Merge pull request rebuy-de#2 from aws-samples/feature-publish-apg

Update stack to add SNS resources, and modify Nuke with latest version

Author: awsree

README.md

@@ -70,26 +70,25 @@ $ aws-nuke -c $line.yaml --force --no-dry-run --access-key-id $ACCESS_KEY_ID --s
 
 * Clone the repo
 * Determine the ID of the account to be deployed for clean up ( This is only to be deployed to Dev/Test/Sandbox environments )
-* Verify and Update your nuke config file as needed with specific filters for the resources/accounts
-* Deploy the stack using the below command. You can run it in any desired region. Replace the required parameter with the SNS Topic Arn for  notification email
+* Verify and Update your nuke configuration file as needed with specific filters for the resources/accounts
+* Deploy the stack using the below command. You can run it in any desired region.
 ```sh
-aws cloudformation create-stack --stack-name NukeCleanser --template-body file://nuke-cfn-stack.yaml --region us-east-2 --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=NukeTopicArn,ParameterValue='arn:aws:sns:us-east-2:{ACCT_ID}:TestSNSTopic'
+aws cloudformation create-stack --stack-name NukeCleanser --template-body file://nuke-cfn-stack.yaml --region us-east-2 --capabilities CAPABILITY_NAMED_IAM
 ```
-* Once the S3 bucket is created using the cfn template, upload the Nuke generic config file and the config update python script
+* Once the stack is created, upload the nuke generic config file and the python script to the S3 bucket using the commands below. You can find the name of the S3 bucket generated from the CloudFormation console `Outputs` tab.
 ```sh
-aws s3 cp config/nuke_generic_config.yaml --region us-east-2 s3://nuke-account-cleanser-config
-aws s3 cp config/nuke_config_update.py --region us-east-2 s3://nuke-account-cleanser-config
+aws s3 cp config/nuke_generic_config.yaml --region us-east-2 s3://{your-bucket-name}
+aws s3 cp config/nuke_config_update.py --region us-east-2 s3://{your-bucket-name}
 ```
 * Run the stack manually by triggering the StepFunctions with the below sample input payload. (which is pre-configured in the EventBridge Target as a Constant JSON input). You can configure this to run in parallel on the required number of regions by updating the region_list parameter.
 
 ```sh
 {
   "InputPayLoad": {
     "nuke_dry_run": "true",
-    "nuke_version": "2.5",
-    "nuke_config_bucket": "nuke-account-cleanser-config",
-    "sns_notification_arn": "sns_topic_arn",
+    "nuke_version": "2.21.2",
     "region_list": [
+      "global",
       "us-west-1",
       "us-east-1"
     ]
@@ -117,11 +116,19 @@ Account Cleansing Process Completed;
   Build State                  : JOB SUCCEEDED
   Build ID                     : AccountNuker-NukeCleanser:4509a9b5
   CodeBuild Project Name       : AccountNuker-NukeCleanser
-  Process Start Time           : Thu Dec  2 02:04:40 UTC 2021
-  Process End Time             : Thu Dec  2 02:06:45 UTC 2021
+  Process Start Time           : Thu Feb 23 04:05:21 UTC 2023
+  Process End Time             : Thu Feb 23 04:05:54 UTC 2023
   Log Stream Path              : AccountNuker-NukeCleanser/logPath
   ------------------------------------------------------------------
-  ################ Removed the following resources #################
+  ################ Nuke Cleanser Logs #################
+
+  FAILED RESOURCES
+-------------------------------
+Total number of Resources that would be removed:
+3
+us-west-1 - SQSQueue - https://sqs.us-east-1.amazonaws.com/123456789012/test-nuke-queue - would remove
+us-west-1 - SNSTopic - TopicARN: arn:aws:sns:us-east-1:123456789012:test-nuke-topic - [TopicARN: "arn:aws:sns:us-east-1:123456789012:test-topic"] - would remove
+us-west-1 - S3Bucket - s3://test-nuke-bucket-us-west-1 - [CreationDate: "2023-01-25 11:13:14 +0000 UTC", Name: "test-nuke-bucket-us-west-1"] - would remove
 
 ```
 * By default the stack runs aws-nuke in DryRun mode, To actually delete resources update the stack with AWSNukeDryRunFlag parameter flipped to false OR udpate manually in the CodeBuild environment variables section.

config/nuke_config_update.py

@@ -7,7 +7,7 @@
 import argparse
 import copy
 
-GLOBAL_EXCEPTIONS = [
+GLOBAL_RESOURCE_EXCEPTIONS = [
     {"property": "tag:DoNotNuke", "value": "True"},
     {"property": "tag:Permanent", "value": "True"},
     {"type": "regex", "value": ".*auto-account-cleanser*.*"},
@@ -27,10 +27,10 @@ def __init__(self, account, target_regions):
         self.account = account
 
     def Populate(self):
-        self.BuildResourceList()
-        self.MergeWithDefaultConfig()
+        self.UpdateCFNStackList()
+        self.OverrideDefaultConfig()
 
-    def BuildResourceList(self):
+    def UpdateCFNStackList(self):
         try:
             for region in self.regions:
                 cfn_client = self.session.client("cloudformation", region_name=region)
@@ -46,12 +46,12 @@ def BuildResourceList(self):
                 )
                 for page in responses:
                     for stack in page.get("StackSummaries"):
-                        self.GetStackResources(stack, cfn_client)
+                        self.GetCFNResources(stack, cfn_client)
                 self.BuildIamExclusionList(region)
         except Exception as e:
-            print("Exception calling BuildResourceList:\n {}".format(e))
+            print("Error in calling UpdateCFNStackList:\n {}".format(e))
 
-    def GetStackResources(self, stack, cfn_client):
+    def GetCFNResources(self, stack, cfn_client):
         try:
             stack_name = stack.get("StackName")
 
@@ -76,10 +76,9 @@ def GetStackResources(self, stack, cfn_client):
                     )
                     for resource in stack_resources.get("StackResourceSummaries"):
                         if resource.get("ResourceType") == "AWS::CloudFormation::Stack":
-                            # recurse if the resource type is a stack (nested stacks)
-                            self.GetStackResources(resource, cfn_client)
+                            self.GetCFNResources(resource, cfn_client)
                         else:
-                            nuke_type = self.FixResourceName(resource["ResourceType"])
+                            nuke_type = self.UpdateResourceName(resource["ResourceType"])
                             if nuke_type in self.resources:
                                 self.resources[nuke_type].append(
                                     {
@@ -95,9 +94,9 @@ def GetStackResources(self, stack, cfn_client):
                                     }
                                 ]
         except Exception as e:
-            print("Exception calling GetStackResources:\n {}".format(e))
+            print("Error calling GetCFNResources:\n {}".format(e))
 
-    def FixResourceName(self, resource):
+    def UpdateResourceName(self, resource):
         nuke_type = str.replace(resource, "AWS::", "")
         nuke_type = str.replace(nuke_type, "::", "")
         nuke_type = str.replace(nuke_type, "Config", "ConfigService", 1)
@@ -126,7 +125,7 @@ def BuildIamExclusionList(self, region):
                                             role.get("RoleName")
                                         ]
 
-    def MergeWithDefaultConfig(self):
+    def OverrideDefaultConfig(self):
         # Open the nuke_generic_config.yaml and merge the captured resources/exclusions with it
         try:
             with open(r"nuke_generic_config.yaml") as config_file:
@@ -148,7 +147,7 @@ def MergeWithDefaultConfig(self):
                     self.config["accounts"].pop("ACCOUNT", None)
             # Global exclusions apply to every type of resource
             for resource in self.config["accounts"][self.account]["filters"]:
-                for exception in GLOBAL_EXCEPTIONS:
+                for exception in GLOBAL_RESOURCE_EXCEPTIONS:
                     self.config["accounts"][self.account]["filters"][resource].append(
                         exception.copy()
                     )
@@ -184,7 +183,7 @@ def WriteConfig(self):
     exit(1)
 
 if __name__ == "__main__":
-
+    print("Incoming Args: ", args)
     stackInfo = StackInfo(args.account, [args.region])
     stackInfo.Populate()
     stackInfo.WriteConfig()

config/nuke_generic_config.yaml

@@ -1,4 +1,5 @@
 regions:
+  # add `global` here to include IAM entities to be nuked
   - TARGET_REGION # will be overridden during run time based on region parameter
 
 account-blocklist:
@@ -16,15 +17,20 @@ resource-types:
   - S3Bucket
   - SNSTopic
   - SQSQueue
+  - CloudTrailTrail
 
 accounts:
   ACCOUNT: # will be overridden during run time based on account param
     filters:
       IAMRole:
       - "ProdRoles"
       - "DoNotDeleteRoles"
+      - type: regex
+        value: ".*"
       IAMUser:
       - "admin"
+      - type: regex
+        value: ".*"
       IAMUserPolicyAttachment:
       - property: RoleName
         value: "admin"
@@ -33,5 +39,10 @@ accounts:
         value: "admin"
       S3Bucket:
       - "s3://my-bucket"
-      SNSTopic: [] # delete all SNS
+      CloudTrailTrail: # filter all CloudTrail
+      - type: regex
+        value: ".*"
+      SNSTopic: [] # SNS is protected based on global exception tags inside the nuke_config_update.py
+      - type: regex
+        value: ".*"
       SQSQueue: [] # delete all SQS