aws-nuke-v0.0.1

[tonerdo]

This PR contains a reimplementation of the original aws-nuke bash shell script in golang.

Changes Include:

• Complete rewrite of cli utility in golang
• Support for nuking only EC2 instances
• Unit tests

[brikis98]

Woohoo! First PR :)

Overall: the code looks great. The structure is perfect and I'm very happy to see solid docs & tests.

I went through and left lots of detailed comments :)

[brikis98]

It's probably a good idea to add two more things to this intro section:

1. Motivation: explain why aws-nuke exists and you might want to use it. E.g., you have an account you use for testing and need to clean up left over resources so AWS doesn't charge you for them.

2. Warning: big, bold text explaining that this tool is destructive, irreversibly deletes things in your account, and that you must be very careful with its use.

[brikis98]

Update name of the binary here.

[brikis98]

Could you add an MIT license to this repo? See the license section in fetch for an example.

[tonerdo]

Done!

[brikis98]

I think you can get the list of regions programmatically from this API: https://docs.aws.amazon.com/sdk-for-go/api/aws/endpoints/

[brikis98]

I'm guessing the second parameter is an error object. If so, do not ignore it. Although it's verbose, the idiomatic code style in Go is for every function (including this GetAllResources function) to return a value (e.g., []string and an error):

func GetAllResources() ([]string, error) {
  // ...
  session, err := session.NewSession(&awsgo.Config{ ... })
  if err != nil {
    return nil, errors.WithStackTrace(err)
  }
}

[brikis98]

We often run tests in parallel, and I'm afraid if some other tests happens to fire up an EC2 instance in the same account, this test will pass, even if the code isn't actually working. Consider tagging the instances you launch from the aws-nuke test and make sure the instance you find with getAllEc2Instances includes the tag you expect.

In fact, it's probably a good idea to tag ALL resources created by aws-nuke tests with "aws-nuke-test-<UNIQUE_ID>" so if aws-nuke's own tests leave resources around, we know what the cause is. We typically use this UniqueId function to generate unique IDs for all our tests.

[tonerdo]

This particular test line simply checks that the creation of an instance succeeded and the next line ensures that the instance created by the test is present in the returned list. If in the TestNukeInstances we ensure we only delete appropriately tagged instances then, I feel this line will be fine

[brikis98]

Consider the following:

1. We have two automated tests running in the same AWS account at the same time. The first test, foo, creates an EC2 instance. The second test, this one for aws-nuke, tries to create the EC2 Instance, but due to some bug in the test, fails.
2. Now you do your check, which is merely seeing that there are more than 0 instances created. The check will pass, as foo created an EC2 Instance, but it should fail, as the instance created by aws-nuke didn't actually succeed.

[tonerdo]

Ah makes sense, thanks for the clarification. I've removed this line and I now specifically check for the presence of the instance that was created

[brikis98]

error handling

[brikis98]

This won't work if other things are deploying into the same account or this test is running multiple times in parallel. See my note on tagging above.

[brikis98]

We should definitely have a big warning text in the usage description!

[brikis98]

As well as a list of what resources are currently supported

[brikis98]

Add a big, huge WARNING here. Yell at the user to tell them this is irreversible! Make the warning red (example of using colors on the CLI here).

[tonerdo]

Add a big, huge WARNING here. Yell at the user to tell them this is irreversible! Make the warning red (example of using colors on the CLI here).

The text is printed by the PromptUserForYesNo function which defaults to BRIGHT_GREEN with no way of specifying a custom color

[brikis98]

The text is printed by the PromptUserForYesNo function which defaults to BRIGHT_GREEN with no way of specifying a custom color

Sure, but you can add a separate logging statement just before that in red! This is a hugely dangerous tools, so we need to very seriously warn users. In fact, even "yes/no" might not be the right prompt here. We might want to force users to type "nuke" or something where you can't possibly do it by accident.

[tonerdo]

We might want to force users to type "nuke" or something where you can't possibly do it by accident.

Good idea!

[brikis98]

OK, almost there. Just some nitpicky code maintainability stuff to clean up 👍

[brikis98]

👍

[brikis98]

s/gruntwork_darwin_amd64/aws-nuke_darwin_amd64/

[brikis98]

Hm, that's quite a nested return value. Very hard to know what'll be in it! I had to read through all the code to figure out that it's a map of resource type -> map of region -> resource unique ID. I think.

This is a perfect opportunity to create some custom struct types with named parameters. Example:

type AwsAccountResources {
  ResourcesInRegion map[string]AwsRegionResources 
}

type AwsRegionResources struct {
  Instances []Ec2Instance
}

type Ec2Instance struct {
  InstanceId string
}

func GetAllResources() (*AwsAccountResources, error) {

}

Now I can read the function signature and types and know exactly what is being returned.

[brikis98]

Same thing here. To someone who isn't intimately familiar with the code, there's no way to guess what this map of maps should contain. See my comment above on using types to make this easier to understand.

[brikis98]

In go, you can combine these into one statement:

if err := nukeAllEc2Instances(session, resourceMaps["ec2"][region]); err != nil {

}

[brikis98]

I wonder if, due to AWS eventual consistency, this API call can fail, as the information about this instance ID has not yet propagated... You may need to call WaitUntilInstanceExists.

[tonerdo]

Done

[brikis98]

Create this variable within each test function and not out here, as multiple test functions may run in parallel, and should each have their own unique IDs.

In fact, as a general rule, avoid any sort of global state by default!

[brikis98]

This code here, plus the for-loop below, should be extracted into a method called findEC2InstancesByNameTag(name string) to make it easier to read this code.

[brikis98]

Check for an error returned by this method!

[brikis98]

I would still add a log line before this with a big red warning. It's very important to get the user's attention here.

[brikis98]

OK, one last change and we're there :)

[brikis98]

I'm not sure I like having a map with arbitrary resource strings in it. It won't be obvious to a maintainer later what kind of resources may be in the map and it's prone to typos ("EC2" vs "ec2").

I'd recommend using the type system here and having lists of specific resources types, such as EC2Instance and (in the future), ASG, ELB, etc.

[brikis98]

Ah, in fact, given your need to loop over all the resources and nuke them, it probably makes sense to do something like this:

interface AwsResources {
  Nuke(session *aws.Session) error 
}

type AwsRegionResources struct {
	RegionName         string
	Resources          []AwsResources
}

type EC2Instances struct {
  InstanceIds []string
}

// Implement the AwsResources interface
func (instance EC2Instance) Nuke(session *aws.Session) error {
    // This is what's currently in the nukeAllEc2Instances method
}

Now NukeAllResources can just loop over all the resources:

for _, region := range getAllRegions() {
  resourcesInRegion := account.Resources[region]
  for _, resources := resourcesInRegion.Resources {
    if err := resources.Nuke(session); err != nil {
      // ...
    }
  }
}

[brikis98]

LGTM. Merging! 👍