feat(cloudformation-stack): new setting CreateRoleToDeleteStack

ekristen · ekristen · commit 1c42a86c16f6 · 2025-01-03T20:03:21.000-07:00
diff --git a/go.mod b/go.mod
@@ -31,6 +31,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.38.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 // indirect
diff --git a/go.sum b/go.sum
@@ -18,6 +18,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvK
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26 h1:GeNJsIFHB+WW5ap2Tec4K6dzcVTsRbsT1Lra46Hv9ME=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26/go.mod h1:zfgMpwHDXX2WGoG84xG2H+ZlPTkJUU4YUvx2svLQYWo=
+github.com/aws/aws-sdk-go-v2/service/iam v1.38.3 h1:2sFIoFzU1IEL9epJWubJm9Dhrn45aTNEJuwsesaCGnk=
+github.com/aws/aws-sdk-go-v2/service/iam v1.38.3/go.mod h1:KzlNINwfr/47tKkEhgk0r10/OZq3rjtyWy0txL3lM+I=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.7 h1:tB4tNw83KcajNAzaIMhkhVI2Nt8fAZd5A5ro113FEMY=
diff --git a/resources/cloudformation-stack.go b/resources/cloudformation-stack.go
@@ -15,6 +15,9 @@ import (
 	"github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface"
 
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
+
 	liberrors "github.com/ekristen/libnuke/pkg/errors"
 	"github.com/ekristen/libnuke/pkg/registry"
 	"github.com/ekristen/libnuke/pkg/resource"
@@ -36,6 +39,7 @@ func init() {
 		Lister:   &CloudFormationStackLister{},
 		Settings: []string{
 			"DisableDeletionProtection",
+			"CreateRoleToDeleteStack",
 		},
 	})
 }
@@ -46,6 +50,7 @@ func (l *CloudFormationStackLister) List(_ context.Context, o interface{}) ([]re
 	opts := o.(*nuke.ListerOpts)
 
 	svc := cloudformation.New(opts.Session)
+	iamSvc := iam.NewFromConfig(*opts.Config)
 
 	params := &cloudformation.DescribeStacksInput{}
 	resources := make([]resource.Resource, 0)
@@ -56,11 +61,26 @@ func (l *CloudFormationStackLister) List(_ context.Context, o interface{}) ([]re
 			return nil, err
 		}
 		for _, stack := range resp.Stacks {
-			resources = append(resources, &CloudFormationStack{
+			newResource := &CloudFormationStack{
 				svc:               svc,
-				stack:             stack,
+				iamSvc:            iamSvc,
+				logger:            opts.Logger,
 				maxDeleteAttempts: CloudformationMaxDeleteAttempt,
-			})
+				Name:              stack.StackName,
+				Status:            stack.StackStatus,
+				description:       stack.Description,
+				parentID:          stack.ParentId,
+				roleARN:           stack.RoleARN,
+				CreationTime:      stack.CreationTime,
+				LastUpdatedTime:   stack.LastUpdatedTime,
+				Tags:              stack.Tags,
+			}
+
+			if newResource.LastUpdatedTime == nil {
+				newResource.LastUpdatedTime = newResource.CreationTime
+			}
+
+			resources = append(resources, newResource)
 		}
 
 		if resp.NextToken == nil {
@@ -75,58 +95,106 @@ func (l *CloudFormationStackLister) List(_ context.Context, o interface{}) ([]re
 
 type CloudFormationStack struct {
 	svc               cloudformationiface.CloudFormationAPI
-	stack             *cloudformation.Stack
-	maxDeleteAttempts int
+	iamSvc            *iam.Client
 	settings          *settings.Setting
+	logger            *logrus.Entry
+	Name              *string
+	Status            *string
+	CreationTime      *time.Time
+	LastUpdatedTime   *time.Time
+	Tags              []*cloudformation.Tag
+	description       *string
+	parentID          *string
+	roleARN           *string
+	maxDeleteAttempts int
 }
 
-func (cfs *CloudFormationStack) Filter() error {
-	if ptr.ToString(cfs.stack.Description) == "DO NOT MODIFY THIS STACK! This stack is managed by Config Conformance Packs." {
+func (r *CloudFormationStack) Filter() error {
+	if ptr.ToString(r.description) == "DO NOT MODIFY THIS STACK! This stack is managed by Config Conformance Packs." {
 		return fmt.Errorf("stack is managed by Config Conformance Packs")
 	}
 	return nil
 }
 
-func (cfs *CloudFormationStack) Settings(setting *settings.Setting) {
-	cfs.settings = setting
+func (r *CloudFormationStack) Settings(setting *settings.Setting) {
+	r.settings = setting
 }
 
-func (cfs *CloudFormationStack) Remove(_ context.Context) error {
-	return cfs.removeWithAttempts(0)
+func (r *CloudFormationStack) Remove(ctx context.Context) error {
+	return r.removeWithAttempts(ctx, 0)
 }
 
-func (cfs *CloudFormationStack) removeWithAttempts(attempt int) error {
-	if err := cfs.doRemove(); err != nil {
-		// TODO: pass logrus in via ListerOpts so that it can be used here instead of global
+func (r *CloudFormationStack) createRole(ctx context.Context) error {
+	roleParts := strings.Split(ptr.ToString(r.roleARN), "/")
+	_, err := r.iamSvc.CreateRole(ctx, &iam.CreateRoleInput{
+		RoleName: ptr.String(roleParts[len(roleParts)-1]),
+		AssumeRolePolicyDocument: ptr.String(`{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "cloudformation.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}`),
+		Tags: []iamtypes.Tag{
+			{
+				Key:   ptr.String("Managed"),
+				Value: ptr.String("aws-nuke"),
+			},
+		},
+	})
+
+	return err
+}
 
-		logrus.Errorf("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d delete failed: %s",
-			*cfs.stack.StackName, attempt, cfs.maxDeleteAttempts, err.Error())
+func (r *CloudFormationStack) removeWithAttempts(ctx context.Context, attempt int) error {
+	if err := r.doRemove(); err != nil {
+		r.logger.Errorf("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d delete failed: %s",
+			*r.Name, attempt, r.maxDeleteAttempts, err.Error())
 
 		var awsErr awserr.Error
 		ok := errors.As(err, &awsErr)
-		if ok && awsErr.Code() == "ValidationError" &&
-			awsErr.Message() == "Stack ["+*cfs.stack.StackName+"] cannot be deleted while TerminationProtection is enabled" {
-			// check if the setting for the resource is set to allow deletion protection to be disabled
-			if cfs.settings.GetBool("DisableDeletionProtection") {
-				logrus.Infof("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d updating termination protection",
-					*cfs.stack.StackName, attempt, cfs.maxDeleteAttempts)
-				_, err = cfs.svc.UpdateTerminationProtection(&cloudformation.UpdateTerminationProtectionInput{
-					EnableTerminationProtection: aws.Bool(false),
-					StackName:                   cfs.stack.StackName,
-				})
-				if err != nil {
+		if ok && awsErr.Code() == "ValidationError" {
+			if awsErr.Message() == fmt.Sprintf("Role %s is invalid or cannot be assumed", *r.roleARN) {
+				if r.settings.GetBool("CreateRoleToDeleteStack") {
+					r.logger.Infof("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d creating role to delete stack",
+						*r.Name, attempt, r.maxDeleteAttempts)
+					if err := r.createRole(ctx); err != nil {
+						return err
+					}
+				} else {
+					r.logger.Warnf("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d set feature flag to create role to delete stack",
+						*r.Name, attempt, r.maxDeleteAttempts)
+					return err
+				}
+			} else if awsErr.Message() == fmt.Sprintf("Stack [%s] cannot be deleted while TerminationProtection is enabled", *r.Name) {
+				// check if the setting for the resource is set to allow deletion protection to be disabled
+				if r.settings.GetBool("DisableDeletionProtection") {
+					r.logger.Infof("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d updating termination protection",
+						*r.Name, attempt, r.maxDeleteAttempts)
+					_, err = r.svc.UpdateTerminationProtection(&cloudformation.UpdateTerminationProtectionInput{
+						EnableTerminationProtection: aws.Bool(false),
+						StackName:                   r.Name,
+					})
+					if err != nil {
+						return err
+					}
+				} else {
+					r.logger.Warnf("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d set feature flag to disable deletion protection",
+						*r.Name, attempt, r.maxDeleteAttempts)
 					return err
 				}
-			} else {
-				logrus.Warnf("CloudFormationStack stackName=%s attempt=%d maxAttempts=%d set feature flag to disable deletion protection",
-					*cfs.stack.StackName, attempt, cfs.maxDeleteAttempts)
-				return err
 			}
 		}
-		if attempt >= cfs.maxDeleteAttempts {
+
+		if attempt >= r.maxDeleteAttempts {
 			return errors.New("CFS might not be deleted after this run")
 		} else {
-			return cfs.removeWithAttempts(attempt + 1)
+			return r.removeWithAttempts(ctx, attempt+1)
 		}
 	} else {
 		return nil
@@ -148,9 +216,9 @@ func GetParentStack(svc cloudformationiface.CloudFormationAPI, stackID string) (
 	return nil, nil //nolint:nilnil
 }
 
-func (cfs *CloudFormationStack) doRemove() error { //nolint:gocyclo
-	if cfs.stack.ParentId != nil {
-		p, err := GetParentStack(cfs.svc, *cfs.stack.ParentId)
+func (r *CloudFormationStack) doRemove() error { //nolint:gocyclo
+	if r.parentID != nil {
+		p, err := GetParentStack(r.svc, *r.parentID)
 		if err != nil {
 			return err
 		}
@@ -160,14 +228,14 @@ func (cfs *CloudFormationStack) doRemove() error { //nolint:gocyclo
 		}
 	}
 
-	o, err := cfs.svc.DescribeStacks(&cloudformation.DescribeStacksInput{
-		StackName: cfs.stack.StackName,
+	o, err := r.svc.DescribeStacks(&cloudformation.DescribeStacksInput{
+		StackName: r.Name,
 	})
 	if err != nil {
 		var awsErr awserr.Error
 		if errors.As(err, &awsErr) {
 			if awsErr.Code() == "ValidationFailed" && strings.HasSuffix(awsErr.Message(), " does not exist") {
-				logrus.Infof("CloudFormationStack stackName=%s no longer exists", *cfs.stack.StackName)
+				r.logger.Infof("CloudFormationStack stackName=%s no longer exists", *r.Name)
 				return nil
 			}
 		}
@@ -179,16 +247,16 @@ func (cfs *CloudFormationStack) doRemove() error { //nolint:gocyclo
 		// stack already deleted, no need to re-delete
 		return nil
 	} else if *stack.StackStatus == cloudformation.StackStatusDeleteInProgress {
-		logrus.Infof("CloudFormationStack stackName=%s delete in progress. Waiting", *cfs.stack.StackName)
-		return cfs.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
-			StackName: cfs.stack.StackName,
+		r.logger.Infof("CloudFormationStack stackName=%s delete in progress. Waiting", *r.Name)
+		return r.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
+			StackName: r.Name,
 		})
 	} else if *stack.StackStatus == cloudformation.StackStatusDeleteFailed {
-		logrus.Infof("CloudFormationStack stackName=%s delete failed. Attempting to retain and delete stack", *cfs.stack.StackName)
+		r.logger.Infof("CloudFormationStack stackName=%s delete failed. Attempting to retain and delete stack", *r.Name)
 		// This means the CFS has undetectable resources.
 		// In order to move on with nuking, we retain them in the deletion.
-		retainableResources, err := cfs.svc.ListStackResources(&cloudformation.ListStackResourcesInput{
-			StackName: cfs.stack.StackName,
+		retainableResources, err := r.svc.ListStackResources(&cloudformation.ListStackResourcesInput{
+			StackName: r.Name,
 		})
 		if err != nil {
 			return err
@@ -202,71 +270,59 @@ func (cfs *CloudFormationStack) doRemove() error { //nolint:gocyclo
 			}
 		}
 
-		_, err = cfs.svc.DeleteStack(&cloudformation.DeleteStackInput{
-			StackName:       cfs.stack.StackName,
+		if _, err = r.svc.DeleteStack(&cloudformation.DeleteStackInput{
+			StackName:       r.Name,
 			RetainResources: retain,
-		})
-		if err != nil {
+		}); err != nil {
 			return err
 		}
-		return cfs.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
-			StackName: cfs.stack.StackName,
+
+		return r.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
+			StackName: r.Name,
 		})
 	} else {
-		if err := cfs.waitForStackToStabilize(*stack.StackStatus); err != nil {
+		if err := r.waitForStackToStabilize(*stack.StackStatus); err != nil {
 			return err
-		} else if _, err := cfs.svc.DeleteStack(&cloudformation.DeleteStackInput{
-			StackName: cfs.stack.StackName,
+		} else if _, err := r.svc.DeleteStack(&cloudformation.DeleteStackInput{
+			StackName: r.Name,
 		}); err != nil {
 			return err
-		} else if err := cfs.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
-			StackName: cfs.stack.StackName,
+		} else if err := r.svc.WaitUntilStackDeleteComplete(&cloudformation.DescribeStacksInput{
+			StackName: r.Name,
 		}); err != nil {
 			return err
 		} else {
 			return nil
 		}
 	}
 }
-func (cfs *CloudFormationStack) waitForStackToStabilize(currentStatus string) error {
+
+func (r *CloudFormationStack) waitForStackToStabilize(currentStatus string) error {
 	switch currentStatus {
 	case cloudformation.StackStatusUpdateInProgress,
 		cloudformation.StackStatusUpdateRollbackCompleteCleanupInProgress,
 		cloudformation.StackStatusUpdateRollbackInProgress:
-		logrus.Infof("CloudFormationStack stackName=%s update in progress. Waiting to stabalize", *cfs.stack.StackName)
+		r.logger.Infof("CloudFormationStack stackName=%s update in progress. Waiting to stabalize", *r.Name)
 
-		return cfs.svc.WaitUntilStackUpdateComplete(&cloudformation.DescribeStacksInput{
-			StackName: cfs.stack.StackName,
+		return r.svc.WaitUntilStackUpdateComplete(&cloudformation.DescribeStacksInput{
+			StackName: r.Name,
 		})
 	case cloudformation.StackStatusCreateInProgress,
 		cloudformation.StackStatusRollbackInProgress:
-		logrus.Infof("CloudFormationStack stackName=%s create in progress. Waiting to stabalize", *cfs.stack.StackName)
+		r.logger.Infof("CloudFormationStack stackName=%s create in progress. Waiting to stabalize", *r.Name)
 
-		return cfs.svc.WaitUntilStackCreateComplete(&cloudformation.DescribeStacksInput{
-			StackName: cfs.stack.StackName,
+		return r.svc.WaitUntilStackCreateComplete(&cloudformation.DescribeStacksInput{
+			StackName: r.Name,
 		})
 	default:
 		return nil
 	}
 }
 
-func (cfs *CloudFormationStack) Properties() types.Properties {
-	properties := types.NewProperties()
-	properties.Set("Name", cfs.stack.StackName)
-	properties.Set("CreationTime", cfs.stack.CreationTime.Format(time.RFC3339))
-	if cfs.stack.LastUpdatedTime == nil {
-		properties.Set("LastUpdatedTime", cfs.stack.CreationTime.Format(time.RFC3339))
-	} else {
-		properties.Set("LastUpdatedTime", cfs.stack.LastUpdatedTime.Format(time.RFC3339))
-	}
-
-	for _, tagValue := range cfs.stack.Tags {
-		properties.SetTag(tagValue.Key, tagValue.Value)
-	}
-
-	return properties
+func (r *CloudFormationStack) Properties() types.Properties {
+	return types.NewPropertiesFromStruct(r)
 }
 
-func (cfs *CloudFormationStack) String() string {
-	return *cfs.stack.StackName
+func (r *CloudFormationStack) String() string {
+	return *r.Name
 }
diff --git a/resources/cloudformation-stack_test.go b/resources/cloudformation-stack_test.go
