From b0e03af4097d9501b1e0e09ecf68d1a0d38557c0 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Thu, 17 Mar 2022 15:06:20 +0100
Subject: [PATCH] Add support for TGW VPC/Peering Attachments

---
 aws/policy/networking.yaml | 10 ++++++++++
 aws/terminator/compute.py | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/aws/policy/networking.yaml b/aws/policy/networking.yaml
index 015e04cc..8c49477e 100644
--- a/aws/policy/networking.yaml
+++ b/aws/policy/networking.yaml
@@ -26,6 +26,8 @@ Statement:
 - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - ec2:AcceptTransitGatewayPeeringAttachment
+ - ec2:AcceptTransitGatewayVpcAttachment
 - ec2:AcceptVpcPeeringConnection
 - ec2:AllocateAddress
 - ec2:AssociateAddress
@@ -46,6 +48,8 @@ Statement:
 - ec2:CreateInternetGateway
 - ec2:CreateNatGateway
 - ec2:CreateTransitGateway
+ - ec2:CreateTransitGatewayPeeringAttachment
+ - ec2:CreateTransitGatewayVpcAttachment
 - ec2:CreateNetworkAcl
 - ec2:CreateNetworkAclEntry
 - ec2:CreateNetworkInterface
@@ -76,6 +80,8 @@ Statement:
 - ec2:DeleteVpnConnection
 - ec2:DeleteVpnGateway
 - ec2:DeleteTransitGateway
+ - ec2:DeleteTransitGatewayPeeringAttachment
+ - ec2:DeleteTransitGatewayVpcAttachment
 - ec2:DetachInternetGateway
 - ec2:DetachNetworkInterface
 - ec2:DetachVpnGateway
@@ -85,8 +91,12 @@ Statement:
 - ec2:DisassociateVpcCidrBlock
 - ec2:ModifyNetworkInterfaceAttribute
 - ec2:ModifySubnetAttribute
+ - ec2:ModifyTransitGatewayPeeringAttachment
+ - ec2:ModifyTransitGatewayVpcAttachment
 - ec2:ModifyVpcAttribute
 - ec2:ModifyVpcEndpoint
+ - ec2:RejectTransitGatewayPeeringAttachment
+ - ec2:RejectTransitGatewayVpcAttachment
 - ec2:RejectVpcPeeringConnection
 - ec2:ReleaseAddress
 - ec2:ReplaceNetworkAclAssociation
diff --git a/aws/terminator/compute.py b/aws/terminator/compute.py
index 7b062f34..08ec8f08 100644
--- a/aws/terminator/compute.py
+++ b/aws/terminator/compute.py
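Review bot: All four hunks put the new TGW attachment actions into the statement whose Sid reads `AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees`; `ec2:CreateTransitGateway` is already listed there so the placement is consistent with the existing policy, but as far as I recall transit gateway attachments are billed hourly, so it is worth confirming the statement's intent rather than relying on the Sid. The Create block inserts the two new actions between `ec2:CreateTransitGateway` and `ec2:CreateNetworkAcl`, following the existing non-alphabetical grouping, which is fine as-is. No Resource or Condition element is visible in these hunks, so I cannot tell whether the new attachment actions end up bounded the same way as the rest of the statement; a one-line comment above the Sid recording why unrestricted-resource TGW actions belong here would save the next reader the same question.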
@@ -175,6 +175,44 @@ def terminate(self):
 self.client.delete_transit_gateway(TransitGatewayId=self.id)
+class Ec2TransitGatewayAttachment(Terminator):
+ @staticmethod
+ def create(credentials):
+ account = get_account_id(credentials)
+ filters = [{
+ 'Name': 'transit-gateway-owner-id',
+ 'Values': [account]
+ }]
+ return Terminator._create(credentials, Ec2TransitGatewayAttachment, 'ec2',
+ lambda client: client.describe_transit_gateway_attachments(Filters=filters)['TransitGatewayAttachments'])
+
+ @property
+ def id(self):
+ return self.instance['TransitGatewayAttachmentId']
+
+ @property
+ def name(self):
+ return "{0}/{1}".format(
+ self.instance['TransitGatewayId'],
+ self.instance['ResourceId'])
+
+ @property
+ def created_time(self):
+ return self.instance['CreationTime']
+
+ @property
+ def ignore(self):
+ # We can only delete resources in specific states:
+ # https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html#vpc-attachment-lifecycle
+ return self.instance['State'] not in ('available', 'pending-acceptance')
+
+ def terminate(self):
+ if self.instance['ResourceType'] == 'vpc':
+ self.client.delete_transit_gateway_vpc_attachment(TransitGatewayAttachmentId=self.id)
+ elif self.instance['ResourceType'] in ('peering', 'tgw-peering'):
+ self.client.delete_transit_gateway_peering_attachment(TransitGatewayAttachmentId=self.id)
+
+ class ElasticBeanstalk(Terminator):
+ @staticmethod
+ def create(credentials):
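Review bot: `ignore` compares `State` against `'pending-acceptance'`, but the attachment state values returned by describe_transit_gateway_attachments are camelCase (`pendingAcceptance`) as far as I know, so that member never matches and attachments still awaiting acceptance are skipped rather than deleted; please verify against the API reference and, if so, change the tuple to `('available', 'pendingAcceptance')`. Separately, `terminate` has no branch for any `ResourceType` other than `vpc`, `peering` and `tgw-peering` (VPN, Direct Connect gateway and Connect attachments exist), so such an attachment in the `available` state is selected on every run and silently no-op'd; either make `ignore` cover it, e.g. `if self.instance['ResourceType'] not in ('vpc', 'peering', 'tgw-peering'): return True`, or add an `else` that raises so the gap is visible in the logs. The owner-id filter in `create` selects attachments to transit gateways this account owns, which can include attachments whose VPC belongs to another account when the TGW is shared; if that is intended, a class docstring such as `"""Attachments (VPC and TGW peering) on transit gateways owned by this account."""` would make the scope explicit.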