From dae73d602aec0129f6ca18cd06095c893197a113 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:48:38 -0600 Subject: [PATCH 1/7] docs: improve quickstart, add starter config --- docs/quick-start.md | 2 +- docs/starter-config.md | 123 +++++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 docs/starter-config.md diff --git a/docs/quick-start.md b/docs/quick-start.md index 506cc79d..85cae10a 100644 --- a/docs/quick-start.md +++ b/docs/quick-start.md @@ -1,6 +1,6 @@ # First Run -## First Configuration +## First Simple Configuration First you need to create a config file for *aws-nuke*. This is a minimal one: diff --git a/docs/starter-config.md b/docs/starter-config.md new file mode 100644 index 00000000..198806bf --- /dev/null +++ b/docs/starter-config.md 
@@ -0,0 +1,123 @@ +# Starter Configuration + +This is a good starting configuration for `aws-nuke`. This configuration will help you get started with the tool and +give you a good idea of what you can do with it. + +By default, many of the settings are populated. Many of the resources that are deprecated or not available are excluded. + +Additionally, there are 3 presets for common configurations of things you might want to filter (i.e. keep around). + +!!! note + You must replace the account ID with your own account ID. This is a placeholder account ID. + +!!! warning + This does not **cover** all settings, nor does it protect against resources that you might want to keep around, this + is a **starting configuration only**. + +```yaml +regions: + - global + - us-east-1 + - us-east-2 + +blocklist: + - "987654321098" # Production Account + +settings: + EC2Image: + IncludeDisabled: true + IncludeDeprecated: true + DisableDeregistrationProtection: true + EC2Instance: + DisableStopProtection: true + DisableDeletionProtection: true + RDSInstance: + DisableDeletionProtection: true + CloudFormationStack: + DisableDeletionProtection: true + DynamoDBTable: + DisableDeletionProtection: true + +resource-types: + excludes: + - S3Object # Excluded because S3 bucket removal handles removing all S3Objects + - ServiceCatalogTagOption # Excluded due to https://github.com/rebuy-de/aws-nuke/issues/515 + - ServiceCatalogTagOptionPortfolioAttachment # Excluded due to https://github.com/rebuy-de/aws-nuke/issues/515 + - FMSNotificationChannel # Excluded because it's not available + - FMSPolicy # Excluded because it's not available + - MachineLearningMLModel # Excluded due to ML being unavailable + - MachineLearningDataSource # Excluded due to ML being unavailable + - MachineLearningBranchPrediction # Excluded due to ML being unavailable + - MachineLearningEvaluation # Excluded due to ML being unavailable + - RoboMakerDeploymentJob # Deprecated Service + - RoboMakerFleet # Deprecated 
Service + - RoboMakerRobot # Deprecated Service + - RoboMakerSimulationJob + - RoboMakerRobotApplication + - RoboMakerSimulationApplication + - OpsWorksApp # Deprecated service + - OpsWorksInstance # Deprecated service + - OpsWorksLayer # Deprecated service + - OpsWorksUserProfile # Deprecated service + - OpsWorksCMBackup # Deprecated service + - OpsWorksCMServer # Deprecated service + - OpsWorksCMServerState # Deprecated service + - CodeStarProject # Deprecated service + - CodeStarConnection # Deprecated service + - CodeStarNotification # Deprecated service + - Cloud9Environment # Deprecated service + - CloudSearchDomain # Deprecated service + - RedshiftServerlessSnapshot # Deprecated service + - RedshiftServerlessNamespace # Deprecated service + - RedshiftServerlessWorkgroup # Deprecated service + +presets: + common: + filters: + BudgetsBudget: + - property: Name + value: "My Zero-Spend Budget" + + organization: + filters: + IAMSAMLProvider: + - property: ARN + type: contains + value: "AWSSSO" + IAMRole: + - property: Name + type: contains + value: "OrganizationAccountAccessRole" + IAMRolePolicyAttachment: + - property: RoleName + value: "OrganizationAccountAccessRole" + + defaults: + filters: + EC2Subnet: + - property: DefaultVPC + value: "true" + EC2DefaultSecurityGroupRule: + - property: DefaultVPC + value: "true" + EC2DHCPOption: + - property: DefaultVPC + value: "true" + EC2VPC: + - property: IsDefault + value: "true" + EC2InternetGateway: + - property: DefaultVPC + value: "true" + EC2InternetGatewayAttachment: + - property: DefaultVPC + value: "true" + +accounts: + '012345678901': + presets: + - common + - organization + - defaults + +``` \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 10dd4ad7..f7846d78 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -71,6 +71,7 @@ nav: - Install: installation.md - Authentication: auth.md - Quick Start: quick-start.md + - Starter Config: starter-config.md - Migration Guide: migration-guide.md - Features: - Overview: features/overview.md From a8da2d27d1062585467131137e91fb18f4ae1654 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:49:33 -0600 Subject: [PATCH 2/7] feat(backup-vault): fix resource name, add deprecated alias --- resources/{backup-vaults.go => backup-vault.go} | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) rename resources/{backup-vaults.go => backup-vault.go} (93%) diff --git a/resources/backup-vaults.go b/resources/backup-vault.go similarity index 93% rename from resources/backup-vaults.go rename to resources/backup-vault.go index 52b7beec..074fae87 100644 --- a/resources/backup-vaults.go +++ b/resources/backup-vault.go @@ -21,13 +21,16 @@ type BackupVault struct { tags map[string]*string } -const AWSBackupVaultResource = "AWSBackupVault" +const BackupVaultResource = "BackupVault" func init() { registry.Register(®istry.Registration{ - Name: AWSBackupVaultResource, + Name: BackupVaultResource, Scope: nuke.Account, Lister: &AWSBackupVaultLister{}, + DeprecatedAliases: []string{ + "AWSBackupVault", + }, }) } From 9499e203cc56ad668cbdb12ea90f44a56d67afb0 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:50:15 -0600 Subject: [PATCH 3/7] fix(gamelift): skip unsupported regions --- resources/gamelift-mm-config.go | 7 ++++++- resources/gamelift-mm-rule.go | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/resources/gamelift-mm-config.go b/resources/gamelift-mm-config.go index ff41001b..0d5e6b69 100644 --- a/resources/gamelift-mm-config.go +++ b/resources/gamelift-mm-config.go @@ -2,6 +2,7 @@ package resources import ( "context" + "errors" "time" "github.com/aws/aws-sdk-go/service/gamelift" 
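Review bot: The registration still reads `Lister: &AWSBackupVaultLister{}` while the constant and its value drop the `AWS` prefix, so this block now mixes `BackupVault` and `AWSBackupVault` naming; renaming the lister type to `BackupVaultLister` (its methods lie outside the hunk) would finish the rename the commit title announces. The alias literal `"AWSBackupVault"` is the removed constant's exact value, which is presumably what `DeprecatedAliases` needs to keep old configs matching, so a short comment on it would help the next reader, e.g. `// former resource name, kept so existing configs and filters still match`. The `init` body is complete within the hunk; the `BackupVault` struct above it is cut at the hunk start.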
@@ -36,7 +37,11 @@ func (l *GameLiftMatchmakingConfigurationLister) List(_ context.Context, o inter for { resp, err := svc.DescribeMatchmakingConfigurations(params) if err != nil { - return nil, err + var unsupportedRegionException *gamelift.UnsupportedRegionException + if errors.As(err, &unsupportedRegionException) { + return resources, nil + } + return resources, err } for _, config := range resp.Configurations { diff --git a/resources/gamelift-mm-rule.go b/resources/gamelift-mm-rule.go index 63abdb2d..d2ece20c 100644 --- a/resources/gamelift-mm-rule.go +++ b/resources/gamelift-mm-rule.go @@ -2,6 +2,7 @@ package resources import ( "context" + "errors" "github.com/aws/aws-sdk-go/service/gamelift" @@ -35,7 +36,11 @@ func (l *GameLiftMatchmakingRuleSetLister) List(_ context.Context, o interface{} for { resp, err := svc.DescribeMatchmakingRuleSets(params) if err != nil { - return nil, err + var unsupportedRegionException *gamelift.UnsupportedRegionException + if errors.As(err, &unsupportedRegionException) { + return resources, nil + } + return resources, err } for _, ruleSet := range resp.RuleSets { From 517efd4364092cf32f1e813712a3d3c4033c6ab9 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:50:47 -0600 Subject: [PATCH 4/7] fix(transcribe): skip unsupported regions --- resources/transcribe-call-analytics-category.go | 7 +++++++ resources/transcribe-call-analytics-job.go | 9 ++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/resources/transcribe-call-analytics-category.go b/resources/transcribe-call-analytics-category.go index 4eea717a..85fbb022 100644 --- a/resources/transcribe-call-analytics-category.go +++ b/resources/transcribe-call-analytics-category.go @@ -2,6 +2,8 @@ package resources import ( "context" + "errors" + "strings" "time" "github.com/aws/aws-sdk-go/service/transcribeservice" 
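Review bot: The fallback `return resources, err` in the new error branch of `GameLiftMatchmakingConfigurationLister.List` hands a partially filled slice back together with a non-nil error, where the removed line returned `nil, err`; a caller that appends whatever comes back would record resources from a failed page. Keep the `(T, error)` convention and make the fallback `return nil, err`, reserving `return resources, nil` for the `UnsupportedRegionException` case. The same pattern is in the `GameLiftMatchmakingRuleSetLister.List` hunk of resources/gamelift-mm-rule.go. Returning `resources, nil` makes an unsupported region indistinguishable from an empty one, so if a logger is in scope in these listers (not visible here) a debug line before that return would help when a region is silently skipped. Both `List` bodies start and end outside their hunks.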
@@ -39,6 +41,11 @@ func (l *TranscribeCallAnalyticsCategoryLister) List(_ context.Context, o interf listOutput, err := svc.ListCallAnalyticsCategories(listCallAnalyticsCategoriesInput) if err != nil { + var badRequestException *transcribeservice.BadRequestException + if errors.As(err, &badRequestException) && + strings.Contains(badRequestException.Message(), "isn't supported in this region") { + return resources, nil + } return nil, err } for _, category := range listOutput.Categories { diff --git a/resources/transcribe-call-analytics-job.go b/resources/transcribe-call-analytics-job.go index 6f4471b1..209d57a8 100644 --- a/resources/transcribe-call-analytics-job.go +++ b/resources/transcribe-call-analytics-job.go @@ -2,6 +2,8 @@ package resources import ( "context" + "errors" + "strings" "time" "github.com/aws/aws-sdk-go/aws" @@ -41,8 +43,13 @@ func (l *TranscribeCallAnalyticsJobLister) List(_ context.Context, o interface{} listOutput, err := svc.ListCallAnalyticsJobs(listCallAnalyticsJobsInput) if err != nil { - return nil, err + var badRequestException *transcribeservice.BadRequestException + if errors.As(err, &badRequestException) && + strings.Contains(badRequestException.Message(), "isn't supported in this region") { + return resources, nil + } } + for _, job := range listOutput.CallAnalyticsJobSummaries { resources = append(resources, &TranscribeCallAnalyticsJob{ svc: svc, From b1ca8df1e83a7ae944cd8dd134fa441a3c6ce4e5 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:51:16 -0600 Subject: [PATCH 5/7] refactor(quicksight-subscription): fix imports --- resources/quicksight-subscriptions.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/resources/quicksight-subscriptions.go b/resources/quicksight-subscriptions.go index a729abed..eb223b7c 100644 --- a/resources/quicksight-subscriptions.go +++ b/resources/quicksight-subscriptions.go 
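Review bot: The unsupported-region check in `TranscribeCallAnalyticsCategoryLister.List` keys on the literal `"isn't supported in this region"` in `badRequestException.Message()`, so a wording change on the service side turns a skipped region back into a hard failure, and the same substring in some other bad request would be silently swallowed. If the SDK exposes no dedicated exception type for this case, at least hoist the literal into one package-level constant shared with the job lister, e.g. `const transcribeUnsupportedRegionMsg = "isn't supported in this region"`, and consider matching case-insensitively with `strings.Contains(strings.ToLower(badRequestException.Message()), transcribeUnsupportedRegionMsg)`. The `List` body continues outside the hunk.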
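Review bot: The `return nil, err` in `TranscribeCallAnalyticsJobLister.List` was removed instead of kept as the fallback, so any error other than the unsupported-region `BadRequestException` now falls through to `for _, job := range listOutput.CallAnalyticsJobSummaries` with a nil `listOutput`, which panics on the field access and loses the original error (a throttling or access-denied response would surface as a crash rather than an error). Restore the fallback as the last statement of the `if err != nil` block, `return nil, err`, mirroring the category hunk in this same patch. The `List` body starts and ends outside the hunk.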
@@ -7,11 +7,13 @@ import ( "github.com/aws/aws-sdk-go/service/quicksight" "github.com/aws/aws-sdk-go/service/quicksight/quicksightiface" - "github.com/ekristen/aws-nuke/v3/pkg/nuke" + "github.com/ekristen/libnuke/pkg/registry" "github.com/ekristen/libnuke/pkg/resource" libsettings "github.com/ekristen/libnuke/pkg/settings" "github.com/ekristen/libnuke/pkg/types" + + "github.com/ekristen/aws-nuke/v3/pkg/nuke" ) const QuickSightSubscriptionResource = "QuickSightSubscription" From f8d72ce999120d46465b4f05c752539c0e19c7c1 Mon Sep 17 00:00:00 2001 From: Erik Kristensen Date: Tue, 1 Oct 2024 19:51:43 -0600 Subject: [PATCH 6/7] fix(quicksight-user): skip unsupported regions --- resources/quicksight-user.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/resources/quicksight-user.go b/resources/quicksight-user.go index 2022044b..f059dc36 100644 --- a/resources/quicksight-user.go +++ b/resources/quicksight-user.go @@ -2,11 +2,13 @@ package resources import ( "context" + "errors" "github.com/gotidy/ptr" "github.com/aws/aws-sdk-go/service/quicksight" "github.com/aws/aws-sdk-go/service/quicksight/quicksightiface" + "github.com/ekristen/libnuke/pkg/registry" "github.com/ekristen/libnuke/pkg/resource" "github.com/ekristen/libnuke/pkg/types" @@ -60,7 +62,11 @@ func (l *QuickSightUserLister) List(_ context.Context, o interface{}) ([]resourc return !lastPage }) if err != nil { - return nil, err + var notFoundException *quicksight.ResourceNotFoundException + if !errors.As(err, ¬FoundException) { + return nil, err + } + return resources, nil } return resources, nil From 41a33907e30426500e4872ed2c44ddda95e9cf36 Mon Sep 17 00:00:00 2001 
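Review bot: The new branch in `QuickSightUserLister.List` ends in `return resources, nil` and is immediately followed by the pre-existing `return resources, nil`, so the success path is written twice; inverting the check is enough, `if !errors.As(err, &notFoundException) { return nil, err }`, and the existing return handles the rest. The commit title says "skip unsupported regions", but the condition swallows every `ResourceNotFoundException`, which, as far as this hunk shows, may also be what the service returns when the account simply has no QuickSight subscription or the lookup is otherwise wrong; if the error carries a message, matching on it (as the transcribe patch in this series does) or logging at debug level before returning would keep a genuine not-found from vanishing silently. The `List` body starts outside the hunk.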
From: Erik Kristensen Date: Tue, 1 Oct 2024 19:52:38 -0600 Subject: [PATCH 7/7] feat(ec2-default-security-group-rule): add missing property for DefaultVPC --- ...ecurity-group-rules.go => ec2-default-security-group-rule.go} | 1 + 1 file changed, 1 insertion(+) rename resources/{ec2-default-security-group-rules.go => ec2-default-security-group-rule.go} (98%) diff --git a/resources/ec2-default-security-group-rules.go b/resources/ec2-default-security-group-rule.go similarity index 98% rename from resources/ec2-default-security-group-rules.go rename to resources/ec2-default-security-group-rule.go index f72d2645..8c162998 100644 --- a/resources/ec2-default-security-group-rules.go +++ b/resources/ec2-default-security-group-rule.go @@ -120,6 +120,7 @@ func (r *EC2DefaultSecurityGroupRule) Remove(_ context.Context) error { func (r *EC2DefaultSecurityGroupRule) Properties() types.Properties { properties := types.NewProperties() properties.Set("SecurityGroupId", r.groupID) + properties.Set("DefaultVPC", true) return properties }
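Review bot: `properties.Set("DefaultVPC", true)` marks every rule this resource emits as belonging to the default VPC unconditionally, which is only correct if the lister (outside this hunk) enumerates default-VPC security group rules exclusively; if it ever lists rules elsewhere, the `defaults` preset in docs/starter-config.md, which filters `EC2DefaultSecurityGroupRule` on `DefaultVPC: "true"`, would keep rules it should remove. A one-line comment would make that dependency visible, e.g. `// constant by design: this lister is expected to cover only default-VPC security groups (verify against the lister before relying on it)`. The value is a Go bool while the starter config compares against the string `"true"`; whether `types.Properties.Set` stringifies a bool that way cannot be confirmed from this hunk, so worth checking that the filter actually matches. `Properties` is complete within the hunk.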