Open nimrodkor opened 3 years ago
I think the easiest way to implement this is to add Service: cloudformation.amazonaws.com to the assume role policy of the role provided for running aws-nuke. Then the only support that needs to be added is passing the --role-name <nuke role> parameter when deleting stacks. Then you are independent of the order of deletion.
Any solution here? We have the same problem with resources created by CDK or Terraform. If nuke destroys the deployer role before all resources are deleted, we run into deadlock situations where only AWS Support can delete some keys etc.
Regards, Christian
Current solution for me is to create 2 config files and run nuke twice: the first time only deleting CFN stacks, the second time everything...
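The two-pass workaround above, together with the trust-policy change proposed in the first comment, as an added example script that is not part of this thread and not aws-nuke's own code. Account ID, region, role name, operator user and the 999999999999 blocklist entry are hypothetical placeholders; the config keys used (regions, account-blocklist, accounts, resource-types/targets) and the CloudFormationStack resource type follow the aws-nuke config format as I know it, and older releases spell the blocklist key account-blacklist. Nothing is deleted unless the script is invoked with --run; without it the functions only write the files so they can be inspected first.

```shell
#!/usr/bin/env bash
# Added example, not aws-nuke project code. All identifiers below are assumptions
# (hypothetical account, region, role and user names) chosen for illustration.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"      # hypothetical target account
REGION="${REGION:-eu-west-1}"                  # hypothetical region
NUKE_ROLE="${NUKE_ROLE:-aws-nuke-runner}"      # hypothetical role aws-nuke runs as
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Trust policy from the first comment: the operator keeps assuming the nuke role,
# and cloudformation.amazonaws.com is added so DeleteStack can run under the nuke
# role even after a stack's own deployer role has already been removed.
write_trust_policy() {
  cat > "$WORKDIR/trust-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:user/nuke-operator" },
      "Action": "sts:AssumeRole" },
    { "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole" }
  ]
}
EOF
  echo "$WORKDIR/trust-policy.json"
}

# Manual equivalent of what the first comment asks aws-nuke to do for every stack:
# let CloudFormation assume the nuke role for the delete instead of the deployer role.
delete_stack_as_nuke_role() {
  aws cloudformation delete-stack --stack-name "$1" \
    --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${NUKE_ROLE}"
}

# Pass 1: restrict aws-nuke to CloudFormationStack only, so CloudFormation tears down
# each stack (custom-resource Lambdas and their roles included) while the roles and
# functions it needs for that still exist.
write_stack_only_config() {
  cat > "$WORKDIR/nuke-stacks.yaml" <<EOF
regions:
  - ${REGION}
  - global
account-blocklist:
  - "999999999999"
accounts:
  "${ACCOUNT_ID}": {}
resource-types:
  targets:
    - CloudFormationStack
EOF
  echo "$WORKDIR/nuke-stacks.yaml"
}

# Pass 2: no resource-types restriction, so everything that is left gets removed.
write_full_config() {
  cat > "$WORKDIR/nuke-all.yaml" <<EOF
regions:
  - ${REGION}
  - global
account-blocklist:
  - "999999999999"
accounts:
  "${ACCOUNT_ID}": {}
EOF
  echo "$WORKDIR/nuke-all.yaml"
}

# Number of explicit targets in a config (0 means "all resource types").
config_target_count() {
  grep -c '^    - ' "$1" || true
}

run_two_pass() {
  local stacks all
  stacks="$(write_stack_only_config)"
  all="$(write_full_config)"
  aws-nuke -c "$stacks" --no-dry-run --force
  aws-nuke -c "$all" --no-dry-run --force
}

if [ "${1:-}" = "--run" ]; then
  run_two_pass
fi
```

Both passes use --force to skip the interactive confirmation, which is what you want in CI but not when trying this by hand; drop it (and --no-dry-run) for a first dry run. The second pass still races the remaining deployer roles against everything else, so this only helps when the first pass has actually finished deleting the stacks.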
Anyone able to reliably reproduce this? I've run into it a few times and I've tried fixing it, but it's hard to reproduce. One idea I have is to allow for DAG graph processing for ordering, and a second is to ignore roles owned by CF, since CF should be deleting them.
We are using CloudFormation templates with custom resources, which are backed by Lambdas. To delete these CF templates, one needs to keep the Lambdas and roles in place.
The issue is that this is not the order in which aws-nuke is deleting stuff.
Would you be open to contributions in this area?