Closed ekristen closed 4 months ago
:tada: This PR is included in version 1.0.0-beta.1 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
:tada: This PR is included in version 1.0.0 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
Overview
This is a complete rewrite of the azure-nuke tool to take advantage of the dedicated library libnuke of which I'm the author. This library was built by taking the code from the original aws-nuke tool and building a dedicated and well tested library from it. I've since rewritten my implementation of aws-nuke to use it.
Why the Rewrite
The original implementation was hacked together by pulling parts of the original aws-nuke code out and I wasn't really happy with how the resources were implemented and the concept of tenant, subscription and resource level resources was frustrating.
Feedback Wanted
I want your feedback on the terminology and anything else you'd like to provide comment on.
What's New
Regions (aka locations)
To keep things consistent and not to re-implement things, I've opted to use the libnuke/config package as it's well tested.
Azure themselves are using Regions in the taxonomy on their website. While their API and docs refer to Location, most places are starting to use the word Region, so we are going to stick with that.
Regions supported are global and all Azure locations around the world. global refers to the tenant, again considering global vs tenant here, unsure at the moment, but using global. There is a special region called all; this will automatically include the tenant (Entra ID) and all regions.
So if you want to target anything scoped to your tenant + subscriptions + resources in eastus your configuration would need to look like:
Configuration Changes
tenants is deprecated in favor of accounts
tenant-blocklist is deprecated in favor of blocklist
Note: this is mainly due to standardization around libnuke's terminology.
Resource Scanning Behavior
If region all or global are in the regions list, tenant scoped (i.e. Entra ID) resources will be scanned. This is primarily going to be users, groups, service principals, etc.
Azure's APIs are TERRIBLE and cannot filter on regions :facepalm:. Ugh. Therefore regions add a special global filter to your configuration and any region NOT in the regions configuration WILL BE FILTERED BY CONFIG. If you do not run with --quiet you will see "filtered by config".
Note: considering adding a way to add a custom message like "filtered by region" but at the moment that's not possible.
Resource Group Behavior
Resource Group Behavior
Because of how Azure resources are organized we have to discover subscriptions and resource groups early. If the region list is only eastus and there's a resource group called "my-central-rg" in centralus, NO resources will be scanned from my-central-rg, however it will show up in the resources list as "filtered by config".
Resource Changes
Any resource that was using a uuid by default to represent itself has been moved to its name and the ID is now a property. This affects how you write filters.
Builds
macOS builds are now signed! You do not have to approve them in security preferences any longer.
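The region scoping rules described in this PR, modelled as an added example that is not code from azure-nuke or libnuke. The types, the function names, the sample resources other than my-central-rg, and the "would remove" label for anything not filtered are assumptions made for illustration.

```go
package main

import "fmt"

// Constructed stand-ins for discovered Azure objects (not libnuke types).
type ResourceGroup struct{ Name, Region string }
type Resource struct{ Name, Group, Region string }

// "would remove" is an assumed label; "filtered by config" is the message the PR quotes.
var verdict = map[bool]string{true: "would remove", false: "filtered by config"}

// Selected reports whether a region is targeted: "all" matches everything,
// otherwise the region must appear in the regions list.
func Selected(regions []string, region string) bool {
	for _, r := range regions {
		if r == "all" || r == region {
			return true
		}
	}
	return false
}

// TenantScanned: tenant scoped (Entra ID) resources are scanned only when
// "all" or "global" is in the regions list.
func TenantScanned(regions []string) bool { return Selected(regions, "global") }

// Plan maps each listed item to its outcome. A resource group outside the
// regions list is listed as filtered and nothing inside it is scanned;
// resources in scanned groups are still checked against the regions list.
func Plan(regions []string, groups []ResourceGroup, resources []Resource) map[string]string {
	out, scanned := map[string]string{}, map[string]bool{}
	for _, g := range groups {
		scanned[g.Name] = Selected(regions, g.Region)
		out[g.Name] = verdict[scanned[g.Name]]
	}
	for _, r := range resources {
		if scanned[r.Group] { // resources in unscanned groups are never listed
			out[r.Name] = verdict[Selected(regions, r.Region)]
		}
	}
	return out
}

func main() {
	regions := []string{"global", "eastus"}
	groups := []ResourceGroup{{"my-east-rg", "eastus"}, {"my-central-rg", "centralus"}}
	resources := []Resource{{"vm-a", "my-east-rg", "eastus"}, {"vm-c", "my-central-rg", "centralus"}}
	fmt.Println("tenant scanned:", TenantScanned(regions))
	fmt.Println(Plan(regions, groups, resources))
}
```
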