Skip to content

Latest commit

 

History

History
 
 

awsnukedocgen

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

awsnukedocgen Tool

This tool is for generating both an example IAM policy and a list, in Markdown of the human-readable names of the AWS services that are supported and not supported by AWS Nuke.

AWS Nuke support

DCE currently uses AWS Nuke to clean up the resources in a leased account when the lease is terminated and before it is returned to the account pool. As a result, DCE requires delete support for resources in order to allow those resources to be created to avoid the resources being left behind when the account lease terminates.

AWS Nuke has a command aws-nuke resource-types that lists supported resources, but the names of these resource types are free-form text that is up to the developer to name--there is no mechanism that enforces the naming to make sure it matches the name of an AWS service or operation. For example:

func init() {
	register("RedshiftCluster", ListRedshiftClusters)
}

awsnukedocgen approach

The approach of the awsnukedocgen tool is to scan the AWS Nuke resources folder for handling resources. It looks through each file for a call to DeleteX or TerminateX, and then looks at the services reference at the top of the file to build a list of likely candidates for supported delete operations. Using this list, it then looks through the policy.js file from AWS. It compares its list of likely candidates with operations and service prefixes in that file to weed out false positives, and from there generates a list of supported delete operations with a pretty high degree of confidence.

For example, in that file to remove Amazon Redshift clusters, redshift-clusters.go (link to file in Github here) see the following:

The referenced import:

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/redshift"
)

The delete call:

func (f *RedshiftCluster) Remove() error {

	_, err := f.svc.DeleteCluster(&redshift.DeleteClusterInput{
		ClusterIdentifier:        f.clusterIdentifier,
		SkipFinalClusterSnapshot: aws.Bool(true),
	})

	return err
}

So the tool finds redshift and DeleteCluster to get redshift:DeleteCluster and looks for them in the JSON:

        "Amazon Redshift": {
            "StringPrefix": "redshift",
            "Actions": [
                "...snipped",
                "DeleteCluster",
                "...snipped",

The tool finds them and stores "Amazon Redshift" as a supported service and "redshift:DeleteCluster" as a supported delete operation.

Handling discrepencies

This approach is fairly accurate, but it's not perfect. AWS SDKs match up nearly 100% between reference names and service prefixes. Nearly. To accommodate the discrepencies (i.e., elb instead of elasticloadbalancing) there is a map called servicePrefixOverrides that maps the service's reference name to the IAM prefix.

Updating the sources

There are two sources that should be updated in order to keep the generated markdown list and sample policy current: the AWS Nuke source and the policy file

Both the AWS Nuke source location and the path to the policies file are arguments to the tool. So, in order to update the tool, run the following commands:

$ git clone https://github.com/rebuy-de/aws-nuke.git /path/to/local/aws-nuke
$ curl https://awspolicygen.s3.amazonaws.com/js/policies.js -o /path/to/policies.js
$ cat /path/to/policies.js | sed 's/app.PolicyEditorConfig=//' > /path/to/policy.json
# to generate the sample IAM policy (redirect STDOUT to a file if you wish)
$ awsnukedocgen -nuke-source-dir=/path/to/local/aws-nuke -policies-js-file=/path/to/policy.json
# to generate the markdown list (redirect STDOUT to a file if you wish)
$ awsnukedocgen -nuke-source-dir=/path/to/local/aws-nuke -policies-js-file=/path/to/policy.json -generate-markdown