aws · movence · Jan 8, 2026 · Jan 8, 2026
@@ -309,3 +309,25 @@ jobs:
           set -e
           go run ./clean_security_group/clean_security_group.go || { echo "Failed to clean security groups"; exit 1; }
 
+  clean-ssm-documents:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
+          aws-region: us-west-2
+
+      - name: Clean Old Test SSM Documents and Parameters
+        working-directory: tool/clean
+        run: |
+          set -e
+          echo "Cleaning test SSM documents and parameters in us-west-2"
+          go run ./clean_ssm_documents/clean_ssm_documents.go --dry-run=false || { echo "Failed to clean SSM documents in us-west-2"; exit 1; }
+
@@ -0,0 +1,43 @@
+# SSM Documents and Parameters Cleanup Tool
+
+This tool cleans up test SSM documents and parameters that may be left behind from CloudWatch Agent testing.
+
+## What it cleans
+
+### SSM Documents
+- Documents with prefixes:
+  - `Test-AmazonCloudWatch-ManageAgent-` (used by ssm_document tests)
+
+### SSM Parameters
+- Parameters with exact names:
+  - `agentConfig1` (used by ssm_document tests)
+  - `agentConfig2` (used by ssm_document tests)
+
+**Note**: These patterns have been verified to only match test resources and will not affect production SSM documents or parameters.
+
+## Usage
+
+```bash
+# Dry run (default) - shows what would be deleted without actually deleting
+go run ./clean_ssm_documents.go
+
+# Actually delete resources
+go run ./clean_ssm_documents.go --dry-run=false
+
+# Enable verbose logging to see all API calls
+go run ./clean_ssm_documents.go --verbose
+
+# Combine flags
+go run ./clean_ssm_documents.go --dry-run=false --verbose
+```
+
+## Configuration
+
+The tool is configured to:
+- Clean resources older than 1 day
+- Use 10 concurrent workers for processing
+- Run in dry-run mode by default for safety
+
+## Integration
+
+This tool is integrated into the GitHub Actions workflow `clean-aws-resources.yml` and runs daily across multiple AWS regions to clean up test resources automatically.