
Resources without tags not filtered

Open iuliancristea opened this issue 7 months ago • 9 comments

Version: 3.3.2

When resource filtering is in place via tags, some resources aren't filtered out. For this preset:

presets:
  common:
    filters:
      global:
        - property: "tag:delete/.*"
          type: "regex"
          value: "true"
          invert: "true"

the following occur:

global - Route53ResourceRecordSet

global - Route53ResourceRecordSet - <NS_RECORD>. - [Name: "<NS_RECORD>.", Type: "NS"] - cannot delete NS record <<<<<----- EXPECTED NOT TO SHOW
global - Route53ResourceRecordSet - <SOA_RECORD>. - [Name: "<SOA_RECORD>.", Type: "SOA"] - cannot delete SOA record <<<<<----- EXPECTED NOT TO SHOW
global - Route53ResourceRecordSet - <A_RECORD>. - [Name: "<A_RECORD>.", Type: "A"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING TAGS
global - Route53ResourceRecordSet - <CNAME_RECORD>. - [Name: "<CNAME_RECORD>.", Type: "TXT"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING TAGS

global - IAMPolicy

global - IAMPolicy - arn:aws:iam::<aws_account>:policy/<custom_policy> - [ARN: "arn:aws:iam::<aws_account>:policy/<custom_policy>", Name: "<custom_policy>", Path: "/", PolicyID: "<policy_id>"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING TAGS

global - IAMRole

# most omitted for clarity, but this list includes SSO roles, etc. too

global - IAMRole - aws-controltower-AdministratorExecutionRole - [] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING TAGS
global - IAMRole - aws-controltower-ConfigRecorderRole - [] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING TAGS

global - IAMRolePolicy

global - IAMRolePolicy - <iam_role_policy>-ap-northeast-1 -> <iam_role_policy> - [PolicyName: "<iam_role_policy>", role:Path: "/", role:RoleID: "<role_id>", role:RoleName: "<iam_role_policy>-ap-northeast-1", tag:role:Availability: "3", tag:role:Environment: "production"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

global - IAMRolePolicyAttachment

global - IAMRolePolicyAttachment - AWSServiceRoleForIPAM -> AWSIPAMServiceRolePolicy - [PolicyArn: "arn:aws:iam::aws:policy/aws-service-role/AWSIPAMServiceRolePolicy", PolicyName: "AWSIPAMServiceRolePolicy", RoleCreateDate: "2024-02-15T15:23:09Z", RoleLastUsed: "2024-07-08T21:13:51Z", RoleName: "AWSServiceRoleForIPAM", RolePath: "/aws-service-role/ipam.amazonaws.com/"] - cannot detach from service roles <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
global - IAMRolePolicyAttachment - AWSServiceRoleForMarketplaceLicenseManagement -> AWSMarketplaceLicenseManagementServiceRolePolicy - [PolicyArn: "arn:aws:iam::aws:policy/aws-service-role/AWSMarketplaceLicenseManagementServiceRolePolicy", PolicyName: "AWSMarketplaceLicenseManagementServiceRolePolicy", RoleCreateDate: "2024-02-15T15:23:05Z", RoleLastUsed: "2024-02-15T15:23:05Z", RoleName: "AWSServiceRoleForMarketplaceLicenseManagement", RolePath: "/aws-service-role/license-management.marketplace.amazonaws.com/"] - cannot detach from service roles <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - KMSAlias

eu-central-1 - KMSAlias - alias/aws/acm - [Name: "alias/aws/acm"] - cannot delete AWS alias <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - KMSAlias - alias/aws/dynamodb - [Name: "alias/aws/dynamodb"] - cannot delete AWS alias <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - ElasticacheUserGroup

eu-central-1 - ElasticacheUserGroup - aasjpfhi - [ID: "aasjpfhi"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - ElasticacheUserGroup - asdwfasf - [ID: "asdwfasf"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - ElasticacheReplicationGroup

eu-central-1 - ElasticacheReplicationGroup - asjfhqei-gloo-redis - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - ElasticacheReplicationGroup - oqzrwbie-gloo-redis - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - ElasticacheCacheParameterGroup

eu-central-1 - ElasticacheCacheParameterGroup - default.memcached1.4 - [GroupFamily: "memcached1.4", GroupName: "default.memcached1.4"] - cannot delete default cache parameter group <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - ElasticacheCacheParameterGroup - default.memcached1.5 - [GroupFamily: "memcached1.5", GroupName: "default.memcached1.5"] - cannot delete default cache parameter group <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - ElasticacheUser

eu-central-1 - ElasticacheUser - aasjpfhi-default-custom - [ID: "aasjpfhi-default-custom", UserName: "default"] - cannot delete default user <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - S3Bucket

eu-central-1 - S3Bucket - s3://<bucket_name>-<aws_account>-eu-central-1 - [CreationDate: "2024-03-15T15:51:00Z", Name: "<bucket_name>-<aws_account>-eu-central-1", tag:Availability: "3", tag:Environment: "production"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - S3Bucket - s3://<bucket_name>-eu-central-1 - [CreationDate: "2024-04-10T16:29:48Z", Name: "<bucket_name>-eu-central-1"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - CloudWatchAlarm

eu-central-1 - CloudWatchAlarm - ProvisionerFaiureAlarm - [Name: "ProvisionerFaiureAlarm"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG
eu-central-1 - CloudWatchAlarm - <alarm>-ConfigChanges - [Name: "<alarm>-ConfigChanges", tag:exists: "true"] - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

regional - LifecycleHook

eu-central-1 - LifecycleHook - GracefulShutdown - would remove <<<<<----- EXPECTED NOT TO BE REMOVED DUE TO NOT HAVING EXPECTED TAG

Some errors which come from resources that wouldn't be deleted anyway are fine. The true problem lies where there are resources that are expected to be filtered but aren't, because they do not have the right tag or do not have tags at all.

Should the default behaviour be "ignore" if a resource cannot be filtered?

iuliancristea Jul 08 '24 22:07
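As an added illustration (not aws-nuke's own code), a toy model of the preset in the report applied to log lines in the format quoted above: it contrasts failing open, where a resource with no matching property is still removed (what the report observes), with ignoring such resources (what the reporter proposes). The filter semantics (property name matched as an anchored regex, value matched as an anchored regex, `invert` flipping the result), the sample lines and the function names are assumptions of this example.

```go
package main

import "regexp"

// Filter is a toy model of the issue's preset, not aws-nuke's own code.
type Filter struct {
	Property, Value *regexp.Regexp // regex on the property name, regex on its value
	Invert          bool
}

// DeleteTagFilter is the issue's preset: keep anything whose "tag:delete/..."
// property is not "true" (anchored matching is an assumption of this model).
func DeleteTagFilter() Filter {
	return Filter{regexp.MustCompile(`^tag:delete/.*$`), regexp.MustCompile(`^true$`), true}
}

// SampleLines are constructed in the format the issue quotes (placeholder names).
var SampleLines = []string{
	`global - IAMRole - aws-controltower-ConfigRecorderRole - [] - would remove`,
	`eu-central-1 - CloudWatchAlarm - x-ConfigChanges - [Name: "x-ConfigChanges", tag:exists: "true"] - would remove`,
	`eu-central-1 - S3Bucket - s3://tmp - [Name: "tmp", tag:delete/tmp: "true"] - would remove`,
	`eu-central-1 - S3Bucket - s3://keep - [Name: "keep", tag:delete/keep: "false"] - would remove`,
}
var bracketRe, propRe = regexp.MustCompile(`\[(.*)\]`), regexp.MustCompile(`([^\s,]+): "([^"]*)"`)

// ParseProps extracts the `[k: "v", ...]` property list from one log line.
func ParseProps(line string) map[string]string {
	props := map[string]string{}
	if m := bracketRe.FindStringSubmatch(line); m != nil {
		for _, p := range propRe.FindAllStringSubmatch(m[1], -1) {
			props[p[1]] = p[2]
		}
	}
	return props
}

// WouldRemove reports whether the resource would be deleted. With no property matching the
// filter it cannot be evaluated: failOpen=true removes it anyway (what the issue observes),
// failOpen=false ignores it, i.e. keeps it (what the reporter proposes).
func WouldRemove(line string, f Filter, failOpen bool) bool {
	seen, matched := false, false
	for k, v := range ParseProps(line) {
		if f.Property.MatchString(k) {
			seen, matched = true, matched || f.Value.MatchString(v)
		}
	}
	if !seen {
		return failOpen
	}
	return matched == f.Invert // filter fires when matched XOR invert; fired means kept
}
```

Run against the quoted output, the untagged IAMRole and the alarm carrying only `tag:exists` are removed when failing open and kept when ignored, while resources carrying the delete tag get the same answer under both policies.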