Closed atqhg23 closed 2 years ago
That's an interesting problem.

my-cluster and the second my-cluster-1, there is no way to target my-cluster and not my-cluster-1 without also specifying if you're performing an exact compare or a wildcard compare (which just adds complexity).

tag and a tag value. Then any resource with that combination becomes automatically allowlisted. I do like this as it keeps the allowlist clean; however, this requires significant rework to every cleanup script to include tag extraction and checking.

Thanks for the response. One thing I'm thinking about that may possibly be simpler is trying to apply the tag filter directly in the cleanup scripts, where it'll exclude resources that have the tag specified. This way the comparison / check won't have to be done with the allowlist, since it's being "hard coded" in the cleanup scripts themselves, if I'm thinking about this correctly.
Would create some redundancy with the tag values needing to be specified in each cleanup script, but the rest of the cleanup functionality would remain the same.
Will give this a go and post any updates here.
@atqhg23 was playing around with wildcard support this morning. I believe it's working now as intended. If you'd like to test it, you can grab it here https://github.com/servian/aws-auto-cleanup/tree/wildcard-match
It's using Python's fnmatch function, which allows simple wildcarding per the table below:

| Pattern | Meaning |
|---|---|
| `*` | matches everything |
| `?` | matches any single character |
| `[seq]` | matches any character in seq |
| `[!seq]` | matches any character not in seq |
It would be great if you could test this out in your environment and let me know what you think.
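The following is an added example written for this thread, not code from aws-auto-cleanup or from either participant. It shows why fnmatch-style matching removes the need for a separate exact/wildcard switch (an entry with no metacharacters only matches itself, so `my-cluster` protects my-cluster but not my-cluster-1), and combines that name allowlist with the tag-based skip discussed above. The allowlist entries, the `auto-cleanup=keep` tag, the sample inventory and the `should_skip` / `plan_deletions` helpers are all assumptions for illustration, not the project's data format or API.

```python
import fnmatch
from typing import Iterable, Mapping

# Constructed sample allowlist (hypothetical; not the project's allowlist format).
ALLOWLIST = [
    "my-cluster",           # no metacharacters: behaves as an exact compare
    "prod-*",               # prefix wildcard
    "/aws/lambda/keep-?",   # exactly one trailing character
    "team-[abc]-logs",      # character class
]

# Constructed tag-based protection (hypothetical key/value): a resource carrying
# this tag is skipped regardless of the name allowlist.
PROTECT_TAG_KEY = "auto-cleanup"
PROTECT_TAG_VALUE = "keep"


def name_allowlisted(name: str, allowlist: Iterable[str]) -> bool:
    """Match a resource name against allowlist patterns.

    fnmatchcase is used instead of fnmatch: fnmatch runs both sides through
    os.path.normcase, which lowercases on Windows, so the same allowlist would
    match differently depending on where the cleanup runs. AWS resource names
    are case-sensitive, so the comparison must not depend on the host OS.
    """
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in allowlist)


def tag_protected(tags: Mapping[str, str]) -> bool:
    """True if the resource carries the protection tag with the expected value."""
    return tags.get(PROTECT_TAG_KEY) == PROTECT_TAG_VALUE


def should_skip(name: str, tags: Mapping[str, str], allowlist=ALLOWLIST) -> bool:
    """The cleanup skips a resource if either protection mechanism applies."""
    return tag_protected(tags) or name_allowlisted(name, allowlist)


def plan_deletions(resources):
    """resources: iterable of (name, tags) pairs. Returns the names that would be deleted."""
    return [name for name, tags in resources if not should_skip(name, tags)]


if __name__ == "__main__":
    # Constructed sample inventory, not real AWS data.
    sample = [
        ("my-cluster", {}),
        ("my-cluster-1", {}),
        ("prod-db", {}),
        ("PROD-db", {}),
        ("/aws/lambda/keep-1", {}),
        ("/aws/lambda/keep-12", {}),
        ("team-b-logs", {}),
        ("team-d-logs", {}),
        ("scratch-bucket", {"auto-cleanup": "keep"}),
        ("scratch-bucket-2", {"auto-cleanup": "delete"}),
    ]
    for name in plan_deletions(sample):
        print("would delete:", name)
```

One caveat when the allowlist is maintained by hand: fnmatch has no escape syntax, so a resource whose real name contains `[` or `*` cannot be listed literally; the name `logs[1]` would need the entry `logs[[]1]`. If such names exist in your accounts, validate entries as they are added rather than discovering the mismatch when a resource is deleted.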
Thanks for adding this. I tested this successfully with some CloudWatch log groups.
There are a large number of resources that we need to protect from the cleanup, and while the cleanup has the temp/permanent allowlist to protect resources, it can be cumbersome to add each resource manually through the website.
Here are some of the ideas we had to resolve this issue:
One of the approaches that we’re currently using at the moment to handle this is using SCPs and permission boundaries to prevent the cleanup role from deleting certain resources. There are a few issues with this approach though:
What are your thoughts on this? Just wanted to bounce off a few ideas to determine a good approach.