in source/idea/pipeline/stack.py [0:0]
def get_destroy_step(self) -> pipelines.CodeBuildStep:
    """Build the pipeline's "Destroy" CodeBuild step.

    The step runs the destroy scripts under an IAM role that may read and
    delete the deployment's CloudFormation stacks, read the VPC id parameter
    from SSM, remove the shared-storage file systems and security group, and
    (via ``get_web_and_vdi_record_policy``) manage the web/VDI DNS records.

    Returns:
        The configured ``pipelines.CodeBuildStep`` named ``"Destroy"``.
    """

    def stack_arn(stack_pattern: str) -> str:
        # CloudFormation stack ARN in this stack's own partition/region/account.
        return (
            f"arn:{self.partition}:cloudformation:{self.region}:"
            f"{self.account}:stack/{stack_pattern}"
        )

    def cluster_tag_condition() -> dict:
        # Fresh dict per statement: restrict the grant to resources tagged
        # with this cluster's environment name.
        return {
            "StringEquals": {
                "aws:ResourceTag/res:EnvironmentName": [self.params.cluster_name],
            },
        }

    def as_flag(value) -> str:
        # Shell scripts read these as the literal strings "true"/"false".
        return "true" if value else "false"

    install_stack_arn = stack_arn(f"Deploy-{INSTALL_STACK_NAME}/*")
    # No "/" before the wildcard: this matches every stack whose name starts
    # with the batteries-included prefix, not just one stack's instances.
    bi_stack_arn = stack_arn(f"Deploy-{BATTERIES_INCLUDED_STACK_NAME}*")
    cluster_stack_suffixes = (
        "bootstrap",
        "cluster",
        "metrics",
        "directoryservice",
        "identity-provider",
        "shared-storage",
        "cluster-manager",
        "vdc",
        "bastion-host",
    )
    cluster_stack_arns = [
        stack_arn(f"{self.params.cluster_name}-{suffix}/*")
        for suffix in cluster_stack_suffixes
    ]

    cloudformation_read = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "cloudformation:ListStacks",
            "cloudformation:DescribeStacks",
        ],
        resources=[install_stack_arn, *cluster_stack_arns, bi_stack_arn],
    )
    # Only the two top-level deploy stacks may be deleted directly; the
    # per-cluster stacks are expected to go away with them.
    cloudformation_delete_stack = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["cloudformation:DeleteStack"],
        resources=[install_stack_arn, bi_stack_arn],
    )
    # params.vpc_id is used as the SSM parameter name, so it is expected to
    # start with "/" (no separator is inserted) — presumably validated upstream.
    ssm_read_vpc_id = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["ssm:GetParameter"],
        resources=[
            f"arn:{self.partition}:ssm:{self.region}:{self.account}:parameter{self.params.vpc_id}"
        ],
    )
    # Describe calls on EFS/FSx are not resource-scoped, hence "*".
    file_systems_read = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:DescribeMountTargets",
            "fsx:DescribeFileSystems",
            "fsx:DescribeStorageVirtualMachines",
            "fsx:DescribeVolumes",
        ],
        resources=["*"],
    )
    efs_delete_file_systems = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "elasticfilesystem:DeleteMountTarget",
            "elasticfilesystem:DeleteFileSystem",
        ],
        resources=["*"],
        conditions=cluster_tag_condition(),
    )
    # NOTE(review): this grant is account-wide with no tag condition; it
    # exists so mount-target ENIs can be removed, which EFS may not tag —
    # confirm before tightening, but it is the broadest delete right here.
    efs_delete_eni = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["ec2:DeleteNetworkInterface"],
        resources=["*"],
    )
    fsx_delete_file_systems = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["fsx:DeleteFileSystem"],
        resources=["*"],
        conditions=cluster_tag_condition(),
    )
    # NOTE(review): unlike the file-system delete above, volume/SVM deletion
    # carries no environment-name tag condition — verify whether these
    # resources carry the tag and the condition can be applied.
    fsx_delete_svms_volumes = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "fsx:DeleteVolume",
            "fsx:DeleteStorageVirtualMachine",
            "fsx:CreateBackup",
            "fsx:TagResource",
        ],
        resources=["*"],
    )
    security_group_read = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["ec2:DescribeSecurityGroups"],
        resources=["*"],
    )
    # Scoped by the Name tag the shared-storage stack assigns to its group.
    security_group_delete = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["ec2:DeleteSecurityGroup"],
        resources=["*"],
        conditions={
            "StringEquals": {
                "aws:ResourceTag/Name": [
                    f"{self.params.cluster_name}-shared-storage-security-group"
                ],
            },
        },
    )
    records_read, records_route53 = self.get_web_and_vdi_record_policy()

    script_paths = ["source/idea/pipeline/scripts/destroy/commands.sh"]
    if self._portal_domain_name != "":
        # Remove the web/VDI DNS records before the stacks are torn down.
        script_paths = [
            "source/idea/pipeline/scripts/common/web_and_vdi_record_commands.sh",
            *script_paths,
        ]

    # NOTE(review): privileged=True gives the build container Docker/root
    # capabilities; confirm the destroy scripts actually need it.
    build_environment = codebuild.BuildEnvironment(
        build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
        compute_type=codebuild.ComputeType.SMALL,
        privileged=True,
    )
    environment = {
        "CLUSTER_NAME": self.params.cluster_name,
        "AWS_REGION": self.region,
        "BATTERIES_INCLUDED": as_flag(self._bi),
        "USE_BI_PARAMETERS_FROM_SSM": as_flag(self._use_bi_parameters_from_ssm),
        "DESTROY_BATTERIES_INCLUDED": as_flag(self._destroy_bi),
        "VPC_ID": self.params.vpc_id,
        "INSTALL_STACK_NAME": INSTALL_STACK_NAME,
        "BATTERIES_INCLUDED_STACK_NAME": f"Deploy-{BATTERIES_INCLUDED_STACK_NAME}",
        "PORTAL_DOMAIN": self._portal_domain_name,
        "WEB_PORTAL_DOMAIN": self.params.custom_domain_name_for_web_ui,
        "VDI_PORTAL_DOMAIN": self.params.custom_domain_name_for_vdi,
        "WEB_AND_VDI_RECORD_ACTION": "DELETE",
    }
    install_scripts = [
        "source/idea/pipeline/scripts/common/install_commands.sh",
        "source/idea/pipeline/scripts/destroy/install_commands.sh",
    ]

    # Order is preserved from the original policy list.
    return pipelines.CodeBuildStep(
        "Destroy",
        build_environment=build_environment,
        env=environment,
        install_commands=get_commands_for_scripts(install_scripts),
        commands=get_commands_for_scripts(script_paths),
        role_policy_statements=[
            cloudformation_read,
            cloudformation_delete_stack,
            ssm_read_vpc_id,
            file_systems_read,
            efs_delete_file_systems,
            efs_delete_eni,
            fsx_delete_file_systems,
            fsx_delete_svms_volumes,
            security_group_read,
            security_group_delete,
            records_read,
            records_route53,
        ],
        timeout=Duration.hours(2),
    )