecr.io/weaveworks/kured:1.4.0
-          image: docker.io/weaveworks/kured:1.4.0
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-          env:
-            - name: KURED_NODE_ID
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          command:
-            - /usr/bin/kured
-            - --ds-namespace=cluster-baseline-settings

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/deploy_level_with_rover.sh

@@ -25,5 +25,6 @@ fi
   -lz /tf/caf/landingzones/caf_solution${ADDON_NAME} \
   -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/configuration/${LEVEL_NAME}/${LZ_NAME} \
   -tfstate ${LZ_NAME}.tfstate \
+  -var tags='{testing_job_id='$TF_VAR_environment'}' \
   -level ${LEVEL_NAME} \
-  -a ${ACTION}
+  -a ${ACTION}

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh

@@ -18,6 +18,7 @@ then
     -lz /tf/caf/landingzones/caf_launchpad \
     -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/configuration/level0/launchpad \
         -launchpad \
+        -var tags='{testing_job_id='"$TF_VAR_environment"'}' \
         -level level0 \
         -a ${ACTION}
 else