This repository is an example of how to run aws-nuke in a serverless environment on AWS, using AWS CodePipeline and AWS CodeBuild.

AWS CodePipeline was selected because of its native integration with GitHub, as opposed to AWS CodeBuild, which requires a manual association with a git repository.

The aws-nuke prerequisites must be completed before deployment; they are listed here: https://github.com/rebuy-de/aws-nuke#caution

A placeholder exists in the aws-nuke config file, which AWS CodeBuild updates at run time with the ID of the AWS account it is currently running in. This allows the same solution to be deployed across many sandbox accounts without having to manage each AWS account ID by hand.

```
cat aws-nuke-config/config.yaml | grep -A 1 accounts
```
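The substitution step described above, as an added example that is not part of this repository's code: a shell function a CodeBuild buildspec could call to render the config for the current account before invoking aws-nuke. The placeholder token `ACCOUNT_ID_PLACEHOLDER`, the sample config contents and the `render_config` / `current_account_id` function names are assumptions; the `aws sts get-caller-identity` call is the standard AWS CLI command for looking up the current account.

```shell
#!/usr/bin/env bash
# Added example (not from this repository): render the aws-nuke config for the
# account CodeBuild is running in. Placeholder name and sample config are assumptions.
set -euo pipefail

PLACEHOLDER='ACCOUNT_ID_PLACEHOLDER'

# Write a constructed aws-nuke config (not the repository's real file) to the given path.
make_sample_config() {
  cat > "$1" <<EOF
regions:
  - eu-west-1
  - global
account-blacklist:
  - "111111111111" # constructed: an account that must never be nuked
accounts:
  "${PLACEHOLDER}":
    presets:
      - aws-nuke-service
presets:
  aws-nuke-service:
    filters:
      SSMParameter:
        - "/github/token"
EOF
}

# Look up the account the build is running in (needs AWS credentials; not used offline).
current_account_id() {
  aws sts get-caller-identity --query Account --output text
}

# Render the config for one account id, in place.
# Refuses malformed ids, a config without the placeholder, and blacklisted accounts,
# so a mis-set credential can never point aws-nuke at the wrong account.
render_config() {
  local file="$1" account_id="$2"
  if ! printf '%s' "$account_id" | grep -Eq '^[0-9]{12}$'; then
    echo "refusing: '$account_id' is not a 12-digit AWS account id" >&2
    return 1
  fi
  if ! grep -q "$PLACEHOLDER" "$file"; then
    echo "refusing: $file does not contain $PLACEHOLDER" >&2
    return 1
  fi
  # A blacklist entry is a YAML list item holding the bare or quoted account id.
  if grep -Eq "^[[:space:]]*-[[:space:]]*\"?${account_id}\"?([[:space:]]|$)" "$file"; then
    echo "refusing: $account_id is on the account-blacklist" >&2
    return 1
  fi
  sed -i.bak "s/${PLACEHOLDER}/${account_id}/g" "$file" && rm -f "${file}.bak"
}

# Typical buildspec usage:
#   render_config aws-nuke-config/config.yaml "$(current_account_id)"
```

The blacklist check is the important part: aws-nuke itself refuses to run against a blacklisted account, but failing early in the build step keeps the rendered config, and any logs that include it, from ever naming a protected account as a target.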
- Fork this repository: https://help.github.com/en/articles/fork-a-repo
- Install sceptre with pip (https://sceptre.cloudreach.com/latest/docs/install.html):

  ```
  pip install sceptre
  ```

- Install the sceptre custom resolver for SSM (https://sceptre.cloudreach.com/latest/docs/resolvers.html#custom-resolvers):

  ```
  cd custom_resolvers/sceptre-ssm-resolver && pip install .
  ```

- Check that the installation succeeded:

  ```
  sceptre --version
  ```

- Update the GitHub details for the source repository where the aws-nuke config file lives:

  ```
  cat sceptre/config/sandbox/executor.yaml | grep Git
  ```

- Update the email address for CodePipeline notifications:

  ```
  cat sceptre/config/sandbox/executor.yaml | grep NotificationEmailAddress
  ```

- Push this code to a repository you can access with a GitHub personal access token.
For aws-nuke to access and delete all services, the IAM role `AwsNukeRole` assumed by the AWS CodeBuild project, with IAM policy `AwsNukePolicy`, is completely permissive. Review these permissions in your environment to ensure they are suitable.
- Create the SSM parameter `/github/token` holding your GitHub personal access token. Follow the prompts to enter your CLI profile, region and token. The SSM parameter name can be changed if desired; if so, it must also be updated here:

  ```
  cat sceptre/config/sandbox/executor.yaml | grep GitToken
  ```

  ```
  chmod +x ./scripts/create-github-token-ssm.sh && ./scripts/create-github-token-ssm.sh
  ```

- Deploy the stack with sceptre:

  ```
  cd sceptre && sceptre launch sandbox
  ```

  Deployment of this CloudFormation stack can also be done without sceptre, using just the AWS Console:

  ```
  cat sceptre/templates/aws-nuke-service.yaml
  ```

```
cat aws-nuke-config/config.yaml
```
Included in this config file is a preset that excludes the resources which the above CloudFormation template provisions, so that aws-nuke does not delete the pipeline that runs it:

```yaml
presets: # Blocks of filters to exclude resources
  aws-nuke-service: # Exclude the service deployed by this solution
    filters:
      SSMParameter:
        - "/github/token"
      IAMRole:
        - type: contains
          value: "aws-nuke"
      IAMRolePolicyAttachment:
        - type: contains
          value: "aws-nuke"
      IAMRolePolicy:
        - type: contains
          value: "aws-nuke"
      S3Bucket:
        - type: contains
          value: "aws-nuke"
      S3Object:
        - type: contains
          value: "aws-nuke"
      CodePipelinePipeline:
        - type: contains
          value: "aws-nuke"
      CodeBuildProject:
        - type: contains
          value: "aws-nuke"
      SNSTopic:
        - type: contains
          value: "aws-nuke"
      SNSTopicPolicy:
        - type: contains
          value: "aws-nuke"
      CloudWatchLogsLogGroup:
        - type: contains
          value: "aws-nuke"
      CloudWatchEventsRule:
        - type: contains
          value: "aws-nuke"
      CloudWatchEventsTarget:
        - type: contains
          value: "aws-nuke"
      CloudFormationStack:
        - type: contains
          value: "aws-nuke"
      SNSSubscription:
        - type: contains
          value: "aws-nuke"
```
More information about the aws-nuke config file is available in the aws-nuke project documentation.

aws-nuke is a project that nukes a whole AWS account, deleting all of its resources.

This example uses Cloudreach's sceptre project to deploy the CloudFormation stack for this solution.