ekristen / aws-nuke

Remove all the resources from an AWS account
https://ekristen.github.io/aws-nuke/
MIT License
247 stars, 25 forks

EC2Snapshot can't be deleted if registered with AMI image #369

Closed fridim closed 1 month ago

fridim commented 1 month ago

If a snapshot is registered with an AMI, the deletion of the snapshot by aws-nuke fails.

Is there a way to force aws-nuke to deregister the AMI? If not should we add it?

When deleting from the UI, the error message looks like this: [screenshot: 2024-10-08_16-43]

ekristen commented 1 month ago

EC2Image handles de-registering AMIs. Unfortunately, last I checked, there's no simple and easy way to associate a snapshot with an AMI.

fridim commented 1 month ago

So aws-nuke should have de-registered them? What I see is that it fails deleting EC2Snapshot.

ekristen commented 1 month ago

Please provide your configuration? Are you including EC2Image or are you excluding them?

fridim commented 1 month ago

Yes, this is including EC2Image (I mean not excluding it from the configuration). Conf:

regions: ["ap-south-1", "eu-north-1", "eu-west-3", "eu-west-2", "eu-west-1", "ap-northeast-3", "ap-northeast-2", "ap-northeast-1", "ca-central-1", "sa-east-1", "ap-southeast-1", "ap-southeast-2", "eu-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "global"]

blocklist: [ ___EDITED___ ]

settings:
  EC2Instance:
    DisableDeletionProtection: true
    DisableStopProtection: true
  RDSInstance:
    DisableDeletionProtection: true
  CloudformationStack:
    DisableDeletionProtection: true
  ELBv2:
    DisableDeletionProtection: true
  QLDBLedger:
    DisableDeletionProtection: true

accounts:
  "xxx_EDITED_xxxxx":
    filters:
        IAMRole:
        - config-rule-role
        - OrganizationAccountAccessRole
        - AWSServiceRoleForCloudTrail
        - AWSServiceRoleForElasticLoadBalancing
        - AWSServiceRoleForOrganizations
        - AWSServiceRoleForSupport
        - AWSServiceRoleForTrustedAdvisor
        IAMRolePolicy:
        - OrganizationAccountAccessRole -> AdministratorAccess
        - config-rule-role -> config-rule-policy
        IAMRolePolicyAttachment:
        - property: RoleName
          value: OrganizationAccountAccessRole
        - AWSServiceRoleForCloudTrail -> CloudTrailServiceRolePolicy
        - AWSServiceRoleForElasticLoadBalancing -> AWSElasticLoadBalancingServiceRolePolicy
        - AWSServiceRoleForOrganizations -> AWSOrganizationsServiceTrustPolicy
        - AWSServiceRoleForSupport -> AWSSupportServiceRolePolicy
        - AWSServiceRoleForTrustedAdvisor -> AWSTrustedAdvisorServiceRolePolicy
        CloudFormationStack:
        - roles
        CloudTrailTrail:
        - RHOrganization
        KMSAlias:
        - alias/aws/dynamodb
        - alias/aws/ebs
        - alias/aws/elasticfilesystem
        - alias/aws/es
        - alias/aws/glue
        - alias/aws/kinesisvideo
        - alias/aws/rds
        - alias/aws/redshift
        - alias/aws/s3
        - alias/aws/ssm
        - alias/aws/xray
        - type: glob
          value: alias/eks/*
        MediaConvertQueue:
        - Default
        AWSBackupSelection:
        - property: Name
          value: aws/efs/automatic-backup-selection
        AWSBackupPlan:
        - property: Name
          value: aws/efs/automatic-backup-plan
        AWSBackupVault:
        - property: Name
          value: aws/efs/automatic-backup-vault
        AWSBackupVaultAccessPolicy:
        - aws/efs/automatic-backup-vault
        EC2VPCEndpointConnection:
        - property: State
          value: rejected

resource-types:
  excludes:
    # don't nuke OpenSearch Packages, see https://github.com/rebuy-de/aws-nuke/issues/1123
    - AmazonML
    - Cloud9Environment
    - CloudSearchDomain
    - CodeStarProject
    - FMSNotificationChannel
    - FMSPolicy
    - MachineLearningBranchPrediction
    - MachineLearningDataSource
    - MachineLearningEvaluation
    - MachineLearningMLModel
    - OSPackage
    - OpsWorksApp
    - OpsWorksCMBackup
    - OpsWorksCMServer
    - OpsWorksCMServerState
    - OpsWorksInstance
    - OpsWorksLayer
    - OpsWorksUserProfile
    - RoboMakerRobotApplication
    - RoboMakerSimulationApplication
    - RoboMakerSimulationJob

To illustrate, the following Python code allows the cleanup to proceed:

import boto3
import botocore.exceptions

client = boto3.client('ec2')
changed = False
try:
    # IncludeDeprecated/IncludeDisabled make describe_images also return AMIs that are
    # past their deprecation time or disabled; both are omitted by default.
    response = client.describe_images(Owners=['self'], IncludeDeprecated=True, IncludeDisabled=True)

    for image in response['Images']:
        print("Deregistering AMI: " + image['ImageId'])
        client.deregister_image(
            ImageId=image['ImageId']
        )
        print("Deregistered AMI: " + image['ImageId'])
        # Once the AMI is deregistered, the snapshots backing its block devices can be deleted.
        for device in image.get('BlockDeviceMappings', []):
            snapshot_id = device.get('Ebs', {}).get('SnapshotId')
            if snapshot_id:
                print("Deleting snapshot: %s associated with AMI: %s" % (snapshot_id, image['ImageId']))
                client.delete_snapshot(SnapshotId=snapshot_id)
                print("Successfully deleted snapshot: %s" % (snapshot_id))
        changed = True
    # Delete all remaining snapshots owned by this account
    response = client.describe_snapshots(OwnerIds=['self'])

    for snapshot in response['Snapshots']:
        client.delete_snapshot(
            SnapshotId=snapshot['SnapshotId']
        )
        print("Deleted snapshot: " + snapshot['SnapshotId'])
        changed = True
except botocore.exceptions.ClientError as e:
    print(e)

Mind the IncludeDisabled=True.

But if I understand correctly, aws-nuke should de-register them ( https://github.com/ekristen/aws-nuke/blob/main/resources/ec2-image.go#L52 ), so I'm not sure why it isn't doing it.

ekristen commented 1 month ago

@fridim I'm working on improving the documentation but in the mean time, there are 3 newer settings for the EC2Image resource https://github.com/ekristen/aws-nuke/blob/main/resources/ec2-image.go#L23-L25

IncludeDeprecated, IncludeDisabled, and DisableDeregistrationProtection.

It's possible that the EC2Image that the EC2Snapshot is tied to is either in a disabled or deprecated state. I would recommend running aws-nuke against the account with the --include EC2Image flag (this will limit it to only the EC2Image) and without the --quiet flag, and you can see if the EC2Image is being discovered and whether or not it is being filtered out.
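The two comments above make the same point from different sides: a snapshot referenced by an AMI's block device mappings cannot be deleted until the AMI is deregistered, and the EC2Image resource only sees deprecated or disabled AMIs when IncludeDeprecated / IncludeDisabled are set. The script below, which is an added example and not part of aws-nuke or of either commenter's code, builds the snapshot-to-AMI map from describe_images output and reports which snapshots would still be blocked under a given pair of settings. The response dicts are constructed to match the shape of boto3's ec2.describe_images and ec2.describe_snapshots output, and every AMI and snapshot ID in them is invented; DeprecationTime is treated as an ISO 8601 string as the EC2 API returns it. The third setting from the thread, DisableDeregistrationProtection, concerns a per-AMI protection flag and is not modelled here.

```python
"""Find EBS snapshots whose deletion would fail because an AMI still references them,
and whether aws-nuke's EC2Image resource would deregister that AMI under the
IncludeDeprecated / IncludeDisabled settings. Added example; not aws-nuke code."""
from datetime import datetime, timezone

# Constructed sample data (IDs invented), shaped like the output of
# ec2.describe_images(Owners=['self'], IncludeDeprecated=True, IncludeDisabled=True).
IMAGES_RESPONSE = {
    "Images": [
        {   # ordinary AMI: EC2Image deregisters it with default settings
            "ImageId": "ami-0aaa111aaa111aaa1", "State": "available",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa111aaa111aaa1"}}],
        },
        {   # deprecated AMI: still 'available', but its DeprecationTime lies in the past
            "ImageId": "ami-0bbb222bbb222bbb2", "State": "available",
            "DeprecationTime": "2024-01-01T00:00:00.000Z",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0bbb222bbb222bbb2"}}],
        },
        {   # disabled AMI: State is 'disabled'; two snapshots hang off it
            "ImageId": "ami-0ccc333ccc333ccc3", "State": "disabled",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ccc333ccc333ccc3"}},
                {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-0ddd444ddd444ddd4"}}],
        },
    ]
}
# Constructed sample shaped like ec2.describe_snapshots(OwnerIds=['self']) output;
# the last snapshot is not referenced by any AMI at all.
SNAPSHOTS_RESPONSE = {"Snapshots": [{"SnapshotId": s} for s in (
    "snap-0aaa111aaa111aaa1", "snap-0bbb222bbb222bbb2", "snap-0ccc333ccc333ccc3",
    "snap-0ddd444ddd444ddd4", "snap-0eee555eee555eee5")]}
NOW = datetime(2024, 10, 8, tzinfo=timezone.utc)  # constructed "current time"


def image_status(image, now):
    """Classify an AMI as 'disabled', 'deprecated' or 'active' from its describe_images record."""
    if image.get("State") == "disabled":
        return "disabled"
    deprecation = image.get("DeprecationTime")
    if deprecation:
        when = datetime.fromisoformat(deprecation.replace("Z", "+00:00"))
        if when <= now:
            return "deprecated"
    return "active"


def snapshot_to_images(images_response):
    """Map each snapshot id to the AMIs whose block device mappings reference it."""
    refs = {}
    for image in images_response["Images"]:
        for mapping in image.get("BlockDeviceMappings", []):
            snapshot_id = mapping.get("Ebs", {}).get("SnapshotId")
            if snapshot_id:
                refs.setdefault(snapshot_id, []).append(image["ImageId"])
    return refs


def diagnose(images_response, snapshots_response, now,
             include_deprecated=False, include_disabled=False):
    """Per snapshot: the AMIs referencing it, the ones EC2Image would NOT deregister under the
    given settings (each as (ami_id, status)), and whether the snapshot is deletable afterwards."""
    by_id = {img["ImageId"]: img for img in images_response["Images"]}
    refs = snapshot_to_images(images_response)
    report = {}
    for snapshot in snapshots_response["Snapshots"]:
        sid = snapshot["SnapshotId"]
        referencing = refs.get(sid, [])
        blockers = []
        for ami in referencing:
            status = image_status(by_id[ami], now)
            handled = (status == "active"
                       or (status == "deprecated" and include_deprecated)
                       or (status == "disabled" and include_disabled))
            if not handled:
                blockers.append((ami, status))
        report[sid] = {"referenced_by": referencing, "blocked_by": blockers,
                       "deletable_after_ec2image": not blockers}
    return report


if __name__ == "__main__":
    for settings in ({}, {"include_deprecated": True, "include_disabled": True}):
        print("settings:", settings or "defaults")
        for sid, info in diagnose(IMAGES_RESPONSE, SNAPSHOTS_RESPONSE, NOW, **settings).items():
            print(" ", sid, "blocked by", info["blocked_by"] or "nothing")
```

Run against real output by replacing the two constructed dicts with the results of the corresponding boto3 calls (paginating if the account owns many images); a snapshot listed with a non-empty blocked_by under the default settings is exactly the case in this issue, and the same snapshot reports no blockers once both settings are true.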

fridim commented 1 month ago

Oh so those are not by default?

settings:
  EC2Image:
    IncludeDisabled: true
    IncludeDeprecated: true
    DisableDeregistrationProtection: true

Thanks, I'll add that to my configuration. It's probably just that then.

ekristen commented 1 month ago

They are not, as that would have unexpectedly changed the behavior of the tool; next major release, they will be set to true.

ekristen commented 1 month ago

Also please let me know if that resolves the issue. Thanks!

ekristen commented 1 month ago

@fridim did the settings resolve the issues for you?

alexandrosgkesos commented 1 month ago

Thanks. Had the same issue and it worked with the provided solution

ekristen commented 1 month ago

@alexandrosgkesos glad to hear it. Just so you, and anyone else that stumbles upon this, know: this resource is now documented here https://ekristen.github.io/aws-nuke/resources/ec2-image/