Add ACM Support #466

Merged
merged 15 commits into from
Jun 30, 2023

Contributor

@robpickerill robpickerill commented May 30, 2023

Description

Fixes #445.

Adds support for nuking AWS Certificate Manager Certificates.

TODOs

  • Read the Gruntwork contribution guidelines.
  • Update the docs.
  • Run the relevant tests successfully, including pre-commit checks.
  • Ensure any 3rd party code adheres to our license policy, or delete this line if it's not applicable.
  • Include release notes. If this PR is backward incompatible, include a migration guide.
  • Attention Grunts - if this PR adds support for a new resource, ensure the nuke_sandbox and nuke_phxdevops jobs in .circleci/config.yml have been updated with appropriate exclusions (either directly in the job or via the .circleci/nuke_config.yml file) to prevent nuking IAM roles, groups, resources, etc. that are important for the test accounts.

Release Notes (draft)

Added ACM support

Migration Guide

Contributor Author

robpickerill commented May 30, 2023

First PR, so feedback is welcome. I wasn't sure how to add tests here, it looks like you create resources in your test accounts then delete them - did you want to wire up a test domain here for the validation for certificates, or I can refactor the code that discovers the certificates to allow for us to mock the ACM API response via an interface, passing in ListCertificatesOutput that we create.

Contributor Author

robpickerill commented May 31, 2023

> mock the ACM API response

I opted to mock the ACM API via the httptest package, passing the URL to the session struct that is then passed into the Cloud Nuke ACM functions.

I figured if you wanted to wire in a certification and domain validation then it could be tested behind a flag as certs can be slow to provision and validate. I also didn't have permission to set up any certifications or domain validation, so did what I could here.

Please let me know what you think.

ellisonc commented Jun 1, 2023

@robpickerill This is looking great, thanks for putting this together. I think the approach you took to testing makes sense given the limitations, we will likely set something up on our internal testing accounts eventually. I think the only thing missing is adding a new line to config/config_test.go to allow the tests to build correctly. You'll see a bunch of rows like this: ResourceType{FilterRule{}, FilterRule{}}, and just need to add another one to the end to make the counts match up.

Once that's fixed I'll kick off the tests and get this merged in!

@robpickerill
Contributor Author

Thanks @ellisonc - let me patch up the config tests shortly then you can run it through CI

@robpickerill changed the title from "[WIP] add ACM" to "Add ACM Support" Jun 1, 2023
Contributor Author

robpickerill commented Jun 1, 2023

Tests failed due to: TooManyRequestsException: Too Many Requests in the APIGateway test suite. I can push an empty git commit to restart the test job if you want that.


Edit: still the same so I dropped the commit to keep history clean, I'll look into the session creation later, maybe we can increase the exponential backoff on the retryer.

// The defaultretryer is overridden here as the default values for MinRetryDelay and MinThrottleDelay
// are too low for the API Gateway API.
// https://pkg.go.dev/github.com/aws/[email protected]/aws/client#DefaultRetryer
Retryer: client.DefaultRetryer{
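
Review bot: the comment above `Retryer: client.DefaultRetryer{` spells the type as "defaultretryer" and says the defaults for MinRetryDelay and MinThrottleDelay are too low without stating the values chosen instead. Use the type's real casing, `DefaultRetryer`, and put the new delays and the error that motivated them in the comment so a later reader can judge whether the override is still needed.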

Contributor Author

I'm not sure if you'd want this here, but offering the ability to increase the min retry on the session as a way to get over the rate limit exceptions on the API Gateway createrestapi in the tests.

If useful it would be better as a generic test function, that all tests can reference.

Also happy to back this out if you don't want to adjust the session config.

Contributor

Thanks for bringing this up. Can you create a new issue to introduce retry logic similar to this? I think it would be better to revert this change for this PR, as it's irrelevant to ACM support.

@robpickerill
Contributor Author

@ellisonc - if you have any free time, would you have another look over this PR. The apigateway tests failed due to throttling, I added a change to try to accommodate it, but I'm not sure if you want to modify the session.

Thanks!

Contributor

@james03160927 james03160927 left a comment

LGTM. Left one small nit comment. Will trigger the test pipeline for this.

aws/acm_types.go Outdated
return "acm"
}

// ResourceIdentifiers - The volume ids of the ebs volumes

Contributor

is the resource identifiers referring to ebs volumes?

Contributor Author

thanks, fixed that comment

@zackproser
Contributor

Thanks @robpickerill! I've kicked off tests for this one.

Contributor

@james03160927 james03160927 left a comment

Test pipeline passed. LGTM

@james03160927 james03160927 merged commit 8d9464b into gruntwork-io:master Jun 30, 2023
@james03160927
Contributor

Thanks for the contribution @robpickerill !

Successfully merging this pull request may close these issues.

ACM certificates aren't supported by cloud nuke