gruntwork-io / cloud-nuke

A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
https://gruntwork.io/
MIT License
2.75k stars, 354 forks

EFS names_regex is not applied when the EFS file system has no name #754

Closed Macaw-DJP closed 1 month ago

Macaw-DJP commented 1 month ago

For using cloud-nuke aws --config test_config.yaml --dry-run --region eu-west-1 a config file was set up called cloud-nuke.yaml

This included the following block

ElasticFileSystem:
  include:
    names_regex:
    - test_cm

The name property for AWS Elastic File Systems is optional. The expectation is that EFS with no names would be excluded as they do not match the include names_regex.

| Behaviour type | Description |
|---|---|
| Expected | Where a names_regex is specified, only those items whose name matches the RegEx are retrieved. Objects without names are excluded |
| Actual | Objects whose names match the RegEx are correctly chosen. Objects with no names are incorrectly included |

james03160927 commented 1 month ago

Hi @Macaw-DJP, are you sure you've included the following in your test_config.yaml file? Make sure you have this inside your test_config.yaml, not the cloud-nuke.yaml file.

ElasticFileSystem:
  include:
    names_regex:
    - test_cm

I just tested your command with the latest change and it seems to work fine. [image]

Without Config: [image]

With Config: [image]

Macaw-DJP commented 1 month ago

As you spotted, there was a typo in the example command I gave, it should have said cloud-nuke.yaml rather than test_config.yaml. However the results I am seeing are as described earlier.

This sounds like one of those problems that is hard to reproduce.

cloud-nuke aws --config cloud-nuke.yaml --dry-run --region eu-west-1

I have also tried

cloud-nuke aws --config cloud-nuke.yaml --dry-run --region eu-west-1 --resource-type efs

I've double checked cloud-nuke.yaml and it does have

ElasticFileSystem:
  include:
    names_regex:
    - test_cm

I'm experimenting with cloud-nuke on a MacBook running OSX Sonoma 14.5.

# The following returns 0.37.1
cloud-nuke --version

james03160927 commented 1 month ago

I wasn't able to reproduce this issue. Are you using the latest version of cloud-nuke or some specific version? As you can see from my screenshots, I created an EFS with a specific name and tested running the command and it worked fine.

Macaw-DJP commented 1 month ago

Just using cloud-nuke installed on a MacBook as per the README.md. brew install cloud-nuke which installed 0.37.1.

I'm going to try running it with --log-level debug. It's going to be an embarrassing PEBCAK error at my end, I just can't see it at the moment.

I will feed back ASAP though I think this issue may need to be closed with "Cannot reproduce".

Great product though, wish I'd had it a couple of months ago when I had to do a complete tear-down of a legacy environment.

Macaw-DJP commented 1 month ago

--log-level debug did not reveal anything new.

Re-ran my scenarios and got the same results as before.

james03160927 commented 1 month ago

Interesting. Seems like you are using the latest version, so the same version as mine. Yeah, since we cannot reproduce, we won't be able to help with further troubleshooting.

Will close this issue for now but let us know if you have further issues with this.

Macaw-DJP commented 1 month ago

I have a suspicion as to what may be going on but I am not a Go developer so can't confirm.

EFS objects do not have a Name property. They use a Tags list property of Key:Value pairs with a Key of Name where the Value holds the name.

If I deliberately create an EFS object from the AWS console without a name then this still gets a Name tag

"Tags": [
        {
          "Key": "Name",
          "Value": ""
        },
        {
          "Key": "aws:elasticfilesystem:default-backup",
          "Value": "enabled"
        }
      ]

This EFS object is correctly ignored by cloud-nuke because, as expected, the empty string value for Name does not match the test_cm listed in names_regex.

The 2 empty named EFS objects that are showing up unexpectedly DO NOT have a Name tag.

      "Tags": [
        {
          "Key": "Customer",
          "Value": "cm"
        },
        {
          "Key": "EFSCreationToken",
          "Value": "ttanyw"
        },
        {
          "Key": "Environment",
          "Value": "test"
        },
        {
          "Key": "Project",
          "Value": "ttanyw"
        }
      ]

As there is no Name tag, cloud-nuke cannot filter on Name and therefore does not exclude these items.

HOWEVER - The Terraform resource aws_efs_file_system does not insist on a Name tag and will therefore create an object that cannot be filtered out.

Our workaround is to ensure our Terraform module for creating EFS objects always includes a Name tag.

If my diagnosis is correct then my recommendation for cloud-nuke would be that (for AWS objects that rely on a tag with a Name key for the object name) an include names_regex filter excludes any objects that DO NOT have the desired Name key in their tags.
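
The filtering behaviour recommended in the last comment, sketched in Go as an added example; this is not cloud-nuke's own code and not from any participant in the thread. The `Tag` type, `nameFromTags` and `shouldInclude` are hypothetical names, and the tag sets are constructed to mirror the three cases described above (matching name, empty Name tag, no Name tag).

```go
package main

import (
	"fmt"
	"regexp"
)

// Tag mirrors the Key/Value pairs in the EFS descriptions quoted in the thread.
type Tag struct{ Key, Value string }

// nameFromTags returns the Name tag's value and whether the tag exists at all,
// so a missing tag is distinguishable from an empty name.
func nameFromTags(tags []Tag) (string, bool) {
	for _, t := range tags {
		if t.Key == "Name" {
			return t.Value, true
		}
	}
	return "", false
}

// shouldInclude (hypothetical helper) applies include names_regex patterns.
// Once any include pattern is configured, a resource with no Name tag is
// never selected: the filter fails closed rather than nuking unnamed objects.
func shouldInclude(tags []Tag, include []*regexp.Regexp) bool {
	if len(include) == 0 {
		return true // no include filter: every resource is in scope
	}
	name, ok := nameFromTags(tags)
	if !ok {
		return false
	}
	for _, re := range include {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

func main() {
	include := []*regexp.Regexp{regexp.MustCompile("test_cm")}
	// Constructed tag sets modelled on the three cases in the thread.
	named := []Tag{{"Name", "test_cm_data"}}
	emptyName := []Tag{{"Name", ""}, {"aws:elasticfilesystem:default-backup", "enabled"}}
	noName := []Tag{{"Customer", "cm"}, {"Environment", "test"}}
	fmt.Println(shouldInclude(named, include), shouldInclude(emptyName, include), shouldInclude(noName, include))
}
```

Only the first file system is selected; both the empty-named and the untagged one stay out of scope whenever an include pattern is present.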