Percona-Lab
diff --git a/‎IaC/cdk/README.md‎
Lines changed: 64 additions & 0 deletions b/‎IaC/cdk/README.md‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎IaC/cdk/aws-resources-cleanup/.gitignore‎
Lines changed: 57 additions & 0 deletions b/‎IaC/cdk/aws-resources-cleanup/.gitignore‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎IaC/cdk/aws-resources-cleanup/README.md‎
Lines changed: 116 additions & 0 deletions b/‎IaC/cdk/aws-resources-cleanup/README.md‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎IaC/cdk/aws-resources-cleanup/app.py‎
Lines changed: 25 additions & 0 deletions b/‎IaC/cdk/aws-resources-cleanup/app.py‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎IaC/cdk/aws-resources-cleanup/cdk.json‎
Lines changed: 71 additions & 0 deletions b/‎IaC/cdk/aws-resources-cleanup/cdk.json‎
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,64 @@
+# CDK Projects
+
+AWS CDK (Cloud Development Kit) infrastructure as code implementations.
+
+## Projects
+
+### aws-resources-cleanup
+Comprehensive AWS resource cleanup Lambda with CDK deployment.
+
+**Purpose**: Automated cleanup of EC2 instances, EKS clusters, and OpenShift infrastructure based on TTL policies and billing tags.
+
+**Features**:
+- TTL-based expiration (8h, 24h policies)
+- Billing tag validation (category + Unix timestamps)
+- EKS CloudFormation deletion
+- OpenShift comprehensive cleanup (VPC, ELB, Route53, S3, NAT, security groups)
+- DRY_RUN mode (default)
+- SNS notifications
+- Hourly EventBridge schedule
+
+**Quick Start**:
+```bash
+cd aws-resources-cleanup
+just install          # Install dependencies
+just deploy           # Deploy in DRY_RUN mode
+just logs             # Tail CloudWatch logs
+```
+
+📖 **Full documentation**: [aws-resources-cleanup/README.md](aws-resources-cleanup/README.md)
+
+## Requirements
+
+- AWS CLI configured with appropriate profile
+- `uv` package manager: `brew install uv`
+- `just` task runner: `brew install just`
+
+## Common Commands
+
+All projects use Justfile for consistent automation:
+
+| Command | Description |
+|---------|-------------|
+| `just install` | Install all dependencies |
+| `just synth` | Generate CloudFormation template |
+| `just diff` | Preview infrastructure changes |
+| `just deploy` | Deploy stack |
+| `just destroy` | Remove stack |
+| `just logs` | Tail CloudWatch logs (if applicable) |
+
+## Adding New CDK Projects
+
+When creating a new CDK project in this directory:
+
+1. Create project directory: `mkdir project-name`
+2. Initialize CDK: `cdk init app --language python`
+3. Add Justfile for automation
+4. Add project-specific README.md
+5. Update this README with project description
+
+## Resources
+
+- [AWS CDK Documentation](https://docs.aws.amazon.com/cdk/)
+- [CDK Python API Reference](https://docs.aws.amazon.com/cdk/api/v2/python/)
+- [Justfile Documentation](https://github.com/casey/just)
@@ -0,0 +1,57 @@
+# CDK
+cdk.out/
+.cdk.staging/
+cdk.context.json
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual environments
+venv/
+ENV/
+env/
+.venv
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Lambda artifacts
+*.zip
+/tmp/
+
+# Logs
+*.log
@@ -0,0 +1,116 @@
+# AWS Resources Cleanup
+
+Automated cleanup Lambda for EC2 instances, EKS clusters, and OpenShift infrastructure.
+
+## Overview
+
+Comprehensive resource cleanup Lambda that runs hourly to enforce TTL policies, billing tag compliance, and infrastructure lifecycle management across all AWS regions.
+
+**Default Mode**: DRY_RUN (logs actions without execution)
+
+## Features
+
+### EC2 Cleanup
+- **TTL Expiration**: Enforces `creation-time` + `delete-cluster-after-hours` tags
+- **Stop Policy**: Honors `stop-after-days` for staging instances
+- **Long Stopped**: Terminates instances stopped >30 days
+- **Untagged Instances**: Removes instances without valid billing tags after grace period
+- **Billing Tag Validation**: Validates category strings or Unix timestamps
+
+**Protected Instances**:
+- Persistent billing tags: `jenkins-*`, `pmm-dev`
+- Valid `iit-billing-tag` timestamps
+- Instances with `Name` tag matching protected patterns
+
+### EKS Cleanup
+- CloudFormation stack deletion with configurable skip patterns
+- Default protection: `pe-.*` (platform engineering clusters)
+
+### OpenShift Cleanup
+Full cluster destruction including:
+- Compute: EC2 instances
+- Network: VPC, subnets, route tables, internet gateways, NAT gateways, ENIs, Elastic IPs
+- Load Balancers: Classic ELB, ALB, NLB
+- Security: Security groups, VPC endpoints
+- DNS: Route53 hosted zones and records
+- Storage: S3 buckets with `kubernetes.io/cluster/<cluster-name>` tags
+
+**Reconciliation Loop**: Retries resource deletion to handle dependency ordering
+
+## Environment Variables
+
+| Variable | Type | Default | Description |
+|----------|------|---------|-------------|
+| `DRY_RUN` | bool | `true` | Preview mode - logs actions without execution |
+| `SNS_TOPIC_ARN` | string | `""` | SNS topic for cleanup notifications |
+| `UNTAGGED_THRESHOLD_MINUTES` | int | `30` | Grace period for untagged instances before deletion |
+| `EKS_SKIP_PATTERN` | string | `pe-.*` | Regex pattern for protected EKS cluster names |
+| `OPENSHIFT_CLEANUP_ENABLED` | bool | `true` | Enable OpenShift cluster cleanup |
+| `OPENSHIFT_BASE_DOMAIN` | string | `cd.percona.com` | Route53 base domain for OpenShift clusters |
+| `OPENSHIFT_MAX_RETRIES` | int | `3` | Max reconciliation attempts for resource deletion |
+
+**Runtime**: Python 3.12, 1024 MB memory, 10 minute timeout, hourly schedule
+
+## Quick Start
+
+### Prerequisites
+```bash
+brew install uv       # Python package manager
+brew install just     # Task runner
+```
+
+### Deploy
+```bash
+cd IaC/cdk/aws-resources-cleanup
+
+# Install dependencies and bootstrap CDK (first time)
+just install
+just bootstrap
+
+# Deploy in DRY_RUN mode (safe)
+just deploy
+```
+
+### Monitor
+```bash
+just logs           # Tail CloudWatch logs
+just invoke-aws     # Manual invocation
+just info           # Lambda configuration
+```
+
+## Common Commands
+
+| Command | Description |
+|---------|-------------|
+| `just deploy` | Deploy in DRY_RUN mode |
+| `just deploy-live` | Deploy in LIVE mode (⚠️ destructive!) |
+| `just logs` | Tail CloudWatch logs (follow) |
+| `just logs-recent` | Show logs from last hour |
+| `just update-code` | Fast Lambda code update (no CDK) |
+| `just update-env DRY_RUN=false` | Switch to LIVE mode |
+| `just diff` | Preview infrastructure changes |
+| `just destroy` | Remove entire stack |
+
+Run `just` to see all commands.
+
+## Cleanup Policies
+
+Policies are evaluated in priority order:
+
+1. **TTL Expiration**
+   - Tags: `creation-time` (Unix timestamp) + `delete-cluster-after-hours` (integer)
+   - Action: Terminate when TTL expires
+
+2. **Stop Policy**
+   - Tag: `stop-after-days` (integer)
+   - Action: Stop instance after specified days
+
+3. **Long Stopped**
+   - Criteria: Instance in stopped state >30 days
+   - Action: Terminate
+
+4. **Untagged**
+   - Criteria: Missing or invalid `iit-billing-tag`
+   - Action: Terminate after grace period (default: 30 minutes)
+
+**Protection**: Instances with persistent billing tags or valid timestamps are never auto-deleted.
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+"""CDK app for AWS Resources Cleanup Lambda."""
+
+import os
+import aws_cdk as cdk
+from stacks.resource_cleanup_stack import ResourceCleanupStack
+
+app = cdk.App()
+
+ResourceCleanupStack(
+    app,
+    "AWSResourcesCleanupStack",
+    description="Comprehensive AWS resource cleanup: EC2, EKS, OpenShift infrastructure",
+    env=cdk.Environment(
+        account=os.getenv('CDK_DEFAULT_ACCOUNT'),
+        region=os.getenv('CDK_DEFAULT_REGION', 'us-east-2')
+    ),
+    tags={
+        "Project": "PlatformEngineering",
+        "ManagedBy": "CDK",
+        "iit-billing-tag": "resource-cleanup"
+    }
+)
+
+app.synth()
@@ -0,0 +1,71 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__pycache__",
+      "**/*.pyc",
+      ".pytest_cache"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patternslibrary:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false
+  }
+}