rebuy-de / aws-nuke

Nuke a whole AWS account and delete all its resources.
MIT License

[DirectoryService] AWS Managed Microsoft AD fails to nuke if AD is shared with other accounts #1196

Open alpaca012 opened 4 months ago

alpaca012 commented 4 months ago

As per title, DirectoryServiceDirectory (AWS Managed Microsoft AD) fails to delete without any explanation why.

Upon investigation, it was because it is shared with other AWS accounts. Using the unshare-directory command on the AWS CLI, aws ds unshare-directory --directory-id d-xxxxxxxx --unshare-target Id=<account_id>,Type=ACCOUNT, the account(s) are successfully unlinked.

After that, running aws-nuke deletes the AD successfully.

ekristen commented 4 months ago

Do you know if there's any way to programmatically know what accounts the directory is shared with, or is this information you have to know some other way?

alpaca012 commented 3 months ago

> Do you know if there's any way to programmatically know what accounts the directory is shared with, or is this information you have to know some other way?

We can use ds describe-shared-directories. Here is the link to the CLI reference.

$ aws ds describe-shared-directories --owner-directory-id d-xxxxxxxxxx
{
    "SharedDirectories": [
        {
            "OwnerAccountId": "REDACTED",
            "OwnerDirectoryId": "d-xxxxxxxxxx",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "REDACTED",
            "SharedDirectoryId": "d-yyyyyyyyyy",
            "ShareStatus": "REDACTED",
            "ShareNotes": "REDACTED",
            "CreatedDateTime": "REDACTED",
            "LastUpdatedDateTime": "REDACTED"
        }
    ]
}

We can get the shared account IDs from the SharedAccountId key.
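The whole workaround from this thread as one script: list the accounts the owner directory is shared with via describe-shared-directories, run the unshare-directory command from the first comment for each SharedAccountId, and only then let aws-nuke (or delete-directory) remove the directory. This is an added example, not aws-nuke code and not something either commenter posted. The directory ID d-xxxxxxxxxx, the DIRECTORY_ID and DRY_RUN environment variables, and the sample JSON with fake 12-digit account IDs are assumptions made for the example; it parses the JSON with grep/sed so it runs without jq.

```shell
#!/bin/sh
# Added example, not aws-nuke code: find every account an AWS Managed Microsoft AD
# is shared with and unshare each one, so the directory can then be deleted.
# Assumptions: directory ID d-xxxxxxxxxx, env vars DIRECTORY_ID and DRY_RUN,
# and the constructed SAMPLE_JSON below (fake 12-digit account IDs).

# Print one SharedAccountId per line from describe-shared-directories JSON on stdin.
# grep/sed instead of jq so the script has no extra dependency.
shared_account_ids() {
  grep -o '"SharedAccountId": *"[^"]*"' | sed 's/.*: *"\([^"]*\)"/\1/'
}

# The exact CLI command from the thread, for one owner directory / target account.
unshare_cmd() {
  printf 'aws ds unshare-directory --directory-id %s --unshare-target Id=%s,Type=ACCOUNT\n' "$1" "$2"
}

# Unshare the owner directory $1 from every account listed in the JSON $2.
# DRY_RUN=1 (default) only prints the commands to stderr; the count goes to stdout.
unshare_all() {
  dir_id="$1"
  json="$2"
  n=0
  for acct in $(printf '%s\n' "$json" | shared_account_ids); do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'DRY RUN: %s\n' "$(unshare_cmd "$dir_id" "$acct")" >&2
    else
      aws ds unshare-directory --directory-id "$dir_id" \
        --unshare-target "Id=$acct,Type=ACCOUNT"
    fi
    n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample: same shape as the output posted above, two fake accounts.
SAMPLE_JSON='{
    "SharedDirectories": [
        {
            "OwnerAccountId": "999999999999",
            "OwnerDirectoryId": "d-xxxxxxxxxx",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "111111111111",
            "SharedDirectoryId": "d-yyyyyyyyyy",
            "ShareStatus": "Shared"
        },
        {
            "OwnerAccountId": "999999999999",
            "OwnerDirectoryId": "d-xxxxxxxxxx",
            "ShareMethod": "ORGANIZATIONS",
            "SharedAccountId": "222222222222",
            "SharedDirectoryId": "d-zzzzzzzzzz",
            "ShareStatus": "Shared"
        }
    ]
}'

if [ -n "${DIRECTORY_ID:-}" ]; then
  # Real run from the owner account: the CLI auto-paginates, so one call lists every share.
  json=$(aws ds describe-shared-directories --owner-directory-id "$DIRECTORY_ID")
  unshare_all "$DIRECTORY_ID" "$json"
else
  # Offline demonstration against the constructed sample (prints 2).
  unshare_all d-xxxxxxxxxx "$SAMPLE_JSON"
fi
```

Run it as DIRECTORY_ID=d-xxxxxxxxxx DRY_RUN=0 from the directory owner account with a principal allowed ds:DescribeSharedDirectories and ds:UnshareDirectory. Unsharing is asynchronous (ShareStatus moves through Deleting before the entry disappears), so re-run describe-shared-directories and confirm nothing is listed before running aws-nuke or delete-directory. The same two API calls, DescribeSharedDirectories followed by UnshareDirectory, are what an aws-nuke resource handler would need to issue ahead of DeleteDirectory to handle this case on its own.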