fix: reorder cleanup — linked accounts before StackSet deletion

ngjinshan · ngjinshan · commit 4490ce967fdd · 2026-04-16T14:38:08.000+08:00
Move linked account resource cleanup before management account StackSet
deletion so stack instances are removed before attempting to delete the
StackSet. Replace fragile inline bash (sleep 5) with delete_stackset.py
which properly waits for instance deletion to complete.
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -83,57 +83,7 @@ jobs:
           done
         continue-on-error: true
 
-      # ── Management account (StackSets live here) ──────────────────────────
-
-      - name: Assume role — management account
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_MGMT_ACCOUNT_ID }}:role/GitHubActionsE2ERole
-          aws-region: ap-northeast-2
-        continue-on-error: true
-
-      - name: Delete tagged resources — management account
-        working-directory: .github/scripts
-        run: |
-          python3 teardown.py \
-            --all \
-            --tag-value migTEST0000001 \
-            --regions ap-northeast-2,us-east-1,us-west-2
-        continue-on-error: true
-
-      - name: Delete stale StackSets — management account
-        run: |
-          for ss in $(aws cloudformation list-stack-sets \
-              --status ACTIVE \
-              --query 'Summaries[?starts_with(StackSetName, `map-auto-tagger-e2e-pr`)].StackSetName' \
-              --output text \
-              --region ap-northeast-2 2>/dev/null); do
-            echo "Removing all instances from StackSet: $ss"
-            # Delete all stack instances first (required before deleting the StackSet)
-            aws cloudformation delete-stack-instances \
-              --stack-set-name "$ss" \
-              --regions ap-northeast-2 \
-              --no-retain-stacks \
-              --deployment-targets 'OrganizationalUnitIds=[]' \
-              --region ap-northeast-2 2>/dev/null || \
-            aws cloudformation delete-stack-instances \
-              --stack-set-name "$ss" \
-              --accounts \
-                "${{ secrets.AWS_LINKED1_ACCOUNT_ID }}" \
-                "${{ secrets.AWS_LINKED2_ACCOUNT_ID }}" \
-                "${{ secrets.AWS_LINKED3_ACCOUNT_ID }}" \
-                "${{ secrets.AWS_LINKED4_ACCOUNT_ID }}" \
-                "${{ secrets.AWS_LINKED5_ACCOUNT_ID }}" \
-              --regions ap-northeast-2 \
-              --no-retain-stacks \
-              --region ap-northeast-2 2>/dev/null || true
-            sleep 5
-            echo "Deleting StackSet: $ss"
-            aws cloudformation delete-stack-set --stack-set-name "$ss" --region ap-northeast-2 || true
-          done
-        continue-on-error: true
-
-      # ── Linked account 1 ──────────────────────────────────────────────────
+      # ── Linked accounts (clean these BEFORE deleting StackSets) ───────────
 
       - name: Assume role — linked account 1
         uses: aws-actions/configure-aws-credentials@v4
@@ -151,8 +101,6 @@ jobs:
             --regions ap-northeast-2,us-east-1,us-west-2
         continue-on-error: true
 
-      # ── Linked account 2 ──────────────────────────────────────────────────
-
       - name: Assume role — linked account 2
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -169,8 +117,6 @@ jobs:
             --regions ap-northeast-2,us-east-1,us-west-2
         continue-on-error: true
 
-      # ── Linked account 3 ──────────────────────────────────────────────────
-
       - name: Assume role — linked account 3
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -187,8 +133,6 @@ jobs:
             --regions ap-northeast-2,us-east-1,us-west-2
         continue-on-error: true
 
-      # ── Linked account 4 ──────────────────────────────────────────────────
-
       - name: Assume role — linked account 4
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -205,8 +149,6 @@ jobs:
             --regions ap-northeast-2,us-east-1,us-west-2
         continue-on-error: true
 
-      # ── Linked account 5 ──────────────────────────────────────────────────
-
       - name: Assume role — linked account 5
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -222,3 +164,37 @@ jobs:
             --tag-value migTEST0000001 \
             --regions ap-northeast-2,us-east-1,us-west-2
         continue-on-error: true
+
+      # ── Management account (StackSets — delete AFTER linked accounts) ─────
+
+      - name: Assume role — management account
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_MGMT_ACCOUNT_ID }}:role/GitHubActionsE2ERole
+          aws-region: ap-northeast-2
+        continue-on-error: true
+
+      - name: Delete tagged resources — management account
+        working-directory: .github/scripts
+        run: |
+          python3 teardown.py \
+            --all \
+            --tag-value migTEST0000001 \
+            --regions ap-northeast-2,us-east-1,us-west-2
+        continue-on-error: true
+
+      - name: Delete stale StackSets — management account
+        working-directory: .github/scripts
+        run: |
+          for ss in $(aws cloudformation list-stack-sets \
+              --status ACTIVE \
+              --query 'Summaries[?starts_with(StackSetName, `map-auto-tagger-e2e-pr`)].StackSetName' \
+              --output text \
+              --region ap-northeast-2 2>/dev/null); do
+            echo "Deleting StackSet: $ss"
+            python3 delete_stackset.py \
+              --name "$ss" \
+              --accounts "${{ secrets.AWS_LINKED1_ACCOUNT_ID }},${{ secrets.AWS_LINKED2_ACCOUNT_ID }},${{ secrets.AWS_LINKED3_ACCOUNT_ID }},${{ secrets.AWS_LINKED4_ACCOUNT_ID }},${{ secrets.AWS_LINKED5_ACCOUNT_ID }}" \
+              --region ap-northeast-2 || true
+          done
+        continue-on-error: true
