From f6d99521d5dd8f6469fcf26226b9b5eb13c8669c Mon Sep 17 00:00:00 2001
From: Curtis
Date: Sat, 4 Dec 2021 02:09:34 -0600
Subject: [PATCH] fix: remove predicates before rule delete (#704)

Co-authored-by: curtis
---
 resources/waf-rules.go         | 47 +++++++++++++++++++++++++++++++---
 resources/wafregional-rules.go | 28 ++++++++++++++++++++
 2 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/resources/waf-rules.go b/resources/waf-rules.go
index 873da7dd..828a4b5d 100644
--- a/resources/waf-rules.go
+++ b/resources/waf-rules.go
@@ -4,11 +4,13 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/rebuy-de/aws-nuke/pkg/types"
 )
 
 type WAFRule struct {
-	svc *waf.WAF
-	ID  *string
+	svc  *waf.WAF
+	ID   *string
+	rule *waf.Rule
 }
 
 func init() {
@@ -30,9 +32,13 @@ func ListWAFRules(sess *session.Session) ([]Resource, error) {
 	}
 
 	for _, rule := range resp.Rules {
+		ruleResp, _ := svc.GetRule(&waf.GetRuleInput{
+			RuleId: rule.RuleId,
+		})
 		resources = append(resources, &WAFRule{
-			svc: svc,
-			ID:  rule.RuleId,
+			svc:  svc,
+			ID:   rule.RuleId,
+			rule: ruleResp.Rule,
 		})
 	}
 
@@ -53,6 +59,29 @@ func (f *WAFRule) Remove() error {
 		return err
 	}
 
+	ruleUpdates := []*waf.RuleUpdate{}
+	for _, predicate := range f.rule.Predicates {
+		ruleUpdates = append(ruleUpdates, &waf.RuleUpdate{
+			Action:    aws.String(waf.ChangeActionDelete),
+			Predicate: predicate,
+		})
+	}
+
+	_, err = f.svc.UpdateRule(&waf.UpdateRuleInput{
+		ChangeToken: tokenOutput.ChangeToken,
+		RuleId:      f.ID,
+		Updates:     ruleUpdates,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	tokenOutput, err = f.svc.GetChangeToken(&waf.GetChangeTokenInput{})
+	if err != nil {
+		return err
+	}
+
 	_, err = f.svc.DeleteRule(&waf.DeleteRuleInput{
 		RuleId:      f.ID,
 		ChangeToken: tokenOutput.ChangeToken,
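Review bot: The error returned by `svc.GetRule` inside the `for _, rule := range resp.Rules` loop of ListWAFRules is discarded, so a failed lookup (a throttled call, for instance) leaves `ruleResp` either nil or with a nil `Rule`, depending on how the SDK reports the failure; either the `ruleResp.Rule` read here or the later `f.rule.Predicates` in Remove and `f.rule.Name` in Properties then dereferences a nil pointer and the nuke run panics on one bad rule. Propagating the error keeps the listing honest: `ruleResp, err := svc.GetRule(&waf.GetRuleInput{RuleId: rule.RuleId})` followed by `if err != nil { return nil, err }`. The same discarded error appears in the ListWAFRegionalRules hunk of resources/wafregional-rules.go. ListWAFRules begins outside the hunk.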
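Review bot: In WAFRule.Remove the `UpdateRule` call is made even when `f.rule.Predicates` is empty, so a rule with no predicates now costs an extra change-token round trip and sends an empty `Updates` list, which the WAF API may reject and which turns a previously working delete into a failure. Wrapping the update and the second `GetChangeToken` in `if len(ruleUpdates) > 0 { … }` keeps the old behaviour for predicate-free rules, and `if f.rule != nil` around the predicate loop would cover the case where the listing code stored a nil rule. The start of Remove, including the first `GetChangeToken` call that populates `tokenOutput`, lies outside the hunk; the identical block in WAFRegionalRule.Remove in resources/wafregional-rules.go has the same issue.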
@@ -64,3 +93,13 @@ func (f *WAFRule) Remove() error {
 func (f *WAFRule) String() string {
 	return *f.ID
 }
+
+func (f *WAFRule) Properties() types.Properties {
+	properties := types.NewProperties()
+
+	properties.
+		Set("ID", f.ID).
+		Set("Name", f.rule.Name)
+
+	return properties
+}
diff --git a/resources/wafregional-rules.go b/resources/wafregional-rules.go
index bc8df3e3..cca80bf7 100644
--- a/resources/wafregional-rules.go
+++ b/resources/wafregional-rules.go
@@ -12,6 +12,7 @@ type WAFRegionalRule struct {
 	svc  *wafregional.WAFRegional
 	ID   *string
 	name *string
+	rule *waf.Rule
 }
 
 func init() {
@@ -33,10 +34,14 @@ func ListWAFRegionalRules(sess *session.Session) ([]Resource, error) {
 	}
 
 	for _, rule := range resp.Rules {
+		ruleResp, _ := svc.GetRule(&waf.GetRuleInput{
+			RuleId: rule.RuleId,
+		})
 		resources = append(resources, &WAFRegionalRule{
 			svc:  svc,
 			ID:   rule.RuleId,
 			name: rule.Name,
+			rule: ruleResp.Rule,
 		})
 	}
 
@@ -57,6 +62,29 @@ func (f *WAFRegionalRule) Remove() error {
 		return err
 	}
 
+	ruleUpdates := []*waf.RuleUpdate{}
+	for _, predicate := range f.rule.Predicates {
+		ruleUpdates = append(ruleUpdates, &waf.RuleUpdate{
+			Action:    aws.String(waf.ChangeActionDelete),
+			Predicate: predicate,
+		})
+	}
+
+	_, err = f.svc.UpdateRule(&waf.UpdateRuleInput{
+		ChangeToken: tokenOutput.ChangeToken,
+		RuleId:      f.ID,
+		Updates:     ruleUpdates,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	tokenOutput, err = f.svc.GetChangeToken(&waf.GetChangeTokenInput{})
+	if err != nil {
+		return err
+	}
+
 	_, err = f.svc.DeleteRule(&waf.DeleteRuleInput{
 		RuleId:      f.ID,
 		ChangeToken: tokenOutput.ChangeToken,
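Review bot: The new exported method `Properties` on WAFRule has no doc comment; by Go convention an exported method's comment starts with its name, e.g. `// Properties reports the rule's ID and name for resource listings.`. It also reads `f.rule.Name` unconditionally, which panics when the `GetRule` lookup in ListWAFRules failed and left `rule` nil; guarding it with `if f.rule != nil { properties.Set("Name", f.rule.Name) }` keeps the ID available in that case.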