This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

SIGSEGV: segmentation violation #1135

Closed
heinosasshallik opened this issue Oct 27, 2023 · 5 comments

@heinosasshallik

Starting from October 24th, I started seeing failures:

 error="AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/REDACTED/REDACTED is not authorized to perform: iam:GetRole on resource: role OrganizationAccountAccessRole with an explicit deny in a service control policy

The errors occur because I have a service control policy in place that denies access to OrganizationAccountAccessRole:

{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
      "Sid": "ProtectAccessRole"
    },
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowAllActionsByDefault"
    }
  ],
  "Version": "2012-10-17"
}

However, aws-nuke shouldn't be trying to access it because I've got a filter in place:

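import yaml

# Excerpt from the wrapper that builds the aws-nuke config; `regions`,
# `target_account_id` and the redacted blocklist entry are defined elsewhere.
config = {
    'regions': regions,
    'account-blocklist': [REDACTED],
    'accounts': {
        target_account_id: {
            'filters': {
                # Keep the Organizations access role out of the deletion set
                'IAMRole': ['OrganizationAccountAccessRole']
            }
        }
    }
}
yaml_config = yaml.dump(config)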

Prior to October 24th I didn't receive any errors and after that I started receiving them. I haven't updated my application or aws-nuke recently, so perhaps it's due to a change on the AWS side?

Tested on the following aws-nuke versions:

  • aws-nuke-v2.19.0-linux-amd64
  • aws-nuke-v2.25.0-linux-amd64
@heinosasshallik
Author

heinosasshallik commented Oct 27, 2023

Actually I'm not sure that's what's causing the issue anymore. I edited my SCP to get rid of those SCP-based failures, but it's still failing:

{
  "Statement": [
    {
      "NotAction": [
        "iam:getRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
      "Sid": "DenyExceptSpecifiedActions"
    },
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowAllActionsByDefault"
    }
  ],
  "Version": "2012-10-17"
}

The stderr output is massive, but looking at the end of the stderr output, I can see this:

level=info msg="MachineLearningBranchPrediction: AmazonML is no longer available to new customers. Ignore if you haven\'t set it up."
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x3b13692]

goroutine 1 [running]:
github.com/rebuy-de/aws-nuke/v2/resources.(*Route53ResolverRule).Filter(0xc0012d7430?)
\t/home/runner/work/aws-nuke/aws-nuke/resources/route53-resolver-rules.go:103 +0x12
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Filter(0xc000617340, 0xc001ba3300)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:196 +0x53
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Scan(0xc000617340)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:173 +0x9cb
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Run(0xc000617340)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:61 +0x325
github.com/rebuy-de/aws-nuke/v2/cmd.NewRootCommand.func2(0xc0003ac700?, {0x57e047d?, 0x4?, 0x57e0481?})
\t/home/runner/work/aws-nuke/aws-nuke/cmd/root.go:92 +0x613
github.com/spf13/cobra.(*Command).execute(0xc000004600, {0xc00003e0c0, 0xa, 0xa})
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:940 +0x87c
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004600)
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(0xc0000061a0?)
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:992 +0x13
main.main()
\t/home/runner/work/aws-nuke/aws-nuke/main.go:10 +0x18
'"

This occurred with aws-nuke-v2.19.0-linux-amd64.

@heinosasshallik heinosasshallik changed the title from "aws-nuke running iam:GetRole on filtered resource" to "SIGSEGV: segmentation violation" on Oct 27, 2023
@glarizza

I just recently started to get a similar stacktrace within the past week:

ERRO[0017] Listing AWS::AppRunner::Service failed:
    TypeNotFoundException: The type 'AWS::AppRunner::Service' cannot be found.
us-west-1 - MemoryDBUser - default - [Name: "default"] - Cannot delete default user
ERRO[0017] Listing AWS::Timestream::ScheduledQuery failed:
    TypeNotFoundException: The type 'AWS::Timestream::ScheduledQuery' cannot be found.
INFO[0017] MGNSourceServer: Account not initialized for Application Migration Service. Ignore if you haven't set it up.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x4715352]

goroutine 1 [running]:
github.com/rebuy-de/aws-nuke/v2/resources.(*Route53ResolverRule).Filter(0x5823500?)
        github.com/rebuy-de/aws-nuke/v2/resources/route53-resolver-rules.go:103 +0x12
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Filter(0xc0000d3340, 0xc0005483c0)
        github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:196 +0x53
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Scan(0xc0000d3340)
        github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:173 +0x9cb
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Run(0xc0000d3340)
        github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:61 +0x325
github.com/rebuy-de/aws-nuke/v2/cmd.NewRootCommand.func2(0xc0003c0700?, {0x63e4ef9?, 0x4?, 0x63e4efd?})
        github.com/rebuy-de/aws-nuke/v2/cmd/root.go:92 +0x613
github.com/spf13/cobra.(*Command).execute(0xc000124600, {0xc00011c690, 0xc, 0xc})
        github.com/spf13/[email protected]/command.go:940 +0x87c
github.com/spf13/cobra.(*Command).ExecuteC(0xc000124600)
        github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(0xc0000061a0?)
        github.com/spf13/[email protected]/command.go:992 +0x13
main.main()
        github.com/rebuy-de/aws-nuke/v2/main.go:10 +0x18
      

I'm on 2.25.0 via Homebrew on MacOS:

❯ aws-nuke version
version:     2.25.0
build date:  2023-08-31
scm hash:    2bd22d5e5c0cf6a4011b3c08a5b1c25e2e6c75bd
environment: Homebrew
go version:  go1.21.0

@SSKale1

SSKale1 commented Nov 2, 2023

@glarizza faced a similar issue, is a part of #1134

@tmax22

tmax22 commented Sep 11, 2024

Any update? A solution is proposed on the PR.

@ekristen
Contributor

The nil pointer issue has been fixed in the new active fork. See the comment on #1134 - #1134 (comment)

If you are still having issues around OrganizationAccountAccessRole @heinosasshallik I would encourage you to open an issue over on the forked project.

However, to answer the question here: even if you have a filter in place, the tool will attempt to iterate all roles in an account, to include the OrganizationAccountAccessRole; resources are only filtered after they are discovered.

--

Please see a copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.

Caution

This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at ekristen/aws-nuke.
We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.
Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.
Thank you for your understanding and support.
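
Added example, not part of the thread and not aws-nuke code: a simplified model of explicit-deny evaluation applied to the two SCPs posted above. It shows why discovery of the role is blocked under the first policy even with a filter configured, and which calls the `NotAction` version lets through. The account ID, the helper names, and the `iam:DeleteRole` probe are assumptions for illustration; the matcher only approximates IAM wildcard semantics.

```python
import fnmatch

# Constructed ARN: the account ID is a placeholder, not from the issue.
ROLE_ARN = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"

# Deny statements of the two SCPs from the issue. The Allow-all statement is
# omitted because an explicit Deny always overrides it.
SCP_ORIGINAL = [{
    "Sid": "ProtectAccessRole", "Effect": "Deny", "Action": "*",
    "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
}]
SCP_RELAXED = [{
    "Sid": "DenyExceptSpecifiedActions", "Effect": "Deny",
    "NotAction": ["iam:getRole", "iam:ListAttachedRolePolicies",
                  "iam:ListRolePolicies"],
    "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
}]

# Read calls exempted by the relaxed SCP, plus one destructive call (assumed
# probe) that the policy is meant to keep blocked.
CALLS = ["iam:GetRole", "iam:ListAttachedRolePolicies",
         "iam:ListRolePolicies", "iam:DeleteRole"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    """Wildcard match; IAM action names compare case-insensitively."""
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def explicit_deny(statements, action, resource):
    """Return the Sid of the first Deny statement covering the call, else None."""
    for st in statements:
        if st["Effect"] != "Deny":
            continue
        if not _matches(_as_list(st["Resource"]), resource):
            continue
        if "NotAction" in st:  # denies everything except the listed actions
            hit = not _matches(_as_list(st["NotAction"]), action, ignore_case=True)
        else:
            hit = _matches(_as_list(st["Action"]), action, ignore_case=True)
        if hit:
            return st["Sid"]
    return None

def evaluate(statements, resource=ROLE_ARN):
    """Map each probed call to the Sid that denies it (None = not denied)."""
    return {action: explicit_deny(statements, action, resource) for action in CALLS}
```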
