Commit d43ed42

merge main
2 parents 0bb6a0a + 1ba4abc commit d43ed42

3 files changed

+73
-406
lines changed

Dockerfile

Lines changed: 18 additions & 23 deletions
@@ -1,29 +1,24 @@
1-
FROM golang:1.21-alpine as builder
2-
3-
RUN apk add --no-cache git make curl openssl
4-
5-
# Configure Go
6-
ENV GOPATH=/go PATH=/go/bin:$PATH CGO_ENABLED=0 GO111MODULE=on
7-
RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin
8-
9-
WORKDIR /src
10-
11-
COPY go.mod .
12-
COPY go.sum .
13-
RUN go mod download
14-
15-
COPY . .
16-
17-
RUN set -x \
18-
&& make build \
19-
&& cp /src/dist/aws-nuke /usr/local/bin/
20-
21-
FROM alpine:latest
1+
# syntax=docker/dockerfile:1.10-labs
2+
FROM alpine:3.20.3 as base
223
RUN apk add --no-cache ca-certificates
4+
RUN adduser -D aws-nuke
235

24-
COPY --from=builder /usr/local/bin/* /usr/local/bin/
6+
FROM ghcr.io/acorn-io/images-mirror/golang:1.21 AS build
7+
COPY / /src
8+
WORKDIR /src
9+
ENV CGO_ENABLED=0
10+
RUN \
11+
--mount=type=cache,target=/go/pkg \
12+
--mount=type=cache,target=/root/.cache/go-build \
13+
go build -ldflags '-s -w -extldflags="-static"' -o bin/aws-nuke main.go
2514

26-
RUN adduser -D aws-nuke
15+
FROM base AS goreleaser
16+
ENTRYPOINT ["/usr/local/bin/aws-nuke"]
17+
COPY aws-nuke /usr/local/bin/aws-nuke
2718
USER aws-nuke
2819

20+
FROM base
2921
ENTRYPOINT ["/usr/local/bin/aws-nuke"]
22+
COPY --from=build --chmod=755 /src/bin/aws-nuke /usr/local/bin/aws-nuke
23+
RUN chmod +x /usr/local/bin/aws-nuke
24+
USER aws-nuke
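Review bot: the final stage's `RUN chmod +x /usr/local/bin/aws-nuke` is redundant with the `--chmod=755` already applied on the `COPY --from=build --chmod=755 /src/bin/aws-nuke /usr/local/bin/aws-nuke` line directly above it, and it adds an image layer without changing any permission bits; drop the `RUN` line. Two supply-chain points on the same hunk: the runtime base is now pinned to `alpine:3.20.3` (an improvement over the removed `alpine:latest`), but the builder `FROM ghcr.io/acorn-io/images-mirror/golang:1.21 AS build` is a floating minor tag pulled from a third-party mirror, so pin it by digest (or at least to a patch version) so rebuilds are reproducible and a change on the mirror side cannot silently swap the toolchain. `COPY / /src` copies the entire build context into the build stage, so a `.dockerignore` that excludes `.git`, local credential files and other working-tree material is needed to keep them out of cached layers. Minor: the `goreleaser` stage copies a prebuilt `aws-nuke` from the context without `--chmod`, so its executable bit depends on how the release pipeline writes the file; adding `--chmod=755` there as well would make the two runtime stages consistent.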

README.md

Lines changed: 0 additions & 321 deletions
@@ -88,324 +88,3 @@ You can contribute to *aws-nuke* by forking this repository, making your changes
8888
this repository. If you are unsure how to solve a problem or have other questions about a contributions, please create
8989
a GitHub issue.
9090

91-
## Version 3
92-
93-
Version 3 is a rewrite of this tool using [libnuke](https://github.com/ekristen/libnuke) with a focus on improving a number of the outstanding things
94-
that I couldn't get done with the original project without separating out the core code into a library. See Goals
95-
below for more.
96-
97-
### Changes
98-
99-
- The root command will result in help now on v3, the primary nuke command moved to `nuke`. **Breaking**
100-
- CloudFormation Stacks now support a hold and wait for parent deletion process. **Quasi-Breaking**
101-
- Nested CloudFormation Stacks are now eligible for deletion and no longer omitted. **Quasi-Breaking**
102-
- The entire resource lister format has changed and requires a struct.
103-
- Context is passed throughout the entire library now, including the listing function and the removal function.
104-
- This is in preparation for supporting AWS SDK Go v2
105-
106-
### Goals
107-
108-
- Adding additional tests
109-
- Adding additional resources
110-
- Adding documentation for adding resources and using the tool
111-
- Consider adding DAG for dependencies between resource types and individual resources
112-
- This will improve the process of deleting resources that have dependencies on other resources and reduce
113-
errors and unnecessary API calls.
114-
115-
## Documentation
116-
117-
The project is built to have the documentation right alongside the code in the `docs/` directory leveraging
118-
[Material for Mkdocs](https://squidfunk.github.io/mkdocs-material/)
119-
120-
In the root of the project exists mkdocs.yml which drives the configuration for the documentation.
121-
122-
This README.md is currently copied to `docs/index.md` and the documentation is automatically published to the GitHub
123-
pages location for this repository using a GitHub Action workflow. It does not use the `gh-pages` branch.
124-
125-
126-
## Use Cases
127-
128-
- We are testing our [Terraform](https://www.terraform.io/) code with Jenkins. Sometimes a Terraform run fails during development and
129-
messes up the account. With *aws-nuke* we can simply clean up the failed account, so it can be reused for the next
130-
build.
131-
- Our platform developers have their own AWS Accounts where they can create their own Kubernetes clusters for testing
132-
purposes. With *aws-nuke* it is very easy to clean up these account at the end of the day and keep the costs low.
133-
134-
135-
### Feature Flags
136-
137-
There are some features, which are quite opinionated. To make those work for
138-
everyone, *aws-nuke* has flags to manually enable those features. These can be
139-
configured on the root-level of the config, like this:
140-
141-
```yaml
142-
---
143-
feature-flags:
144-
disable-deletion-protection:
145-
RDSInstance: true
146-
EC2Instance: true
147-
CloudformationStack: true
148-
force-delete-lightsail-addons: true
149-
```
150-
151-
### Filtering Resources
152-
153-
It is possible to filter this is important for not deleting the current user
154-
for example or for resources like S3 Buckets which have a globally shared
155-
namespace and might be hard to recreate. Currently the filtering is based on
156-
the resource identifier. The identifier will be printed as the first step of
157-
*aws-nuke* (eg `i-01b489457a60298dd` for an EC2 instance).
158-
159-
**Note: Even with filters you should not run aws-nuke on any AWS account, where
160-
you cannot afford to lose all resources. It is easy to make mistakes in the
161-
filter configuration. Also, since aws-nuke is in continous development, there
162-
is always a possibility to introduce new bugs, no matter how careful we review
163-
new code.**
164-
165-
The filters are part of the account-specific configuration and are grouped by
166-
resource types. This is an example of a config that deletes all resources but
167-
the `admin` user with its access permissions and two access keys:
168-
169-
```yaml
170-
---
171-
regions:
172-
- global
173-
- eu-west-1
174-
175-
account-blocklist:
176-
- 1234567890
177-
178-
accounts:
179-
0987654321:
180-
filters:
181-
IAMUser:
182-
- "admin"
183-
IAMUserPolicyAttachment:
184-
- "admin -> AdministratorAccess"
185-
IAMUserAccessKey:
186-
- "admin -> AKSDAFRETERSDF"
187-
- "admin -> AFGDSGRTEWSFEY"
188-
```
189-
190-
Any resource whose resource identifier exactly matches any of the filters in
191-
the list will be skipped. These will be marked as "filtered by config" on the
192-
*aws-nuke* run.
193-
194-
#### Filter Properties
195-
196-
Some resources support filtering via properties. When a resource support these
197-
properties, they will be listed in the output like in this example:
198-
199-
```log
200-
global - IAMUserPolicyAttachment - 'admin -> AdministratorAccess' - [RoleName: "admin", PolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess", PolicyName: "AdministratorAccess"] - would remove
201-
```
202-
203-
To use properties, it is required to specify a object with `properties` and
204-
`value` instead of the plain string.
205-
206-
These types can be used to simplify the configuration. For example, it is
207-
possible to protect all access keys of a single user:
208-
209-
```yaml
210-
IAMUserAccessKey:
211-
- property: UserName
212-
value: "admin"
213-
```
214-
215-
#### Filter Types
216-
217-
There are also additional comparision types than an exact match:
218-
219-
- `exact` – The identifier must exactly match the given string. This is the default.
220-
- `contains` – The identifier must contain the given string.
221-
- `glob` – The identifier must match against the given [glob
222-
pattern](https://en.wikipedia.org/wiki/Glob_(programming)). This means the
223-
string might contains wildcards like `*` and `?`. Note that globbing is
224-
designed for file paths, so the wildcards do not match the directory
225-
separator (`/`). Details about the glob pattern can be found in the [library
226-
documentation](https://godoc.org/github.com/mb0/glob).
227-
- `regex` – The identifier must match against the given regular expression.
228-
Details about the syntax can be found in the [library
229-
documentation](https://golang.org/pkg/regexp/syntax/).
230-
- `dateOlderThan` - The identifier is parsed as a timestamp. After the offset is added
231-
to it (specified in the `value` field), the resulting timestamp must be AFTER the
232-
current time. Details on offset syntax can be found in the [library documentation](https://golang.org/pkg/time/#ParseDuration).
233-
Supported date formats are epoch time, `2006-01-02`, `2006/01/02`, `2006-01-02T15:04:05Z`,
234-
`2006-01-02T15:04:05.999999999Z07:00`, and `2006-01-02T15:04:05Z07:00`.
235-
236-
To use a non-default comparision type, it is required to specify an object with
237-
`type` and `value` instead of the plain string.
238-
239-
These types can be used to simplify the configuration. For example, it is
240-
possible to protect all access keys of a single user by using `glob`:
241-
242-
```yaml
243-
IAMUserAccessKey:
244-
- type: glob
245-
value: "admin -> *"
246-
```
247-
248-
#### Using Them Together
249-
250-
It is also possible to use Filter Properties and Filter Types together. For
251-
example to protect all Hosted Zone of a specific TLD:
252-
253-
```yaml
254-
Route53HostedZone:
255-
- property: Name
256-
type: glob
257-
value: "*.rebuy.cloud."
258-
```
259-
260-
#### Inverting Filter Results
261-
262-
Any filter result can be inverted by using `invert: true`, for example:
263-
264-
```yaml
265-
CloudFormationStack:
266-
- property: Name
267-
value: "foo"
268-
invert: true
269-
```
270-
271-
In this case *any* CloudFormationStack ***but*** the ones called "foo" will be
272-
filtered. Be aware that *aws-nuke* internally takes every resource and applies
273-
every filter on it. If a filter matches, it marks the node as filtered.
274-
275-
#### Filter Presets
276-
277-
It might be the case that some filters are the same across multiple accounts.
278-
This especially could happen, if provisioning tools like Terraform are used or
279-
if IAM resources follow the same pattern.
280-
281-
For this case *aws-nuke* supports presets of filters, that can applied on
282-
multiple accounts. A configuration could look like this:
283-
284-
```yaml
285-
---
286-
regions:
287-
- "global"
288-
- "eu-west-1"
289-
290-
account-blocklist:
291-
- 1234567890
292-
293-
accounts:
294-
555421337:
295-
presets:
296-
- "common"
297-
555133742:
298-
presets:
299-
- "common"
300-
- "terraform"
301-
555134237:
302-
presets:
303-
- "common"
304-
- "terraform"
305-
filters:
306-
EC2KeyPair:
307-
- "notebook"
308-
309-
presets:
310-
terraform:
311-
filters:
312-
S3Bucket:
313-
- type: glob
314-
value: "my-statebucket-*"
315-
DynamoDBTable:
316-
- "terraform-lock"
317-
common:
318-
filters:
319-
IAMRole:
320-
- "OrganizationAccountAccessRole"
321-
```
322-
323-
## Install
324-
325-
### For macOS
326-
`brew install aws-nuke`
327-
328-
### Use Released Binaries
329-
330-
The easiest way of installing it, is to download the latest
331-
[release](https://github.com/ekristen/aws-nuke/releases) from GitHub.
332-
333-
#### Example for Linux Intel/AMD
334-
335-
Download and extract
336-
`$ wget -c https://github.com/rebuy-de/aws-nuke/releases/download/v2.25.0/aws-nuke-v2.25.0-linux-amd64.tar.gz -O - | tar -xz -C $HOME/bin`
337-
338-
Run
339-
`$ aws-nuke-v2.25.0-linux-amd64`
340-
341-
### Compile from Source
342-
343-
To compile *aws-nuke* from source you need a working
344-
[Golang](https://golang.org/doc/install) development environment.
345-
346-
*aws-nuke* uses go modules and so the clone path should no matter.
347-
348-
The easiest way to compile is by using [goreleaser](https://goreleaser.io)
349-
350-
```bash
351-
goreleaser --rm-dist --snapshot --single-target
352-
```
353-
354-
**Note:** this will automatically build for your current architecture and place the result
355-
in the releases directory.
356-
357-
You may also use `make` to compile the binary, this was left over from before the fork.
358-
359-
Also you need to install [golint](https://github.com/golang/lint/) and [GNU
360-
Make](https://www.gnu.org/software/make/).
361-
362-
Then you just need to run `make build` to compile a binary into the project
363-
directory or `make install` go install *aws-nuke* into `$GOPATH/bin`. With
364-
`make xc` you can cross compile *aws-nuke* for other platforms.
365-
366-
### Docker
367-
368-
You can run *aws-nuke* with Docker by using a command like this:
369-
370-
```bash
371-
$ docker run \
372-
--rm -it \
373-
-v /full-path/to/nuke-config.yml:/home/aws-nuke/config.yml \
374-
-v /home/user/.aws:/home/aws-nuke/.aws \
375-
quay.io/rebuy/aws-nuke:v2.25.0 \
376-
--profile default \
377-
--config /home/aws-nuke/config.yml
378-
```
379-
380-
To make it work, you need to adjust the paths for the AWS config and the
381-
*aws-nuke* config.
382-
383-
Also you need to specify the correct AWS profile. Instead of mounting the AWS
384-
directory, you can use the `--access-key-id` and `--secret-access-key` flags.
385-
386-
Make sure you use the latest version in the image tag. Alternatiely you can use
387-
`main` for the latest development version, but be aware that this is more
388-
likely to break at any time.
389-
390-
## Testing
391-
392-
### Unit Tests
393-
394-
To unit test *aws-nuke*, some tests require [gomock](https://github.com/golang/mock) to run.
395-
This will run via `go generate ./...`, but is automatically run via `make test`.
396-
To run the unit tests:
397-
398-
```bash
399-
make test
400-
```
401-
402-
## Contact Channels
403-
404-
For now GitHub issues, may open a Slack or Discord if warranted.
405-
406-
## Contribute
407-
408-
You can contribute to *aws-nuke* by forking this repository, making your
409-
changes and creating a Pull Request against our repository. If you are unsure
410-
how to solve a problem or have other questions about a contributions, please
411-
create a GitHub issue.
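Review bot: this hunk removes 321 lines of user documentation (Version 3 changes and goals, Feature Flags, Filtering Resources with properties, types, inversion and presets, Install, Docker, Testing) and adds nothing in their place, and the commit message `merge main` does not say where the content moved. The removed text itself states that the README is copied to `docs/index.md` and published to GitHub Pages, so if these sections now live under `docs/`, the README should keep at least a one-line pointer to the published documentation; as the hunk stands, a reader of the README no longer sees the `account-blocklist` example or the note that filters are not a safety net for an account whose resources cannot be lost, which is the most important guidance for a tool whose purpose is deleting resources. Deleting the trailing `## Contribute` section is correct, since it duplicates the contribution paragraph kept as unchanged context at the top of the hunk, and the Install and Docker instructions that pointed at `rebuy-de/aws-nuke` v2.25.0 and `quay.io/rebuy/aws-nuke:v2.25.0` were stale for this fork, but the fork's own release and image locations should remain reachable from the README.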
