feature: cloud-nuke-after tag to protect the resources (#741)

Co-authored-by: James Kwon <[email protected]>

README.md

@@ -341,6 +341,11 @@ cloud-nuke aws --resource-type s3 --timeout 10m
 ```
 This will attempt to nuke the specified resources within a 10-minute timeframe.
 
+
+### Protect Resources with `cloud-nuke-after` Tag
+By tagging resources with `cloud-nuke-after` and specifying a future date in ISO 8601 format (e.g., 2024-07-09T00:00:00Z), you can ensure that these resources are protected from accidental or premature deletion until the specified date. This method helps to keep important resources intact until their designated expiration date.
+
+
 ### Using cloud-nuke as a library
 
 You can import cloud-nuke into other projects and use it as a library for programmatically inspecting and counting

aws/aws.go

@@ -30,6 +30,9 @@ func GetAllResources(c context.Context, query *Query, configObj config.Config) (
 	// This function only sets the objects that have the `DefaultOnly` field, currently VPC, Subnet, and Security Group.
 	configObj.AddEC2DefaultOnly(query.DefaultOnly)
 
+	// This will protect dated resources by nuking them until the specified date has passed
+	configObj.AddProtectUntilExpireFlag(query.ProtectUntilExpire)
+
 	account := AwsAccountResources{
 		Resources: make(map[string]AwsResources),
 	}

aws/query.go

@@ -16,6 +16,7 @@ type Query struct {
 	Timeout              *time.Duration
 	ExcludeFirstSeen     bool
 	DefaultOnly          bool
+	ProtectUntilExpire   bool
 }
 
 // NewQuery configures and returns a Query struct that can be passed into the InspectResources method
@@ -35,6 +36,7 @@ func NewQuery(regions, excludeRegions, resourceTypes, excludeResourceTypes []str
 		Timeout:              timeout,
 		DefaultOnly:          defaultOnly,
 		ExcludeFirstSeen:     excludeFirstSeen,
+		ProtectUntilExpire:   false,
 	}
 
 	validationErr := q.Validate()

commands/cli.go

@@ -252,6 +252,9 @@ func awsNuke(c *cli.Context) error {
 		return errors.WithStackTrace(err)
 	}
 
+	// Enable date checking for protecting the resources
+	// Note: This should only be enabled with AWS-Nuke, and it will not be enabled with force.
+	query.ProtectUntilExpire = !c.Bool("force")
 	return awsNukeHelper(c, configObj, query)
 }
 

config/config.go

@@ -8,10 +8,16 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gruntwork-io/cloud-nuke/logging"
 	"gopkg.in/yaml.v2"
 )
 
-const DefaultAwsResourceExclusionTagKey = "cloud-nuke-excluded"
+const (
+	DefaultAwsResourceExclusionTagKey = "cloud-nuke-excluded"
+	CloudNukeAfterExclusionTagKey     = "cloud-nuke-after"
+	CloudNukeAfterTimeFormat          = time.RFC3339
+	CloudNukeAfterTimeFormatLegacy    = time.DateTime
+)
 
 // Config - the config object we pass around
 type Config struct {
@@ -183,6 +189,30 @@ func (c *Config) addDefautlOnly(flag bool) {
 	}
 }
 
+func (c *Config) addBoolFlag(flag bool, fieldName string) {
+	// Do nothing if the flag filter is false, by default it will be false
+	if flag == false {
+		return
+	}
+
+	v := reflect.ValueOf(c).Elem()
+	for i := 0; i < v.NumField(); i++ {
+		field := v.Field(i)
+		if field.Kind() != reflect.Struct {
+			continue
+		}
+
+		defaultOnlyField := field.FieldByName(fieldName)
+		// IsValid reports whether v represents a value.
+		// It returns false if v is the zero Value.
+		// If IsValid returns false, all other methods except String panic.
+		if defaultOnlyField.IsValid() {
+			defaultOnlyVal := defaultOnlyField.Addr().Interface().(*bool)
+			*defaultOnlyVal = flag
+		}
+	}
+}
+
 func (c *Config) AddIncludeAfterTime(includeAfter *time.Time) {
 	// include after filter has been applied to all resources via `newer-than` flag, we are
 	// setting this rule across all resource types.
@@ -204,7 +234,12 @@ func (c *Config) AddTimeout(timeout *time.Duration) {
 func (c *Config) AddEC2DefaultOnly(flag bool) {
 	// The flag filter has been applied to all resources via the default-only flag.
 	// We are now setting this rule across all resource types that have a field named `DefaultOnly`.
-	c.addDefautlOnly(flag)
+	c.addBoolFlag(flag, "DefaultOnly")
+}
+
+func (c *Config) AddProtectUntilExpireFlag(flag bool) {
+	// We are now setting this rule across all resource types that have a field named `ProtectUntilExpire`.
+	c.addBoolFlag(flag, "ProtectUntilExpire")
 }
 
 type KMSCustomerKeyResourceType struct {
@@ -217,9 +252,10 @@ type EC2ResourceType struct {
 }
 
 type ResourceType struct {
-	IncludeRule FilterRule `yaml:"include"`
-	ExcludeRule FilterRule `yaml:"exclude"`
-	Timeout     string     `yaml:"timeout"`
+	IncludeRule        FilterRule `yaml:"include"`
+	ExcludeRule        FilterRule `yaml:"exclude"`
+	Timeout            string     `yaml:"timeout"`
+	ProtectUntilExpire bool       `yaml:"protect_until_expire"`
 }
 
 type FilterRule struct {
@@ -327,6 +363,20 @@ func (r ResourceType) getExclusionTag() string {
 	return DefaultAwsResourceExclusionTagKey
 }
 
+func ParseTimestamp(timestamp string) (*time.Time, error) {
+	parsed, err := time.Parse(CloudNukeAfterTimeFormat, timestamp)
+	if err != nil {
+		logging.Debugf("Error parsing the timestamp into a `%v` Time format. Trying parsing the timestamp using the legacy `time.DateTime` format.", CloudNukeAfterTimeFormat)
+		parsed, err = time.Parse(CloudNukeAfterTimeFormatLegacy, timestamp)
+		if err != nil {
+			logging.Debugf("Error parsing the timestamp into legacy `time.DateTime` Time format")
+			return nil, err
+		}
+	}
+
+	return &parsed, nil
+}
+
 func (r ResourceType) ShouldIncludeBasedOnTag(tags map[string]string) bool {
 	// Handle exclude rule first
 	exclusionTag := r.getExclusionTag()
@@ -336,6 +386,18 @@ func (r ResourceType) ShouldIncludeBasedOnTag(tags map[string]string) bool {
 		}
 	}
 
+	if r.ProtectUntilExpire {
+		// Check if the tags contain "cloud-nuke-after" and if the date is before today.
+		if value, ok := tags[CloudNukeAfterExclusionTagKey]; ok {
+			nukeDate, err := ParseTimestamp(value)
+			if err == nil {
+				if !nukeDate.Before(time.Now()) {
+					logging.Debugf("[Skip] the resource is protected until %v", nukeDate)
+					return false
+				}
+			}
+		}
+	}
 	return true
 }