defenseunicorns / uds-package-software-factory

Replaced by https://github.com/defenseunicorns/uds-software-factory
Apache License 2.0

Automatic periodic cleanup of CI AWS account #15

Open RothAndrew opened 1 year ago

RothAndrew commented 1 year ago

As a maintainer of UDS projects that needs to use an AWS account for CI, I want any orphaned resources to be periodically deleted, so that their CI runs do not run into LimitExceeded errors.

As the company that supports UDS projects that needs to use an AWS account for CI, we want any orphaned resources to be periodically deleted, so that we can avoid wasting money on unneeded and unused resources.

Acceptance Criteria:

  1. Apart from a pre-defined small list of IAM Users, Identity Provider, Roles, and Policies that enable usage of the account, all resources in UDS's Ephemeral CI AWS Account are automatically deleted at 2AM Eastern Time every day.
  2. The configuration file for performing the deletion action is stored in version control.

Notes:

RothAndrew commented 1 year ago

A likely good option here is to use GitHub Actions as the trigger. The workflow that gets run can live in the same repo that stores the Infrastructure as Code that we use to establish the persistent resources in that account:

AFAIK that repo doesn't exist yet, but we should make one and do the above resources as IaC once we get access to the UDS Ephemeral CI AWS Account. CC @Vandiver247

UncleGedd commented 1 year ago

> AFAIK that repo doesn't exist yet

I think it'll be this repo, noting that there is a PR to actually populate it (cc @zachariahmiller)

UncleGedd commented 1 year ago

This all sounds good though. Running at 0400 EST on weekdays is fine as well, noting that we're hoping to do nightly (at midnight EST) runs of our EKS CI jobs.

RothAndrew commented 1 year ago

Design for this issue is specified here: https://github.com/defenseunicorns/uds-aws-account-iac/issues/3

@UncleGedd please review. Once this design gets refined/reviewed/accepted, I will start implementation.

UncleGedd commented 1 year ago

Commenting here for posterity: deferring to @zachariahmiller on this one, thanks!

RothAndrew commented 1 year ago

Met up with @zachariahmiller and got a good way forward. Getting started on implementing this.

@Vandiver247 when do you anticipate the AWS account will be ready for us to start working in?