This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

KMS keys not scheduled for deletion if unrelated key is unmanagable #882

Closed
wushingmushine opened this issue Nov 17, 2022 · 1 comment · Fixed by ekristen/aws-nuke#260

Comments

@wushingmushine

wushingmushine commented Nov 17, 2022

Issue
If your account (and targeted regions) includes a KMS key that the user running aws-nuke is unable to describe, aws-nuke will stop trying to delete any other KMS keys.

Steps to reproduce

  • Create some KMS keys and include your aws-nuke user/ role as a key administrator (with administrators allowed to delete the key)
resource "aws_kms_key" "deletable_key" {
  description             = "deletable-key"
  deletion_window_in_days = 7
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          "AWS" : "arn:aws:iam::<accountID>:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Effect = "Allow"
        Principal = {
          "AWS" : "<Arn of your aws-nuke user>"
        }
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:TagResource",
          "kms:UntagResource",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ]
        Resource = "*"
      }
    ]
  })
}
  • Create some keys with key policies explicitly denying your aws-nuke user/ role from performing any action on the key
resource "aws_kms_key" "non_deletable_key" {
 description             = "non-deletable-key"
 deletion_window_in_days = 7
 policy = jsonencode({
   Version = "2012-10-17"
   Statement = [
     {
       Effect = "Allow"
       Principal = {
         "AWS" : "arn:aws:iam::<accountID>:root"
       }
       Action   = "kms:*"
       Resource = "*"
     },
     {
       Effect = "Deny"
       Principal = {
         "AWS" : "<Arn of your aws-nuke user>"
       }
       Action   = "kms:*"
       Resource = "*"
     }
   ]
 })
}
  • Run aws-nuke. You should see that some manageable KMS keys have not been scheduled for deletion.

Cause
The return false on line 36 here causes aws-nuke to prematurely exit the ListKMSKeys function if it encounters an error. This prevents any listed KMS keys that haven't already been iterated over from being added to the resources for deletion (line 63), and aws-nuke therefore doesn't attempt to delete other keys.

Preferred solution
Don't return out of listing the KMS keys when encountering a key that can't be described. Instead, continue iterating over the remaining keys in the list.
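The two listing behaviours described in this issue, as an added Go illustration that is not aws-nuke's own code: a constructed fake client stands in for the SDK (assumed to expose ListKeys-style IDs and a DescribeKey call), with the early-return loop beside the continue-on-error loop the issue asks for.

```go
package main
import "fmt"

// fakeKMS is a constructed stand-in for the SDK client aws-nuke uses (assumption:
// the real code calls ListKeys and then DescribeKey on every returned key ID).
type fakeKMS struct {
	keys   []string        // what ListKeys would return
	denied map[string]bool // key IDs whose key policy denies the caller
}

func (f fakeKMS) DescribeKey(id string) error {
	if f.denied[id] {
		return fmt.Errorf("AccessDeniedException: kms:DescribeKey on %s", id)
	}
	return nil
}

// Constructed account: the undescribable key sits between two deletable ones.
var sampleAccount = fakeKMS{keys: []string{"key-a", "key-denied", "key-b"}, denied: map[string]bool{"key-denied": true}}
// listKeysStopOnError reproduces the reported behaviour: the first DescribeKey failure returns early, so key-b is never queued.
func listKeysStopOnError(c fakeKMS) ([]string, error) {
	var out []string
	for _, id := range c.keys {
		if err := c.DescribeKey(id); err != nil {
			return out, err
		}
		out = append(out, id)
	}
	return out, nil
}

// listKeysSkipOnError is the preferred behaviour: record the key, keep iterating, return both lists so the skip stays visible.
func listKeysSkipOnError(c fakeKMS) (keys, skipped []string) {
	for _, id := range c.keys {
		if err := c.DescribeKey(id); err != nil {
			skipped = append(skipped, id)
			continue
		}
		keys = append(keys, id)
	}
	return keys, skipped
}

func main() {
	got, err := listKeysStopOnError(sampleAccount)
	fmt.Println("stop-on-error:", got, err) // [key-a] AccessDeniedException: kms:DescribeKey on key-denied
	keys, skipped := listKeysSkipOnError(sampleAccount)
	fmt.Println("skip-on-error:", keys, skipped) // [key-a key-b] [key-denied]
}
```

Returning the skipped IDs alongside the deletable ones lets a run report which keys were left untouched because of a key policy rather than silently dropping them.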

@ekristen
Contributor

@wushingmushine this was fixed in the newly promoted fork of aws-nuke that's the successor to this project, please see ekristen/aws-nuke#260, this has been fixed since 3.13.1 over there.


Please see a copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.

Caution

This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at ekristen/aws-nuke.
We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.
Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.
Thank you for your understanding and support.
