gruntwork-io · yorinasub17 · Aug 24, 2021 · Jul 13, 2021 · Jul 14, 2021 · Jul 14, 2021
@@ -8,6 +8,7 @@ The currently supported functionality includes:
 
 ## AWS
 
+- Deleting all ACM Private CA in an AWS account
 - Deleting all Auto scaling groups in an AWS account
 - Deleting all Elastic Load Balancers (Classic and V2) in an AWS account
 - Deleting all Transit Gateways in an AWS account
@@ -156,6 +157,9 @@ The following resources support the Config file:
 - IAM Access Analyzers
     - Resource type: `accessanalyzer`
     - Config key: `AccessAnalyzer`
+- ACM Private CAs
+    - Resource type: `acmpca`
+    - Config key: `ACMPCA`
 
 
 #### Example
@@ -248,6 +252,7 @@ To find out what we options are supported in the config file today, consult this
 | secretsmanager     | none  | ✅          | none | none       |
 | nat-gateway        | none  | ✅          | none | none       |
 | accessanalyzer     | none  | ✅          | none | none       |
+| acmpca             | none  | ✅          | none | none       |
 | ec2 instance       | none  | none        | none | none       |
 | iam role           | none  | none        | none | none       |
 | ... (more to come) | none  | none        | none | none       |
@@ -335,6 +340,13 @@ cd aws
 go test -v -run TestListAMIs
 ```
 
+Use env-vars to opt-in to special tests, which are expensive to run:
+
+```bash
+# Run acmpca tests
+TEST_ACMPCA_EXPENSIVE_ENABLE=1 go test -v ./...
+```
+
 ### Formatting
 
 Every source file in this project should be formatted with `go fmt`.

@@ -0,0 +1,120 @@
+package aws
+
+import (
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/acmpca"
+	"github.com/gruntwork-io/cloud-nuke/config"
+	"github.com/gruntwork-io/cloud-nuke/logging"
+	"github.com/gruntwork-io/go-commons/errors"
+	"github.com/hashicorp/go-multierror"
+)
+
+// getAllACMPCA returns a list of all arns of ACMPCA, which can be deleted.
+func getAllACMPCA(session *session.Session, region string, excludeAfter time.Time, configObj config.Config) ([]*string, error) {
+	svc := acmpca.New(session)
+	var arns []*string
+	if paginationErr := svc.ListCertificateAuthoritiesPages(&acmpca.ListCertificateAuthoritiesInput{}, func(p *acmpca.ListCertificateAuthoritiesOutput, lastPage bool) bool {
+		for _, ca := range p.CertificateAuthorities {
+			if shouldIncludeACMPCA(ca, excludeAfter, configObj) {
+				arns = append(arns, ca.Arn)
+			}
+		}
+		return !lastPage
+	}); paginationErr != nil {
+		return nil, errors.WithStackTrace(paginationErr)
+	}
+	return arns, nil
+}
+
+func shouldIncludeACMPCA(ca *acmpca.CertificateAuthority, excludeAfter time.Time, configObj config.Config) bool {
+	if ca == nil {
+		return false
+	}
+
+	// one can only delete CAs if they are 'ACTIVE' or 'DISABLED'
+	statusSafe := aws.StringValue(ca.Status)
+	isCandidateForDeletion := statusSafe == acmpca.CertificateAuthorityStatusActive || statusSafe == acmpca.CertificateAuthorityStatusDisabled
+	if !isCandidateForDeletion {
+		return false
+	}
+
+	// reference time for excludeAfter is lastStateChangeAt time,
+	// unless it was never changed and createAt time is used.
+	var referenceTime time.Time
+	if ca.LastStateChangeAt == nil {
+		referenceTime = aws.TimeValue(ca.CreatedAt)
+	} else {
+		referenceTime = aws.TimeValue(ca.LastStateChangeAt)
+	}
+	if excludeAfter.Before(referenceTime) {
+		return false
+	}
+
+	return config.ShouldInclude(
+		aws.StringValue(ca.Arn),
+		configObj.ACMPCA.IncludeRule.NamesRegExp,
+		configObj.ACMPCA.ExcludeRule.NamesRegExp,
+	)
+}
+
+// nukeAllACMPCA will delete all ACMPCA, which are given by a list of arns.
+func nukeAllACMPCA(session *session.Session, arns []*string) error {
+	if len(arns) == 0 {
+		logging.Logger.Infof("No ACMPCA to nuke in region %s", *session.Config.Region)
+		return nil
+	}
+	svc := acmpca.New(session)
+
+	logging.Logger.Infof("Deleting all ACMPCA in region %s", *session.Config.Region)
+	// There is no bulk delete acmpca API, so we delete the batch of ARNs concurrently using go routines.
+	wg := new(sync.WaitGroup)
+	wg.Add(len(arns))
+	errChans := make([]chan error, len(arns))
+	for i, arn := range arns {
+		errChans[i] = make(chan error, 1)
+		go deleteACMPCAASync(wg, errChans[i], svc, arn, aws.StringValue(session.Config.Region))
+	}
+	wg.Wait()
+
+	// Collect all the errors from the async delete calls into a single error struct.
+	var allErrs *multierror.Error
+	for _, errChan := range errChans {
+		if err := <-errChan; err != nil {
+			allErrs = multierror.Append(allErrs, err)
+			logging.Logger.Errorf("[Failed] %s", err)
+		}
+	}
+	return errors.WithStackTrace(allErrs.ErrorOrNil())
+}
+
+// deleteACMPCAASync deletes the provided ACMPCA arn. Intended to be run in a goroutine, using wait groups
+// and a return channel for errors.
+func deleteACMPCAASync(wg *sync.WaitGroup, errChan chan error, svc *acmpca.ACMPCA, arn *string, region string) {
+	defer wg.Done()
+
+	logging.Logger.Infof("Setting status to 'DISABLED' for ACMPCA %s in region %s", *arn, region)
+	if _, updateStatusErr := svc.UpdateCertificateAuthority(&acmpca.UpdateCertificateAuthorityInput{
+		CertificateAuthorityArn: arn,
+		Status:                  aws.String(acmpca.CertificateAuthorityStatusDisabled),
+	}); updateStatusErr != nil {
+		errChan <- updateStatusErr
+		return
+	}
+	logging.Logger.Infof("Did set status to 'DISABLED' for ACMPCA: %s in region %s", *arn, region)
+
+	if _, deleteErr := svc.DeleteCertificateAuthority(&acmpca.DeleteCertificateAuthorityInput{
+		CertificateAuthorityArn: arn,
+		// the range is 7 to 30 days.
+		// since cloud-nuke should not be used in production,
+		// we assume that the minimum (7 days) is fine.
+		PermanentDeletionTimeInDays: aws.Int64(7),
+	}); deleteErr != nil {
+		errChan <- deleteErr
+		return
+	}
+	logging.Logger.Infof("Deleted ACMPCA: %s", *arn)
+}
@@ -0,0 +1,126 @@
+package aws
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	awsgo "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/acmpca"
+	"github.com/gruntwork-io/cloud-nuke/config"
+	"github.com/gruntwork-io/cloud-nuke/util"
+	"github.com/gruntwork-io/go-commons/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+// enableACMPCAExpensiveEnv is used to control whether to run
+// the following test or not. The idea is that the test are disabled
+// per default and one has to opt-in to enable the test as creating
+// and destroying a ACM PCA is expensive.
+// Upper bound, worst case: $400 / month per single CA create/delete.
+const enableACMPCAExpensiveEnv = "TEST_ACMPCA_EXPENSIVE_ENABLE"
+
+// runOrSkip decides whether to run or skip the test depending
+// whether the env-var `TEST_ACMPCA_EXPENSIVE_ENABLE` is set or not.
+func runOrSkip(t *testing.T) {
+	if _, isSet := os.LookupEnv(enableACMPCAExpensiveEnv); !isSet {
+		t.Skipf("Skipping the integration test for acmpca. Set the env-var '%s' to enable this expensive test.", enableACMPCAExpensiveEnv)
+	}
+}
+
+// createTestACMPCA will create am ACMPCA and return its ARN.
+func createTestACMPCA(t *testing.T, session *session.Session, name string) *string {
+	// As an additional safety guard, we are adding another check here
+	// to decide whether to run the test or not.
+	runOrSkip(t)
+
+	svc := acmpca.New(session)
+	ca, err := svc.CreateCertificateAuthority(&acmpca.CreateCertificateAuthorityInput{
+		CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityConfiguration{
+			KeyAlgorithm:     awsgo.String(acmpca.KeyAlgorithmRsa2048),
+			SigningAlgorithm: awsgo.String(acmpca.SigningAlgorithmSha256withrsa),
+			Subject: &acmpca.ASN1Subject{
+				CommonName: awsgo.String(name),
+			},
+		},
+		CertificateAuthorityType: awsgo.String("ROOT"),
+		Tags: []*acmpca.Tag{
+			{
+				Key:   awsgo.String("Name"),
+				Value: awsgo.String(name),
+			},
+		},
+	})
+	if err != nil {
+		assert.Failf(t, "Could not create ACMPCA", errors.WithStackTrace(err).Error())
+	}
+	return ca.CertificateAuthorityArn
+}
+
+func TestListACMPCA(t *testing.T) {
+	runOrSkip(t)
+	t.Parallel()
+
+	region, err := getRandomRegion()
+	if err != nil {
+		assert.Fail(t, errors.WithStackTrace(err).Error())
+	}
+	session, err := session.NewSession(&awsgo.Config{
+		Region: awsgo.String(region)},
+	)
+
+	if err != nil {
+		assert.Fail(t, errors.WithStackTrace(err).Error())
+	}
+
+	uniqueTestID := "cloud-nuke-test-" + util.UniqueID()
+	arn := createTestACMPCA(t, session, uniqueTestID)
+	// clean up after this test
+	defer nukeAllACMPCA(session, []*string{arn})
+
+	newARNs, err := getAllACMPCA(session, region, time.Now().Add(1*time.Hour*-1), config.Config{})
+	if err != nil {
+		assert.Fail(t, "Unable to fetch list of ACMPCA arns")
+	}
+	assert.NotContains(t, awsgo.StringValueSlice(newARNs), awsgo.StringValue(arn))
+
+	allARNs, err := getAllACMPCA(session, region, time.Now().Add(1*time.Hour), config.Config{})
+	if err != nil {
+		assert.Fail(t, "Unable to fetch list of ACMPCA arns")
+	}
+
+	assert.Contains(t, awsgo.StringValueSlice(allARNs), awsgo.StringValue(arn))
+}
+
+func TestNukeACMPCA(t *testing.T) {
+	runOrSkip(t)
+	t.Parallel()
+
+	region, err := getRandomRegion()
+	if err != nil {
+		assert.Fail(t, errors.WithStackTrace(err).Error())
+	}
+
+	session, err := session.NewSession(&awsgo.Config{
+		Region: awsgo.String(region)},
+	)
+
+	if err != nil {
+		assert.Fail(t, errors.WithStackTrace(err).Error())
+	}
+
+	uniqueTestID := "cloud-nuke-test-" + util.UniqueID()
+	arn := createTestACMPCA(t, session, uniqueTestID)
+
+	if err := nukeAllACMPCA(session, []*string{arn}); err != nil {
+		assert.Fail(t, errors.WithStackTrace(err).Error())
+	}
+
+	arns, err := getAllACMPCA(session, region, time.Now().Add(1*time.Hour), config.Config{})
+	if err != nil {
+		assert.Fail(t, "Unable to fetch list of ACMPCA arns")
+	}
+
+	assert.NotContains(t, awsgo.StringValueSlice(arns), awsgo.StringValue(arn))
+}
@@ -0,0 +1,36 @@
+package aws
+
+import (
+	awsgo "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/gruntwork-io/go-commons/errors"
+)
+
+// ACMPA - represents all ACMPA
+type ACMPCA struct {
+	ARNs []string
+}
+
+// ResourceName - the simple name of the aws resource
+func (ca ACMPCA) ResourceName() string {
+	return "acmpca"
+}
+
+// ResourceIdentifiers - The volume ids of the ebs volumes
+func (ca ACMPCA) ResourceIdentifiers() []string {
+	return ca.ARNs
+}
+
+func (ca ACMPCA) MaxBatchSize() int {
+	// Tentative batch size to ensure AWS doesn't throttle
+	return 10
+}
+
+// Nuke - nuke 'em all!!!
+func (ca ACMPCA) Nuke(session *session.Session, arns []string) error {
+	if err := nukeAllACMPCA(session, awsgo.StringSlice(arns)); err != nil {
+		return errors.WithStackTrace(err)
+	}
+
+	return nil
+}
@@ -220,6 +220,20 @@ func GetAllResources(targetRegions []string, excludeAfter time.Time, resourceTyp
 		// The order in which resources are nuked is important
 		// because of dependencies between resources
 
+		// ACMPCA arns
+		acmpca := ACMPCA{}
+		if IsNukeable(acmpca.ResourceName(), resourceTypes) {
+			arns, err := getAllACMPCA(session, region, excludeAfter, configObj)
+			if err != nil {
+				return nil, errors.WithStackTrace(err)
+			}
+			if len(arns) > 0 {
+				acmpca.ARNs = awsgo.StringValueSlice(arns)
+				resourcesInRegion.Resources = append(resourcesInRegion.Resources, acmpca)
+			}
+		}
+		// End ACMPCA arns
+
 		// ASG Names
 		asGroups := ASGroups{}
 		if IsNukeable(asGroups.ResourceName(), resourceTypes) {
@@ -634,6 +648,7 @@ func GetAllResources(targetRegions []string, excludeAfter time.Time, resourceTyp
 // ListResourceTypes - Returns list of resources which can be passed to --resource-type
 func ListResourceTypes() []string {
 	resourceTypes := []string{
+		ACMPCA{}.ResourceName(),
 		ASGroups{}.ResourceName(),
 		LaunchConfigs{}.ResourceName(),
 		LoadBalancers{}.ResourceName(),

diff --git a/config/config.go b/config/config.go
@@ -15,6 +15,7 @@ type Config struct {
 	SecretsManagerSecrets ResourceType `yaml:"SecretsManager"`
 	NatGateway            ResourceType `yaml:"NatGateway"`
 	AccessAnalyzer        ResourceType `yaml:"AccessAnalyzer"`
+	ACMPCA                ResourceType `yaml:"ACMPCA"`
 }
 
 type ResourceType struct {