Open
28 commits
d36565a
network, iam and rds module
wavehassman Apr 9, 2026
8968156
fix RDS, add variables and outputs, add EB module
wavehassman Jun 11, 2026
ddfbc82
CI/CD
wavehassman Jun 11, 2026
ac67443
spin up, down and cleanup
wavehassman Jun 11, 2026
57a7be0
finishing touches
wavehassman Jun 12, 2026
bdca4d1
enable testing before merging
wavehassman Jun 12, 2026
b29e24c
bugs found testing
wavehassman Jun 15, 2026
db8a4b1
remove keyless
wavehassman Jun 15, 2026
3386ca8
change spin up and down to sandbox for testing
wavehassman Jun 26, 2026
ffc395c
fix cross-region snapshot copy: add kms key and permissions
wavehassman Jun 26, 2026
b8b7e7c
add full sandbox IAM permissions to github-actions user
wavehassman Jun 26, 2026
ba36f42
fix amplify: make access_token optional, trigger build via CLI
wavehassman Jun 26, 2026
cff10d2
add managed IAM policies for sandbox Terraform provisioning
wavehassman Jun 26, 2026
525a508
manual Amplify zip deploy, full IAM permissions for CI user
wavehassman Jun 26, 2026
51db25d
fix: use us-east-2 for Amplify CLI calls (app is in sandbox region)
wavehassman Jun 26, 2026
ae2c719
vite
wavehassman Jun 26, 2026
5385a06
subdomain
wavehassman Jun 26, 2026
6479619
subdomain pt2
wavehassman Jun 26, 2026
59c4f7c
fix destroy
wavehassman Jun 26, 2026
c66f3fa
change domain name
wavehassman Jul 3, 2026
c6abcb9
grant route53:ListTagsForResource to github-actions-finishline
wavehassman Jul 3, 2026
815aa35
remove redundant manual Route53 DNS step for Amplify custom domain
wavehassman Jul 3, 2026
7676731
enable HTTPS for sandbox backend to fix mixed-content login failure
wavehassman Jul 3, 2026
79d3719
grant acm:RequestCertificate and related actions to github-actions-fi…
wavehassman Jul 3, 2026
fa2b42d
grant acm:AddTagsToCertificate and RemoveTagsFromCertificate to githu…
wavehassman Jul 3, 2026
ced1a38
fix malformed backend URL causing mixed-content/cert-mismatch on login
wavehassman Jul 3, 2026
34bd975
fix CORS/JWT middleware for sandbox to use real Google auth like prod…
wavehassman Jul 3, 2026
aa076d4
build
wavehassman Jul 3, 2026
83 changes: 83 additions & 0 deletions .github/workflows/sandbox-down.yml
@@ -0,0 +1,83 @@
name: Sandbox Tear-Down

on:
pull_request:
types: [closed]
branches:
- sandbox

# Share the concurrency group with sandbox-up so they can't run simultaneously.
concurrency:
group: sandbox
cancel-in-progress: false

permissions:
contents: read

jobs:
tear-down:
runs-on: ubuntu-latest
timeout-minutes: 30
if: github.event.pull_request.merged == true

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1

- name: Check if sandbox exists
id: check
run: |
STATUS=$(aws elasticbeanstalk describe-environments \
--environment-names finishline-sandbox-env \
--region us-east-2 \
--query "Environments[0].Status" \
--output text 2>/dev/null || echo "None")

if [ "$STATUS" = "None" ] || [ "$STATUS" = "" ] || [ "$STATUS" = "Terminated" ]; then
echo "No active sandbox found, nothing to tear down."
echo "exists=false" >> "$GITHUB_OUTPUT"
else
echo "Sandbox found with status: $STATUS, proceeding with teardown."
echo "exists=true" >> "$GITHUB_OUTPUT"
fi

- name: Setup Terraform
if: steps.check.outputs.exists == 'true'
uses: hashicorp/setup-terraform@v3
with:
terraform_version: "~1.0"
terraform_wrapper: false

- name: Terraform init
if: steps.check.outputs.exists == 'true'
working-directory: infrastructure/environments/sandbox
run: terraform init

- name: Terraform destroy
if: steps.check.outputs.exists == 'true'
working-directory: infrastructure/environments/sandbox
env:
# Terraform requires all required variables to have values even for destroy.
# The actual values are irrelevant since destroy only reads state.
TF_VAR_db_master_password: "unused"
TF_VAR_session_secret: "unused"
TF_VAR_encryption_key: "unused"
TF_VAR_google_client_secret: "unused"
TF_VAR_drive_refresh_token: "unused"
TF_VAR_calendar_refresh_token: "unused"
TF_VAR_slack_bot_token: "unused"
TF_VAR_slack_token_secret: "unused"
TF_VAR_slack_signing_secret: "unused"
TF_VAR_notification_endpoint_secret: "unused"
run: terraform destroy -auto-approve

- name: Tag-based cleanup safety net
if: steps.check.outputs.exists == 'true'
run: bash infrastructure/scripts/cleanup-sandbox.sh
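Review bot: In the "Check if sandbox exists" step, `2>/dev/null || echo "None"` turns every failure of `aws elasticbeanstalk describe-environments` into "no sandbox", so a rejected credential, a missing permission or a throttled call makes the job skip the destroy and finish green while the sandbox keeps running. Let a CLI error fail the step and set `exists=false` only when the call succeeds and returns no environment or `Terminated`. The same output also gates the "Tag-based cleanup safety net" step, and because that `if:` has no status function it only runs when `terraform destroy` succeeded. The safety net is therefore skipped in the two cases it is meant for: a failed destroy, and an environment that is already terminated while other tagged resources (RDS, snapshots, certificates) are still present. Consider running the cleanup script unconditionally with `if: ${{ !cancelled() }}` and basing the existence check on Terraform state or resource tags rather than on the Elastic Beanstalk environment alone. Separately, the job authenticates with the long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets; if those stay, the destroy permissions on that user should be scoped to sandbox resources, since any workflow that can read the secrets inherits them.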