
Commit

merge main
corybekk committed Nov 6, 2024
2 parents 0bb6a0a + 1ba4abc commit d43ed42
Showing 3 changed files with 73 additions and 406 deletions.
41 changes: 18 additions & 23 deletions Dockerfile
@@ -1,29 +1,24 @@
FROM golang:1.21-alpine as builder

RUN apk add --no-cache git make curl openssl

# Configure Go
ENV GOPATH=/go PATH=/go/bin:$PATH CGO_ENABLED=0 GO111MODULE=on
RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin

WORKDIR /src

COPY go.mod .
COPY go.sum .
RUN go mod download

COPY . .

RUN set -x \
&& make build \
&& cp /src/dist/aws-nuke /usr/local/bin/

FROM alpine:latest
# syntax=docker/dockerfile:1.10-labs
FROM alpine:3.20.3 as base
RUN apk add --no-cache ca-certificates
RUN adduser -D aws-nuke

COPY --from=builder /usr/local/bin/* /usr/local/bin/
FROM ghcr.io/acorn-io/images-mirror/golang:1.21 AS build
COPY / /src
WORKDIR /src
ENV CGO_ENABLED=0
RUN \
--mount=type=cache,target=/go/pkg \
--mount=type=cache,target=/root/.cache/go-build \
go build -ldflags '-s -w -extldflags="-static"' -o bin/aws-nuke main.go

RUN adduser -D aws-nuke
FROM base AS goreleaser
ENTRYPOINT ["/usr/local/bin/aws-nuke"]
COPY aws-nuke /usr/local/bin/aws-nuke
USER aws-nuke

FROM base
ENTRYPOINT ["/usr/local/bin/aws-nuke"]
COPY --from=build --chmod=755 /src/bin/aws-nuke /usr/local/bin/aws-nuke
RUN chmod +x /usr/local/bin/aws-nuke
USER aws-nuke
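Review bot: the build stage at `FROM ghcr.io/acorn-io/images-mirror/golang:1.21 AS build` pulls a third-party mirror image by a floating tag with no digest, while the runtime base in the same hunk is pinned to `alpine:3.20.3`; pin the build image the same way (`golang:1.21@sha256:<digest>`, digest to be filled in) or at least to a patch-level tag, so the toolchain that produces `/src/bin/aws-nuke` is reproducible. Two smaller points: `COPY / /src` now copies the whole build context (including `.git` and anything not excluded by `.dockerignore`) where the old stage copied `go.mod` and `go.sum` before the tree, so confirm a `.dockerignore` exists; and `# syntax=docker/dockerfile:1.10-labs` is only needed for labs-channel features, while `RUN --mount=type=cache` and `COPY --chmod=755` used here are both in the stable syntax, so `docker/dockerfile:1` would do and drops the dependency on the labs frontend image.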
321 changes: 0 additions & 321 deletions README.md
Expand Up @@ -88,324 +88,3 @@ You can contribute to *aws-nuke* by forking this repository, making your changes
this repository. If you are unsure how to solve a problem or have other questions about a contributions, please create
a GitHub issue.

## Version 3

Version 3 is a rewrite of this tool using [libnuke](https://github.com/ekristen/libnuke) with a focus on improving a number of the outstanding things
that I couldn't get done with the original project without separating out the core code into a library. See Goals
below for more.

### Changes

- The root command will result in help now on v3, the primary nuke command moved to `nuke`. **Breaking**
- CloudFormation Stacks now support a hold and wait for parent deletion process. **Quasi-Breaking**
- Nested CloudFormation Stacks are now eligible for deletion and no longer omitted. **Quasi-Breaking**
- The entire resource lister format has changed and requires a struct.
- Context is passed throughout the entire library now, including the listing function and the removal function.
- This is in preparation for supporting AWS SDK Go v2

### Goals

- Adding additional tests
- Adding additional resources
- Adding documentation for adding resources and using the tool
- Consider adding DAG for dependencies between resource types and individual resources
- This will improve the process of deleting resources that have dependencies on other resources and reduce
errors and unnecessary API calls.

## Documentation

The project is built to have the documentation right alongside the code in the `docs/` directory leveraging
[Material for Mkdocs](https://squidfunk.github.io/mkdocs-material/)

In the root of the project exists mkdocs.yml which drives the configuration for the documentation.

This README.md is currently copied to `docs/index.md` and the documentation is automatically published to the GitHub
pages location for this repository using a GitHub Action workflow. It does not use the `gh-pages` branch.


## Use Cases

- We are testing our [Terraform](https://www.terraform.io/) code with Jenkins. Sometimes a Terraform run fails during development and
messes up the account. With *aws-nuke* we can simply clean up the failed account, so it can be reused for the next
build.
- Our platform developers have their own AWS Accounts where they can create their own Kubernetes clusters for testing
purposes. With *aws-nuke* it is very easy to clean up these account at the end of the day and keep the costs low.


### Feature Flags

There are some features, which are quite opinionated. To make those work for
everyone, *aws-nuke* has flags to manually enable those features. These can be
configured on the root-level of the config, like this:

```yaml
---
feature-flags:
disable-deletion-protection:
RDSInstance: true
EC2Instance: true
CloudformationStack: true
force-delete-lightsail-addons: true
```
### Filtering Resources
It is possible to filter this is important for not deleting the current user
for example or for resources like S3 Buckets which have a globally shared
namespace and might be hard to recreate. Currently the filtering is based on
the resource identifier. The identifier will be printed as the first step of
*aws-nuke* (eg `i-01b489457a60298dd` for an EC2 instance).

**Note: Even with filters you should not run aws-nuke on any AWS account, where
you cannot afford to lose all resources. It is easy to make mistakes in the
filter configuration. Also, since aws-nuke is in continous development, there
is always a possibility to introduce new bugs, no matter how careful we review
new code.**

The filters are part of the account-specific configuration and are grouped by
resource types. This is an example of a config that deletes all resources but
the `admin` user with its access permissions and two access keys:

```yaml
---
regions:
- global
- eu-west-1
account-blocklist:
- 1234567890
accounts:
0987654321:
filters:
IAMUser:
- "admin"
IAMUserPolicyAttachment:
- "admin -> AdministratorAccess"
IAMUserAccessKey:
- "admin -> AKSDAFRETERSDF"
- "admin -> AFGDSGRTEWSFEY"
```

Any resource whose resource identifier exactly matches any of the filters in
the list will be skipped. These will be marked as "filtered by config" on the
*aws-nuke* run.

#### Filter Properties

Some resources support filtering via properties. When a resource support these
properties, they will be listed in the output like in this example:

```log
global - IAMUserPolicyAttachment - 'admin -> AdministratorAccess' - [RoleName: "admin", PolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess", PolicyName: "AdministratorAccess"] - would remove
```

To use properties, it is required to specify a object with `properties` and
`value` instead of the plain string.

These types can be used to simplify the configuration. For example, it is
possible to protect all access keys of a single user:

```yaml
IAMUserAccessKey:
- property: UserName
value: "admin"
```

#### Filter Types

There are also additional comparision types than an exact match:

- `exact` – The identifier must exactly match the given string. This is the default.
- `contains` – The identifier must contain the given string.
- `glob` – The identifier must match against the given [glob
pattern](https://en.wikipedia.org/wiki/Glob_(programming)). This means the
string might contains wildcards like `*` and `?`. Note that globbing is
designed for file paths, so the wildcards do not match the directory
separator (`/`). Details about the glob pattern can be found in the [library
documentation](https://godoc.org/github.com/mb0/glob).
- `regex` – The identifier must match against the given regular expression.
Details about the syntax can be found in the [library
documentation](https://golang.org/pkg/regexp/syntax/).
- `dateOlderThan` - The identifier is parsed as a timestamp. After the offset is added
to it (specified in the `value` field), the resulting timestamp must be AFTER the
current time. Details on offset syntax can be found in the [library documentation](https://golang.org/pkg/time/#ParseDuration).
Supported date formats are epoch time, `2006-01-02`, `2006/01/02`, `2006-01-02T15:04:05Z`,
`2006-01-02T15:04:05.999999999Z07:00`, and `2006-01-02T15:04:05Z07:00`.

To use a non-default comparision type, it is required to specify an object with
`type` and `value` instead of the plain string.

These types can be used to simplify the configuration. For example, it is
possible to protect all access keys of a single user by using `glob`:

```yaml
IAMUserAccessKey:
- type: glob
value: "admin -> *"
```

#### Using Them Together

It is also possible to use Filter Properties and Filter Types together. For
example to protect all Hosted Zone of a specific TLD:

```yaml
Route53HostedZone:
- property: Name
type: glob
value: "*.rebuy.cloud."
```

#### Inverting Filter Results

Any filter result can be inverted by using `invert: true`, for example:

```yaml
CloudFormationStack:
- property: Name
value: "foo"
invert: true
```

In this case *any* CloudFormationStack ***but*** the ones called "foo" will be
filtered. Be aware that *aws-nuke* internally takes every resource and applies
every filter on it. If a filter matches, it marks the node as filtered.

#### Filter Presets

It might be the case that some filters are the same across multiple accounts.
This especially could happen, if provisioning tools like Terraform are used or
if IAM resources follow the same pattern.

For this case *aws-nuke* supports presets of filters, that can applied on
multiple accounts. A configuration could look like this:

```yaml
---
regions:
- "global"
- "eu-west-1"
account-blocklist:
- 1234567890
accounts:
555421337:
presets:
- "common"
555133742:
presets:
- "common"
- "terraform"
555134237:
presets:
- "common"
- "terraform"
filters:
EC2KeyPair:
- "notebook"
presets:
terraform:
filters:
S3Bucket:
- type: glob
value: "my-statebucket-*"
DynamoDBTable:
- "terraform-lock"
common:
filters:
IAMRole:
- "OrganizationAccountAccessRole"
```

## Install

### For macOS
`brew install aws-nuke`

### Use Released Binaries

The easiest way of installing it, is to download the latest
[release](https://github.com/ekristen/aws-nuke/releases) from GitHub.

#### Example for Linux Intel/AMD

Download and extract
`$ wget -c https://github.com/rebuy-de/aws-nuke/releases/download/v2.25.0/aws-nuke-v2.25.0-linux-amd64.tar.gz -O - | tar -xz -C $HOME/bin`

Run
`$ aws-nuke-v2.25.0-linux-amd64`

### Compile from Source

To compile *aws-nuke* from source you need a working
[Golang](https://golang.org/doc/install) development environment.

*aws-nuke* uses go modules and so the clone path should no matter.

The easiest way to compile is by using [goreleaser](https://goreleaser.io)

```bash
goreleaser --rm-dist --snapshot --single-target
```

**Note:** this will automatically build for your current architecture and place the result
in the releases directory.

You may also use `make` to compile the binary, this was left over from before the fork.

Also you need to install [golint](https://github.com/golang/lint/) and [GNU
Make](https://www.gnu.org/software/make/).

Then you just need to run `make build` to compile a binary into the project
directory or `make install` go install *aws-nuke* into `$GOPATH/bin`. With
`make xc` you can cross compile *aws-nuke* for other platforms.

### Docker

You can run *aws-nuke* with Docker by using a command like this:

```bash
$ docker run \
--rm -it \
-v /full-path/to/nuke-config.yml:/home/aws-nuke/config.yml \
-v /home/user/.aws:/home/aws-nuke/.aws \
quay.io/rebuy/aws-nuke:v2.25.0 \
--profile default \
--config /home/aws-nuke/config.yml
```

To make it work, you need to adjust the paths for the AWS config and the
*aws-nuke* config.

Also you need to specify the correct AWS profile. Instead of mounting the AWS
directory, you can use the `--access-key-id` and `--secret-access-key` flags.

Make sure you use the latest version in the image tag. Alternatiely you can use
`main` for the latest development version, but be aware that this is more
likely to break at any time.

## Testing

### Unit Tests

To unit test *aws-nuke*, some tests require [gomock](https://github.com/golang/mock) to run.
This will run via `go generate ./...`, but is automatically run via `make test`.
To run the unit tests:

```bash
make test
```

## Contact Channels

For now GitHub issues, may open a Slack or Discord if warranted.

## Contribute

You can contribute to *aws-nuke* by forking this repository, making your
changes and creating a Pull Request against our repository. If you are unsure
how to solve a problem or have other questions about a contributions, please
create a GitHub issue.
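Review bot: this hunk deletes the whole Filtering Resources section, including the `account-blocklist` example and the note that aws-nuke must not be run on an account where losing every resource is unacceptable, together with the Install, Docker and Testing sections, without leaving a pointer to where that content now lives; after line 88 only the Contribute paragraph remains. The deleted Documentation section stated that this README is copied to `docs/index.md` and published to GitHub Pages, so unless `docs/` carries the filter, preset and feature-flag documentation separately, the published index loses it as well; a one-line link to the published docs (or the relevant `docs/` pages) in what remains of the README would close that gap. Dropping the stale `rebuy-de` release URLs, the `quay.io/rebuy/aws-nuke:v2.25.0` image reference and the `goreleaser --rm-dist` invocation is reasonable, but the commit message `merge main` gives no indication that the trim was intentional, so a short note on where the content moved would help reviewers.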

0 comments on commit d43ed42