fixup! Merge branch 'main' of rebuy/nuke into add_budgets

rebuy-de · Sep 10, 2021 · 44ea18d · 44ea18d
1 parent eab5b39
commit 44ea18d
Show file tree

Hide file tree

Showing 27 changed files with 950 additions and 24 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -32,7 +32,7 @@ jobs:
   docker_build:
     runs-on: ubuntu-20.04
     name: Docker Build
-    if: "github.repository == 'rebuy-de/aws-nuke'"
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'rebuy-de/aws-nuke' }}
 
     steps:
     - uses: actions/checkout@v2

diff --git a/cmd/root.go b/cmd/root.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"sort"
 
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/rebuy-de/aws-nuke/pkg/awsutil"
 	"github.com/rebuy-de/aws-nuke/pkg/config"
 	"github.com/rebuy-de/aws-nuke/resources"
@@ -63,10 +64,17 @@ func NewRootCommand() *cobra.Command {
 
 		if defaultRegion != "" {
 			awsutil.DefaultRegionID = defaultRegion
-			if config.CustomEndpoints.GetRegion(defaultRegion) == nil {
-				err = fmt.Errorf("The custom region '%s' must be specified in the configuration 'endpoints'", defaultRegion)
-				log.Error(err.Error())
-				return err
+			switch defaultRegion {
+			case endpoints.UsEast1RegionID, endpoints.UsEast2RegionID, endpoints.UsWest1RegionID, endpoints.UsWest2RegionID:
+				awsutil.DefaultAWSPartitionID = endpoints.AwsPartitionID
+			case endpoints.UsGovEast1RegionID, endpoints.UsGovWest1RegionID:
+				awsutil.DefaultAWSPartitionID = endpoints.AwsUsGovPartitionID
+			default:
+				if config.CustomEndpoints.GetRegion(defaultRegion) == nil {
+					err = fmt.Errorf("The custom region '%s' must be specified in the configuration 'endpoints'", defaultRegion)
+					log.Error(err.Error())
+					return err
+				}
 			}
 		}
 
@@ -109,6 +117,11 @@ func NewRootCommand() *cobra.Command {
 		"AWS session token for accessing the AWS API. "+
 			"Must be used together with --access-key-id and --secret-access-key. "+
 			"Cannot be used together with --profile.")
+	command.PersistentFlags().StringVar(
+		&creds.AssumeRoleArn, "assume-role-arn", "",
+		"AWS IAM role arn to assume. "+
+		    "The credentials provided via --access-key-id or --profile must "+
+			"be allowed to assume this role. ")
 	command.PersistentFlags().StringVar(
 		&defaultRegion, "default-region", "",
 		"Custom default region name.")

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/rebuy-de/aws-nuke
 go 1.16
 
 require (
-	github.com/aws/aws-sdk-go v1.37.12
+	github.com/aws/aws-sdk-go v1.40.39
 	github.com/fatih/color v1.10.0
 	github.com/golang/mock v1.4.4
 	github.com/mb0/glob v0.0.0-20160210091149-1eb79d2de6c4

diff --git a/go.sum b/go.sum
@@ -24,6 +24,10 @@ github.com/aws/aws-sdk-go v1.34.12 h1:7UbBEYDUa4uW0YmRnOd806MS1yoJMcaodBWDzvBShA
 github.com/aws/aws-sdk-go v1.34.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.37.12 h1:rPdjZTlzHn+sbLEO+i535g+WpGf7QBDLYI7rDok+FHo=
 github.com/aws/aws-sdk-go v1.37.12/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.38.42 h1:94blpbGDe2q5e0Xoop7131uzI2CH2qitQoptSMrkJP8=
+github.com/aws/aws-sdk-go v1.38.42/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.40.39 h1:Q88WMQH14vKWV95hMvJGzqZKL3s3gPFX3KXKfrqxb50=
+github.com/aws/aws-sdk-go v1.40.39/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@@ -261,6 +265,7 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -294,10 +299,15 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

diff --git a/pkg/awsutil/session.go b/pkg/awsutil/session.go
@@ -24,6 +24,9 @@ const (
 var (
 	// DefaultRegionID The default region. Can be customized for non AWS implementations
 	DefaultRegionID = endpoints.UsEast1RegionID
+
+	// DefaultAWSPartitionID The default aws partition. Can be customized for non AWS implementations
+	DefaultAWSPartitionID = endpoints.AwsPartitionID
 )
 
 type Credentials struct {
@@ -32,6 +35,7 @@ type Credentials struct {
 	AccessKeyID     string
 	SecretAccessKey string
 	SessionToken    string
+	AssumeRoleArn   string
 
 	Credentials *credentials.Credentials
 
@@ -107,6 +111,11 @@ func (c *Credentials) rootSession() (*session.Session, error) {
 			return nil, err
 		}
 
+		// if given a role to assume, overwrite the session credentials with assume role credentials
+		if c.AssumeRoleArn != "" {
+			sess.Config.Credentials = stscreds.NewCredentials(sess, c.AssumeRoleArn)
+		}
+
 		c.session = sess
 	}
 
@@ -193,7 +202,7 @@ func skipMissingServiceInRegionHandler(r *request.Request) {
 	region := *r.Config.Region
 	service := r.ClientInfo.ServiceName
 
-	rs, ok := endpoints.RegionsForService(endpoints.DefaultPartitions(), endpoints.AwsPartitionID, service)
+	rs, ok := endpoints.RegionsForService(endpoints.DefaultPartitions(), DefaultAWSPartitionID, service)
 	if !ok {
 		// This means that the service does not exist and this shouldn't be handled here.
 		return
@@ -216,7 +225,7 @@ func skipGlobalHandler(global bool) func(r *request.Request) {
 	return func(r *request.Request) {
 		service := r.ClientInfo.ServiceName
 
-		rs, ok := endpoints.RegionsForService(endpoints.DefaultPartitions(), endpoints.AwsPartitionID, service)
+		rs, ok := endpoints.RegionsForService(endpoints.DefaultPartitions(), DefaultAWSPartitionID, service)
 		if !ok {
 			// This means that the service does not exist in the endpoints list.
 			if global {
@@ -237,7 +246,7 @@ func skipGlobalHandler(global bool) func(r *request.Request) {
 			return
 		}
 
-		if len(rs) > 0 && global {
+		if (len(rs) > 0 && global) && service != "sts" {
 			r.Error = ErrSkipRequest(fmt.Sprintf("service '%s' is not global, but the session is", service))
 			return
 		}

diff --git a/resources/accessanalyzer-analyzers.go b/resources/accessanalyzer-analyzers.go
@@ -0,0 +1,71 @@
+package resources
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/accessanalyzer"
+	"github.com/rebuy-de/aws-nuke/pkg/types"
+)
+
+type AccessAnalyzer struct {
+	svc    *accessanalyzer.AccessAnalyzer
+	arn    string
+	name   string
+	status string
+	tags   map[string]*string
+}
+
+func init() {
+	register("AccessAnalyzer", ListAccessAnalyzer)
+}
+
+func ListAccessAnalyzer(sess *session.Session) ([]Resource, error) {
+	svc := accessanalyzer.New(sess)
+
+	params := &accessanalyzer.ListAnalyzersInput{
+		Type: aws.String("ACCOUNT"),
+	}
+
+	resources := make([]Resource, 0)
+	err := svc.ListAnalyzersPages(params,
+		func(page *accessanalyzer.ListAnalyzersOutput, lastPage bool) bool {
+			for _, analyzer := range page.Analyzers {
+				resources = append(resources, &AccessAnalyzer{
+					svc:    svc,
+					arn:    *analyzer.Arn,
+					name:   *analyzer.Name,
+					status: *analyzer.Status,
+					tags:   analyzer.Tags,
+				})
+			}
+			return true
+		})
+	if err != nil {
+		return nil, err
+	}
+
+	return resources, nil
+}
+
+func (a *AccessAnalyzer) Remove() error {
+	_, err := a.svc.DeleteAnalyzer(&accessanalyzer.DeleteAnalyzerInput{AnalyzerName: &a.name})
+
+	return err
+}
+
+func (a *AccessAnalyzer) Properties() types.Properties {
+	properties := types.NewProperties()
+
+	properties.Set("ARN", a.arn)
+	properties.Set("Name", a.name)
+	properties.Set("Status", a.status)
+	for k, v := range a.tags {
+		properties.SetTag(&k, v)
+	}
+
+	return properties
+}
+
+func (a *AccessAnalyzer) String() string {
+	return a.name
+}
diff --git a/resources/accessanalyzer-archiverules.go b/resources/accessanalyzer-archiverules.go
@@ -0,0 +1,78 @@
+package resources
+
+import (
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/accessanalyzer"
+	"github.com/rebuy-de/aws-nuke/pkg/types"
+)
+
+type ArchiveRule struct {
+	svc          *accessanalyzer.AccessAnalyzer
+	ruleName     string
+	analyzerName string
+}
+
+func init() {
+	register("ArchiveRule", ListArchiveRule)
+}
+
+func ListArchiveRule(sess *session.Session) ([]Resource, error) {
+	svc := accessanalyzer.New(sess)
+
+	analyzers, err := ListAccessAnalyzer(sess)
+	if err != nil {
+		return nil, err
+	}
+
+	resources := make([]Resource, 0)
+
+	for _, analyzer := range analyzers {
+		a, ok := analyzer.(*AccessAnalyzer)
+		if !ok {
+			continue
+		}
+
+		params := &accessanalyzer.ListArchiveRulesInput{
+			AnalyzerName: &a.name,
+		}
+
+		err = svc.ListArchiveRulesPages(params,
+			func(page *accessanalyzer.ListArchiveRulesOutput, lastPage bool) bool {
+				for _, archiveRule := range page.ArchiveRules {
+					resources = append(resources, &ArchiveRule{
+						svc:          svc,
+						ruleName:     *archiveRule.RuleName,
+						analyzerName: a.name,
+					})
+				}
+				return true
+			})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return resources, nil
+}
+
+func (a *ArchiveRule) Remove() error {
+	_, err := a.svc.DeleteArchiveRule(&accessanalyzer.DeleteArchiveRuleInput{
+		AnalyzerName: &a.analyzerName,
+		RuleName:     &a.ruleName,
+	})
+
+	return err
+}
+
+func (a *ArchiveRule) Properties() types.Properties {
+	properties := types.NewProperties()
+
+	properties.Set("RuleName", a.ruleName)
+	properties.Set("AnalyzerName", a.analyzerName)
+
+	return properties
+}
+
+func (a *ArchiveRule) String() string {
+	return a.ruleName
+}
diff --git a/resources/backup-plans.go b/resources/backup-plans.go
@@ -5,6 +5,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/backup"
 	"github.com/rebuy-de/aws-nuke/pkg/types"
+	"strings"
 )
 
 type BackupPlan struct {
@@ -76,3 +77,10 @@ func (b *BackupPlan) Remove() error {
 func (b *BackupPlan) String() string {
 	return b.arn
 }
+
+func (b *BackupPlan) Filter() error {
+	if strings.HasPrefix(b.name, "aws/efs/") {
+		return fmt.Errorf("cannot delete EFS automatic backups backup plan")
+	}
+	return nil
+}
diff --git a/resources/backup-selections.go b/resources/backup-selections.go
@@ -5,6 +5,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/backup"
 	"github.com/rebuy-de/aws-nuke/pkg/types"
+	"strings"
 )
 
 type BackupSelection struct {
@@ -75,3 +76,10 @@ func (b *BackupSelection) Remove() error {
 func (b *BackupSelection) String() string {
 	return fmt.Sprintf("%s (%s)", b.planId, b.selectionId)
 }
+
+func (b *BackupSelection) Filter() error {
+	if strings.HasPrefix(b.selectionName, "aws/efs/") {
+		return fmt.Errorf("cannot delete EFS automatic backups backup selection")
+	}
+	return nil
+}