ekristen / aws-nuke

Remove all the resources from an AWS account
https://ekristen.github.io/aws-nuke/
MIT License

IAMUserKey is filtered when IAMUser is filtered #379

Closed fridim closed 1 month ago

fridim commented 1 month ago

I noticed IAMUserKeys are not deleted with aws-nuke recent version if the user is filtered.

With aws-nuke v3.26.0:

"> aws-nuke - v3.26.0 - 5e33e8901f8786f2839fabbbc3bb26086b01fc2a",
            "Do you really want to nuke the account with the ID EDITED and the alias 'EDITED'?",
            "Waiting 10s before continuing.",
            "Scan complete: 2492 total, 0 nukeable, 2492 filtered.",
            "",
            "No resource to delete."

With the same config, using the legacy aws-nuke v2.25.0 it does remove the IAMUserAccessKey and IAMUserPolicyAttachment:

            "global - IAMUserAccessKey - student -> EDITED - [AccessKeyID: \"EDITED\", CreateDate: \"2024-10-14T18:17:05Z\", UserName: \"student\"] - removed",
            "global - IAMUserPolicyAttachment - student -> AdministratorAccess - [PolicyArn: \"arn:aws:iam::aws:policy/AdministratorAccess\", PolicyName: \"AdministratorAccess\", UserName: \"student\"] - removed",
            "",
            "Removal requested: 0 waiting, 0 failed, 1141 skipped, 2 finished",
            "",
            "Nuke complete: 0 failed, 1141 skipped, 2 finished."

I'm not sure this is intended?

Confs:

accounts:
  "..EDITED..":
    filters:
      IAMUser: ["student"]

ekristen commented 1 month ago

I cannot reproduce this behavior.

Please provide full configuration to include any flags used to run the tool and provide logs.

With no filters I get this.

> aws-nuke - v3.27.0 - 5d5a72014aa823ce2655ca925f8449f96c47acbf
Do you really want to nuke the account with the ID XXXXXXXXXXXX and the alias 'no-alias-XXXXXXXXXXXX'?
Do you want to continue? Enter account alias to continue.
> no-alias-XXXXXXXXXXXX

global - IAMUser - test - [CreateDate: "2024-10-14T20:13:06Z", Name: "test", Path: "/", UserID: "AIDAZI2LHXQ54PI3C6UPO"] - would remove
global - IAMUserAccessKey - test -> AKIAZI2LHXQ54NJTQOBX - [AccessKeyID: "AKIAZI2LHXQ54NJTQOBX", CreateDate: "2024-10-14T20:13:19Z", UserName: "test"] - would remove
Scan complete: 2 total, 2 nukeable, 0 filtered.

With your specific filter I get this

> aws-nuke - v3.27.0 - 5d5a72014aa823ce2655ca925f8449f96c47acbf
Do you really want to nuke the account with the ID XXXXXXXXXXXX and the alias 'no-alias-XXXXXXXXXXXX'?
Waiting 3s before continuing.
global - IAMUserAccessKey - test -> AKIAZI2LHXQ54NJTQOBX - [AccessKeyID: "AKIAZI2LHXQ54NJTQOBX", CreateDate: "2024-10-14T20:13:19Z", UserName: "test"] - would remove
Scan complete: 2 total, 1 nukeable, 1 filtered.

The user is omitted as I'm running the --quiet flag.

fridim commented 1 month ago

Mh, I see stderr is not empty when that happened. Could be related to https://github.com/ekristen/aws-nuke/issues/372

        "ansible_job_id": "j282585541288.4913",
        "attempts": 1,
        "changed": true,
        "cmd": [
            "aws-nuke",
            "nuke",
            "--profile",
            "sandbox.edited...",
            "-c",
            "nuke-config.yml",
            "--quiet",
            "--log-level",
            "error",
            "--no-dry-run",
            "--force"
        ],
        "delta": "0:02:44.189456",
        "end": "2024-10-14 18:08:04.421684",
        "failed": false,
        "finished": 1,
        "msg": "",
        "rc": 0,
        "results_file": "/home/opentlc-mgr/.ansible_async/j282585541288.4913",
        "start": "2024-10-14 18:05:20.232228",
        "started": 1,
        "stderr_lines": [
            "time=\"2024-10-14T18:05:45Z\" level=error msg=\"Listing GameLiftMatchmakingConfiguration failed:\\n    RequestError: send request failed\\n    caused by: Post
            "time=\"2024-10-14T18:05:45Z\" level=error msg=\"Listing GameLiftQueue failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:45Z\" level=error msg=\"Listing GameLiftFleet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:46Z\" level=error msg=\"Listing GameLiftBuild failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:46Z\" level=error msg=\"Listing TranscribeLanguageModel failed:\\n    BadRequestException: Your account isn't authorized to call this o
            "time=\"2024-10-14T18:05:49Z\" level=error msg=\"Listing GameLiftMatchmakingRuleSet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"ht
            "time=\"2024-10-14T18:05:52Z\" level=error msg=\"Listing GameLiftMatchmakingConfiguration failed:\\n    RequestError: send request failed\\n    caused by: Post
            "time=\"2024-10-14T18:05:52Z\" level=error msg=\"Listing GameLiftQueue failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:53Z\" level=error msg=\"Listing GameLiftFleet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:53Z\" level=error msg=\"Listing GameLiftBuild failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:05:55Z\" level=error msg=\"Listing GameLiftMatchmakingRuleSet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"ht
            "time=\"2024-10-14T18:06:13Z\" level=error msg=\"Listing GameLiftMatchmakingConfiguration failed:\\n    RequestError: send request failed\\n    caused by: Post
            "time=\"2024-10-14T18:06:13Z\" level=error msg=\"Listing GameLiftQueue failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:06:14Z\" level=error msg=\"Listing GameLiftFleet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:06:15Z\" level=error msg=\"Listing GameLiftBuild failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelif
            "time=\"2024-10-14T18:06:16Z\" level=error msg=\"Listing BackupReportPlan failed:\\n    AccessDeniedException: This API is not available in current Region.\\n    \\tstatus code: 403, request id: 7ec45129-68e3-46f3-b290-9dbe1dac5e66\" error=\"AccessDeniedException: This API is not available in current Region.\\n\\tstatus code: 403, request id: 7ec45129-68e3-46f3-b290-9dbe1dac5e66\"",
            "time=\"2024-10-14T18:06:16Z\" level=error msg=\"Listing RedshiftServerlessNamespace failed:\\n    ValidationException: The Namespaces operation isn't supported.\" error=\"ValidationException: The Namespaces operation isn't supported.\"",
            "time=\"2024-10-14T18:06:16Z\" level=error msg=\"Listing RedshiftServerlessSnapshot failed:\\n    ValidationException: The ServerlessToServerlessRestore operation isn't supported.\" error=\"ValidationException: The ServerlessToServerlessRestore operation isn't supported.\"",
            "time=\"2024-10-14T18:06:18Z\" level=error msg=\"Listing GameLiftMatchmakingRuleSet failed:\\n    RequestError: send request failed\\n    caused by: Post \\\"https://gamelift.ap-northeast-3.amazonaws.com/\\\": dial tcp: lookup gamelift.ap-northeast-3.amazonaws.com on 172.30.0.10:53: no such host\" error=\"RequestError: send request failed\\ncaused by: Post \\\"https://gamelift.ap-northeast-3.amazonaws.com/\\\": dial tcp: lookup gamelift.ap-northeast-3.amazonaws.com on 172.30.0.10:53: no such host\"",
            "time=\"2024-10-14T18:06:18Z\" level=error msg=\"Listing RedshiftServerlessWorkgroup failed:\\n    ValidationException: The Workgroups operation isn't supported.\" error=\"ValidationException: The Workgroups operation isn't supported.\"",
            "time=\"2024-10-14T18:06:44Z\" level=error msg=\"Listing RekognitionProject failed:\\n    AccessDeniedException: \" error=\"AccessDeniedException: \"",
            "time=\"2024-10-14T18:06:45Z\" level=error msg=\"Listing RekognitionDataset failed:\\n    AccessDeniedException: \" error=\"AccessDeniedException: \"",
            "time=\"2024-10-14T18:07:50Z\" level=error msg=\"Listing RekognitionProject failed:\\n    AccessDeniedException: \" error=\"AccessDeniedException: \"",
            "time=\"2024-10-14T18:07:53Z\" level=error msg=\"Listing RekognitionDataset failed:\\n    AccessDeniedException: \" error=\"AccessDeniedException: \""
        ],
        "stdout_lines": [
            "> aws-nuke - v3.26.0 - 5e33e8901f8786f2839fabbbc3bb26086b01fc2a",
            "Do you really want to nuke the account with the ID EDITED and the alias 'EDITED'?",
            "Waiting 10s before continuing.",
            "Scan complete: 2492 total, 0 nukeable, 2492 filtered.",
            "",
            "No resource to delete."
        ]

ekristen commented 1 month ago

These errors are not going to affect this. If you are worried about that, add every resource in stdout to your exclude list.

ekristen commented 1 month ago

@fridim since I've not heard from you and I haven't been able to reproduce this I'm going to close this out.

fridim commented 1 month ago

I still observe this happening from time to time where aws-nuke doesn't delete the resource and aws-nuke-legacy (v2) does.

            "global - IAMUserAccessKey - student -> AKIA3VJTCB55L3HZDHOZ - [AccessKeyID: \"AKIA3VJTCB55L3HZDHOZ\", CreateDate: \"2024-10-21T12:38:28Z\", UserName: \"student\"] - removed",
            "global - IAMUserPolicyAttachment - student -> AdministratorAccess - [PolicyArn: \"arn:aws:iam::aws:policy/AdministratorAccess\", PolicyName: \"AdministratorAccess\", UserName: \"student\"] - removed"

It could be a concurrency issue on our side since this doesn't happen all the time.
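Because the missing deletions above are intermittent, a post-run check on the raw stdout is the simplest way to catch a run where a kept user's access keys or policy attachments were not removed. The script below is an added example, not part of this thread or of aws-nuke: it parses the `<region> - <type> - <id> - [props] - <status>` lines and the `Scan complete` summary that both v2 and v3 print, and reports, for each user you keep via an `IAMUser` filter, which child resource types never got a `removed` / `would remove` line. The sample input is constructed from lines quoted in the thread; the function and type names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Matches one resource line of aws-nuke's stdout (v2 and v3 share this shape):
#   <region> - <type> - <id> - [Prop: "value", ...] - <status>
LINE_RE = re.compile(
    r'^(?P<region>\S+) - (?P<rtype>\S+) - (?P<rid>.+?) - \[(?P<props>.*)\] - (?P<status>.+)$'
)
PROP_RE = re.compile(r'(\w+): "((?:[^"\\]|\\.)*)"')
SCAN_RE = re.compile(r'^Scan complete: (\d+) total, (\d+) nukeable, (\d+) filtered\.$')


@dataclass
class Resource:
    region: str
    rtype: str
    rid: str
    status: str
    props: dict = field(default_factory=dict)


def parse_output(lines):
    """Return (resources, scan_summary) from raw (unescaped) aws-nuke stdout lines."""
    resources, summary = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            props = dict(PROP_RE.findall(m["props"]))
            resources.append(Resource(m["region"], m["rtype"], m["rid"], m["status"], props))
            continue
        s = SCAN_RE.match(line.strip())
        if s:
            summary = tuple(int(x) for x in s.groups())
    return resources, summary


def missing_user_children(lines, users, child_types=("IAMUserAccessKey", "IAMUserPolicyAttachment")):
    """For each kept user, list child types that never got a 'removed'/'would remove' line."""
    seen = {u: set() for u in users}
    for r in parse_output(lines)[0]:
        user = r.props.get("UserName")
        if r.rtype in child_types and user in seen and r.status in ("removed", "would remove"):
            seen[user].add(r.rtype)
    return {u: sorted(set(child_types) - s) for u, s in seen.items()}


# Constructed sample: the v3.27.0 dry-run lines from the thread plus one v2-style attachment line.
SAMPLE = """\
> aws-nuke - v3.27.0 - 5d5a72014aa823ce2655ca925f8449f96c47acbf
global - IAMUserAccessKey - test -> AKIAZI2LHXQ54NJTQOBX - [AccessKeyID: "AKIAZI2LHXQ54NJTQOBX", CreateDate: "2024-10-14T20:13:19Z", UserName: "test"] - would remove
global - IAMUserPolicyAttachment - student -> AdministratorAccess - [PolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess", PolicyName: "AdministratorAccess", UserName: "student"] - removed
Scan complete: 2 total, 1 nukeable, 1 filtered.
"""

if __name__ == "__main__":
    print(missing_user_children(SAMPLE.splitlines(), ["test", "student"]))
```

Run it on the unescaped stdout (not the JSON-escaped `stdout_lines` values) after a non-dry run; a non-empty list for a user means that run should be re-checked against IAM before trusting the "Nuke complete" line.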