cloud-nuke
cloud-nuke copied to clipboard
gruntwork-io
Partition aware resource selection
I believe Macie support has broken govcloud for the tool. Once I upgraded I could no longer run the tool in govcloud, I got this error:
[cloud-nuke] INFO[2022-08-04T17:37:57-04:00] Retrieving active AWS resources in [us-gov-west-1]
[cloud-nuke] INFO[2022-08-04T17:37:57-04:00] Checking region [1/1]: us-gov-west-1
[cloud-nuke] INFO[2022-08-04T17:38:05-04:00] Getting - 1-5 buckets of batch 1/1
ERROR: RequestError: send request failed
caused by: Get "https://macie2.us-gov-west-1.amazonaws.com/administrator": dial tcp: lookup macie2.us-gov-west-1.amazonaws.com: no such host
Macie isn't supported in govcloud, so it would be nice if cloud-nuke can identify the resources that the different partitions don't support and actively filter them out.
Originally posted by @ddvdozuki in https://github.com/gruntwork-io/cloud-nuke/issues/322#issuecomment-1205796278
Macie is not supported in GovCloud, so you need to actively filter it out using --exclude-resource-type macie-member.
@ddvdozuki Apologies if that came off abrasive, as that was not the intention!
Given our small team, it's hard for us to implement features where cloud-nuke can intelligently discover which services are supported in which clouds, so we rely on the user to actively filter resource types that are not supported in the different partitions.
I'm reopening the issue under a different feature request to track the request of being partition aware so that the community can contribute, but we most likely won't be able to implement it any time soon.
I hate to add on to this issue but I think the issue title is relevant. For GovCloud, cloud-nuke does not work against the "global" region. I haven't looked at the source but I would assume it's related to the bulk of the resources with hardcoded partitions like IAM.
[cloud-nuke] INFO[2022-08-10T18:29:24-04:00] Checking region [3/3]: global
ERROR: InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: 968ae7f3-b89e-4429-94bd-87a647ccb4bc
I am able to run against each region without issue ex.
cloud-nuke aws --region us-gov-west-1 --exclude-resource-type macie-member --exclude-resource-type sagemaker-notebook-instance
Good point @sms-astanley. We only use us-gov-west-1 due to certain services not being available in the east coast region but with the way cloud-nuke seems to work, it will only delete iam resources if it's in "global" mode so it's something we've had to work around in govcloud. To be honest I've had to use 2 nuke tools in series to clean up our whole stack as none of them handle all the resources we use sigh. This one and awsweeper.
Good point @sms-astanley. We only use us-gov-west-1 due to certain services not being available in the east coast region but with the way cloud-nuke seems to work, it will only delete iam resources if it's in "global" mode so it's something we've had to work around in govcloud. To be honest I've had to use 2 nuke tools in series to clean up our whole stack as none of them handle all the resources we use sigh. This one and
awsweeper.
Thanks for the tip, I don't mind working around the feature parity. Not even AWS can keep track of that. But I think it's probably worth resolving the "global" region issue if possible.
For GovCloud, cloud-nuke does not work against the "global" region. I haven't looked at the source but I would assume it's related to the bulk of the resources with hardcoded partitions like IAM.
Ah yes that is definitely a bigger issue, if cloud-nuke can't delete resources that are actually supported by GovCloud. I'll look into this to see if I can get to the bottom of it.
I have a PR out now for the global region fix: https://github.com/gruntwork-io/cloud-nuke/pull/350 You can subscribe to that to be notified when it gets released.
Seems like the issue has been fixed with this PR - https://github.com/gruntwork-io/cloud-nuke/pull/350. Closing this issue
