Add automated cleanup for CI resources (#2814)

* Add automated cleanup for CI resources
Josh Brand 3 years ago committed by GitHub
parent ed9f2b2730
commit 7d49a3a06b

@ -0,0 +1,92 @@
name: test-ci-cleanup-oss
on:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '05 02 * * *'
jobs:
setup:
runs-on: ubuntu-latest
outputs:
regions: ${{steps.setup.outputs.regions}}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Get all regions
id: setup
run: |
echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> $GITHUB_OUTPUT
echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
- name: Get account ID
id: setup_aws
run: |
echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
aws-nuke:
needs: setup
runs-on: ubuntu-latest
container:
image: rebuy/aws-nuke
options:
--user root
-t
env:
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
TIME_LIMIT: "72h"
timeout-minutes: 60
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- uses: actions/checkout@v3
- name: Configure
run: |
cp enos/ci/aws-nuke.yml .
echo "test: ${{ needs.setup.output.account_num }}"
sed -i "s/ACCOUNT_NUM/${{ needs.setup.output.account_num }}/g" aws-nuke.yml
sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
# We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
# we'll fail on actually actionable things in the quota steep afterwards.
- name: Clean up abandoned resources
# Filter STDERR because it's super noisy about things we don't have access to
run: |
aws-nuke -c aws-nuke.yml -q --no-dry-run --force 2>/tmp/aws-nuke-error.log || true
check-quotas:
needs: [ setup, aws-nuke ]
runs-on: ubuntu-latest
container:
image: jantman/awslimitchecker
env:
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID_CI }}
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY_CI }}
strategy:
matrix:
region: ${{ fromJSON(needs.setup.outputs.regions) }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
# Currently just checking VPC limits across all region, can add more checks here in future
- name: Check AWS Quotas
run: awslimitchecker -S "VPC" -r ${{matrix.region}}
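Review bot: The account number never reaches aws-nuke.yml: `sed -i "s/ACCOUNT_NUM/${{ needs.setup.output.account_num }}/g"` uses the context `output` (it is `outputs`), the step writes `account_id` rather than `account_num`, and the `setup` job only exports `regions` under `outputs:`, so the expression expands to an empty string, the config ends up with an empty account key, and whatever aws-nuke then does is hidden by `|| true`. Fix by adding `account_id: ${{ steps.setup.outputs.account_id }}` under `outputs:`, referencing `${{ needs.setup.outputs.account_id }}` in the sed, and deriving the value with `aws sts get-caller-identity --query Account --output text` instead of the IMDS `curl`, since a hosted `ubuntu-latest` runner is not an EC2 instance and the same curl is duplicated across the `setup` and `setup_aws` steps. Because stderr goes to `/tmp/aws-nuke-error.log` and nothing reads or uploads it, permission and configuration failures of the `--no-dry-run --force` run are invisible; tail the log in the step or attach it with an upload-artifact step so AccessDenied noise can at least be reviewed. The workflow also declares no `permissions:` block, so the job token gets the repository default instead of `contents: read`, which is all `actions/checkout` needs here.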

.gitignore vendored

@ -135,7 +135,8 @@ enos/.terraform/*
enos/.terraform.lock.hcl
enos/*.tfstate
enos/*.tfstate.*
enos/ci/*/.terraform/*
enos/ci/*/.terraform.lock.hcl
# vim: set filetype=conf :
# CRT (Common Release Tooling)

@ -0,0 +1,395 @@
regions:
- eu-north-1
- ap-south-1
- eu-west-3
- eu-west-2
- eu-west-1
- ap-northeast-3
- ap-northeast-2
- ap-northeast-1
- sa-east-1
- ca-central-1
- ap-southeast-1
- ap-southeast-2
- eu-central-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- global
account-blocklist:
- 1234567890
accounts:
# replaced in CI
ACCOUNT_NUM:
presets:
- default
- olderthan
- honeybee
- enos
presets:
default:
# Ignores default VPC resources
filters:
EC2VPC:
- property: IsDefault
value: "true"
EC2RouteTable:
- property: DefaultVPC
value: "true"
EC2DHCPOption:
- property: DefaultVPC
value: "true"
EC2InternetGateway:
- property: DefaultVPC
value: "true"
EC2Subnet:
- property: DefaultVPC
value: "true"
EC2InternetGatewayAttachment:
- property: DefaultVPC
value: "true"
olderthan:
# Filters resources by age (when available)
# TIME_LIMIT replaced in CI
filters:
EC2Instance:
- property: LaunchTime
type: dateOlderThan
value: "TIME_LIMIT"
EC2NetworkACL:
EC2RouteTable:
EC2SecurityGroup:
EC2Subnet:
EC2Volume:
EC2VPC:
- property: tag:cloud-nuke-first-seen
type: dateOlderThan
value: "TIME_LIMIT"
ELBv2:
- property: tag:cloud-nuke-first-seen
type: dateOlderThan
value: "TIME_LIMIT"
ELBv2TargetGroup:
EC2NetworkInterface:
EC2InternetGateway:
EC2InternetGatewayAttachment:
RDSInstance:
- property: InstanceCreateTime
type: dateOlderThan
value: "TIME_LIMIT"
honeybee:
# Cloudsec
filters:
IAMRole:
- property: tag:hc-config-as-code
value: "honeybee"
IAMRolePolicy:
- property: tag:role:hc-config-as-code
value: "honeybee"
IAMRolePolicyAttachment:
- property: tag:role:hc-config-as-code
value: "honeybee"
enos:
# Existing CI to be cleaned up later
filters:
LambdaFunction:
- property: Name
value: "enos_cleanup"
IAMRole:
- property: Name
type: glob
value: "github_actions-*"
- property: Name
value: "rds-monitoring-role"
IAMRolePolicy:
- property: role:RoleName
type: glob
value: "github_actions*"
- property: role:RoleName
type: glob
value: "rds-*"
IAMRolePolicyAttachment:
- "rds-monitoring-role -> AmazonRDSEnhancedMonitoringRole"
IAMUserPolicy:
- "github_actions-boundary_ci -> AssumeServiceUserRole"
- "github_actions-boundary_enterprise_ci -> AssumeServiceUserRole"
resource-types:
# Run against everything, excluding these:
excludes:
# Avoid cloudsec things
- IAMUser
- IAMPolicy
- IAMUserAccessKey
- S3Object
- S3Bucket
- EC2KeyPair
- CloudWatchEventsTarget
- CloudWatchEventsRule
- CloudWatchLogsLogGroup
- ConfigServiceConfigurationRecorder
- ConfigServiceConfigRule
- ConfigServiceDeliveryChannel
- CloudTrailTrail
- RDSSnapshot
- RDSClusterSnapshot
- WAFWebACL
- WAFv2WebACL
- WAFRegionalWebACL
- GuardDutyDetector
# Unused services, filtering these speeds up runs and
# removes errors about things we don't have enabled
- ACMCertificate
- ACMPCACertificateAuthority
- ACMPCACertificateAuthorityState
- AMGWorkspace
- AMPWorkspace
- APIGatewayAPIKey
- APIGatewayClientCertificate
- APIGatewayDomainName
- APIGatewayRestAPI
- APIGatewayUsagePlan
- APIGatewayV2API
- APIGatewayV2VpcLink
- APIGatewayVpcLink
- AWS::AppFlow::ConnectorProfile
- AWS::AppFlow::Flow
- AWS::AppRunner::Service
- AWS::ApplicationInsights::Application
- AWS::Backup::Framework
- AWS::MWAA::Environment
- AWS::NetworkFirewall::Firewall
- AWS::NetworkFirewall::FirewallPolicy
- AWS::NetworkFirewall::RuleGroup
- AWS::Synthetics::Canary
- AWS::Timestream::Database
- AWS::Timestream::ScheduledQuery
- AWS::Timestream::Table
- AWS::Transfer::Workflow
- AWSBackupPlan
- AWSBackupRecoveryPoint
- AWSBackupSelection
- AWSBackupVault
- AWSBackupVaultAccessPolicy
- AccessAnalyzer
- AppMeshMesh
- AppMeshRoute
- AppMeshVirtualGateway
- AppMeshVirtualNode
- AppMeshVirtualRouter
- AppMeshVirtualService
- AppStreamDirectoryConfig
- AppStreamFleet
- AppStreamFleetState
- AppStreamImage
- AppStreamImageBuilder
- AppStreamImageBuilderWaiter
- AppStreamStack
- AppStreamStackFleetAttachment
- AppSyncGraphqlAPI
- ApplicationAutoScalingScalableTarget
- ArchiveRule
- AthenaNamedQuery
- AthenaWorkGroup
- BatchComputeEnvironment
- BatchComputeEnvironmentState
- BatchJobQueue
- BatchJobQueueState
- BillingCostandUsageReport
- Budget
- Cloud9Environment
- CloudDirectoryDirectory
- CloudDirectorySchema
- CodeArtifactDomain
- CodeArtifactRepository
- CodeBuildProject
- CodeCommitRepository
- CodeDeployApplication
- CodePipelinePipeline
- CodeStarConnection
- CodeStarNotificationRule
- CodeStarProject
- CognitoIdentityPool
- CognitoIdentityProvider
- CognitoUserPool
- CognitoUserPoolClient
- CognitoUserPoolDomain
- ComprehendDocumentClassifier
- ComprehendDominantLanguageDetectionJob
- ComprehendEndpoint
- ComprehendEntitiesDetectionJob
- ComprehendEntityRecognizer
- ComprehendKeyPhrasesDetectionJob
- ComprehendSentimentDetectionJob
- ConfigServiceConfigRule
- ConfigServiceConfigurationRecorder
- ConfigServiceDeliveryChannel
- DAXCluster
- DAXParameterGroup
- DAXSubnetGroup
- DataPipelinePipeline
- DatabaseMigrationServiceCertificate
- DatabaseMigrationServiceEndpoint
- DatabaseMigrationServiceEventSubscription
- DatabaseMigrationServiceReplicationInstance
- DatabaseMigrationServiceReplicationTask
- DatabaseMigrationServiceSubnetGroup
- DeviceFarmProject
- DirectoryServiceDirectory
- EC2ClientVpnEndpointAttachment
- EC2ClientVpnEndpoint
- EC2DefaultSecurityGroupRule
- FMSNotificationChannel
- FMSPolicy
- FSxBackup
- FSxFileSystem
- FirehoseDeliveryStream
- GlobalAccelerator
- GlobalAcceleratorEndpointGroup
- GlobalAcceleratorListener
- GlueClassifier
- GlueConnection
- GlueCrawler
- GlueDatabase
- GlueDevEndpoint
- GlueJob
- GlueTrigger
- Inspector2
- InspectorAssessmentRun
- InspectorAssessmentTarget
- InspectorAssessmentTemplate
- IoTAuthorizer
- IoTCACertificate
- IoTCertificate
- IoTJob
- IoTOTAUpdate
- IoTPolicy
- IoTRoleAlias
- IoTStream
- IoTThing
- IoTThingGroup
- IoTThingType
- IoTThingTypeState
- IoTTopicRule
- KendraIndex
- KinesisAnalyticsApplication
- KinesisStream
- KinesisVideoProject
- LexBot
- LexIntent
- LexModelBuildingServiceBotAlias
- LexSlotType
- LifecycleHook
- LightsailDisk
- LightsailDomain
- LightsailInstance
- LightsailKeyPair
- LightsailLoadBalancer
- LightsailStaticIP
- MQBroker
- MSKCluster
- MSKConfiguration
- MachineLearningBranchPrediction
- MachineLearningDataSource
- MachineLearningEvaluation
- MachineLearningMLModel
- Macie
- MediaConvertJobTemplate
- MediaConvertPreset
- MediaConvertQueue
- MediaLiveChannel
- MediaLiveInput
- MediaLiveInputSecurityGroup
- MediaPackageChannel
- MediaPackageOriginEndpoint
- MediaStoreContainer
- MediaStoreDataItems
- MediaTailorConfiguration
- MobileProject
- NeptuneCluster
- NeptuneInstance
- NetpuneSnapshot
- OpsWorksApp
- OpsWorksCMBackup
- OpsWorksCMServer
- OpsWorksCMServerState
- OpsWorksInstance
- OpsWorksLayer
- OpsWorksUserProfile
- QLDBLedger
- RoboMakerRobotApplication
- RoboMakerSimulationApplication
- RoboMakerSimulationJob
- SESConfigurationSet
- SESIdentity
- SESReceiptFilter
- SESReceiptRuleSet
- SESTemplate
- SSMActivation
- SSMAssociation
- SSMDocument
- SSMMaintenanceWindow
- SSMParameter
- SSMPatchBaseline
- SSMResourceDataSync
- SageMakerApp
- SageMakerDomain
- SageMakerEndpoint
- SageMakerEndpointConfig
- SageMakerModel
- SageMakerNotebookInstance
- SageMakerNotebookInstanceLifecycleConfig
- SageMakerNotebookInstanceState
- SageMakerUserProfiles
- ServiceCatalogConstraintPortfolioAttachment
- ServiceCatalogPortfolio
- ServiceCatalogPortfolioProductAttachment
- ServiceCatalogPortfolioShareAttachment
- ServiceCatalogPrincipalPortfolioAttachment
- ServiceCatalogProduct
- ServiceCatalogProvisionedProduct
- ServiceCatalogTagOption
- ServiceCatalogTagOptionPortfolioAttachment
- ServiceDiscoveryInstance
- ServiceDiscoveryNamespace
- ServiceDiscoveryService
- SimpleDBDomain
- StorageGatewayFileShare
- StorageGatewayGateway
- StorageGatewayTape
- StorageGatewayVolume
- TransferServer
- TransferServerUser
- WAFRegionalByteMatchSet
- WAFRegionalByteMatchSetIP
- WAFRegionalIPSet
- WAFRegionalIPSetIP
- WAFRegionalRateBasedRule
- WAFRegionalRateBasedRulePredicate
- WAFRegionalRegexMatchSet
- WAFRegionalRegexMatchTuple
- WAFRegionalRegexPatternSet
- WAFRegionalRegexPatternString
- WAFRegionalRule
- WAFRegionalRuleGroup
- WAFRegionalRulePredicate
- WAFRegionalWebACL
- WAFRegionalWebACLRuleAttachment
- WAFRule
- WAFWebACL
- WAFWebACLRuleAttachment
- WAFv2IPSet
- WAFv2RegexPatternSet
- WAFv2RuleGroup
- WAFv2WebACL
- WorkLinkFleet
- WorkSpacesWorkspace
- XRayGroup
- XRaySamplingRule
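Review bot: `account-blocklist` contains only the placeholder `1234567890` (ten digits, not a 12-digit account ID); aws-nuke insists on a non-empty blocklist precisely as its guard against pointing a `--no-dry-run --force` run at production, and a placeholder satisfies that check without protecting anything — list the real production and shared account IDs here, quoted so YAML keeps them as strings. In the `olderthan` preset, `EC2NetworkACL:` through `EC2Volume:` and `ELBv2TargetGroup:` through `EC2InternetGatewayAttachment:` have no value and parse as null, so they add no age filter at all; if the intent is "no age property available", a comment such as `# no age property on this type: listed for completeness, not filtered` stops a reader assuming these are age-gated. `NetpuneSnapshot` under `excludes` is misspelled, so depending on how aws-nuke validates type names either config loading fails or Neptune snapshots silently stay in scope. `ConfigServiceConfigRule`, `ConfigServiceConfigurationRecorder`, `ConfigServiceDeliveryChannel`, `WAFWebACL`, `WAFv2WebACL` and `WAFRegionalWebACL` are each listed twice in `excludes`; harmless, but worth deduplicating.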

@ -45,6 +45,6 @@ resource "aws_iam_role" "github_actions_doormat_role" {
inline_policy {
name = "AssumeServiceUserPolicy"
// Use the service user policy for now
policy = data.aws_iam_policy_document.iam_policy_document.json
policy = data.aws_iam_policy_document.combined_policy_document.json
}
}
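Review bot: The comment `// Use the service user policy for now` above the changed line is now stale: the role is attached to `combined_policy_document`, which (per the sibling change in this commit) merges the enos service-user document with the aws-nuke document, so the doormat role also gains the sweep permissions; reword it to `// Combined enos service-user + aws-nuke policy (see combined_policy_document)`. The enclosing `resource "aws_iam_role" "github_actions_doormat_role"` starts outside the hunk, and the file path is not shown on this page.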

@ -51,112 +51,72 @@ resource "aws_iam_role_policy" "role_policy" {
role = aws_iam_role.role[0].name
name = "${local.service_user}_policy"
policy = data.aws_iam_policy_document.iam_policy_document.json
policy = data.aws_iam_policy_document.combined_policy_document.json
}
data "aws_iam_policy_document" "iam_policy_document" {
data "aws_iam_policy_document" "combined_policy_document" {
source_policy_documents = [data.aws_iam_policy_document.enos_policy_document.json, data.aws_iam_policy_document.aws_nuke_policy_document.json]
}
data "aws_iam_policy_document" "enos_policy_document" {
provider = aws.us_east_1
statement {
effect = "Allow"
actions = [
"iam:ListRoles",
"iam:CreateRole",
"iam:GetRole",
"iam:DeleteRole",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:CreateInstanceProfile",
"iam:GetInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:ListPolicies",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:ListRoles",
"iam:CreateRole",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:AttachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:ListUsers",
"iam:GetUser",
"iam:GetUserId",
"iam:DescribeUser",
"iam:DeleteUser",
"iam:CreateUser",
"iam:TagUser",
"iam:UntagUser",
"iam:ListUserTags",
"iam:CreateUserTag",
"iam:DeleteUserTag",
"iam:ListUserPolicies",
"iam:CreateUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeImages",
"ec2:DescribeTags",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkAcls",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:TerminateInstances",
"ec2:ResetInstanceAttribute",
"ec2:DeleteTags",
"ec2:DescribeVolumes",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:CreateVPC",
"ec2:ModifyVPCAttribute",
"ec2:DeleteVPC",
"ec2:DescribeSubnets",
"ec2:CreateSubnet",
"ec2:ModifySubnetAttribute",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVPC",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DetachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DescribeKeyPairs",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable",
"ec2:DeleteRouteTable",
"ec2:CreateKeyPair",
"ec2:ImportKeyPair",
"ec2:DeleteKeyPair",
"ec2:DescribeKeyPairs",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVPCAttribute",
"ec2:ResetInstanceAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -188,29 +148,100 @@ data "aws_iam_policy_document" "iam_policy_document" {
"elasticloadbalancing:SetRulePriorities",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"kms:ListKeys",
"kms:ListResourceTags",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:DescribeKey",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateAccessKey",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:CreateRole",
"iam:CreateUser",
"iam:CreateUserPolicy",
"iam:CreateUserTag",
"iam:DeleteAccessKey",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DeleteUserTag",
"iam:DescribeUser",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserId",
"iam:ListAccessKeys",
"iam:ListAttachedRolePolicies",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListUserTags",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagUser",
"iam:UntagUser",
"kms:CreateAlias",
"kms:CreateKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ScheduleKeyDeletion",
"kms:ListAliases",
"kms:CreateAlias",
"kms:DeleteAlias",
"rds:DescribeDBSubnetGroups",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"kms:ListResourceTags",
"kms:ScheduleKeyDeletion",
"rds:AddTagsToResource",
"rds:CreateDBInstance",
"rds:CreateDBSubnetGroup",
"rds:ModifyDBSubnetGroup",
"rds:DeleteDBInstance",
"rds:DeleteDBSubnetGroup",
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:DeleteDBInstance",
"rds:DescribeDBSubnetGroups",
"rds:ListTagsForResource",
"rds:AddTagsToResource",
"rds:RemoveTagsFromResource",
"rds:ModifyDBInstance",
"rds:ModifyDBSubnetGroup",
"rds:RemoveTagsFromResource"
]
resources = ["*"]
}
}
data "aws_iam_policy_document" "aws_nuke_policy_document" {
provider = aws.us_east_1
statement {
effect = "Allow"
actions = [
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeRegions",
"ec2:DescribeVpnGateways",
"iam:DeleteAccessKey",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:UntagUser",
"servicequotas:ListServiceQuotas"
]
resources = ["*"]
}
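Review bot: The alphabetised `enos_policy_document` list still carries the duplicates from the original ordering — `iam:CreateRole`, `iam:DeleteRole` and `iam:ListRoles` each appear twice — so the reorder should also drop the repeats (wrap the list in `distinct([...])` or remove the second occurrences). The new `aws_nuke_policy_document` only adds Describe calls for NAT/VPN gateways and regions, `iam:ListAccountAliases`, `servicequotas:ListServiceQuotas` and IAM user deletion; the aws-nuke config added in this commit sweeps everything not excluded, and unless the role has policies outside this file it has, for example, no `lambda:` or `ec2:DeleteNatGateway` permissions, so many resource types will fail with AccessDenied — which is exactly what the workflow's discarded stderr hides. Conversely, `iam:DeleteUser` and `iam:DeleteAccessKey` are granted here while `IAMUser` and `IAMUserAccessKey` sit in the config's `excludes`, so keep the nuke document to what the sweep actually exercises and say in a comment why each group of actions is needed. A one-line comment on `combined_policy_document`, e.g. `# enos service-user permissions plus what the scheduled aws-nuke sweep needs`, would also help the next reader of the two roles that consume it.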
