rebuy-de / aws-nuke

Nuke a whole AWS account and delete all its resources.
https://github.com/ekristen/aws-nuke
MIT License

Issues with Resource Deletion in AWS-Nuke: Ignoring Tag Filters for Protected Users #1259

Closed franciscojose-sanchezsanchez closed 2 months ago

franciscojose-sanchezsanchez commented 2 months ago

aws-nuke deletes the IAMUserGroupAttachment, IAMLoginProfile, and IAMUserPolicyAttachment resources of a user despite the user being specified in the filters (by tags) for protection. It seems that aws-nuke ignores the tag filters.

I have provided the filter configuration in two different ways to make the information clearer.

The user has a tag "exception-nuke" with the value "value-for-exception" when we want to prevent deletion.

  tags-exclusion:
    filters:
      IAMLoginProfile:
      - property: tag:user:exception-nuke
        value: "value-for-exception"
      - property: tag:exception-nuke
        value: "value-for-exception"

      IAMUserGroupAttachment:
      - property: tag:user:exception-nuke
        value: "value-for-exception"
      - property: tag:exception-nuke
        value: "value-for-exception"

ekristen commented 2 months ago

@franciscojose-sanchezsanchez it looks like the IAMLoginProfile does not support tags at the moment; you have to exclude by the username.

The IAMUserGroupAttachment only supports filtering by UserName or GroupName.

Typically filtering looks something like this for both.

filters:
  IAMUserGroupAttachment:
    - UserName -> GroupName
filters:
  IAMLoginProfile:
    - UserName
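A complete preset that applies the maintainer's guidance, added here as an example; it is not taken from the issue or from the project's documentation. The user name `protected-user`, the group `protected-group`, the policy `ProtectedPolicy` and both account ids are constructed placeholders; the `presets` wrapper follows the shape of the reporter's `tags-exclusion` block, and filtering `IAMUser` by its own tag is assumed to be supported.

```yaml
regions:
  - global

account-blocklist:
  - "999999999999"            # placeholder: an account that must never be nuked

presets:
  tags-exclusion:
    filters:
      # The IAMUser resource carries the user's own tags, so the tag filter
      # from the issue is applied here (assumed supported).
      IAMUser:
        - property: tag:exception-nuke
          value: "value-for-exception"

      # IAMLoginProfile has no tags: exclude it by the user name (string form).
      IAMLoginProfile:
        - "protected-user"

      # IAMUserGroupAttachment filters on UserName or GroupName only.
      # The property form protects every group attachment of the user.
      IAMUserGroupAttachment:
        - property: UserName
          value: "protected-user"
        # The string form "UserName -> GroupName" protects one attachment.
        - "protected-user -> protected-group"

      # IAMUserPolicyAttachment uses the same "UserName -> PolicyName" string
      # form (from the project README); the policy name is a placeholder.
      IAMUserPolicyAttachment:
        - "protected-user -> ProtectedPolicy"

accounts:
  "000000000000":             # placeholder: the account being cleaned
    presets:
      - tags-exclusion
```

Run `aws-nuke` without `--no-dry-run` first and confirm that the four resources for `protected-user` are reported as filtered before allowing any deletion.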