jckuester / awsweeper

A tool for cleaning your AWS account
Mozilla Public License 2.0

IAM role filter id ignored? #40

Closed lvh closed 4 years ago

lvh commented 5 years ago

Hi! I'm using awsweeper v0.3.2 (binary release off GitHub) with the following config file:

aws_ami:
aws_autoscaling_group:
aws_cloudformation_stack:
aws_ebs_snapshot:
aws_ebs_volume:
aws_efs_file_system:
aws_eip:
aws_elb:
aws_iam_group:
aws_iam_instance_profile:
aws_iam_policy:
aws_iam_role:
    - id: OrganizationAccountAccessRole
aws_iam_user:
aws_instance:
aws_internet_gateway:
aws_key_pair:
#aws_kms_alias:
#aws_kms_key:
aws_launch_configuration:
aws_nat_gateway:
aws_network_acl:
aws_network_interface:
aws_route53_zone:
aws_route_table:
aws_s3_bucket:
aws_security_group:
aws_subnet:
aws_vpc:
aws_vpc_endpoint:

The role with id OrganizationAccountAccessRole is deleted anyway. --dry-run shows OrganizationAccountAccessRole as the id of the resource, so it's not like the problem is it's secretly using an ARN as the id or anything.

lvh commented 5 years ago

FWIW making id be .*OrganizationAccountAccessRole.* did not help.

jckuester commented 4 years ago

The role with id OrganizationAccountAccessRole is deleted anyway.

Just to make sure that I understand what you want to achieve: you DON'T want to delete (i.e. keep) the IAM role OrganizationAccountAccessRole but delete all other IAM roles?

The semantics of

aws_iam_role:
    - id: OrganizationAccountAccessRole

however, is to delete the resource aws_iam_role with id OrganizationAccountAccessRole. The filter selects the resources that should be deleted, not the resources that should be kept.

In your case, you might want to negate the regular expression to delete all roles except the one starting with the string OrganizationAccountAccessRole.

Possible solution (not tested)

aws_iam_role:
    - id: ^(?!OrganizationAccountAccessRole.*$).*
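
To make the select-to-delete semantics concrete, here is an added Python example (not awsweeper's own code) that parses a config of the same shape as the one above and reports, dry-run style, which ids each filter would delete and which it would keep. The config parser, the sample inventory and the use of re.search for matching are assumptions about the format, not the tool's implementation.

```python
import re

# Constructed config in the shape used in this issue (not awsweeper's parser input):
# a resource type with no entries selects every resource of that type, an "id"
# entry is a regex selecting the resources TO DELETE, and a commented-out type
# is left alone entirely.
CONFIG = """\
aws_iam_role:
    - id: ^(?!OrganizationAccountAccessRole.*$).*
aws_iam_user:
#aws_kms_key:
"""

# Constructed sample inventory, as a dry run would list it (ids are made up).
INVENTORY = {
    "aws_iam_role": ["OrganizationAccountAccessRole", "ci-deploy", "lambda-exec"],
    "aws_iam_user": ["alice", "bob"],
    "aws_kms_key": ["placeholder-key-id"],
}


def parse_config(text):
    """Minimal parser for the shape above: {resource_type: [id_regex, ...]}.
    An empty list means 'every resource of this type'."""
    filters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out type: never selected
        if line.endswith(":") and not line.startswith("-"):
            current = line[:-1]
            filters[current] = []
        elif line.startswith("- id:") and current is not None:
            filters[current].append(line[len("- id:"):].strip())
    return filters


def plan_deletions(filters, inventory):
    """Return {type: (to_delete, to_keep)}. Types absent from the config are kept.
    Assumption: an id is selected when any of the type's regexes matches it."""
    plan = {}
    for rtype, ids in inventory.items():
        if rtype not in filters:
            plan[rtype] = ([], list(ids))
            continue
        patterns = [re.compile(p) for p in filters[rtype]]
        delete = [i for i in ids if not patterns or any(p.search(i) for p in patterns)]
        keep = [i for i in ids if i not in delete]
        plan[rtype] = (delete, keep)
    return plan
```

Running the original `- id: OrganizationAccountAccessRole` filter through plan_deletions puts exactly that role in the delete list, which is the behaviour the reporter observed.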

lvh commented 4 years ago

Duh, I definitely feel silly now :-) Yep, that worked.