diff --git a/.github/workflows/test-ci-cleanup-oss.yml b/.github/workflows/test-ci-cleanup-oss.yml
new file mode 100644
index 0000000000..3b62d9c101
--- /dev/null
+++ b/.github/workflows/test-ci-cleanup-oss.yml
@@ -0,0 +1,92 @@
+name: test-ci-cleanup-oss
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '05 02 * * *'
+
+jobs:
+ setup:
+ runs-on: ubuntu-latest
+ outputs:
+ regions: ${{steps.setup.outputs.regions}}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
+ role-skip-session-tagging: true
+ role-duration-seconds: 3600
+ - name: Get all regions
+ id: setup
+ run: |
+ echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> $GITHUB_OUTPUT
+ echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
+ - name: Get account ID
+ id: setup_aws
+ run: |
+ echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
+
+ aws-nuke:
+ needs: setup
+ runs-on: ubuntu-latest
+ container:
+ image: rebuy/aws-nuke
+ options:
+ --user root
+ -t
+ env:
+ AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+ TIME_LIMIT: "72h"
+ timeout-minutes: 60
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
+ role-skip-session-tagging: true
+ role-duration-seconds: 3600
+ - uses: actions/checkout@v3
+ - name: Configure
+ run: |
+ cp enos/ci/aws-nuke.yml . 
+ echo "test: ${{ needs.setup.output.account_num }}"
+ sed -i "s/ACCOUNT_NUM/${{ needs.setup.output.account_num }}/g" aws-nuke.yml
+ sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
+ # We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
+ # we'll fail on actually actionable things in the quota steep afterwards.
+ - name: Clean up abandoned resources
+ # Filter STDERR because it's super noisy about things we don't have access to
+ run: |
+ aws-nuke -c aws-nuke.yml -q --no-dry-run --force 2>/tmp/aws-nuke-error.log || true
+
+ check-quotas:
+ needs: [ setup, aws-nuke ]
+ runs-on: ubuntu-latest
+ container:
+ image: jantman/awslimitchecker
+ env:
+ AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID_CI }}
+ AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY_CI }}
+ strategy:
+ matrix:
+ region: ${{ fromJSON(needs.setup.outputs.regions) }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
+ role-skip-session-tagging: true
+ role-duration-seconds: 3600
+ # Currently just checking VPC limits across all region, can add more checks here in future
+ - name: Check AWS Quotas
+ run: awslimitchecker -S "VPC" -r ${{matrix.region}}
diff --git a/.gitignore b/.gitignore
index 7643f12a4f..63d63aa8d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -135,7 +135,8 @@ enos/.terraform/*
 enos/.terraform.lock.hcl
 enos/*.tfstate
 enos/*.tfstate.*
-
+enos/ci/*/.terraform/*
+enos/ci/*/.terraform.lock.hcl
 # vim: set filetype=conf :
 # CRT (Common Release Tooling)
diff --git a/enos/ci/aws-nuke.yml b/enos/ci/aws-nuke.yml
new file mode 100644
index 0000000000..94cabc4fa5
--- /dev/null
+++ b/enos/ci/aws-nuke.yml
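Review bot: The Configure step substitutes `${{ needs.setup.output.account_num }}` into aws-nuke.yml, but the context is `needs.setup.outputs` and the setup job only declares `regions` under `outputs:` (its steps write `account_id`), so ACCOUNT_NUM is replaced with an empty string and the `|| true` on the aws-nuke step then hides the resulting config failure. Suggested changes: add `account_id: ${{ steps.setup_aws.outputs.account_id }}` to the setup job's `outputs:` and reference `${{ needs.setup.outputs.account_id }}` in both lines of the Configure step. The account lookup via `curl -s http://169.254.169.254/...` also looks unlikely to be answered on a hosted runner; `echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"` after the credentials step is the usual form, and the duplicate echo in the "Get all regions" step can go. The container-level `env:` blocks read `env.AWS_ACCESS_KEY_ID` / `env.AWS_ACCESS_KEY_ID_CI`, which are not set when the container starts, so they are presumably empty — confirm the variables exported by the credentials action actually reach the `aws-nuke` and `awslimitchecker` invocations. Finally, the action references use mutable tags (`@v1-node16`, `@v3`); pinning them to full commit SHAs narrows the supply-chain exposure of a job that runs destructive cleanup with assumed-role credentials.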
@@ -0,0 +1,395 @@
+regions:
+- eu-north-1
+- ap-south-1
+- eu-west-3
+- eu-west-2
+- eu-west-1
+- ap-northeast-3
+- ap-northeast-2
+- ap-northeast-1
+- sa-east-1
+- ca-central-1
+- ap-southeast-1
+- ap-southeast-2
+- eu-central-1
+- us-east-1
+- us-east-2
+- us-west-1
+- us-west-2
+- global
+
+account-blocklist:
+ - 1234567890
+
+accounts:
+ # replaced in CI
+ ACCOUNT_NUM:
+ presets:
+ - default
+ - olderthan
+ - honeybee
+ - enos
+
+presets:
+ default:
+ # Ignores default VPC resources
+ filters:
+ EC2VPC:
+ - property: IsDefault
+ value: "true"
+ EC2RouteTable:
+ - property: DefaultVPC
+ value: "true"
+ EC2DHCPOption:
+ - property: DefaultVPC
+ value: "true"
+ EC2InternetGateway:
+ - property: DefaultVPC
+ value: "true"
+ EC2Subnet:
+ - property: DefaultVPC
+ value: "true"
+ EC2InternetGatewayAttachment:
+ - property: DefaultVPC
+ value: "true"
+ olderthan:
+ # Filters resources by age (when available)
+ # TIME_LIMIT replaced in CI
+ filters:
+ EC2Instance:
+ - property: LaunchTime
+ type: dateOlderThan
+ value: "TIME_LIMIT"
+ EC2NetworkACL:
+ EC2RouteTable:
+ EC2SecurityGroup:
+ EC2Subnet:
+ EC2Volume:
+ EC2VPC:
+ - property: tag:cloud-nuke-first-seen
+ type: dateOlderThan
+ value: "TIME_LIMIT"
+ ELBv2:
+ - property: tag:cloud-nuke-first-seen
+ type: dateOlderThan
+ value: "TIME_LIMIT"
+ ELBv2TargetGroup:
+ EC2NetworkInterface:
+ EC2InternetGateway:
+ EC2InternetGatewayAttachment:
+ RDSInstance:
+ - property: InstanceCreateTime
+ type: dateOlderThan
+ value: "TIME_LIMIT"
+
+ honeybee:
+ # Cloudsec
+ filters:
+ IAMRole:
+ - property: tag:hc-config-as-code
+ value: "honeybee"
+ IAMRolePolicy:
+ - property: tag:role:hc-config-as-code
+ value: "honeybee"
+ IAMRolePolicyAttachment:
+ - property: tag:role:hc-config-as-code
+ value: "honeybee"
+
+ enos:
+ # Existing CI to be cleaned up later
+ filters:
+ LambdaFunction:
+ - property: Name
+ value: "enos_cleanup"
+ IAMRole:
+ - property: Name
+ type: glob
+ value: "github_actions-*"
+ - property: Name
+ value: 
"rds-monitoring-role"
+ IAMRolePolicy:
+ - property: role:RoleName
+ type: glob
+ value: "github_actions*"
+ - property: role:RoleName
+ type: glob
+ value: "rds-*"
+ IAMRolePolicyAttachment:
+ - "rds-monitoring-role -> AmazonRDSEnhancedMonitoringRole"
+ IAMUserPolicy:
+ - "github_actions-boundary_ci -> AssumeServiceUserRole"
+ - "github_actions-boundary_enterprise_ci -> AssumeServiceUserRole"
+
+resource-types:
+ # Run against everything, excluding these:
+ excludes:
+ # Avoid cloudsec things
+ - IAMUser
+ - IAMPolicy
+ - IAMUserAccessKey
+ - S3Object
+ - S3Bucket
+ - EC2KeyPair
+ - CloudWatchEventsTarget
+ - CloudWatchEventsRule
+ - CloudWatchLogsLogGroup
+ - ConfigServiceConfigurationRecorder
+ - ConfigServiceConfigRule
+ - ConfigServiceDeliveryChannel
+ - CloudTrailTrail
+ - RDSSnapshot
+ - RDSClusterSnapshot
+ - WAFWebACL
+ - WAFv2WebACL
+ - WAFRegionalWebACL
+ - GuardDutyDetector
+
+ # Unused services, filtering these speeds up runs and
+ # removes errors about things we don't have enabled
+ - ACMCertificate
+ - ACMPCACertificateAuthority
+ - ACMPCACertificateAuthorityState
+ - AMGWorkspace
+ - AMPWorkspace
+ - APIGatewayAPIKey
+ - APIGatewayClientCertificate
+ - APIGatewayDomainName
+ - APIGatewayRestAPI
+ - APIGatewayUsagePlan
+ - APIGatewayV2API
+ - APIGatewayV2VpcLink
+ - APIGatewayVpcLink
+ - AWS::AppFlow::ConnectorProfile
+ - AWS::AppFlow::Flow
+ - AWS::AppRunner::Service
+ - AWS::ApplicationInsights::Application
+ - AWS::Backup::Framework
+ - AWS::MWAA::Environment
+ - AWS::NetworkFirewall::Firewall
+ - AWS::NetworkFirewall::FirewallPolicy
+ - AWS::NetworkFirewall::RuleGroup
+ - AWS::Synthetics::Canary
+ - AWS::Timestream::Database
+ - AWS::Timestream::ScheduledQuery
+ - AWS::Timestream::Table
+ - AWS::Transfer::Workflow
+ - AWSBackupPlan
+ - AWSBackupRecoveryPoint
+ - AWSBackupSelection
+ - AWSBackupVault
+ - AWSBackupVaultAccessPolicy
+ - AccessAnalyzer
+ - AppMeshMesh
+ - AppMeshRoute
+ - AppMeshVirtualGateway
+ - AppMeshVirtualNode
+ - 
AppMeshVirtualRouter
+ - AppMeshVirtualService
+ - AppStreamDirectoryConfig
+ - AppStreamFleet
+ - AppStreamFleetState
+ - AppStreamImage
+ - AppStreamImageBuilder
+ - AppStreamImageBuilderWaiter
+ - AppStreamStack
+ - AppStreamStackFleetAttachment
+ - AppSyncGraphqlAPI
+ - ApplicationAutoScalingScalableTarget
+ - ArchiveRule
+ - AthenaNamedQuery
+ - AthenaWorkGroup
+ - BatchComputeEnvironment
+ - BatchComputeEnvironmentState
+ - BatchJobQueue
+ - BatchJobQueueState
+ - BillingCostandUsageReport
+ - Budget
+ - Cloud9Environment
+ - CloudDirectoryDirectory
+ - CloudDirectorySchema
+ - CodeArtifactDomain
+ - CodeArtifactRepository
+ - CodeBuildProject
+ - CodeCommitRepository
+ - CodeDeployApplication
+ - CodePipelinePipeline
+ - CodeStarConnection
+ - CodeStarNotificationRule
+ - CodeStarProject
+ - CognitoIdentityPool
+ - CognitoIdentityProvider
+ - CognitoUserPool
+ - CognitoUserPoolClient
+ - CognitoUserPoolDomain
+ - ComprehendDocumentClassifier
+ - ComprehendDominantLanguageDetectionJob
+ - ComprehendEndpoint
+ - ComprehendEntitiesDetectionJob
+ - ComprehendEntityRecognizer
+ - ComprehendKeyPhrasesDetectionJob
+ - ComprehendSentimentDetectionJob
+ - ConfigServiceConfigRule
+ - ConfigServiceConfigurationRecorder
+ - ConfigServiceDeliveryChannel
+ - DAXCluster
+ - DAXParameterGroup
+ - DAXSubnetGroup
+ - DataPipelinePipeline
+ - DatabaseMigrationServiceCertificate
+ - DatabaseMigrationServiceEndpoint
+ - DatabaseMigrationServiceEventSubscription
+ - DatabaseMigrationServiceReplicationInstance
+ - DatabaseMigrationServiceReplicationTask
+ - DatabaseMigrationServiceSubnetGroup
+ - DeviceFarmProject
+ - DirectoryServiceDirectory
+ - EC2ClientVpnEndpointAttachment
+ - EC2ClientVpnEndpoint
+ - EC2DefaultSecurityGroupRule
+ - FMSNotificationChannel
+ - FMSPolicy
+ - FSxBackup
+ - FSxFileSystem
+ - FirehoseDeliveryStream
+ - GlobalAccelerator
+ - GlobalAcceleratorEndpointGroup
+ - GlobalAcceleratorListener
+ - GlueClassifier
+ - GlueConnection
+ - GlueCrawler
+ - 
GlueDatabase
+ - GlueDevEndpoint
+ - GlueJob
+ - GlueTrigger
+ - Inspector2
+ - InspectorAssessmentRun
+ - InspectorAssessmentTarget
+ - InspectorAssessmentTemplate
+ - IoTAuthorizer
+ - IoTCACertificate
+ - IoTCertificate
+ - IoTJob
+ - IoTOTAUpdate
+ - IoTPolicy
+ - IoTRoleAlias
+ - IoTStream
+ - IoTThing
+ - IoTThingGroup
+ - IoTThingType
+ - IoTThingTypeState
+ - IoTTopicRule
+ - KendraIndex
+ - KinesisAnalyticsApplication
+ - KinesisStream
+ - KinesisVideoProject
+ - LexBot
+ - LexIntent
+ - LexModelBuildingServiceBotAlias
+ - LexSlotType
+ - LifecycleHook
+ - LightsailDisk
+ - LightsailDomain
+ - LightsailInstance
+ - LightsailKeyPair
+ - LightsailLoadBalancer
+ - LightsailStaticIP
+ - MQBroker
+ - MSKCluster
+ - MSKConfiguration
+ - MachineLearningBranchPrediction
+ - MachineLearningDataSource
+ - MachineLearningEvaluation
+ - MachineLearningMLModel
+ - Macie
+ - MediaConvertJobTemplate
+ - MediaConvertPreset
+ - MediaConvertQueue
+ - MediaLiveChannel
+ - MediaLiveInput
+ - MediaLiveInputSecurityGroup
+ - MediaPackageChannel
+ - MediaPackageOriginEndpoint
+ - MediaStoreContainer
+ - MediaStoreDataItems
+ - MediaTailorConfiguration
+ - MobileProject
+ - NeptuneCluster
+ - NeptuneInstance
+ - NetpuneSnapshot
+ - OpsWorksApp
+ - OpsWorksCMBackup
+ - OpsWorksCMServer
+ - OpsWorksCMServerState
+ - OpsWorksInstance
+ - OpsWorksLayer
+ - OpsWorksUserProfile
+ - QLDBLedger
+ - RoboMakerRobotApplication
+ - RoboMakerSimulationApplication
+ - RoboMakerSimulationJob
+ - SESConfigurationSet
+ - SESIdentity
+ - SESReceiptFilter
+ - SESReceiptRuleSet
+ - SESTemplate
+ - SSMActivation
+ - SSMAssociation
+ - SSMDocument
+ - SSMMaintenanceWindow
+ - SSMParameter
+ - SSMPatchBaseline
+ - SSMResourceDataSync
+ - SageMakerApp
+ - SageMakerDomain
+ - SageMakerEndpoint
+ - SageMakerEndpointConfig
+ - SageMakerModel
+ - SageMakerNotebookInstance
+ - SageMakerNotebookInstanceLifecycleConfig
+ - SageMakerNotebookInstanceState
+ - SageMakerUserProfiles
+ - 
ServiceCatalogConstraintPortfolioAttachment
+ - ServiceCatalogPortfolio
+ - ServiceCatalogPortfolioProductAttachment
+ - ServiceCatalogPortfolioShareAttachment
+ - ServiceCatalogPrincipalPortfolioAttachment
+ - ServiceCatalogProduct
+ - ServiceCatalogProvisionedProduct
+ - ServiceCatalogTagOption
+ - ServiceCatalogTagOptionPortfolioAttachment
+ - ServiceDiscoveryInstance
+ - ServiceDiscoveryNamespace
+ - ServiceDiscoveryService
+ - SimpleDBDomain
+ - StorageGatewayFileShare
+ - StorageGatewayGateway
+ - StorageGatewayTape
+ - StorageGatewayVolume
+ - TransferServer
+ - TransferServerUser
+ - WAFRegionalByteMatchSet
+ - WAFRegionalByteMatchSetIP
+ - WAFRegionalIPSet
+ - WAFRegionalIPSetIP
+ - WAFRegionalRateBasedRule
+ - WAFRegionalRateBasedRulePredicate
+ - WAFRegionalRegexMatchSet
+ - WAFRegionalRegexMatchTuple
+ - WAFRegionalRegexPatternSet
+ - WAFRegionalRegexPatternString
+ - WAFRegionalRule
+ - WAFRegionalRuleGroup
+ - WAFRegionalRulePredicate
+ - WAFRegionalWebACL
+ - WAFRegionalWebACLRuleAttachment
+ - WAFRule
+ - WAFWebACL
+ - WAFWebACLRuleAttachment
+ - WAFv2IPSet
+ - WAFv2RegexPatternSet
+ - WAFv2RuleGroup
+ - WAFv2WebACL
+ - WorkLinkFleet
+ - WorkSpacesWorkspace
+ - XRayGroup
+ - XRaySamplingRule
diff --git a/enos/ci/service-user-iam/github-actions-doormat.tf b/enos/ci/service-user-iam/github-actions-doormat.tf
index 20ce0f3f7b..dc9a050615 100644
--- a/enos/ci/service-user-iam/github-actions-doormat.tf
+++ b/enos/ci/service-user-iam/github-actions-doormat.tf
@@ -45,6 +45,6 @@ resource "aws_iam_role" "github_actions_doormat_role" {
 inline_policy {
 name = "AssumeServiceUserPolicy"
 // Use the service user policy for now
- policy = data.aws_iam_policy_document.iam_policy_document.json
+ policy = data.aws_iam_policy_document.combined_policy_document.json
 }
 }
diff --git a/enos/ci/service-user-iam/main.tf b/enos/ci/service-user-iam/main.tf
index 66a95d117c..d03898d61e 100644
--- a/enos/ci/service-user-iam/main.tf
+++ b/enos/ci/service-user-iam/main.tf
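Review bot: In the `olderthan` preset the keys `EC2NetworkACL:`, `EC2RouteTable:`, `EC2SecurityGroup:`, `EC2Subnet:`, `EC2Volume:`, `ELBv2TargetGroup:`, `EC2NetworkInterface:`, `EC2InternetGateway:` and `EC2InternetGatewayAttachment:` have no value, so they parse as null and carry no `dateOlderThan` filter despite the preset's "Filters resources by age" comment; presumably those types are then removed regardless of age, so either give each the same three-line `dateOlderThan` filter used for `EC2Instance` or drop the empty keys so the omission is explicit. `account-blocklist` holds the placeholder `1234567890`; this list is aws-nuke's guard against running in the wrong account, so it should carry the real production/shared account IDs, quoted so they stay strings (e.g. `- "<PRODUCTION_ACCOUNT_ID>"`). `NetpuneSnapshot` in `excludes` looks like a typo for `NeptuneSnapshot` — check how aws-nuke treats an unknown resource type, since it will either reject the config or silently leave Neptune snapshots in scope. The `ConfigService*` and `WAF*WebACL` entries also appear twice in `excludes`; harmless, but worth de-duplicating.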
@@ -51,112 +51,72 @@ resource "aws_iam_role_policy" "role_policy" {
 role = aws_iam_role.role[0].name
 name = "${local.service_user}_policy"
- policy = data.aws_iam_policy_document.iam_policy_document.json
+ policy = data.aws_iam_policy_document.combined_policy_document.json
 }
-data "aws_iam_policy_document" "iam_policy_document" {
+data "aws_iam_policy_document" "combined_policy_document" {
+ source_policy_documents = [data.aws_iam_policy_document.enos_policy_document.json, data.aws_iam_policy_document.aws_nuke_policy_document.json]
+}
+
+data "aws_iam_policy_document" "enos_policy_document" {
 provider = aws.us_east_1
 statement {
 effect = "Allow"
 actions = [
- "iam:ListRoles",
- "iam:CreateRole",
- "iam:GetRole",
- "iam:DeleteRole",
- "iam:ListInstanceProfiles",
- "iam:ListInstanceProfilesForRole",
- "iam:CreateInstanceProfile",
- "iam:GetInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:ListPolicies",
- "iam:CreatePolicy",
- "iam:DeletePolicy",
- "iam:ListRoles",
- "iam:CreateRole",
- "iam:AddRoleToInstanceProfile",
- "iam:PassRole",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:DeleteRole",
- "iam:ListRolePolicies",
- "iam:ListAttachedRolePolicies",
- "iam:AttachRolePolicy",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DetachRolePolicy",
- "iam:DeleteRolePolicy",
- "iam:ListUsers",
- "iam:GetUser",
- "iam:GetUserId",
- "iam:DescribeUser",
- "iam:DeleteUser",
- "iam:CreateUser",
- "iam:TagUser",
- "iam:UntagUser",
- "iam:ListUserTags",
- "iam:CreateUserTag",
- "iam:DeleteUserTag",
- "iam:ListUserPolicies",
- "iam:CreateUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy",
- "iam:ListGroupsForUser",
- "iam:ListAccessKeys",
- "iam:CreateAccessKey",
- "iam:DeleteAccessKey",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeInstanceTypeOfferings",
- "ec2:DescribeInstanceCreditSpecifications",
- "ec2:DescribeImages",
- "ec2:DescribeTags",
- "ec2:DescribeVpcClassicLink",
- "ec2:DescribeVpcClassicLinkDnsSupport",
- 
"ec2:DescribeNetworkInterfaces",
- "ec2:DescribeNetworkAcls",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeSecurityGroups",
- "ec2:CreateSecurityGroup",
- "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
 "ec2:AuthorizeSecurityGroupEgress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:DescribeInstances",
- "ec2:DescribeInstanceAttribute",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateKeyPair",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
 "ec2:CreateTags",
- "ec2:RunInstances",
- "ec2:ModifyInstanceAttribute",
- "ec2:TerminateInstances",
- "ec2:ResetInstanceAttribute",
- "ec2:DeleteTags",
- "ec2:DescribeVolumes",
 "ec2:CreateVolume",
- "ec2:DeleteVolume",
- "ec2:DescribeVpcs",
- "ec2:DescribeVpcAttribute",
 "ec2:CreateVPC",
- "ec2:ModifyVPCAttribute",
- "ec2:DeleteVPC",
- "ec2:DescribeSubnets",
- "ec2:CreateSubnet",
- "ec2:ModifySubnetAttribute",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteKeyPair",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVolume",
+ "ec2:DeleteVPC",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceAttribute",
+ "ec2:DescribeInstanceCreditSpecifications",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceTypeOfferings",
+ "ec2:DescribeInstanceTypes",
 "ec2:DescribeInternetGateways",
- "ec2:CreateInternetGateway",
- "ec2:AttachInternetGateway",
- "ec2:DetachInternetGateway",
- "ec2:DeleteInternetGateway",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
 "ec2:DescribeRouteTables",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:AssociateRouteTable",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ 
"ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
 "ec2:DisassociateRouteTable",
- "ec2:DeleteRouteTable",
- "ec2:CreateKeyPair",
 "ec2:ImportKeyPair",
- "ec2:DeleteKeyPair",
- "ec2:DescribeKeyPairs",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVPCAttribute",
+ "ec2:ResetInstanceAttribute",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
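Review bot: The new `combined_policy_document` and `enos_policy_document` data blocks carry no comment explaining the split, so a reader has to diff two long action lists to learn why there are now two source documents merged via `source_policy_documents`. Suggested header comments: above `combined_policy_document`, `# Policy attached to the CI service user and doormat role: enos scenario permissions plus what the aws-nuke cleanup workflow needs`, and above `enos_policy_document`, `# Permissions used by the enos CI scenarios themselves; keep the action list sorted so diffs stay reviewable`. `combined_policy_document` also omits the `provider = aws.us_east_1` that both source documents set; that is presumably fine for a pure document merge, but a one-line comment saying so would stop a later "fix". The `actions` list of `enos_policy_document` continues past the end of this hunk.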
@@ -188,29 +148,100 @@ data "aws_iam_policy_document" "iam_policy_document" {
 "elasticloadbalancing:SetRulePriorities",
 "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:SetSubnets",
- "kms:ListKeys",
- "kms:ListResourceTags",
- "kms:GetKeyPolicy",
- "kms:GetKeyRotationStatus",
- "kms:DescribeKey",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateAccessKey",
+ "iam:CreateInstanceProfile",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateRole",
+ "iam:CreateUser",
+ "iam:CreateUserPolicy",
+ "iam:CreateUserTag",
+ "iam:DeleteAccessKey",
+ "iam:DeleteInstanceProfile",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:DeleteUser",
+ "iam:DeleteUserPolicy",
+ "iam:DeleteUserTag",
+ "iam:DescribeUser",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:GetUser",
+ "iam:GetUserId",
+ "iam:ListAccessKeys",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListGroupsForUser",
+ "iam:ListInstanceProfiles",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUsers",
+ "iam:ListUserTags",
+ "iam:PassRole",
+ "iam:PutRolePolicy",
+ "iam:PutUserPolicy",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagUser",
+ "iam:UntagUser",
+ "kms:CreateAlias",
 "kms:CreateKey",
- "kms:Encrypt",
 "kms:Decrypt",
- "kms:ScheduleKeyDeletion",
- "kms:ListAliases",
- "kms:CreateAlias",
 "kms:DeleteAlias",
- "rds:DescribeDBSubnetGroups",
+ "kms:DescribeKey",
+ "kms:Encrypt",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListKeys",
+ "kms:ListResourceTags",
+ "kms:ScheduleKeyDeletion",
+ "rds:AddTagsToResource",
+ "rds:CreateDBInstance",
 "rds:CreateDBSubnetGroup",
- "rds:ModifyDBSubnetGroup",
+ "rds:DeleteDBInstance",
 "rds:DeleteDBSubnetGroup",
 "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- 
"rds:DeleteDBInstance",
+ "rds:DescribeDBSubnetGroups",
 "rds:ListTagsForResource",
- "rds:AddTagsToResource",
- "rds:RemoveTagsFromResource",
+ "rds:ModifyDBInstance",
+ "rds:ModifyDBSubnetGroup",
+ "rds:RemoveTagsFromResource"
+ ]
+ resources = ["*"]
+ }
+}
+
+
+data "aws_iam_policy_document" "aws_nuke_policy_document" {
+ provider = aws.us_east_1
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeRegions",
+ "ec2:DescribeVpnGateways",
+ "iam:DeleteAccessKey",
+ "iam:DeleteUser",
+ "iam:DeleteUserPolicy",
+ "iam:GetUser",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
+ "iam:ListGroupsForUser",
+ "iam:ListUserPolicies",
+ "iam:ListUserTags",
+ "iam:ListUsers",
+ "iam:UntagUser",
+ "servicequotas:ListServiceQuotas"
 ]
 resources = ["*"]
 }
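Review bot: `enos_policy_document` lists `"iam:CreateRole"`, `"iam:DeleteRole"` and `"iam:ListRoles"` twice each (the sort made the pre-existing duplicates adjacent); drop the second copy of each. The new `aws_nuke_policy_document` grants `iam:DeleteUser`, `iam:DeleteAccessKey`, `iam:DeleteUserPolicy` and `iam:UntagUser` on `resources = ["*"]`, i.e. on every user in the account, while the accompanying aws-nuke.yml excludes `IAMUser` and `IAMUserAccessKey` and only filters named `IAMUserPolicy` entries — the policy is therefore wider than the tool is configured to use; if those deletes are needed only for CI-created users, scope them with a `resources` ARN pattern for that user prefix, otherwise remove them. A brief comment above the block naming which aws-nuke resource types each group of actions serves would make future trimming safer. The closing brace of `aws_nuke_policy_document` is outside this hunk.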