Merge pull request #505 from ekristen/fix-cloud-control
fix: cloud control resources
ekristen authored Jan 10, 2025
2 parents 553175e + 6902c1f commit 5f9ab5f
Showing 357 changed files with 258 additions and 4,350 deletions.
84 changes: 83 additions & 1 deletion docs/config-cloud-control.md
@@ -1,3 +1,85 @@
# Config - Cloud Control

Coming Soon
aws-nuke supports removing resources via the AWS Cloud Control API.

There are number of Cloud Control resources that are automatically registered as resources that can be removed by
aws-nuke. Additionally, there are a number of resources implemented in aws-nuke that have a Cloud Control equivalent,
this is called an **alternative resource**.

For the subset of Cloud Control supported resources that are registered with aws-nuke they work like any other resource,
but they are registered with their Cloud Control API name (i.e. `AWS::Bedrock::Agent`).

However, there are resources that have already been implemented in aws-nuke that have a Cloud Control equivalent. For
these resources an **alternative resource** has been defined. They are **MUTUALLY EXCLUSIVE**, if you include the Cloud
Control resource in your config file, the native resource will be disabled.

Furthermore, there are some Cloud Control resources that need special handling which are not yet supported by aws-nuke.

Finally, even though the subset of automatically supported Cloud Control resources is limited, you can configure
aws-nuke to make it try any additional resource. Either via command line flags of via the config file.

## Why Use Cloud Control Resources

The Cloud Control API is a standardized API that potentially allows you to nuke any resource regardless if it is defined
within aws-nuke or not. This is especially useful for new resources that are not yet supported by aws-nuke.

## Impact on Filters

Because of how Cloud Control API resources work vs native implemented resources in aws-nuke, not all properties are
available for filtering. For example, the `AWS::EC2::VPC` resource has a `VpcId` only, whereas the `EC2VPC` resource has
`VpcID`, `Tags`, `OwnerID` and more.

## Configuration

For the config file you have to add the resource to the `resource-types.alternatives` list:

!!! note
If you are migrating from aws-nuke@v2 `cloud-control` is deprecated but still supported for backwards compatibility
in the configuration file. The new key is `resource-types.alternatives`.

```yaml
resource-types:
alternatives:
- `AWS::EC2::TransitGateway
- `AWS::EC2::VPC
```
If you want to use the command line, you have to add a `--cloud-control` flag for each resource you want to add:

!!! important
This will not limit the resources to only these two resources, but will add them to the list of resources that are
automatically removed via Cloud Control.

```console
aws-nuke run \
-c nuke-config.yaml \
--cloud-control `AWS::EC2::TransitGateway \
--cloud-control `AWS::EC2::VPC
```

## Supported Resources

These are the resources that are automatically supported by aws-nuke directly as Cloud Control resources that are
automatically scanned.

- `AWS::AppFlow::ConnectorProfile`
- `AWS::AppFlow::Flow`
- `AWS::AppRunner::Service`
- `AWS::ApplicationInsights::Application`
- `AWS::Backup::Framework`
- `AWS::ECR::PullThroughCacheRule`
- `AWS::ECR::RegistryPolicy`
- `AWS::ECR::ReplicationConfiguration`
- `AWS::MWAA::Environment`
- `AWS::Synthetics::Canary`
- `AWS::Timestream::Database`
- `AWS::Timestream::ScheduledQuery`
- `AWS::Timestream::Table`
- `AWS::Transfer::Workflow`
- `AWS::NetworkFirewall::Firewall`
- `AWS::NetworkFirewall::FirewallPolicy`
- `AWS::NetworkFirewall::RuleGroup`

## References

- [Supported Resources](https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html)
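
Review bot: Every resource name in the two Configuration examples carries a stray leading backtick ("- `AWS::EC2::TransitGateway", "--cloud-control `AWS::EC2::VPC"). A backtick cannot start a plain YAML scalar, so a config copied from the yaml block will not parse. In the console block the two backticks on consecutive lines pair up as a shell command substitution, so a pasted command tries to execute the text between them instead of passing the resource names to aws-nuke. Drop the backticks in all four places. In the prose, "Either via command line flags of via the config file" should read "or via", and "There are number of" is missing "a". The Impact on Filters section would also benefit from saying what happens to filters already written against `EC2VPC` once `AWS::EC2::VPC` is listed under alternatives and the native resource is disabled, since filters are what decide which resources are kept.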
8 changes: 5 additions & 3 deletions docs/resources/access-analyzer.md
Expand Up @@ -13,9 +13,11 @@ AccessAnalyzer

### Alternative Resource

!!! note - Cloud Control API - Alternative Resource
This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
[Cloud Control Resources](../config-cloud-control.md) for more information.
!!! warning - Cloud Control API - Alternative Resource
This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
use this alternative resource, please note that any properties listed on this page may not be valid. You will need
run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.

```text
AWS::AccessAnalyzer::Analyzer
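
Review bot: In the new warning text, "You will need run the tool" is missing "to", and "run the tool" is too vague for a tool whose job is removing resources; name the invocation that shows which properties the alternative resource exposes. The same paragraph is repeated verbatim in the other resource pages changed in this commit (acmpca-certificate-authority.md, api-gateway-api-key.md, api-gateway-client-certificate.md, api-gateway-usage-plan.md), so the fix needs to reach each copy.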
8 changes: 5 additions & 3 deletions docs/resources/acmpca-certificate-authority.md
Expand Up @@ -13,9 +13,11 @@ ACMPCACertificateAuthority

### Alternative Resource

!!! note - Cloud Control API - Alternative Resource
This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
[Cloud Control Resources](../config-cloud-control.md) for more information.
!!! warning - Cloud Control API - Alternative Resource
This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
use this alternative resource, please note that any properties listed on this page may not be valid. You will need
run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.

```text
AWS::ACMPCA::CertificateAuthority
12 changes: 0 additions & 12 deletions docs/resources/amg-workspace.md
Expand Up @@ -13,15 +13,3 @@ AMGWorkspace



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

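
Review bot: Deleting the "Using Properties" note and the "String Property" section (all 12 removed lines) takes away this page's statement that filters are written against property names and that omitting `property` filters on the string representation. The same deletion repeats across the resource pages in this commit, and none of the visible hunks adds that text anywhere else. Confirm it is covered in config-filtering.md, the page the removed note linked to, or keep a one-line link to it on each resource page so readers writing keep-filters still find it.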
12 changes: 0 additions & 12 deletions docs/resources/amp-workspace.md
Expand Up @@ -13,15 +13,3 @@ AMPWorkspace



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

8 changes: 5 additions & 3 deletions docs/resources/api-gateway-api-key.md
Expand Up @@ -13,9 +13,11 @@ APIGatewayAPIKey

### Alternative Resource

!!! note - Cloud Control API - Alternative Resource
This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
[Cloud Control Resources](../config-cloud-control.md) for more information.
!!! warning - Cloud Control API - Alternative Resource
This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
use this alternative resource, please note that any properties listed on this page may not be valid. You will need
run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.

```text
AWS::ApiGateway::ApiKey
20 changes: 5 additions & 15 deletions docs/resources/api-gateway-client-certificate.md
Expand Up @@ -13,24 +13,14 @@ APIGatewayClientCertificate

### Alternative Resource

!!! note - Cloud Control API - Alternative Resource
This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
[Cloud Control Resources](../config-cloud-control.md) for more information.
!!! warning - Cloud Control API - Alternative Resource
This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
use this alternative resource, please note that any properties listed on this page may not be valid. You will need
run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.

```text
AWS::ApiGateway::ClientCertificate
```


!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

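
Review bot: The new warning says "any properties listed on this page may not be valid", but the same hunk deletes the "Using Properties" and "String Property" sections, and nothing in the lines shown lists a property. If this page has no properties section after the change, the sentence has nothing to refer to here. Either keep that wording only on pages that list properties, or reword it to refer to the native resource's properties in general.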
12 changes: 0 additions & 12 deletions docs/resources/api-gateway-domain-name.md
Expand Up @@ -13,15 +13,3 @@ APIGatewayDomainName



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/api-gateway-rest-api.md
Expand Up @@ -13,15 +13,3 @@ APIGatewayRestAPI



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

8 changes: 5 additions & 3 deletions docs/resources/api-gateway-usage-plan.md
Expand Up @@ -13,9 +13,11 @@ APIGatewayUsagePlan

### Alternative Resource

!!! note - Cloud Control API - Alternative Resource
This resource can also be controlled and used via Cloud Control API. Please refer to the documentation for
[Cloud Control Resources](../config-cloud-control.md) for more information.
!!! warning - Cloud Control API - Alternative Resource
This resource conflicts with an alternative resource that can be controlled and used via Cloud Control API. If you
use this alternative resource, please note that any properties listed on this page may not be valid. You will need
run the tool to determine what properties are available for the alternative resource via the Cloud Control API.
Please refer to the documentation for [Cloud Control Resources](../config-cloud-control.md) for more information.

```text
AWS::ApiGateway::UsagePlan
12 changes: 0 additions & 12 deletions docs/resources/api-gateway-v2-api.md
Expand Up @@ -13,15 +13,3 @@ APIGatewayV2API



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/api-gateway-v2-vpc-link.md
Expand Up @@ -13,15 +13,3 @@ APIGatewayV2VpcLink



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/api-gateway-vpc-link.md
Expand Up @@ -13,15 +13,3 @@ APIGatewayVpcLink



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/app-config-application.md
Expand Up @@ -13,18 +13,6 @@ AppConfigApplication



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

### DependsOn

!!! important - Experimental Feature
12 changes: 0 additions & 12 deletions docs/resources/app-config-configuration-profile.md
Expand Up @@ -13,18 +13,6 @@ AppConfigConfigurationProfile



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

### DependsOn

!!! important - Experimental Feature
12 changes: 0 additions & 12 deletions docs/resources/app-config-deployment-strategy.md
Expand Up @@ -13,15 +13,3 @@ AppConfigDeploymentStrategy



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/app-config-environment.md
Expand Up @@ -13,15 +13,3 @@ AppConfigEnvironment



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/app-config-hosted-configuration-version.md
Expand Up @@ -13,15 +13,3 @@ AppConfigHostedConfigurationVersion



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.

12 changes: 0 additions & 12 deletions docs/resources/app-mesh-gateway-route.md
Expand Up @@ -13,15 +13,3 @@ AppMeshGatewayRoute



!!! note - Using Properties
Properties are what [Filters](../config-filtering.md) are written against in your configuration. You use the property
names to write filters for what you want to **keep** and omit from the nuke process.

### String Property

The string representation of a resource is generally the value of the Name, ID or ARN field of the resource. Not all
resources support properties. To write a filter against the string representation, simply omit the `property` field in
the filter.

The string value is always what is used in the output of the log format when a resource is identified.
