ekristen / azure-nuke

Remove all resources from an Azure Tenant and its Subscriptions.
https://ekristen.github.io/azure-nuke/
MIT License
32 stars 8 forks

feat!: v1 - rewrite to use libnuke - rewrite resources, docs, regions and more #45

Closed ekristen closed 4 months ago

ekristen commented 7 months ago

Quick Start

brew install ekristen/tap/azure-nuke@1

Overview

Next Releases

This is a complete rewrite of the azure-nuke tool to take advantage of the dedicated library libnuke, of which I'm the author. This library was built by taking the code from the original aws-nuke tool and building a dedicated and well tested library from it. I've since rewritten my implementation of aws-nuke to use it.

Why the Rewrite

The original implementation was hacked together by pulling parts of the original aws-nuke code out and I wasn't really happy with how the resources were implemented and the concept of tenant, subscription and resource level resources was frustrating.

Feedback Wanted

I want your feedback on the terminology and anything else you'd like to provide comment on.

What's New

Regions (aka locations)

To keep things consistent and not to re-implement things, I've opted to use the libnuke/config package as it's well tested.

Azure themselves are using Regions in the taxonomy on their website. While their API and docs refer to Location, most places are starting to use the word Region, so we are going to stick with that.

Regions supported are global and all Azure locations around the world. global refers to the tenant (again, considering global vs tenant here; unsure at the moment, but using global). There is a special region called all; this will automatically include the tenant (Entra ID) and all regions.

So if you want to target anything scoped to your tenant + subscriptions + resources in eastus your configuration would need to look like:

regions:
  - global
  - eastus

Configuration Changes

Note: this is mainly due to standardization around libnuke's terminology.

Resource Scanning Behavior

If region all or global is in the regions list, tenant-scoped (i.e. Entra ID) resources will be scanned. This is primarily going to be users, groups, service principals, etc.

Azure's APIs are TERRIBLE and cannot filter on regions :facepalm:. Ugh. Therefore regions add a special global filter to your configuration, and any region NOT in the regions configuration WILL BE FILTERED BY CONFIG. If you do not run with --quiet you will see "filtered by config".

note: considering adding a way to add a custom message like "filtered by region" but at the moment that's not possible.

Resource Group Behavior

Because of how Azure resources are organized, we have to discover subscriptions and resource groups early. If the region list is only eastus and there's a resource group called "my-central-rg" in centralus, NO resources will be scanned from my-central-rg; however, it will show up in the resources list as "filtered by config".

Resource Changes

Any resource that was using a UUID by default to represent itself has been moved to its name, and the ID is now a property. This affects how you write filters.

Builds

macOS builds are now signed! You do not have to approve them in security preferences any longer.
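
The scoping rules from the Resource Scanning Behavior and Resource Group Behavior sections above, modelled as an added example (not code from azure-nuke or libnuke) so a regions list can be checked against an inventory before a run. The Item type, the Plan function, the "scanned" label and the inventory are constructed for illustration, and it assumes tenant objects are skipped entirely when neither global nor all is configured.

```go
package main

import "fmt"

// Item is a constructed stand-in for a discovered object, not a libnuke type.
// Region "global" marks tenant-scoped (Entra ID) objects; Group is the parent resource group.
type Item struct{ Name, Region, Group string }
var status = map[bool]string{true: "scanned", false: "filtered by config"}

// inRegions: "all" covers the tenant and every region; otherwise the region must be listed.
func inRegions(regions []string, region string) bool {
	for _, r := range regions {
		if r == "all" || r == region {
			return true
		}
	}
	return false
}

// Plan returns name -> status for everything that would appear in the resource list.
// Objects that are never scanned are absent from the result.
func Plan(regions []string, groups, items []Item) map[string]string {
	out, groupOK := map[string]string{}, map[string]bool{}
	for _, g := range groups { // resource groups are discovered first and always listed
		groupOK[g.Name] = inRegions(regions, g.Region)
		out[g.Name] = status[groupOK[g.Name]]
	}
	for _, it := range items {
		switch {
		case it.Region == "global": // tenant scoped: scanned only with global or all
			if inRegions(regions, "global") {
				out[it.Name] = status[true]
			}
		case groupOK[it.Group]: // group scanned; the resource's own region is still checked
			out[it.Name] = status[inRegions(regions, it.Region)]
		}
	}
	return out
}

func main() {
	// Constructed inventory for illustration.
	groups := []Item{{"my-east-rg", "eastus", ""}, {"my-central-rg", "centralus", ""}}
	items := []Item{{"vm-a", "eastus", "my-east-rg"}, {"vnet-w", "westus", "my-east-rg"},
		{"vm-c", "centralus", "my-central-rg"}, {"svc-principal", "global", ""}}
	for _, regions := range [][]string{{"eastus"}, {"global", "eastus"}, {"all"}} {
		fmt.Println(regions, Plan(regions, groups, items))
	}
}
```

With only eastus configured, my-central-rg is listed as "filtered by config" while its child vm-c and the tenant object never appear, which is the case to look for when reviewing a dry run.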

ekristen commented 4 months ago

:tada: This PR is included in version 1.0.0-beta.1 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

ekristen commented 2 months ago

:tada: This PR is included in version 1.0.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: