Skip to content

Commit

Permalink
fix: no name tag resources are listing for nuke with include filter
Browse files Browse the repository at this point in the history
  • Loading branch information
james03160927 committed Aug 8, 2024
1 parent 6c07bd2 commit 1abf414
Show file tree
Hide file tree
Showing 8 changed files with 22 additions and 46 deletions.
2 changes: 0 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,6 @@ Cloud-nuke suppports 🔎 inspecting and 🔥💀 deleting the following AWS res
| EC2 | Endpoint |
| EC2 | Security Group |
| EC2 | Network Interface |
| EC2 | Placement Group |
| Certificate Manager | ACM Private CA |
| Direct Connect | Transit Gateways |
| Elasticache | Clusters |
Expand Down Expand Up @@ -578,7 +577,6 @@ of the file that are supported are listed here.
| ec2-ipam-pool | EC2IPAMPool | ✅ (IPAM Pool name) | ✅ (Creation Time) | ✅ | ✅ |
| ec2-ipam-resource-discovery | EC2IPAMResourceDiscovery | ✅ (IPAM Discovery Name) | ✅ (Creation Time) | ✅ | ✅ |
| ec2-ipam-scope | EC2IPAMScope | ✅ (IPAM Scope Name) | ✅ (Creation Time) | ✅ | ✅ |
| ec2-placement-groups | EC2PlacementGroups | ✅ (Placement Group Name) | ✅ (First Seen Tag Time) | ✅ | ✅ |
| ec2-subnet | EC2Subnet | ✅ (Subnet Name) | ✅ (Creation Time) | ✅ | ❌ |
| ec2-endpoint | EC2Endpoint | ✅ (Endpoint Name) | ✅ (Creation Time) | ✅ | ✅ |
| ecr | ECRRepository | ✅ (Repository Name) | ✅ (Creation Time) | ❌ | ✅ |
Expand Down
1 change: 0 additions & 1 deletion aws/resource_registry.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,6 @@ func getRegisteredRegionalResources() []AwsResource {
&resources.EC2Instances{},
&resources.EC2DedicatedHosts{},
&resources.EC2KeyPairs{},
&resources.EC2PlacementGroups{},
&resources.TransitGateways{},
&resources.TransitGatewaysRouteTables{},
// Note: nuking transitgateway vpc attachement before nuking the vpc since vpc could be associated with it.
Expand Down
2 changes: 1 addition & 1 deletion aws/resources/kms_customer_key.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ func (kck *KmsCustomerKeys) shouldInclude(
includedByName := false
// verify if key aliases matches configurations
for _, alias := range aliases {
if config.ShouldInclude(alias, configObj.KMSCustomerKeys.IncludeRule.NamesRegExp,
if config.ShouldInclude(&alias, configObj.KMSCustomerKeys.IncludeRule.NamesRegExp,
configObj.KMSCustomerKeys.ExcludeRule.NamesRegExp) {
includedByName = true
}
Expand Down
2 changes: 1 addition & 1 deletion aws/resources/sns.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ func shouldIncludeSNS(topicArn string, excludeAfter, firstSeenTime time.Time, co
return false
}

return config.ShouldInclude(topicName, configObj.SNS.IncludeRule.NamesRegExp, configObj.SNS.ExcludeRule.NamesRegExp)
return config.ShouldInclude(&topicName, configObj.SNS.IncludeRule.NamesRegExp, configObj.SNS.ExcludeRule.NamesRegExp)
}

func (s *SNSTopic) nukeAll(identifiers []*string) error {
Expand Down
18 changes: 2 additions & 16 deletions aws/resources/transit_gateway.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@ import (

const (
TransitGatewayAttachmentTypePeering = "peering"
TransitGatewayAttachmentTypeVPC = "vpc"
TransitGatewayAttachmentTypeConnect = "connect"
)

// [Note 1] : NOTE on the Apporach used:-Using the `dry run` approach on verifying the nuking permission in case of a scoped IAM role.
Expand Down Expand Up @@ -121,31 +119,19 @@ func (tgw *TransitGateways) nukeAttachments(id *string) error {
switch attachmentType {
case TransitGatewayAttachmentTypePeering:
logging.Debugf("[Execution] deleting the attachments of type %v for %v ", attachmentType, awsgo.StringValue(id))
// Delete the Transit Gateway Peering Attachment
_, err = tgw.Client.DeleteTransitGatewayPeeringAttachmentWithContext(tgw.Context, &ec2.DeleteTransitGatewayPeeringAttachmentInput{
TransitGatewayAttachmentId: attachments.TransitGatewayAttachmentId,
})
case TransitGatewayAttachmentTypeVPC:
logging.Debugf("[Execution] deleting the attachments of type %v for %v ", attachmentType, awsgo.StringValue(id))
// Delete the Transit Gateway VPC Attachment
_, err = tgw.Client.DeleteTransitGatewayVpcAttachmentWithContext(tgw.Context, &ec2.DeleteTransitGatewayVpcAttachmentInput{
TransitGatewayAttachmentId: attachments.TransitGatewayAttachmentId,
})
case TransitGatewayAttachmentTypeConnect:
logging.Debugf("[Execution] deleting the attachments of type %v for %v ", attachmentType, awsgo.StringValue(id))
// Delete the Transit Gateway Connect Attachment
_, err = tgw.Client.DeleteTransitGatewayConnectWithContext(tgw.Context, &ec2.DeleteTransitGatewayConnectInput{
TransitGatewayAttachmentId: attachments.TransitGatewayAttachmentId,
})
default:
err = fmt.Errorf("%v typed transit gateway attachment nuking not handled", attachmentType)
}
if err != nil {
logging.Errorf("[Failed] unable to delete the transit gateway peernig attachment for %v : %s", awsgo.StringValue(id), err)
return err
}

if err := tgw.WaitUntilTransitGatewayAttachmentDeleted(id, attachmentType); err != nil {
logging.Errorf("[Failed] unable to wait until nuking the transit gateway attachment with type %v for %v : %s", attachmentType,awsgo.StringValue(id), err)
logging.Errorf("[Failed] unable to wait until nuking the transit gateway attachment with type %v for %v : %s", attachmentType, awsgo.StringValue(id), err)
return errors.WithStackTrace(err)
}

Expand Down
11 changes: 0 additions & 11 deletions aws/resources/transit_gateway_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,6 @@ type mockedTransitGateway struct {
DeleteTransitGatewayOutput ec2.DeleteTransitGatewayOutput
DescribeTransitGatewayAttachmentsOutput ec2.DescribeTransitGatewayAttachmentsOutput
DeleteTransitGatewayPeeringAttachmentOutput ec2.DeleteTransitGatewayPeeringAttachmentOutput
DeleteTransitGatewayVpcAttachmentOutput ec2.DeleteTransitGatewayVpcAttachmentOutput
DeleteVpnConnectionOutput ec2.DeleteVpnConnectionOutput
DeleteTransitGatewayConnectOutput ec2.DeleteTransitGatewayConnectOutput

}

func (m mockedTransitGateway) DescribeTransitGatewaysWithContext(_ awsgo.Context, _ *ec2.DescribeTransitGatewaysInput, _ ...request.Option) (*ec2.DescribeTransitGatewaysOutput, error) {
Expand All @@ -41,13 +37,6 @@ func (m mockedTransitGateway) DescribeTransitGatewayAttachmentsWithContext(awsgo
func (m mockedTransitGateway) DeleteTransitGatewayPeeringAttachmentWithContext(aws.Context, *ec2.DeleteTransitGatewayPeeringAttachmentInput, ...request.Option) (*ec2.DeleteTransitGatewayPeeringAttachmentOutput, error) {
return &m.DeleteTransitGatewayPeeringAttachmentOutput, nil
}
func (m mockedTransitGateway) DeleteTransitGatewayVpcAttachmentWithContext(_ awsgo.Context, _ *ec2.DeleteTransitGatewayVpcAttachmentInput, _ ...request.Option) (*ec2.DeleteTransitGatewayVpcAttachmentOutput, error) {
return &m.DeleteTransitGatewayVpcAttachmentOutput, nil
}

func (m mockedTransitGateway) DeleteTransitGatewayConnectWithContext(_ awsgo.Context, _ *ec2.DeleteTransitGatewayConnectInput, _ ...request.Option) (*ec2.DeleteTransitGatewayConnectOutput, error) {
return &m.DeleteTransitGatewayConnectOutput, nil
}
func (m mockedTransitGateway) WaitUntilTransitGatewayAttachmentDeleted(*string, string) error {
return nil
}
Expand Down
15 changes: 10 additions & 5 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,6 @@ type Config struct {
EC2IPAMResourceDiscovery ResourceType `yaml:"EC2IPAMResourceDiscovery"`
EC2IPAMScope ResourceType `yaml:"EC2IPAMScope"`
EC2Endpoint ResourceType `yaml:"EC2Endpoint"`
EC2PlacementGroups ResourceType `yaml:"EC2PlacementGroups"`
EC2Subnet EC2ResourceType `yaml:"EC2Subnet"`
EgressOnlyInternetGateway ResourceType `yaml:"EgressOnlyInternetGateway"`
ECRRepository ResourceType `yaml:"ECRRepository"`
Expand Down Expand Up @@ -320,19 +319,25 @@ func matches(name string, regexps []Expression) bool {
}

// ShouldInclude - Checks if a resource's Name should be included according to the inclusion and exclusion rules
func ShouldInclude(name string, includeREs []Expression, excludeREs []Expression) bool {
func ShouldInclude(name *string, includeREs []Expression, excludeREs []Expression) bool {
var resourceName string
if name != nil {
resourceName = *name
}


if len(includeREs) == 0 && len(excludeREs) == 0 {
// If no rules are defined, should always include
return true
} else if matches(name, excludeREs) {
} else if matches(resourceName, excludeREs) {
// If a rule that exclude matches, should not include
return false
} else if len(includeREs) == 0 {
// Given the 'Name' is not in the 'exclude' list, should include if there is no 'include' list
return true
} else {
// Given there is a 'include' list, and 'Name' is there, should include
return matches(name, includeREs)
return matches(resourceName, includeREs)
}
}

Expand Down Expand Up @@ -403,7 +408,7 @@ func (r ResourceType) ShouldIncludeBasedOnTag(tags map[string]string) bool {
}

func (r ResourceType) ShouldInclude(value ResourceValue) bool {
if value.Name != nil && !ShouldInclude(*value.Name, r.IncludeRule.NamesRegExp, r.ExcludeRule.NamesRegExp) {
if !ShouldInclude(value.Name, r.IncludeRule.NamesRegExp, r.ExcludeRule.NamesRegExp) {
return false
} else if value.Time != nil && !r.ShouldIncludeBasedOnTime(*value.Time) {
return false
Expand Down
17 changes: 8 additions & 9 deletions config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ func emptyConfig() *Config {
EC2IPAMResourceDiscovery: ResourceType{FilterRule{}, FilterRule{}, "",false},
EC2IPAMScope: ResourceType{FilterRule{}, FilterRule{}, "",false},
EC2Endpoint: ResourceType{FilterRule{}, FilterRule{}, "",false},
EC2PlacementGroups: ResourceType{FilterRule{}, FilterRule{}, "",false},
EC2Subnet: EC2ResourceType{false, ResourceType{FilterRule{}, FilterRule{}, "",false}},
EgressOnlyInternetGateway: ResourceType{FilterRule{}, FilterRule{}, "",false},
ECRRepository: ResourceType{FilterRule{}, FilterRule{}, "",false},
Expand Down Expand Up @@ -161,7 +160,7 @@ func TestShouldInclude_AllowWhenEmpty(t *testing.T) {
var includeREs []Expression
var excludeREs []Expression

assert.True(t, ShouldInclude("test-open-vpn", includeREs, excludeREs),
assert.True(t, ShouldInclude(aws.String("test-open-vpn"), includeREs, excludeREs),
"Should include when both lists are empty")
}

Expand All @@ -172,9 +171,9 @@ func TestShouldInclude_ExcludeWhenMatches(t *testing.T) {
require.NoError(t, err)
excludeREs := []Expression{{RE: *exclude}}

assert.False(t, ShouldInclude("test-openvpn-123", includeREs, excludeREs),
assert.False(t, ShouldInclude(aws.String("test-openvpn-123"), includeREs, excludeREs),
"Should not include when matches from the 'exclude' list")
assert.True(t, ShouldInclude("tf-state-bucket", includeREs, excludeREs),
assert.True(t, ShouldInclude(aws.String("tf-state-bucket"), includeREs, excludeREs),
"Should include when doesn't matches from the 'exclude' list")
}

Expand All @@ -185,9 +184,9 @@ func TestShouldInclude_IncludeWhenMatches(t *testing.T) {

var excludeREs []Expression

assert.True(t, ShouldInclude("test-openvpn-123", includeREs, excludeREs),
assert.True(t, ShouldInclude(aws.String("test-openvpn-123"), includeREs, excludeREs),
"Should include when matches the 'include' list")
assert.False(t, ShouldInclude("test-vpc-123", includeREs, excludeREs),
assert.False(t, ShouldInclude(aws.String("test-vpc-123"), includeREs, excludeREs),
"Should not include when doesn't matches the 'include' list")
}

Expand All @@ -200,11 +199,11 @@ func TestShouldInclude_WhenMatchesIncludeAndExclude(t *testing.T) {
require.NoError(t, err)
excludeREs := []Expression{{RE: *exclude}}

assert.True(t, ShouldInclude("test-eks-cluster-123", includeREs, excludeREs),
assert.True(t, ShouldInclude(aws.String("test-eks-cluster-123"), includeREs, excludeREs),
"Should include when matches the 'include' list but not matches the 'exclude' list")
assert.False(t, ShouldInclude("test-openvpn-123", includeREs, excludeREs),
assert.False(t, ShouldInclude(aws.String("test-openvpn-123"), includeREs, excludeREs),
"Should not include when matches 'exclude' list")
assert.False(t, ShouldInclude("terraform-tf-state", includeREs, excludeREs),
assert.False(t, ShouldInclude(aws.String("terraform-tf-state"), includeREs, excludeREs),
"Should not include when doesn't matches 'include' list")
}

Expand Down

0 comments on commit 1abf414

Please sign in to comment.