feat: add support for AWS Shield resources (#731)

Author: rajramo61

docs/resources/shield-protection-group.md

@@ -0,0 +1,37 @@
+---
+generated: true
+---
+
+# ShieldProtectionGroup
+
+
+## Resource
+
+```text
+ShieldProtectionGroup
+```
+
+## Properties
+
+
+- `Aggregation`: The aggregation type for the protection group
+- `Members`: The list of resource ARNs that are members of the protection group
+- `Pattern`: The pattern for the protection group
+- `ProtectionGroupArn`: The ARN of the Shield protection group
+- `ProtectionGroupId`: The unique identifier of the Shield protection group
+- `ResourceType`: The resource type for the protection group
+- `tag:<key>:`: This resource has tags with property `Tags`. These are key/value pairs that are
+	added as their own property with the prefix of `tag:` (e.g. [tag:example: "value"]) 
+
+!!! note - Using Properties
+    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
+    names to write filters for what you want to **keep** and omit from the nuke process.
+
+### String Property
+
+The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
+resources support properties. To write a filter against the string representation, simply omit the `property` field in
+the filter.
+
+The string value is always what is used in the output of the log format when a resource is identified.
+

docs/resources/shield-protection.md

@@ -0,0 +1,35 @@
+---
+generated: true
+---
+
+# ShieldProtection
+
+
+## Resource
+
+```text
+ShieldProtection
+```
+
+## Properties
+
+
+- `ID`: The unique identifier of the Shield protection
+- `Name`: The name of the Shield protection
+- `ProtectionArn`: The ARN of the Shield protection
+- `ResourceArn`: The ARN of the AWS resource being protected
+- `tag:<key>:`: This resource has tags with property `Tags`. These are key/value pairs that are
+	added as their own property with the prefix of `tag:` (e.g. [tag:example: "value"]) 
+
+!!! note - Using Properties
+    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
+    names to write filters for what you want to **keep** and omit from the nuke process.
+
+### String Property
+
+The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
+resources support properties. To write a filter against the string representation, simply omit the `property` field in
+the filter.
+
+The string value is always what is used in the output of the log format when a resource is identified.
+

go.mod

@@ -6,7 +6,7 @@ toolchain go1.24.5
 
 require (
 	github.com/aws/aws-sdk-go v1.55.7
-	github.com/aws/aws-sdk-go-v2 v1.37.2
+	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.28.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.68
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.28.12
@@ -27,7 +27,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssmquicksetup v1.3.10
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.20
 	github.com/aws/aws-sdk-go-v2/service/transfer v1.55.5
-	github.com/aws/smithy-go v1.22.5
+	github.com/aws/smithy-go v1.23.0
 	github.com/ekristen/libnuke v1.3.0
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
@@ -46,14 +46,15 @@ require (
 require (
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.27 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/shield v1.34.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect

go.sum

@@ -2,6 +2,8 @@ github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE
 github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.37.2 h1:xkW1iMYawzcmYFYEV0UCMxc8gSsjCGEhBXQkdQywVbo=
 github.com/aws/aws-sdk-go-v2 v1.37.2/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
+github.com/aws/aws-sdk-go-v2 v1.38.3 h1:B6cV4oxnMs45fql4yRH+/Po/YU+597zgWqvDpYMturk=
+github.com/aws/aws-sdk-go-v2 v1.38.3/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc=
 github.com/aws/aws-sdk-go-v2/config v1.28.11 h1:7Ekru0IkRHRnSRWGQLnLN6i0o1Jncd0rHo2T130+tEQ=
@@ -12,8 +14,12 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mln
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.2 h1:sPiRHLVUIIQcoVZTNwqQcdtjkqkPopyYmIX0M5ElRf4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.2/go.mod h1:ik86P3sgV+Bk7c1tBFCwI3VxMoSEwl4YkRB9xn1s340=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 h1:uF68eJA6+S9iVr9WgX1NaRGyQ/6MdIyc4JNUo6TN1FA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6/go.mod h1:qlPeVZCGPiobx8wb1ft0GHT5l+dc6ldnwInDFaMvC7Y=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.2 h1:ZdzDAg075H6stMZtbD2o+PyB933M/f20e9WmCBC17wA=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.2/go.mod h1:eE1IIzXG9sdZCB0pNNpMpsYTLl4YdOQD3njiVN1e/E4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 h1:pa1DEC6JoI0zduhZePp3zmhWvk/xxm4NB8Hy/Tlsgos=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6/go.mod h1:gxEjPebnhWGJoaDdtDkA0JX46VRg1wcTHYe63OfX5pE=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.27 h1:AmB5QxnD+fBFrg9LcqzkgF/CaYvMyU/BTlejG4t1S7Q=
@@ -56,6 +62,8 @@ github.com/aws/aws-sdk-go-v2/service/s3 v1.72.3 h1:WZOmJfCDV+4tYacLxpiojoAdT5sxT
 github.com/aws/aws-sdk-go-v2/service/s3 v1.72.3/go.mod h1:xMekrnhmJ5aqmyxtmALs7mlvXw5xRh+eYjOjvrIIFJ4=
 github.com/aws/aws-sdk-go-v2/service/s3control v1.52.7 h1:cewH1fJ35N26pujUo8pXtqngf0QZio0ko62rT1x2Uak=
 github.com/aws/aws-sdk-go-v2/service/s3control v1.52.7/go.mod h1:zZ6ah0Hp8TqLZERFcwSQ2T5A4lMkX5vujkDvSkFiXh8=
+github.com/aws/aws-sdk-go-v2/service/shield v1.34.2 h1:daAMTHVfwUaAOdyBlGNtl09xqkjB9k3X3/BgEVpmJD4=
+github.com/aws/aws-sdk-go-v2/service/shield v1.34.2/go.mod h1:TWtjIQVEyCP4M8JXZ/ePx3Zw2XHe1fC2arN6p44C2PI=
 github.com/aws/aws-sdk-go-v2/service/ssmquicksetup v1.3.10 h1:3e9ZvkZB5NsDellLxPuaCJSeA5Hg7SeHY+Godotzizc=
 github.com/aws/aws-sdk-go-v2/service/ssmquicksetup v1.3.10/go.mod h1:UKtH07HzEWvg7zZ6R2JixYlmGYa/3i2niz7Lz2zJoeM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
@@ -68,6 +76,8 @@ github.com/aws/aws-sdk-go-v2/service/transfer v1.55.5 h1:3CgAcyZciL7KG/8LCEWWoMJ
 github.com/aws/aws-sdk-go-v2/service/transfer v1.55.5/go.mod h1:NJBUE6GjnjqSvexXpU0pj/2w+VEhRk5XPL5rRZpj7bI=
 github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
 github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
+github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=

mkdocs.yml

@@ -618,6 +618,8 @@ nav:
     - Ses Receipt Rule Set: resources/ses-receipt-rule-set.md
     - Ses Template: resources/ses-template.md
     - Sfn State Machine: resources/sfn-state-machine.md
+    - Shield Protection Group: resources/shield-protection-group.md
+    - Shield Protection: resources/shield-protection.md
     - Signer Signing Job: resources/signer-signing-job.md
     - Simple Db Domain: resources/simple-db-domain.md
     - Storage Gateway File Share: resources/storage-gateway-file-share.md

resources/shield-protection-group.go

@@ -0,0 +1,100 @@
+package resources
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/shield"
+	shieldtypes "github.com/aws/aws-sdk-go-v2/service/shield/types"
+
+	"github.com/ekristen/libnuke/pkg/registry"
+	"github.com/ekristen/libnuke/pkg/resource"
+	"github.com/ekristen/libnuke/pkg/types"
+
+	"github.com/ekristen/aws-nuke/v3/pkg/nuke"
+)
+
+const ShieldProtectionGroupResource = "ShieldProtectionGroup"
+
+func init() {
+	registry.Register(&registry.Registration{
+		Name:     ShieldProtectionGroupResource,
+		Scope:    nuke.Account,
+		Resource: &ShieldProtectionGroup{},
+		Lister:   &ShieldProtectionGroupLister{},
+	})
+}
+
+type ShieldProtectionGroupLister struct{}
+
+func (l *ShieldProtectionGroupLister) List(ctx context.Context, o interface{}) ([]resource.Resource, error) {
+	opts := o.(*nuke.ListerOpts)
+
+	svc := shield.NewFromConfig(*opts.Config)
+
+	params := &shield.ListProtectionGroupsInput{}
+	resources := make([]resource.Resource, 0)
+
+	for {
+		resp, err := svc.ListProtectionGroups(ctx, params)
+		if err != nil {
+			return nil, err
+		}
+
+		for i := range resp.ProtectionGroups {
+			group := &resp.ProtectionGroups[i]
+
+			tags, err := svc.ListTagsForResource(ctx, &shield.ListTagsForResourceInput{
+				ResourceARN: group.ProtectionGroupArn,
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			resources = append(resources, &ShieldProtectionGroup{
+				svc:                svc,
+				ProtectionGroupId:  group.ProtectionGroupId,
+				Aggregation:        &group.Aggregation,
+				Pattern:            &group.Pattern,
+				ResourceType:       &group.ResourceType,
+				Members:            &group.Members,
+				ProtectionGroupArn: group.ProtectionGroupArn,
+				Tags:               &tags.Tags,
+			})
+		}
+
+		if resp.NextToken == nil {
+			break
+		}
+		params.NextToken = resp.NextToken
+	}
+
+	return resources, nil
+}
+
+type ShieldProtectionGroup struct {
+	svc                *shield.Client
+	ProtectionGroupId  *string                                 `description:"The unique identifier of the Shield protection group"`
+	Aggregation        *shieldtypes.ProtectionGroupAggregation `description:"The aggregation type for the protection group"`
+	Pattern            *shieldtypes.ProtectionGroupPattern     `description:"The pattern for the protection group"`
+	ResourceType       *shieldtypes.ProtectedResourceType      `description:"The resource type for the protection group"`
+	Members            *[]string                               `description:"The list of resource ARNs that are members of the protection group"` //nolint:lll
+	ProtectionGroupArn *string                                 `description:"The ARN of the Shield protection group"`
+	Tags               *[]shieldtypes.Tag                      `description:"The tags associated with the Shield protection group"`
+}
+
+func (r *ShieldProtectionGroup) Remove(ctx context.Context) error {
+	params := &shield.DeleteProtectionGroupInput{
+		ProtectionGroupId: r.ProtectionGroupId,
+	}
+
+	_, err := r.svc.DeleteProtectionGroup(ctx, params)
+	return err
+}
+
+func (r *ShieldProtectionGroup) Properties() types.Properties {
+	return types.NewPropertiesFromStruct(r)
+}
+
+func (r *ShieldProtectionGroup) String() string {
+	return *r.ProtectionGroupId
+}

resources/shield-protection-group_test.go

@@ -0,0 +1,111 @@
+package resources
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	shieldtypes "github.com/aws/aws-sdk-go-v2/service/shield/types"
+	"github.com/gotidy/ptr"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_ShieldProtectionGroup_String(t *testing.T) {
+	a := assert.New(t)
+
+	shieldProtectionGroup := ShieldProtectionGroup{
+		ProtectionGroupId: ptr.String("protection-group-id"),
+	}
+
+	a.Equal("protection-group-id", shieldProtectionGroup.String())
+}
+
+func Test_ShieldProtectionGroup_Properties(t *testing.T) {
+	a := assert.New(t)
+
+	aggregation := shieldtypes.ProtectionGroupAggregationSum
+	pattern := shieldtypes.ProtectionGroupPatternAll
+	resourceType := shieldtypes.ProtectedResourceTypeCloudfrontDistribution
+
+	shieldProtectionGroup := ShieldProtectionGroup{
+		ProtectionGroupId:  ptr.String("protection-group-id"),
+		Aggregation:        &aggregation,
+		Pattern:            &pattern,
+		ResourceType:       &resourceType,
+		Members:            &[]string{"arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"},
+		ProtectionGroupArn: ptr.String("arn:aws:shield::123456789012:protection-group/protection-group-id"),
+		Tags: &[]shieldtypes.Tag{
+			{
+				Key:   aws.String("Environment"),
+				Value: aws.String("production"),
+			},
+			{
+				Key:   aws.String("Team"),
+				Value: aws.String("security"),
+			},
+		},
+	}
+
+	properties := shieldProtectionGroup.Properties()
+
+	a.Equal("protection-group-id", properties.Get("ProtectionGroupId"))
+	a.Equal("SUM", properties.Get("Aggregation"))
+	a.Equal("ALL", properties.Get("Pattern"))
+	a.Equal("CLOUDFRONT_DISTRIBUTION", properties.Get("ResourceType"))
+	a.Equal("arn:aws:shield::123456789012:protection-group/protection-group-id", properties.Get("ProtectionGroupArn"))
+	a.Equal("production", properties.Get("tag:Environment"))
+	a.Equal("security", properties.Get("tag:Team"))
+}
+
+func Test_ShieldProtectionGroup_Properties_EmptyTags(t *testing.T) {
+	a := assert.New(t)
+
+	aggregation := shieldtypes.ProtectionGroupAggregationSum
+	pattern := shieldtypes.ProtectionGroupPatternAll
+
+	shieldProtectionGroup := ShieldProtectionGroup{
+		ProtectionGroupId:  ptr.String("protection-group-id"),
+		Aggregation:        &aggregation,
+		Pattern:            &pattern,
+		Members:            &[]string{},
+		ProtectionGroupArn: ptr.String("arn:aws:shield::123456789012:protection-group/protection-group-id"),
+		Tags:               &[]shieldtypes.Tag{},
+	}
+
+	properties := shieldProtectionGroup.Properties()
+
+	a.Equal("protection-group-id", properties.Get("ProtectionGroupId"))
+	a.Equal("SUM", properties.Get("Aggregation"))
+	a.Equal("ALL", properties.Get("Pattern"))
+	a.Equal("arn:aws:shield::123456789012:protection-group/protection-group-id", properties.Get("ProtectionGroupArn"))
+}
+
+func Test_ShieldProtectionGroup_Properties_SpecialCharactersInTags(t *testing.T) {
+	a := assert.New(t)
+
+	aggregation := shieldtypes.ProtectionGroupAggregationSum
+	pattern := shieldtypes.ProtectionGroupPatternAll
+
+	shieldProtectionGroup := ShieldProtectionGroup{
+		ProtectionGroupId:  ptr.String("protection-group-id"),
+		Aggregation:        &aggregation,
+		Pattern:            &pattern,
+		Members:            &[]string{"arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"},
+		ProtectionGroupArn: ptr.String("arn:aws:shield::123456789012:protection-group/protection-group-id"),
+		Tags: &[]shieldtypes.Tag{
+			{
+				Key:   aws.String("Environment:Stage"),
+				Value: aws.String("prod/staging"),
+			},
+			{
+				Key:   aws.String("Cost-Center"),
+				Value: aws.String("security-team"),
+			},
+		},
+	}
+
+	properties := shieldProtectionGroup.Properties()
+
+	a.Equal("protection-group-id", properties.Get("ProtectionGroupId"))
+	a.Equal("prod/staging", properties.Get("tag:Environment:Stage"))
+	a.Equal("security-team", properties.Get("tag:Cost-Center"))
+}