jckuester / awsweeper
A tool for cleaning your AWS account
License: Mozilla Public License 2.0
I would like to filter by a relative date instead of an absolute one. An example might be:
```yaml
aws_instance:
  - created:
      before: 5d
```
This would delete all resources that are older than 5 days at the time of running awsweeper. We could use the standard Go terms like 5d, 2h, 2m etc.
I have this config:
```yaml
aws_cloudformation_stack:
  - id: awsweeper-del-me
```
Running it I get these logs:
```
awsweeper --region eu-west-1 --parallel 1 --debug --force config.yaml
• downloaded and installed provider name=aws version=2.59.0
• configured provider name=aws version=2.59.0
• SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)
<snipping>
• failed to import resource; trying to read resource without import error=Throttling: Rate exceeded
status code: 400, request id: 18399ea7-5742-409a-9e62-14cf0a14cb51 id=arn:aws:cloudformation:eu-west-1:<redacted-aws-account-id>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72 type=aws_cloudformation_stack
Error: failed to read current state of resource: Throttling: Rate exceeded
status code: 400, request id: dca88124-cc18-4375-8aaf-39bcd0bbd6dd
Error: failed to read current state of resource: Throttling: Rate exceeded
status code: 400, request id: cc2e00e1-1554-4bd3-9ca9-f235fd738e37
Error: failed to read current state of resource: Throttling: Rate exceeded
status code: 400, request id: f78f05c8-a354-4465-92d1-5e1099bae9b5
<snipping>
• failed to get tags error=state is nil: <nil> id=arn:aws:cloudformation:eu-west-1:<redacted-aws-account-id>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72 type=aws_cloudformation_stack
<snipping>
---
Type: aws_cloudformation_stack
Found: 1
Id: arn:aws:cloudformation:eu-west-1:<redacted-aws-account-id>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72
Created: 2020-06-29 09:40:07.952 +0000 UTC
---
• TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 1
• USER WILL NOT BE ASKED FOR CONFIRMATION (FORCE MODE)
• STARTING TO DELETE RESOURCES
• start distributing resources to workers for this run
• unable to delete resource error=resource state is nil; need to call update first resource_id=arn:aws:cloudformation:eu-west-1:<redacted-aws-account-id>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72 type=aws_cloudformation_stack
• TOTAL NUMBER OF DELETED RESOURCES: 0
```
and I can still see the cfn stack in the aws console :(
I've tried it with version 0.7 and it seems to work:
```
awsweeper --region eu-west-1 --debug --force config.yaml
• downloaded and installed provider name=aws version=2.43.0
• configured provider name=aws version=2.43.0
• using region: eu-west-1
• SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)
---
Type: aws_cloudformation_stack
Found: 1
Id: arn:aws:cloudformation:eu-west-1:<redacted>/:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72
Created: 2020-06-29 09:40:07.952 +0000 UTC
---
• TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 1
• USER WILL NOT BE ASKED FOR CONFIRMATION (FORCE MODE)
• STARTING TO DELETE RESOURCES
• start distributing resources to workers for this run
• worker starts deleting resource id=arn:aws:cloudformation:eu-west-1:<redacted>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72 type=aws_cloudformation_stack worker_id=5
⨯ aws_cloudformation_stack id=arn:aws:cloudformation:eu-west-1:<redacted>:stack/awsweeper-del-me/80789cf0-b9ec-11ea-8cc3-02aed67d8a72
• TOTAL NUMBER OF DELETED RESOURCES: 1
```
As far as I understand, we can filter resources based on a specific tag's value. For example, the following is going to select all ECS clusters based on a tag named environment whose value is not play:
```yaml
aws_ecs_cluster:
  - tags:
      environment: NOT(play)
```
Is there any way we can filter resources if a specific tag is not present at all? So based on the previous example, I want to delete all ecs_clusters where the tag environment is not present.
Thanks.
My config:
```yaml
aws_cloudformation_stack:
  - id: NOT(mystackname1|mystackname2)
    created:
      after: 2020-01-01
```
My command `./awsweeper --profile my-sandbox --region eu-west-1 --dry-run --output string ./config.yml` gives an empty result (so nothing to be deleted):
```
INFO[0000] using region: eu-west-1
INFO[0001] This is a test run, nothing will be deleted!
```
If I check the JSON by removing the date filter I will see an object like this one:
```json
[
  {
    "Type": "aws_cloudformation_stack",
    "ID": "arn:aws:cloudformation:eu-west-1:*****:stack/*****/****-****-****-***-****",
    "Tags": {
      "***": "****"
    },
    "Created": null,
    "Attrs": null
  },
  ... <redacted>
```
You can see here that the date field is null.
Update 1: To be noted that I'm using version v0.4.1 because of #81
Update 2: I've cloned the project and compiled it, same result
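As an added example (not awsweeper's own code), here is how the relative-age bound requested earlier on this page (5d, 2h, 2m) and the absolute `after: 2020-01-01` bound from the config above can be evaluated in Go. It also shows the failure mode just reported: a resource whose Created is null can never satisfy a date bound, so the filter selects nothing. The Resource and CreatedFilter types are assumptions, not the project's types.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Resource is the assumed shape of one candidate; Created may be nil ("Created": null).
type Resource struct {
	ID      string
	Created *time.Time
}

// CreatedFilter is the "created:" block of a config entry. A bound is either an
// absolute date (2020-01-01) or a relative age (5d, 2h, 2m); "" means unset.
type CreatedFilter struct {
	Before string
	After  string
}

// parseRelativeAge extends time.ParseDuration with a "d" (day) suffix, which the
// standard library lacks. "2m" is two minutes, as in Go, not two months.
func parseRelativeAge(s string) (time.Duration, error) {
	if strings.HasSuffix(s, "d") {
		days, err := strconv.Atoi(strings.TrimSuffix(s, "d"))
		if err != nil || days < 0 {
			return 0, fmt.Errorf("invalid day count in %q", s)
		}
		return time.Duration(days) * 24 * time.Hour, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil || d < 0 {
		return 0, fmt.Errorf("invalid age %q", s)
	}
	return d, nil
}

// resolveBound turns a bound into an instant: an absolute date is UTC midnight,
// a relative age is subtracted from now.
func resolveBound(s string, now time.Time) (time.Time, error) {
	if t, err := time.Parse("2006-01-02", s); err == nil {
		return t, nil
	}
	age, err := parseRelativeAge(s)
	if err != nil {
		return time.Time{}, fmt.Errorf("bound %q is neither a date nor a duration: %w", s, err)
	}
	return now.Add(-age), nil
}

// Matches reports whether r lies inside the window. An unknown creation time
// never satisfies a bound (fail safe: null must not be read as "old enough").
func (f CreatedFilter) Matches(r Resource, now time.Time) (bool, error) {
	if r.Created == nil {
		return f.Before == "" && f.After == "", nil
	}
	if f.Before != "" {
		cutoff, err := resolveBound(f.Before, now)
		if err != nil || !r.Created.Before(cutoff) {
			return false, err
		}
	}
	if f.After != "" {
		cutoff, err := resolveBound(f.After, now)
		if err != nil || !r.Created.After(cutoff) {
			return false, err
		}
	}
	return true, nil
}

// Select returns the IDs the filter would hand to the deletion step.
func Select(f CreatedFilter, rs []Resource, now time.Time) ([]string, error) {
	var ids []string
	for _, r := range rs {
		ok, err := f.Matches(r, now)
		if err != nil {
			return nil, err
		}
		if ok {
			ids = append(ids, r.ID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed sample evaluated on 2020-07-10: the stack from the log above, a fresh one, a null Created.
	now := time.Date(2020, 7, 10, 12, 0, 0, 0, time.UTC)
	old := time.Date(2020, 6, 29, 9, 40, 7, 0, time.UTC)
	fresh := now.Add(-36 * time.Hour)
	rs := []Resource{
		{ID: "awsweeper-del-me", Created: &old},
		{ID: "fresh-stack", Created: &fresh},
		{ID: "AWSServiceRoleForAutoScaling"},
	}
	ids, err := Select(CreatedFilter{Before: "5d"}, rs, now)
	fmt.Println(ids, err) // [awsweeper-del-me] <nil>
}
```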
Using UPX you can shrink the size of the binaries from ~100mb to ~25mb. The settings I used were upx -9 <BINARY>.
```
$ upx -9 awsweeper
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX git-716d20 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 27th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
118215644 -> 25976848 21.97% macho/amd64 awsweeper
Packed 1 file.
```
delete aws_ecs_snapshot failed with the following error:
error=failed to import resource: resource aws_ebs_snapshot doesn't support import
Hi,
For some reason I'm not able to install on my macOS. Is there any help or guide?
Thank you in advance.
```
$ curl -sSfL https://raw.githubusercontent.com/cloudetc/awsweeper/master/install.sh | sh -s v0.5.0
cloudetc/awsweeper info checking GitHub for tag 'v0.5.0'
cloudetc/awsweeper info found version: 0.5.0 for v0.5.0/darwin/amd64
localuser@xxxxxxxxx ~/allstate_Devops/awsweeper (master)
$ awsweeper --help
bash: awsweeper: command not found
```
It would be great if I could set a config for all supported resource types. An example config might be:
```yaml
"*":
  - tags:
      environment: test
```
or
```yaml
all:
  - tags:
      environment: test
```
Weird stuff
Didn't investigate much, but I figured it's useful to leave this stacktrace:
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x26db73b]
goroutine 177 [running]:
github.com/cloudetc/awsweeper/vendor/github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsKmsAliasRead(0xc420134000, 0x300f2a0, 0xc4200cca00, 0xc420134000, 0x0)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_kms_alias.go:122 +0x35b
github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).Refresh(0xc4203d4540, 0xc42056a000, 0x300f2a0, 0xc4200cca00, 0xc42024d408, 0x1, 0x3286980)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:354 +0x167
github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).Refresh(0xc4204e6460, 0xc42070c2d0, 0xc42056a000, 0xa, 0xc4205aa088, 0x0)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:308 +0x9a
github.com/cloudetc/awsweeper/command.(*Wipe).wipe.func1(0xc42063d800, 0xc420920480, 0xc42070c2d0, 0xc4206d9660, 0xc4204cec50)
/home/janck/go/src/github.com/cloudetc/awsweeper/command/wipe.go:126 +0x26c
created by github.com/cloudetc/awsweeper/command.(*Wipe).wipe
/home/janck/go/src/github.com/cloudetc/awsweeper/command/wipe.go:100 +0x210
```
Hello,
I'm running awsweeper (macOS Mojave 10.14.1) with a config.yml containing:
```yaml
aws_ami:
```
I got an error:
```
---
panic: interface conversion: interface {} is *string, not *time.Time
goroutine 1 [running]:
github.com/cloudetc/awsweeper/resource.DeletableResources(0xc000618958, 0x7, 0x32e4280, 0xc0005bf100, 0xc0005bf100, 0x0, 0x0, 0xc00071ae80, 0xc000a5d400)
/home/janck/git/github.com/cloudetc/awsweeper/resource/resource.go:37 +0x71a
github.com/cloudetc/awsweeper/command.(*Wipe).Run(0xc000a892c0, 0xc00028c2d0, 0x1, 0x1, 0xc000a89230)
/home/janck/git/github.com/cloudetc/awsweeper/command/wipe.go:65 +0x1ea
github.com/mitchellh/cli.(*CLI).Run(0xc00028e8c0, 0xc000a89200, 0x3d13023, 0x4)
/home/janck/go/pkg/mod/github.com/mitchellh/[email protected]/cli.go:255 +0x207
github.com/cloudetc/awsweeper/command.WrappedMain(0xc00003a0b8)
/home/janck/git/github.com/cloudetc/awsweeper/command/wrapped_main.go:92 +0x753
main.main()
/home/janck/git/github.com/cloudetc/awsweeper/main.go:14 +0x22
```
Other supported resources work fine.
We have some corporate governance stuff applied over my company's 100+ AWS accounts. We developers use Terraform, the corporate governance resources are created using a variety of other tools.
I'm trying to clean up all IAM policies that are created by developers, and not managed by these governance tools. But it would appear that regex support is not working correctly against the aws_iam_policy → id field.
I've tried:
```yaml
aws_iam_policy:
  - id: NOT(CloudTrail_CloudWatchLogs_Policy)
  - id: NOT(DatapipeOpsAccessPolicy)
  - id: NOT(Kentik)
  - id: NOT(turbot)
```
…as well as…
```yaml
aws_iam_policy:
  - id: NOT(.*CloudTrail_CloudWatchLogs_Policy.*)
  - id: NOT(.*DatapipeOpsAccessPolicy.*)
  - id: NOT(.*Kentik.*)
  - id: NOT(.*turbot.*)
```
Am I applying the values correctly?
A common scenario in AWS deployments is to have a production account and a test account. To ensure that the deployment is only run against the test account, it would be really helpful if the awsweeper could check the account id passed in on the command line or environment variable and then verify that the credentials its using are for that account. If they don't match, then fail before executing.
If this feature sounds worthwhile, I'd be happy to submit a PR for it.
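The pre-flight check requested above, as an added sketch in Go that is not awsweeper's code: it parses the GetCallerIdentity document (the same three fields `aws sts get-caller-identity` prints; the sample below is constructed) and refuses to proceed unless the Account field equals the account id the operator supplied. The CallerIdentity type and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// CallerIdentity is the document STS GetCallerIdentity returns.
type CallerIdentity struct {
	UserID  string `json:"UserId"`
	Account string `json:"Account"`
	Arn     string `json:"Arn"`
}

// AWS account ids are exactly twelve decimal digits.
var accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)

// ParseCallerIdentity decodes the STS response and rejects a missing or
// malformed Account field, so a broken credential chain fails loudly instead
// of being compared as an empty string.
func ParseCallerIdentity(doc []byte) (CallerIdentity, error) {
	var id CallerIdentity
	if err := json.Unmarshal(doc, &id); err != nil {
		return id, fmt.Errorf("decoding caller identity: %w", err)
	}
	if !accountIDPattern.MatchString(id.Account) {
		return id, fmt.Errorf("caller identity has no valid Account field: %q", id.Account)
	}
	return id, nil
}

// VerifyAccount is the guard: the account named by the operator (flag or
// environment variable) must equal the account the credentials resolve to,
// otherwise the run is refused before anything is listed or deleted.
func VerifyAccount(expected string, id CallerIdentity) error {
	expected = strings.TrimSpace(expected)
	if !accountIDPattern.MatchString(expected) {
		return fmt.Errorf("expected account id %q is not a 12-digit AWS account id", expected)
	}
	if id.Account != expected {
		return fmt.Errorf("credentials belong to account %s (%s), not %s; refusing to run",
			id.Account, id.Arn, expected)
	}
	return nil
}

func main() {
	// Constructed sample response; a real run would obtain it from STS.
	doc := []byte(`{"UserId":"AIDAEXAMPLE","Account":"111111111111","Arn":"arn:aws:iam::111111111111:user/ci"}`)
	id, err := ParseCallerIdentity(doc)
	if err != nil {
		fmt.Println("abort:", err)
		return
	}
	for _, want := range []string{"111111111111", "222222222222"} {
		fmt.Printf("expected %s: %v\n", want, VerifyAccount(want, id))
	}
}
```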
Requesting addition of AWS Kinesis Data Streams as time permits.
This is what it currently looks like:
```json
{
  "Type": "aws_iam_role",
  "ID": "AWSServiceRoleForAutoScaling",
  "Tags": null,
  "Created": null,
  "Attrs": null
},
```
```yaml
- type: aws_iam_role
  id: AWSServiceRoleForAutoScaling
  tags: {}
  created: null
  attrs: {}
```
It would be neat if the tool supported deleting aws_lambda_functions.
I'm using macOS and I'm testing the tool with all.yml. I think there is a bug with the option aws_kms_alias. If I comment this option out (#aws_kms_alias) it works well.
Regards!
```
---
Type: aws_kms_alias
Found: 14
Id: alias/aws/acm
Id: alias/aws/connect
Id: alias/aws/dynamodb
Id: alias/aws/ebs
Id: alias/aws/elasticfilesystem
Id: alias/aws/es
Id: alias/aws/glue
Id: alias/aws/kinesisvideo
Id: alias/aws/rds
Id: alias/aws/lambda
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x26db73b]
goroutine 619 [running]:
github.com/cloudetc/awsweeper/vendor/github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsKmsAliasRead(0xc420298700, 0x300f2a0, 0xc4200b4a00, 0xc420298700, 0x0)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_kms_alias.go:122 +0x35b
github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).Refresh(0xc42038ff10, 0xc420502640, 0x300f2a0, 0xc4200b4a00, 0xc420462390, 0x1, 0x3286980)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:354 +0x167
github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).Refresh(0xc42044b5e0, 0xc420502460, 0xc420502640, 0xa, 0xc420734ce8, 0x0)
/home/janck/go/src/github.com/cloudetc/awsweeper/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:308 +0x9a
github.com/cloudetc/awsweeper/command.(*Wipe).wipe.func1(0xc4205e34a0, 0xc42052acf0, 0xc420502460, 0xc4208876e0, 0xc420510cc0)
/home/janck/go/src/github.com/cloudetc/awsweeper/command/wipe.go:126 +0x26c
created by github.com/cloudetc/awsweeper/command.(*Wipe).wipe
/home/janck/go/src/github.com/cloudetc/awsweeper/command/wipe.go:100 +0x210
```
Hi,
Using awsls I can retrieve some IAM Roles, for example:
My goal, delete all IAM Roles except:
So awsweeper should delete:
I try to build a filter.yml file to do this... but without success. How can I build a multi-filter on one attribute like "id" here?
Any help please?
Thanks.
It would be nice if I could specify all available regions to be swept. An example might be:
```
$ awsweep --region all config.yml
```
Hi @jckuester, recently I got the following error while cleaning up ECS resources. The weird thing is the current region doesn't have any ECS cluster, but it still happens each time.
```
Type: aws_ecs_cluster
Found: 1
Id: arn:aws:ecs:ap-southeast-2:xxxxxxxxxxxx:cluster/default
---
• TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 1
• USER WILL NOT BE ASKED FOR CONFIRMATION (FORCE MODE)
• STARTING TO DELETE RESOURCES
panic: can't use ElementIterator on null value
goroutine 194 [running]:
github.com/zclconf/go-cty/cty.Value.ElementIterator(0x5f98800, 0xc00048b450, 0x0, 0x0, 0x7, 0x0)
/home/jan/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1038 +0x11a
github.com/zclconf/go-cty/cty.Value.AsValueMap(0x5f98800, 0xc00048b450, 0x0, 0x0, 0x1)
/home/jan/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1243 +0xfe
github.com/jckuester/terradozer/pkg/provider.enableForceDestroyAttributes(0x5f98800, 0xc00048b450, 0x0, 0x0, 0x203000, 0x203000, 0x203000, 0xf4a6622f9a8800fb)
/home/jan/go/pkg/mod/github.com/jckuester/[email protected]/pkg/provider/provider.go:236 +0xf7
github.com/jckuester/terradozer/pkg/provider.TerraformProvider.DestroyResource.func1(0x4c0da0)
/home/jan/go/pkg/mod/github.com/jckuester/[email protected]/pkg/provider/provider.go:200 +0x86
github.com/hashicorp/terraform/helper/resource.Retry.func1(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/jan/go/pkg/mod/github.com/hashicorp/[email protected]/helper/resource/wait.go:22 +0x5e
github.com/hashicorp/terraform/helper/resource.(*StateChangeConf).WaitForState.func1(0xc00926e720, 0xc0001d4540, 0xc000850600, 0xc007e240c0, 0xc0082242d0, 0xc0082242c8)
/home/jan/go/pkg/mod/github.com/hashicorp/[email protected]/helper/resource/state.go:103 +0x298
created by github.com/hashicorp/terraform/helper/resource.(*StateChangeConf).WaitForState
/home/jan/go/pkg/mod/github.com/hashicorp/[email protected]/helper/resource/state.go:80 +0x1bf
```
The awsweeper policy is the following, with the latest version v0.10.1:
```yaml
aws_ecs_cluster:
  - tags:
      NOT(Owner): .*
```
Could you help to take a look?
It would be very useful if you could provide the possibility to delete any resource by ARN.
Hi There,
Awesome project, it would be fantastic if a Creation Date filter existed for all types of objects.
Cheers,
smarunich
Great tool, by far the best out of the several I've used.
I'd like to add some more resources, starting with aws_athena_named_query but possibly more in the future.
Is this guide still relevant, #21? It seems like you're working on a way to auto-generate the code. Would it be better to wait?
Thanks,
Requesting addition of AWS CloudTrail trails as time permits.
Hi @jckuester, just letting you know there may be a bug for aws_iam_user with #101.
I confirmed all the IAM users in my AWS account already have the Owner tag, and the awsweeper policy is the following:
```yaml
aws_iam_user:
  - tags:
      NOT(Owner): .*
```
The result after applying this policy shows it will filter out all IAM users, which actually shouldn't be filtered out.
For the other resources applying the same #101 pattern, they look good for now.
Feel free to let me know if anything is misconfigured on my side.
The fear I have with deleting by creation time is that I have old resources that are still being used. This is meaningful for things like CloudWatch Log Groups and IAM Access Keys.
Some of these are easy (e.g., IAM Access Keys have a last-used property) and some are less so (e.g., CloudWatch Log Groups last use time would be defined by the latest event in each Log Stream).
The addition of this functionality would make this tool incredibly useful to me.
Hi @jckuester, I just have a specific scenario.
I want to run awsweeper in AWS Lambda.
Things are quite good if I just deploy each Lambda with awsweeper in a different region, and awsweeper is working as expected in each region's Lambda.
But for cost reasons, setting up 4 NAT gateways for Lambda use in each region is quite expensive, as awsweeper needs to download something when running the command in Lambda.
So I just tried to set up 1 Lambda in a region basically running 4 cleanup commands, to save cost, with the following:
```
./bin/awsweeper --region ap-northeast-1 --dry-run ./config/aws_resource.yml
./bin/awsweeper --region ap-northeast-2 --dry-run ./config/aws_resource.yml
./bin/awsweeper --region ap-southeast-1 --dry-run ./config/aws_resource.yml
./bin/awsweeper --region ap-southeast-2 --dry-run ./config/aws_resource.yml
```
But I got the following in the CloudWatch log group, which implies the command is not running correctly:
```
• downloaded and installed provider name=aws version=2.59.0
--
| 2020-06-03T20:00:07.051+08:00 | • configured provider name=aws version=2.59.0
| 2020-06-03T20:00:07.095+08:00 | • SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)
| 2020-06-03T20:00:09.369+08:00 | panic: can't use ElementIterator on null value
| 2020-06-03T20:00:09.369+08:00 | goroutine 1 [running]:
| 2020-06-03T20:00:09.369+08:00 | github.com/zclconf/go-cty/cty.Value.ElementIterator(0x6378ba0, 0xc000506410, 0x0, 0x0, 0x10, 0x2)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1038 +0x101
| 2020-06-03T20:00:09.369+08:00 | github.com/zclconf/go-cty/cty.Value.AsValueMap(0x6378ba0, 0xc000506410, 0x0, 0x0, 0x1)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1243 +0xe5
| 2020-06-03T20:00:09.369+08:00 | github.com/cloudetc/awsweeper/pkg/resource.GetTags(0xc0008f3770, 0xb, 0xb, 0x0)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/git/github.com/cloudetc/awsweeper/pkg/resource/select.go:54 +0xe7
| 2020-06-03T20:00:09.369+08:00 | github.com/cloudetc/awsweeper/pkg/resource.Filter.Apply(0xc0004633e0, 0xc000ba2ea0, 0x3, 0x4, 0xc000ba2ea0, 0x3, 0x4)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/git/github.com/cloudetc/awsweeper/pkg/resource/select.go:15 +0x10a
| 2020-06-03T20:00:09.369+08:00 | github.com/cloudetc/awsweeper/pkg/resource.List(0xc000528170, 0xc000bc0000, 0xc00068e400, 0xc000440b20, 0x5ab8ee6, 0x6, 0xc00032a390, 0x0, 0x0)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/git/github.com/cloudetc/awsweeper/pkg/resource/list.go:56 +0x61f
| 2020-06-03T20:00:09.369+08:00 | main.mainExitCode(0x0)
| 2020-06-03T20:00:09.369+08:00 | /home/jan/git/github.com/cloudetc/awsweeper/main.go:157 +0xd77
| 2020-06-03T20:00:09.369+08:00 | main.main()
| 2020-06-03T20:00:09.369+08:00 | /home/jan/git/github.com/cloudetc/awsweeper/main.go:30 +0x22
| 2020-06-03T20:00:09.373+08:00 | [ERROR] CalledProcessError: Command '['./bin/awsweeper', '--region', 'ap-northeast-1', '--dry-run', './config/aws_resource.yml']' returned non-zero exit status 2. Traceback (most recent call last): File "/var/task/src/awsweeper.py", line 17, in lambda_handler output2 = subprocess.check_output(CMD2, universal_newlines=True) File "/var/lang/lib/python3.8/subprocess.py", line 411, in check_output return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, File "/var/lang/lib/python3.8/subprocess.py", line 512, in run raise CalledProcessError(retcode, process.args,
| 2020-06-03T20:00:09.374+08:00 | END RequestId: ae1b42fc-50be-4e77-8b27-ceb92a1664a1
```
The above 4 commands run fine on my local laptop.
So I just want to know if something in the code is not compatible with executing the command with --region ap-northeast-1 when this specific region is not the one the Lambda is deployed in.
i.e. I run `./bin/awsweeper --region ap-northeast-1 --dry-run ./config/aws_resource.yml` in one Lambda and the Lambda is deployed in ap-northeast-2.
The Lambda role is quite loose as I give the Lambda most power to run anything, so I think this error is not related to a permission issue.
Requesting addition of AWS Lambda functions as time permits.
Hi,
since you rely on Terraform resources, can you add aws_eks_cluster support?
Thanks!
Requesting addition of AWS GuardDuty as time permits.
Was testing this running in an EC2 instance with an admin IAM role and it hangs:
```
./awsweeper --region us-east-1 --dry-run dev.yml
INFO[0000] using region: us-east-1
```
Haven't had time to dig into why it would be permanently hanging here. Initial permissions tested were:
```
"ec2:Delete*",
"ec2:Describe*",
"ec2:Disassociate*",
"ec2:TerminateInstances"
```
Changed that to an admin role and still hangs. Any ideas?
Requesting addition of AWS SNS Topics and Subscriptions as time permits.
Requesting addition of AWS Directory Service and AWS Workspaces as time permits.
When executing awsweeper 0.4.1 on macos 10.15.3 against either us-gov-west-1 or us-gov-east-1, AWS GovCloud regions, the route53 hosted zones appear in --dry-run mode but are not deleted when the parameter is removed. Command was invoked with full administrator privileges with no policies prohibiting hosted zone deletion.
The following explanation hopefully makes it easy to contribute the resources you need to this project. As an example, we go through adding the resource aws_vpc (which is already supported).
1) Add Terraform type ID of the new resource type
Find the Terraform name of the AWS resource type to support (here is a list of all existing resource types) and add it to resource/supported.go.
```go
Vpc TerraformResourceType = "aws_vpc"
```
2) Add function to list resources
Add here a function that lists all resources of the new resource type. For this you need to find the method of the AWS Go API to list all VPCs (you find it by looking in the Go doc of the AWS API).
```go
// vpcs lists every VPC in the configured region through the EC2 API.
func (a *AWS) vpcs() (interface{}, error) {
	output, err := a.DescribeVpcs(&ec2.DescribeVpcsInput{})
	if err != nil {
		return nil, err
	}
	return output.Vpcs, nil
}
```
Supported resources need to be added to resource/supported.go.
3) Add delete ID
The field name of the ID used by Terraform to delete the resource. For this we actually have to look in the delete method of the AWS provider for the VPC.
```go
var (
	deleteIDs = map[TerraformResourceType]string{
		...
		Vpc: "VpcId",
		...
	}
)
```
4) Add custom filter method
In most cases this can be left as filterGeneric. Some resources require custom filter methods.
5) Integration tests
Solid testing is necessary, since we don't want this tool to delete resources unexpectedly :-) Integration tests for each resource have their own file; the ones for aws_vpc are in test/vpc_test.go.
The test for each resource is structured as follows:
aws_vpc (one with ID/tag foo, another with ID/tag bar)
Suggestion to not use the aws sdk describe-* API to enumerate instances; instead use the output of Terraform data lookups. This makes more sense since we use Terraform to delete resources, so why not offload discovery too.
```hcl
data "aws_instances" "ec2" {
  instance_tags = {
    Name = "*"
  }
  instance_state_names = ["running", "stopped"]
}

output "ec2" {
  value = "${data.aws_instances.ec2.ids}"
}
```
Hey,
There are a few parts in the code structure that can be improved.
For instance, the wipe functionality cannot be imported and executed by another project because it's highly coupled to CLI args and prints the output directly to stdout.
By decoupling the wiping functionality and keeping command/* only to convert CLI args into input params for the existing functionality, the project can be used both ways, either from the CLI or from code.
Another thing that I think can be improved is logging.
I can see that currently the project is using all of log, logrus and cli.UI to output messages and logs.
This could be unified as well.
Let me know if you agree and need help to improve this. :)
Would be happy to help if I can.
Regards
Hello folks,
I just discovered awsweeper and I'm wondering about the usage of the --region option.
With no AWS related environment variables, I see something strange:
```
$ env | grep AWS
$ awsweeper --region eu-west-3 --dry-run --output yaml awsweeper.yml | cksum
INFO[0001] This is a test run, nothing will be deleted!
3240463751 18140
awsweeper --region eu-west-1 --dry-run --output yaml awsweeper.yml | cksum
INFO[0001] This is a test run, nothing will be deleted!
3240463751 18140
```
Both calls list the same resources, but if I set AWS_DEFAULT_REGION:
```
export AWS_DEFAULT_REGION=eu-west-3
awsweeper --dry-run --output yaml awsweeper.yml | cksum
INFO[0001] This is a test run, nothing will be deleted!
3240463751 18140
export AWS_DEFAULT_REGION=eu-west-1
awsweeper --dry-run --output yaml awsweeper.yml | cksum
INFO[0001] This is a test run, nothing will be deleted!
3032715009 2173
```
My awsweeper.yml is just a list of resources without any filters, like:
```
head awsweeper.yml
---
aws_instance:
aws_autoscaling_group:
aws_ebs_snapshot:
aws_ebs_volume:
```
Thanks for any feedback!
When executing awsweeper 0.4.1 on macos 10.15.3 against either us-gov-west-1 or us-gov-east-1, AWS GovCloud regions, the s3 buckets appear in --dry-run mode but are not deleted when the parameter is removed. Command was invoked with full administrator privileges with no policies prohibiting bucket deletion.
Hi - I am trying to get the project and try it out, but I get this error, please advise, thank you.
```
github.com/aws/aws-sdk-go/service/ec2/ec2iface
github.com/cloudetc/awsweeper/resource
github.com/cloudetc/awsweeper/command
go/src/github.com/cloudetc/awsweeper/command/wrapped_main.go:137:27: cannot use conf (type *"github.com/hashicorp/terraform/terraform".ResourceConfig) as type *"github.com/terraform-providers/terraform-provider-aws/vendor/github.com/hashicorp/terraform/terraform".ResourceConfig in argument to p.Validate
go/src/github.com/cloudetc/awsweeper/command/wrapped_main.go:146:23: cannot use conf (type *"github.com/hashicorp/terraform/terraform".ResourceConfig) as type *"github.com/terraform-providers/terraform-provider-aws/vendor/github.com/hashicorp/terraform/terraform".ResourceConfig in argument to p.Configure
go/src/github.com/cloudetc/awsweeper/command/wrapped_main.go:151:9: cannot use &p (type *"github.com/terraform-providers/terraform-provider-aws/vendor/github.com/hashicorp/terraform/terraform".ResourceProvider) as type *"github.com/hashicorp/terraform/terraform".ResourceProvider in return argument:
*"github.com/hashicorp/terraform/terraform".ResourceProvider is pointer to interface, not interface
```
Requesting addition of AWS Certificate Manager (ACM) as time permits.
We have some corporate governance stuff applied over my company's 100+ AWS accounts. We developers use Terraform, the corporate governance resources are created using CloudFormation.
I'm trying to nuke all security groups created by developers, while not touching the ones generated by our overlords.
```yaml
aws_security_group:
  - tags
      "aws:cloudformation:logical-id": NOT(.*)
```
tags is supposed to be a map, and since the key has colons in it, I believe I'm supposed to wrap it in quotation marks so the parser doesn't freak out. But when I do this (0.5.0 release), I get the following error message:
```
failed to unmarshal config: config.yml error=yaml: line 67: mapping values are not allowed in this context
```
Is there a schema I can look at, are the docs incorrect, or is it because of my weird YAML key? This issue seems a little different from #45, but maybe I'm wrong and they're related?
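As an added example (not awsweeper's own code), here is a Go model of the filter semantics the questions on this page turn on: NOT(...) on an id, a tag value such as `environment: NOT(play)`, the `NOT(Owner): .*` form used for a missing tag, and a quoted `aws:cloudformation:logical-id` key as in the config above. It assumes anchored regex matching and that separate list entries are alternatives; both are assumptions about the config language, not statements from the project's documentation, and the type and function names are invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Resource struct {
	ID   string
	Tags map[string]string
}

// Filter is one list entry under a resource type. Patterns in one entry are ANDed;
// separate entries are alternatives (an assumption about the config semantics).
type Filter struct {
	ID   string
	Tags map[string]string
}

// matcher is one compiled pattern: NOT(x) negates, and matching is anchored
// (assumption), so "Kentik" is exact and ".*Kentik.*" is needed for a substring.
type matcher struct {
	re     *regexp.Regexp
	negate bool
}

func compile(p string) (matcher, error) {
	m := matcher{}
	if strings.HasPrefix(p, "NOT(") && strings.HasSuffix(p, ")") {
		m.negate = true
		p = p[len("NOT(") : len(p)-1]
	}
	re, err := regexp.Compile("^(?:" + p + ")$")
	if err != nil {
		return m, fmt.Errorf("pattern %q: %w", p, err)
	}
	m.re = re
	return m, nil
}

func (m matcher) match(s string) bool { return m.re.MatchString(s) != m.negate }

// matches applies one entry. A plain tag key means "has a tag with this key whose
// value matches" (environment: NOT(play) requires the tag, with another value);
// NOT(key): .* means "has no such tag", which is the NOT(Owner) pattern used above.
func (f Filter) matches(r Resource) (bool, error) {
	if f.ID != "" {
		m, err := compile(f.ID)
		if err != nil || !m.match(r.ID) {
			return false, err
		}
	}
	for keyPat, valPat := range f.Tags {
		km, err := compile(keyPat)
		if err != nil {
			return false, err
		}
		vm, err := compile(valPat)
		if err != nil {
			return false, err
		}
		found := false
		for k, v := range r.Tags {
			if km.re.MatchString(k) && vm.match(v) {
				found = true
				break
			}
		}
		if found == km.negate {
			return false, nil
		}
	}
	return true, nil
}

func Select(filters []Filter, rs []Resource) ([]string, error) {
	var ids []string
	for _, r := range rs {
		for _, f := range filters {
			ok, err := f.matches(r)
			if err != nil {
				return nil, err
			}
			if ok {
				ids = append(ids, r.ID)
				break
			}
		}
	}
	return ids, nil
}

func main() {
	// Constructed sample: one CloudFormation-managed group, one hand-made; NOT(key): .* keeps only the latter.
	sgs := []Resource{{ID: "sg-cfn", Tags: map[string]string{"aws:cloudformation:logical-id": "WebSg"}},
		{ID: "sg-dev", Tags: map[string]string{"Name": "scratch"}}}
	ids, err := Select([]Filter{{Tags: map[string]string{"NOT(aws:cloudformation:logical-id)": ".*"}}}, sgs)
	fmt.Println(ids, err) // [sg-dev] <nil>
}
```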
Requesting addition of load balancer (ALB) and network load balancer (NLB) support within the AWS EC2 service as only elastic load balancers are supported.
Requesting addition of AWS Relational Database (RDS) as time permits. Initially focusing on the deletion of the database instances themselves.
FYI I submitted a pr to get awsweeper into Homebrew: Homebrew/homebrew-core#33984
Requesting addition of AWS CloudWatch Logs, Alarms, and Events as time permits.
I have a number of users defined in my aws credentials file that I would like to run awsweeper against, but in different regions. I have observed the following behaviour (all done using the --dry-run option):
When my credentials do not contain a region (which is what I want), I get the following response: `err: Not a valid region:`
That is what I expected. However, when supplying the --region override for any region in which I have resources (along with the relevant --profile), it returns no resources. Running a describe on the resource with the same --profile and --region using the aws cli, I see the resources I expect.
When my credentials do contain a region, everything works fine.
When my credentials do contain a region, and I try to override it with the --region flag, it still just runs against the region defined in the credentials. So the override does not seem to work.
The behaviour I expected was that if I had credentials defined with or without a region, using the --region override would cause awsweeper to honour this override.
Hi! I'm using awsweeper v0.3.2 (binary release off github) with the following config file:
```yaml
aws_ami:
aws_autoscaling_group:
aws_cloudformation_stack:
aws_ebs_snapshot:
aws_ebs_volume:
aws_efs_file_system:
aws_eip:
aws_elb:
aws_iam_group:
aws_iam_instance_profile:
aws_iam_policy:
aws_iam_role:
  - id: OrganizationAccountAccessRole
aws_iam_user:
aws_instance:
aws_internet_gateway:
aws_key_pair:
#aws_kms_alias:
#aws_kms_key:
aws_launch_configuration:
aws_nat_gateway:
aws_network_acl:
aws_network_interface:
aws_route53_zone:
aws_route_table:
aws_s3_bucket:
aws_security_group:
aws_subnet:
aws_vpc:
aws_vpc_endpoint:
```
The role with id OrganizationAccountAccessRole is deleted anyway. --dry-run shows OrganizationAccountAccessRole as the id of the resource, so it's not like the problem is that it's secretly using an ARN as the id or anything.
When leveraging the entire all.yml services list and using 0.4.1 on macos 10.15.3 against the AWS GovCloud regions us-gov-west-1 and us-gov-east-1, where resource counts are higher than 800 per service, awsweeper hangs and often needs to have the config file only include a subset, or each service individually.
Had to break ebs, eip, and security groups out to individual executions. Also, it appears as though vpc peering and public ip associations make it difficult to easily delete vpc's.
For me, the tags filter is not working... I have multiple resources that have the tag environment: test. However, when I run the following config:
```yaml
aws_ami:
  - tags:
      environment: test
aws_autoscaling_group:
  - tags:
      environment: test
aws_cloudformation_stack:
  - tags:
      environment: test
aws_ebs_snapshot:
  - tags:
      environment: test
aws_ebs_volume:
  - tags:
      environment: test
aws_efs_file_system:
  - tags:
      environment: test
aws_eip:
  - tags:
      environment: test
aws_elb:
  - tags:
      environment: test
aws_iam_group:
  - tags:
      environment: test
aws_iam_instance_profile:
  - tags:
      environment: test
aws_iam_policy:
  - tags:
      environment: test
aws_iam_role:
  - tags:
      environment: test
aws_iam_user:
  - tags:
      environment: test
aws_instance:
  - tags:
      environment: test
aws_internet_gateway:
  - tags:
      environment: test
aws_key_pair:
  - tags:
      environment: test
aws_kms_alias:
  - tags:
      environment: test
aws_kms_key:
  - tags:
      environment: test
aws_launch_configuration:
  - tags:
      environment: test
aws_nat_gateway:
  - tags:
      environment: test
aws_network_acl:
  - tags:
      environment: test
aws_network_interface:
  - tags:
      environment: test
aws_route53_zone:
  - tags:
      environment: test
aws_route_table:
  - tags:
      environment: test
aws_s3_bucket:
  - tags:
      environment: test
aws_security_group:
  - tags:
      environment: test
aws_subnet:
  - tags:
      environment: test
aws_vpc:
  - tags:
      environment: test
aws_vpc_endpoint:
  - tags:
      environment: test
```
To me it looks like awsweeper doesn't support filtering by tags for all the AWS resources that officially support tags (e.g. aws_iam_role) in Terraform. Is that possible?