If you have a lot of resources in a lot of regions, it can take a long time to process everything, it might be nice to allow for something like terraform where you can output a "plan" and review it, then run the command a second time with it as an input and then the tool doesn't have to query resources a second time, it can just immediately move to removal state.

It could be useful to add some Bedrock resources.

SDK go reference: https://docs.aws.amazon.com/sdk-for-go/api/service/bedrock/

• https://www.conventionalcommits.org/en/v1.0.0/
• https://semantic-release.gitbook.io/semantic-release/

We're tagging all of our resources we want to keep from nuking with a specific tag.

Is it possible to do something like this in the config:

presets:
  keep-tag:
    filters:
      *:
        - property: 'tag:nuke.keep'
          value: 'true'

Adding common templates that can help users get started that protect common resources like SSO or control tower would be useful.

Ideas:

• filter SSO
• filter Control Tower

Resources:

• https://github.com/mmunem/dcect/blob/master/cmd/codebuild/reset/default-nuke-config-template.yml

Unrelated, but mentioning, in case I did something wrong, or something wrong with the build process

I did try to build the docker image locally, and run the binary from the container, but something seemed to be not right with the resulting binary:

in aws-nuke on  fix-aws-parition-detection via 🐳 desktop-linux 🐹
❯ history | grep build
  522  rg build
  524  docker build -t aws-nuke:fix-aws-parition-detection .
  525  docker run -w /config -v $(pwd):/config --entrypont sh aws-nuke:fix-aws-parition-detection

/config $ /usr/local/bin/aws-nuke -c /config/forked-nuke.yaml  --force --quiet --assume-role-arn arn:aws:iam::983055175492:role/shared-services-nuke-role
sh: /usr/local/bin/aws-nuke: not found
/config $ ls /usr/local/bin/aws-nuke
/usr/local/bin/aws-nuke
/config $ /usr/local/bin/aws-nuke
sh: /usr/local/bin/aws-nuke: not found
/config $ file /usr/local/bin/aws-nuke
sh: file: not found
/config $ /usr/local/bin/aws-nuke
sh: /usr/local/bin/aws-nuke: not found
/config $ ls -lrtha /usr/local/bin/aws-nuke
-rwxr-xr-x    1 root     root      213.8M Apr 17 07:38 /usr/local/bin/aws-nuke
/config $ chmod +x /usr/local/bin/aws-nuke
chmod: /usr/local/bin/aws-nuke: Operation not permitted
/config $ cd /usr/local/bin/
/usr/local/bin $ ls
aws-nuke
/usr/local/bin $ ls -lrtha
total 214M
drwxr-xr-x    1 root     root        4.0K Jan 26 17:53 ..
-rwxr-xr-x    1 root     root      213.8M Apr 17 07:38 aws-nuke
drwxr-xr-x    1 root     root        4.0K Apr 17 07:38 .
/usr/local/bin $ ./aws-nuke
sh: ./aws-nuke: not found

Originally posted by @stv-io in #142 (comment)

Hi, I've been trying this fork after discovering it from rebuy-de/aws-nuke#1187 (comment)

I had CI pipelines which I adapted to use this image (keeping in mind the breaking changes). One thing which caused me a bit of pain, was that with the following env vars set AWS_REGION and AWS_DEFAULT_REGION (to eu-west-1 in my case) the cli was exiting with a misleading and confusing error:

time="2024-04-16T14:28:47Z" level=error msg="the custom region 'eu-west-1' must be specified in the configuration 'endpoints'"
time="2024-04-16T14:28:47Z" level=fatal msg="the custom region 'eu-west-1' must be specified in the configuration 'endpoints'"

I have just gotten around to figuring this out, let me know if I can provide additional context.

I plan to come back to this issue if I find anything out

I'm very happy to see this issue already exists, as I was disappointed to see that there are quite a lot of resource types where tags are not fetched. By my very rough count (grep'ing for tag in the resources/ folder) only 127 out of 471 resource types get tags, which is both better (total number) and worse (percentage) than the original rebuy.de version's 117 out of 428.

I would like to suggest that there may be a less time-consuming way to get tags for resource types that don't currently support this. The AWS Resource Groups Tagging API supports many, but not all, AWS services and it's not too hard to get tags for all resources using that API and it would then be possible to merge them into the properties for any resource.

If there's any interest in this, I'd be glad to contribute at least some initial code.

Originally posted by @dupuyarc in #118 (comment)

A common use case for aws-nuke is to run it on a schedule on sandbox / development account. AWS Even provides prescriptive guidance using eventBridge and CodeDeploy to run aws-nuke across multiple regions or in a hub-and-spoke setup.

Would it make sense to have a CDK Construct to deploy aws-nuke this way?

There are a few options here.

1. allow overriding all "strings" that are in the alias, i.e. people might use live vs prod and might want to prevent running against those.
2. allow bypassing this check, possibly implement like bypass alias check https://ekristen.github.io/aws-nuke/features/bypass-alias-check/

Recently discovered that the S3Bucket delete ends up blocking if there are a lot of objects and versions in the bucket. It would be good to refactor this to run as a goroutine in the background while other resources cleanup and the loops occur.

We tag our resources that we want to keep from nuking with key do-not-nuke and value true, then we add this to filter section - and for majority of resources it works. But for some resources it's ignored. For example we tagged a Sagemaker domain:

And using filter similar to this one:

accounts:
  '123456789':
    filters:
      SageMakerDomain:
      - property: "tag:do-not-nuke"
        value: "true"

Similar setup works for majority of other resources, yet here we're getting output

us-west-2 - SageMakerDomain - d-lkdfjldfadsf - [DomainID: "d-lkdfjldfadsf"] - would remove

is it a bug, or some omission on our side? How do we make it respect the tags?

SageMakerUserProfiles
ECSCluster
ServiceDiscoveryNamespace
SQSQueue
CognitoUserPoolDomain
CognitoUserPoolClient
CognitoUserPool
CognitoIdentityProvider
ElasticacheSubnetGroup
ElasticacheCacheCluster

Originally posted by @YuriGal in #110 (comment)

Reference: #76 (comment)

Part of my filter is set like this

      EC2InternetGatewayAttachment:
      - property: "vpc:OwnerID"
        value: "123456789"
      EC2RouteTable:
      - property: "OwnerID"
        value: "123456789"
      EC2DHCPOption:
      - property: "OwnerID"
        type: "regex"
        value: "(123456789|987654321)"

The account has resources with Owner ID that match the filter. The original nuke had those filtered out. The fork still goes

us-west-2 - EC2InternetGatewayAttachment - igw-03be1339519e46fa9 -> vpc-0debf6fec89321668 - [DefaultVPC: "false"] - would remove
us-west-2 - EC2DHCPOption - dopt-0c578847d991d4df5 - [DefaultVPC: "false"] - would remove
us-west-2 - EC2RouteTable - rtb-0d7b4aa83ad8d4a37 - [DefaultVPC: "false", vpcID: "vpc-0debf6fec89321668"] - would remove

Would it be possible to have those filtered out? Not sure if there're other resources with the same issue, but these 3 definetely have it.

Thanks for your work on this fork and maintaining aws-nuke! I noticed that there are several PRs in the original project repo (like this one) that might be a good idea to merge (manually) into this fork. Any plans to do this?

upstream issue rebuy-de/aws-nuke#817

Reference: #76 (comment)

Users want the ability to skip the AWS Alias check for a number of good reasons. This implements that request but in a way that keeps the safeguards in place.

Upstream References

• rebuy-de/aws-nuke#971
• rebuy-de/aws-nuke#983
• rebuy-de/aws-nuke#997

In rebuy.de/aws-nuke the current SageMakerApp implementation doesn't support deleting apps with a SpaceName. Also, SageMaker Spaces are not currently supported.

This issue duplicates rebuy-de/aws-nuke#1184 to implement the feature in ekristen/aws-nuke

When an EC2 instance is terminated, the instance stays in the terminated state for about an hour, then it disappears from the AWS account. The problem with this is that once aws-nuke finishes by terminating all EC2 instances in the AWS account, the EC2 instances are still leftover in the account. So if subsequent infrastructure migrations create EC2 instances with names (using the Name tag), then the migrations could run into issues because there are now multiple EC2 instances with the same name. For example, a running instance and a terminated instance both with the Name tag value of "webserver". So it might be a good idea if aws-nuke deletes the tags of all EC2 instances before terminating them.

During run the nuke logs errors about problems I have no control over, for example

time="2024-02-22T16:06:58Z" level=error msg="Listing FMSNotificationChannel failed:\n    AccessDeniedException: Operation GetNotificationChannel is only available to AWS Firewall Manager Administrators.\n    \tstatus code: 400, request id: db521f67-5dc4-40b4-b0b5-7cf7501841d0" error="AccessDeniedException: Operation GetNotificationChannel is only available to AWS Firewall Manager Administrators.\n\tstatus code: 400, request id: db521f67-5dc4-40b4-b0b5-7cf7501841d0"

time="2024-02-22T16:06:59Z" level=error msg="Listing ECRPublicRepository failed:\n    UnsupportedCommandException: DescribeRepositories command is only supported in us-east-1." error="UnsupportedCommandException: DescribeRepositories command is only supported in us-east-1."

time="2024-02-22T16:06:59Z" level=error msg="Listing FMSPolicy failed:\n    AccessDeniedException: Operation ListPolicies is only available to AWS Firewall Manager Administrators.\n    \tstatus code: 400, request id: 1765d4b5-1813-4e76-b8df-7ce3db7ee609" error="AccessDeniedException: Operation ListPolicies is only available to AWS Firewall Manager Administrators.\n\tstatus code: 400, request id: 1765d4b5-1813-4e76-b8df-7ce3db7ee609"

time="2024-02-22T16:07:00Z" level=fatal msg="*resources.SNSSubscription does not support custom properties"

If I remember correctly original nuke also detected these errors, but allowed execution to continue, with nuking the resources it could nuke. I believe the fork exits with the status code 1, which fails the entire run.

Is it possible to ignore errors such as mentioned above?

An upstream user @williamorrie requested Glue Security Configuration be added to the tool back on January 8th, 2024.

Ref: rebuy-de/aws-nuke#1177

Rather than rely on string parsing such as this tool oijkn/aws-nuke-exporter, aws-nuke could have an option to output structured logs (--output or --json flag).

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• fix(deps): update module github.com/aws/aws-sdk-go to v1.53.4
• fix(deps): update module github.com/ekristen/libnuke to v0.14.2
• fix(deps): update module github.com/fatih/color to v1.17.0
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Could you please add --max-wait-retries option that the original nuke had? it tells it how many times it can retry for waiting resources. e.g.

aws-nuke nuke --config nuke-config.yml  --max-wait-retries 10 

will retries 10 times and if not done by then - exits with status 255 and message "Error: Max wait retries of 10 exceeded"

There are times that secrets can be managed by AWS, they need to be automatically filtered.

Upstream Ref: rebuy-de/aws-nuke#1204