AWS Nuke Process Attempts to Delete ECRRepository Resource in Unsupported Regions #1206
Comments
The logs you have provided only include a failure to list, nothing to do with removing. |
We exclude the "ECRRepository" resource but Nuke is still trying to remove this resource. |
I will try to explain what we do and what we expect. Firstly, this is how we try to run Nuke:

```ts
// Builds the shell snippet that writes the config to nuke.yaml, runs aws-nuke
// and stores the outcome in the shell variable named by statusVar.
function runNuke(cfgYml: string, statusVar: string) {
  return `
cat <<NUKE_YAML > nuke.yaml\n${cfgYml}\nNUKE_YAML\n
timeout 60m ./aws-nuke-$AWS_NUKE_VERSION-linux-amd64 --config nuke.yaml --access-key-id $AWS_ACCESS_KEY_ID --secret-access-key $AWS_SECRET_ACCESS_KEY --session-token $AWS_SESSION_TOKEN --assume-role-arn=arn:aws:iam::$ACCOUNT_ID:role/OrganizationAccountAccessRole --force $NO_DRY_RUN_ARG
nukeExitCode=$?
if [ $nukeExitCode -eq 124 ]; then
  ${statusVar}='TIMEOUT'
elif [ $nukeExitCode -gt 0 ]; then
  ${statusVar}="Exit with code: $nukeExitCode"
else
  ${statusVar}='SUCCESS'
fi
`;
}
```

and this is our config, where we exclude some resources:

```ts
const nuke_everything_but_iam_and_cf_stacks = `${nukeBasicCfg}
$(if [[ "${CDK_PRESET_ACCOUNTS.join(" ")}" =~ "$ACCOUNT_ID" ]]; then echo "${cdk_account_presets}"; else echo "${basic_account_setting}"; fi)
resource-types:
  excludes:
    - IAMRole
    - IAMPolicy
    - IAMRolePolicyAttachment
    - IAMRolePolicy
    - IAMVirtualMFADevice
    - CloudFormationStack
    - EC2TGW
    - GuardDutyDetector
    - CloudTrailTrail
    - MachineLearningBranchPrediction
    - MachineLearningDataSource
    - MachineLearningEvaluation
    - MachineLearningMLModel
    - FMSNotificationChannel
    - FMSPolicy
    - ECRRepository  # the entry emphasized in the original post
    - OpsWorksCMBackup
    - OpsWorksCMServer
    - OpsWorksCMServerState
    - OSPackage
presets:
  cdk:
    filters:
      SSMParameter:
        - type: contains
          value: "hnb659fds"
      S3Bucket:
        - type: contains
          value: "hnb659fds"
        - type: contains
          value: "CDKToolkit"
      IAMPolicy:
        - type: regex
          value: "cdk-hnb659fds-.*"
        - type: regex
          value: "base-cdk-execution"
      IAMRole:
        - type: regex
          value: "cdk-hnb659fds-.*"
feature-flags:
  disable-deletion-protection:
    RDSInstance: true
    EC2Instance: true
`;
```

After running the script in our service, we expect that Nuke will not look for the ECRRepository resource, since we are excluding this in our config. Btw, we are using version v2.25.0. |
Listing is not the same as removing. ECRRepository is not the same as AWS::ECR::PublicRepository. Add AWS::ECR::PublicRepository to your exclude list as well. |
Thanks, it helped. |
Solution was to add |
Hello,
I am encountering an issue with the AWS Nuke process where it attempts to delete the ECRRepository resource, despite this resource only being available in the us-east-1 region as per this PR.

In our project, we have explicitly excluded the ECRRepository resource in our template, but we are still encountering an error during the nuking process. The error message is as follows:

Here is the relevant part of our code where we exclude the ECRRepository resource:

Despite this exclusion, the AWS Nuke process still attempts to delete the ECRRepository resource, leading to the error.

Any assistance in resolving this issue would be greatly appreciated.
Thank you.