forked from ekristen/aws-nuke
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudcontrol.go
199 lines (176 loc) · 5.99 KB
/
cloudcontrol.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
package resources
import (
"context"
"encoding/json"
"fmt"
"github.com/google/uuid"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/cloudcontrolapi"
liberrors "github.com/ekristen/libnuke/pkg/errors"
"github.com/ekristen/libnuke/pkg/registry"
"github.com/ekristen/libnuke/pkg/resource"
"github.com/ekristen/libnuke/pkg/types"
"github.com/ekristen/aws-nuke/v3/pkg/nuke"
)
func init() {
// It is required to manually define Cloud Control API targets, because
// existing configs that already filter old-style resources could break,
// because the resource is also available via Cloud Control.
//
// To get an overview of available cloud control resource types run this
// command in the repo root:
// go run ./tools/list-cloudcontrol
//
// If there's a resource definition for the resource type, then there's no
// need to define it here as well, you should use the MapCloudControl func
// see ecr-public-repository.go for an example.
registerCloudControl("AWS::AppFlow::ConnectorProfile")
registerCloudControl("AWS::AppFlow::Flow")
registerCloudControl("AWS::AppRunner::Service")
registerCloudControl("AWS::ApplicationInsights::Application")
registerCloudControl("AWS::Backup::Framework")
registerCloudControl("AWS::ECR::PullThroughCacheRule")
registerCloudControl("AWS::ECR::RegistryPolicy")
registerCloudControl("AWS::ECR::ReplicationConfiguration")
registerCloudControl("AWS::MWAA::Environment")
registerCloudControl("AWS::Synthetics::Canary")
registerCloudControl("AWS::Timestream::Database")
registerCloudControl("AWS::Timestream::ScheduledQuery")
registerCloudControl("AWS::Timestream::Table")
registerCloudControl("AWS::Transfer::Workflow")
registerCloudControl("AWS::NetworkFirewall::Firewall")
registerCloudControl("AWS::NetworkFirewall::FirewallPolicy")
registerCloudControl("AWS::NetworkFirewall::RuleGroup")
}
func registerCloudControl(typeName string) {
registry.Register(®istry.Registration{
Name: typeName,
Scope: nuke.Account,
Lister: &CloudControlResourceLister{
TypeName: typeName,
},
AlternativeResource: typeName,
})
}
type CloudControlResourceLister struct {
TypeName string
}
func (l *CloudControlResourceLister) List(_ context.Context, o interface{}) ([]resource.Resource, error) {
opts := o.(*nuke.ListerOpts)
svc := cloudcontrolapi.New(opts.Session)
params := &cloudcontrolapi.ListResourcesInput{
TypeName: aws.String(l.TypeName),
}
resources := make([]resource.Resource, 0)
if err := svc.ListResourcesPages(params, func(page *cloudcontrolapi.ListResourcesOutput, lastPage bool) bool {
for _, desc := range page.ResourceDescriptions {
identifier := aws.StringValue(desc.Identifier)
properties, err := cloudControlParseProperties(aws.StringValue(desc.Properties))
if err != nil {
logrus.
WithError(errors.WithStack(err)).
WithField("type-name", l.TypeName).
WithField("identifier", identifier).
Error("failed to parse cloud control properties")
continue
}
properties = properties.Set("Identifier", identifier)
resources = append(resources, &CloudControlResource{
svc: svc,
clientToken: uuid.New().String(),
typeName: l.TypeName,
identifier: identifier,
properties: properties,
})
}
return true
}); err != nil {
// If a Type is not available in a region we shouldn't throw an error for it.
var awsError awserr.Error
if errors.As(err, &awsError) {
if awsError.Code() == "TypeNotFoundException" {
return nil, liberrors.ErrSkipRequest(
"cloudformation type not available in region: " + *opts.Session.Config.Region)
}
}
return nil, err
}
return resources, nil
}
func cloudControlParseProperties(payload string) (types.Properties, error) {
// Warning: The implementation of this function is not very straightforward,
// because the aws-nuke filter functions expect a very rigid structure and
// the properties from the Cloud Control API are very dynamic.
propMap := map[string]interface{}{}
err := json.Unmarshal([]byte(payload), &propMap)
if err != nil {
return nil, err
}
properties := types.NewProperties()
for name, value := range propMap {
switch v := value.(type) {
case string:
properties = properties.Set(name, v)
case []interface{}:
for _, value2 := range v {
switch v2 := value2.(type) {
case string:
properties.Set(
fmt.Sprintf("%s.[%q]", name, v2),
true,
)
case map[string]interface{}:
if len(v2) == 2 && v2["Key"] != nil && v2["Value"] != nil {
properties.Set(
fmt.Sprintf("%s.[%q]", name, v2["Key"]),
v2["Value"],
)
} else {
logrus.
WithField("value", fmt.Sprintf("%q", v)).
Debugf("nested cloud control property type []%T is not supported", value)
}
default:
logrus.
WithField("value", fmt.Sprintf("%q", v)).
Debugf("nested cloud control property type []%T is not supported", value)
}
}
default:
// We cannot rely on the default handling of
// properties.Set, because it would fall back to
// fmt.Sprintf. Since the cloud control properties are
// nested it would create properties that are not
// suitable for filtering. Therefore we have to
// implemented more sophisticated parsing.
logrus.
WithField("value", fmt.Sprintf("%q", v)).
Debugf("cloud control property type %T is not supported", v)
}
}
return properties, nil
}
type CloudControlResource struct {
svc *cloudcontrolapi.CloudControlApi
clientToken string
typeName string
identifier string
properties types.Properties
}
func (r *CloudControlResource) String() string {
return r.identifier
}
func (r *CloudControlResource) Remove(_ context.Context) error {
_, err := r.svc.DeleteResource(&cloudcontrolapi.DeleteResourceInput{
ClientToken: &r.clientToken,
Identifier: &r.identifier,
TypeName: &r.typeName,
})
return err
}
func (r *CloudControlResource) Properties() types.Properties {
return r.properties
}