Added AMI cleanup tool

[fheinecke]

This PR adds a tool to cleanup old dev tag AMIs. Last time this was ran manually it reduced our annual AWS spend by about $400k.

This PR is the first one for this repo that conforms to RFD 1. As such, a lot of the changes are repo-wide tooling needed to meet these requirements. These features will make it much easier to add future projects to this repo.

The following features have been added:

• The original Python script that @reedloden has been rewritten in Go.
• Wrote unit tests covering most of the program's logic.
• Wrote tooling to build multi-arch binaries, tarballs, and container images. See buddy PR Added CI/CD pipelines for AMI cleanup tool #239.
• Wrote PR and publishing workflows. See buddy PR Added CI/CD pipelines for AMI cleanup tool #239.
• Added a GitHub Action (not workflow) to use this tool via GHA.
• Setup and configured Renovate to manage this project only. See buddy PR Added Renovate config for AMI cleanup tool #237.

Post merge, the following work needs to be done:

• The GHA environment for this repo needs to be configured for Renovate.
• The action needs to be used somewhere (probably teleport.e) to actually prune images.

The tool has been tested locally on one of the dev accounts, but the rest of this (GHA workflows, project-specific Renovate configuration) have not been. I expect that there are some problems here that I won't be able to fix until the PR lands and they actually run.

Updates gravitational/teleport.e#3187

[wadells]

My big question:

Did you run earthly by @camscale, @tcsc and @r0mant?

From what I've read of it, I'm partial to the tool for isolation and reproducibility -- not to mention "better than the 1980s Makefile syntax". However it is a notable new tool that isn't in our toolchain yet.

Other feedback:

• I might avoid adding "ami" to the name of this tool. I think it is likely we'll see cleanup workflows expand to other artifact types. Knowing how things go, there is a good chance that e.g. S3 or ECR cleanup could get added to this tool.
• Including renovate in the same PR is a lot. I might recommend we include it in a separate PR. It looks like it is mostly for Earthfiles currently, but it'd be good to discuss the long term goal for renovate vs dependabot in this repo, and I'm not sure we want to sidtrack the cleanup script discussion with that.

[fheinecke]

Did you run earthly by @camscale, @tcsc and @r0mant?

I talked with @r0mant about it briefly during our 1x1 last week. While using it here specifically was not discussed, I figured it would be a good starting place to evaluate the tool. If we don't like it, then only ~150 lines of code are lost (not a huge deal IMO).

I personally think there are some huge benefits to using it over our more traditional makefile/dockerfile/shell script/etc. spagetti. I can go into more details here if desired, but I put this item as a proposed quarterly goal for our team which should cover discussing the merits and flaws of the solution.

I might avoid adding "ami" to the name of this tool. I think it is likely we'll see cleanup workflows expand to other artifact types. Knowing how things go, there is a good chance that e.g. S3 or ECR cleanup could get added to this tool.

I thought about this, and I was even thinking about adding public ECR cleanup (ECR lifecycles not supported here) next. However I thought that it might be better to pull common code out into a lib and build a different tool, instead of adding ECR support to this one. Personally I am a fan of the "every tool does one specific job" Unix philosophy (paraphrasing).

What do you think?

Including renovate in the same PR is a lot. I might recommend we include it in a separate PR. It looks like it is mostly for Earthfiles currently, but it'd be good to discuss the long term goal for renovate vs dependabot in this repo, and I'm not sure we want to sidtrack the cleanup script discussion with that.

I thought about this pretty heavily, and I'm still not sure which way is better. On one hand:

• All the code (workflow) and 90% of the config is already written/tested/in use, as it was copy/pasted from cloud-terraform
• Renovate is basically useless if there is no tool/dependencies to run it against
• It's a little easier for me to manage/merge one PR in this repo rather than several (PRs here usually sit open for quite a while)
• It's needed for this tool per the RFD

On the other hand, separating it out in another PR would:

• Allow for a more dependency management specific discussion about these changes
• Make this PR a little easier to review

Do you (or other reviewers) have a strong preference one way of another?

[camscale]

Do you (or other reviewers) have a strong preference one way of another?

Anything you can do to break up a +2,500 line PR is appreciated. If the renovate stuff is essentially independent of the functionality of the tool to clean up the AMIs, then I suggest splitting it out. Layering PRs to build up from a small essential kernel and adding new orthogonal concerns is much easier to review than all in one big bang. At first blush, the bullet point list at the top of the PR description listing the features looks like they could almost be separate PRs too. It may mean adding stuff that does not initially conform to the RFD, but as long as you are heading there I think that's fine.

[zmb3]

internal is not a very good package name - it doesn't say anything about what the code in the package does.

https://go.dev/blog/package-names

Good package names make code better. A package’s name provides context for its contents, making it easier for clients to understand what the package is for and how to use it. The name also helps package maintainers determine what does and does not belong in the package as it evolves. Well-named packages make it easier to find the code you need.

[fheinecke]

This decision was based on the Go standard project layout here, which states that for smaller projects extra structure is not required, and that this code can live under a package named internal. One of the examples provided in the standard uses this naming scheme.

Do you want me to change this? If so, how do you want me to structure the project?

[zmb3]

Yeah, I remember when that repo was published there was a whole buzz about it because it is not in any way a "Go standard project layout." This is random internet people who slapped the term "standard" on their project.

I'd be much more inclined to adopt the device in the official Go blog (linked above).

In any case, the point of internal packages is that they reside in the subtree of a directory named internal, not that the package itself is necessarily named internal. This prevents them from being imported outside of the module but still gives you the opportunity to select a package name that better describes its contents.

[zmb3]

Why mix int32 and int here? Do you actually care about the width of an integer here?

[fheinecke]

I don't, but the AWS API uses int32 for this value. Using int32 keeps the type consistent. Additionally, if I were to switch to int via something like int(<aws API call int32 value>), then the value could overflow on 32 bit systems if AWS ever changes the type to int64 (which would not cause a compilation error and would be unlikely to be manually caught).

[zmb3]

Do we need a 3rd party dependency for this? Can time.Parse do this for you?

[fheinecke]

Strictly speaking, yes. time does not fully support iso8601, just a subset. According to the docs the returned value is an iso8601 timestamp string.

[r0mant]

Should we continue if we failed to cleanup one image instead of returning on first failure?

[fheinecke]

I think so - if one fails for whatever reason, then it is highly likely that the remaining will fail. The most common failures include invalid AWS credentials, API rate limits, bugs resulting in invalid queries.

[r0mant]

Personally I would just allow the tool to accept regions as a CLI argument for simplicity and avoided an extra API call but no strong opinion.

[fheinecke]

IMO this is a better approach because:

• If we start publishing images to additional regions (such as when AWS adds additional regions) then we don't have to remember to update some cleanup list somewhere.
• Moving this upwards to a CLI parameter means more shell code (granted this is very little). I'm trying to move as much as reasonably possible via a testable, rather than add additional shell code.

[r0mant]

Functions with side effects like this that modify the passed in argument are usually an anti-pattern, can we avoid doing that? E.g. just have a helper method that returns a client for a specified region.

[fheinecke]

Passing the struct by value does create a new copy of the config. See https://go.dev/play/p/yS0-otWZ4KA as an example. The original cfg value that is passed upon call to cleanupRegion is not modified.

[r0mant]

Why are we checking for !ai.shouldDoDryRun here?

[fheinecke]

The AWS API will return a "dry run error" upon success, which needs special handling to ignore.

[fheinecke]

@r0mant and @zmb3 I addressed your review comments. I plan on changing everything I did not comment on, but how I change them may depend on the outcome of your responses to my comments. Please take another look when you get a chance.

[zmb3]

Thanks for the updates. This is looking a lot more like an idiomatic Go project now! 😄

[zmb3]

This doesn't seem necessary anymore.

[zmb3]

Remove this?

[zmb3]

Suggested change

	name: Cleanup old AMI images
	name: Clean up old AMI images

[zmb3]

Suggested change

	// TODO move this under /libs at some point, however it is nowhere near
	// large enough to justify separate module today
	package cleanup
	package cleanup

In addition to not being necessary, this will also make sure godoc doesn't interpret your TODO as package documentation.

[zmb3]

Suggested change

// region Account API

In addition to not being common in Go code, this comment will be interpreted as godoc.

[zmb3]

Suggested change

	func (ai ApplicationInstance) cleanupRegion(ctx context.Context, cfg aws.Config, regionName string) (int32, int, error) {
	func (ai *ApplicationInstance) cleanupRegion(ctx context.Context, cfg aws.Config, regionName string) (int32, int, error) {

It's a bit odd to have a mix of pointer and non-pointer receivers on the same type.

[zmb3]

Suggested change

	// If the image is less than a month old, don't do anything
	// don't delete newer images

This comment won't go out of date if we change maxImageKeepAge

[zmb3]

Personally, I'd make sure to set checkError in all test cases above and then do away with this if. Less conditionals are easier to reason about and it makes your test cases more explicit.

[zmb3]

Suggested change

	// Setup the application instance
	// Set up the application instance

[zmb3]

Suggested change

	allResults := make([]string, 0)
	allResults := make([]string, 0, len(actionSuppliedResults))