Merge pull request ekristen#505 from ekristen/fix-cloud-control

fix: cloud control resources

Author: ekristen

docs/config-cloud-control.md

@@ -1,3 +1,85 @@
 # Config - Cloud Control
 
-Coming Soon
+aws-nuke supports removing resources via the AWS Cloud Control API.
+
+There are number of Cloud Control resources that are automatically registered as resources that can be removed by 
+aws-nuke. Additionally, there are a number of resources implemented in aws-nuke that have a Cloud Control equivalent,
+this is called an **alternative resource**.
+
+For the subset of Cloud Control supported resources that are registered with aws-nuke they work like any other resource,
+but they are registered with their Cloud Control API name (i.e. `AWS::Bedrock::Agent`). 
+
+However, there are resources that have already been implemented in aws-nuke that have a Cloud Control equivalent. For
+these resources an **alternative resource** has been defined. They are **MUTUALLY EXCLUSIVE**, if you include the Cloud
+Control resource in your config file, the native resource will be disabled. 
+
+Furthermore, there are some Cloud Control resources that need special handling which are not yet supported by aws-nuke.
+
+Finally, even though the subset of automatically supported Cloud Control resources is limited, you can configure
+aws-nuke to make it try any additional resource. Either via command line flags of via the config file.
+
+## Why Use Cloud Control Resources
+
+The Cloud Control API is a standardized API that potentially allows you to nuke any resource regardless if it is defined
+within aws-nuke or not. This is especially useful for new resources that are not yet supported by aws-nuke.
+
+## Impact on Filters
+
+Because of how Cloud Control API resources work vs native implemented resources in aws-nuke, not all properties are
+available for filtering. For example, the `AWS::EC2::VPC` resource has a `VpcId` only, whereas the `EC2VPC` resource has
+`VpcID`, `Tags`, `OwnerID` and more.
+
+## Configuration
+
+For the config file you have to add the resource to the `resource-types.alternatives` list:
+
+!!! note
+    If you are migrating from aws-nuke@v2 `cloud-control` is deprecated but still supported for backwards compatibility
+    in the configuration file. The new key is `resource-types.alternatives`.
+
+```yaml
+resource-types:
+  alternatives:
+    - `AWS::EC2::TransitGateway
+    - `AWS::EC2::VPC
+```
+
+If you want to use the command line, you have to add a `--cloud-control` flag for each resource you want to add:
+
+!!! important
+    This will not limit the resources to only these two resources, but will add them to the list of resources that are
+    automatically removed via Cloud Control.
+
+```console
+aws-nuke run \
+  -c nuke-config.yaml \
+  --cloud-control `AWS::EC2::TransitGateway \
+  --cloud-control `AWS::EC2::VPC
+```
+
+## Supported Resources
+
+These are the resources that are automatically supported by aws-nuke directly as Cloud Control resources that are
+automatically scanned.
+
+- `AWS::AppFlow::ConnectorProfile`
+- `AWS::AppFlow::Flow`
+- `AWS::AppRunner::Service`
+- `AWS::ApplicationInsights::Application`
+- `AWS::Backup::Framework`
+- `AWS::ECR::PullThroughCacheRule`
+- `AWS::ECR::RegistryPolicy`
+- `AWS::ECR::ReplicationConfiguration`
+- `AWS::MWAA::Environment`
+- `AWS::Synthetics::Canary`
+- `AWS::Timestream::Database`
+- `AWS::Timestream::ScheduledQuery`
+- `AWS::Timestream::Table`
+- `AWS::Transfer::Workflow`
+- `AWS::NetworkFirewall::Firewall`
+- `AWS::NetworkFirewall::FirewallPolicy`
+- `AWS::NetworkFirewall::RuleGroup`
+
+## References
+
+- [Supported Resources](https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html)

docs/resources/access-analyzer.md

@@ -13,9 +13,11 @@ AccessAnalyzer
 
 ### Alternative Resource
 
-!!! note - Cloud Control API - Alternative Resource
-    This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
-    [Cloud Control Resources](../config-cloud-control.md) for more information.
+!!! warning - Cloud Control API - Alternative Resource
+    This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
+    use this alternative resource, please note that any properties listed on this page may not be valid. You will need
+    run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
+    Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.
 
 ```text
 AWS::AccessAnalyzer::Analyzer

docs/resources/acmpca-certificate-authority.md

@@ -13,9 +13,11 @@ ACMPCACertificateAuthority
 
 ### Alternative Resource
 
-!!! note - Cloud Control API - Alternative Resource
-    This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
-    [Cloud Control Resources](../config-cloud-control.md) for more information.
+!!! warning - Cloud Control API - Alternative Resource
+    This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
+    use this alternative resource, please note that any properties listed on this page may not be valid. You will need
+    run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
+    Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.
 
 ```text
 AWS::ACMPCA::CertificateAuthority

docs/resources/amg-workspace.md

@@ -13,15 +13,3 @@ AMGWorkspace
 
 
 
-!!! note - Using Properties
-    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
-    names to write filters for what you want to **keep** and omit from the nuke process.
-
-### String Property
-
-The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
-resources support properties. To write a filter against the string representation, simply omit the `property` field in
-the filter.
-
-The string value is always what is used in the output of the log format when a resource is identified.
-

docs/resources/amp-workspace.md

@@ -13,15 +13,3 @@ AMPWorkspace
 
 
 
-!!! note - Using Properties
-    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
-    names to write filters for what you want to **keep** and omit from the nuke process.
-
-### String Property
-
-The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
-resources support properties. To write a filter against the string representation, simply omit the `property` field in
-the filter.
-
-The string value is always what is used in the output of the log format when a resource is identified.
-

docs/resources/api-gateway-api-key.md

@@ -13,9 +13,11 @@ APIGatewayAPIKey
 
 ### Alternative Resource
 
-!!! note - Cloud Control API - Alternative Resource
-    This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
-    [Cloud Control Resources](../config-cloud-control.md) for more information.
+!!! warning - Cloud Control API - Alternative Resource
+    This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
+    use this alternative resource, please note that any properties listed on this page may not be valid. You will need
+    run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
+    Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.
 
 ```text
 AWS::ApiGateway::ApiKey

docs/resources/api-gateway-client-certificate.md

@@ -13,24 +13,14 @@ APIGatewayClientCertificate
 
 ### Alternative Resource
 
-!!! note - Cloud Control API - Alternative Resource
-    This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
-    [Cloud Control Resources](../config-cloud-control.md) for more information.
+!!! warning - Cloud Control API - Alternative Resource
+    This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
+    use this alternative resource, please note that any properties listed on this page may not be valid. You will need
+    run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
+    Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.
 
 ```text
 AWS::ApiGateway::ClientCertificate
 ```
 
 
-!!! note - Using Properties
-    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
-    names to write filters for what you want to **keep** and omit from the nuke process.
-
-### String Property
-
-The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
-resources support properties. To write a filter against the string representation, simply omit the `property` field in
-the filter.
-
-The string value is always what is used in the output of the log format when a resource is identified.
-

docs/resources/api-gateway-domain-name.md

@@ -13,15 +13,3 @@ APIGatewayDomainName
 
 
 
-!!! note - Using Properties
-    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
-    names to write filters for what you want to **keep** and omit from the nuke process.
-
-### String Property
-
-The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
-resources support properties. To write a filter against the string representation, simply omit the `property` field in
-the filter.
-
-The string value is always what is used in the output of the log format when a resource is identified.
-

docs/resources/api-gateway-rest-api.md

@@ -13,15 +13,3 @@ APIGatewayRestAPI
 
 
 
-!!! note - Using Properties
-    Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
-    names to write filters for what you want to **keep** and omit from the nuke process.
-
-### String Property
-
-The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
-resources support properties. To write a filter against the string representation, simply omit the `property` field in
-the filter.
-
-The string value is always what is used in the output of the log format when a resource is identified.
-

docs/resources/api-gateway-usage-plan.md

@@ -13,9 +13,11 @@ APIGatewayUsagePlan
 
 ### Alternative Resource
 
-!!! note - Cloud Control API - Alternative Resource
-    This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
-    [Cloud Control Resources](../config-cloud-control.md) for more information.
+!!! warning - Cloud Control API - Alternative Resource
+    This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
+    use this alternative resource, please note that any properties listed on this page may not be valid. You will need
+    run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
+    Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.
 
 ```text
 AWS::ApiGateway::UsagePlan