
Some AWS Control Tower Resources Being Deleted W/ Updated Community Config #466

Closed
BwL1289 opened this issue Dec 18, 2024 · 4 comments

Comments

@BwL1289

BwL1289 commented Dec 18, 2024

Version: 3.29.1
Platform: Aarch64

Example of the config working as expected:

2024-12-17T07:48:48.805-06:00	us-east-1 - CloudFormationStack - StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070 - [CreationTime: "2023-03-06T15:24:38Z", LastUpdatedTime: "2023-03-06T15:24:38Z", Name: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070"] - filtered by config
2024-12-17T07:48:48.805-06:00	us-east-1 - CloudFormationStack - StackSet-AWSControlTowerBP-BASELINE-CONFIG-3af16700-ffa1-41c6-88c8-c3ab27f15029 - [CreationTime: "2023-03-06T15:18:37Z", LastUpdatedTime: "2023-03-06T15:18:37Z", Name: "StackSet-AWSControlTowerBP-BASELINE-CONFIG-3af16700-ffa1-41c6-88c8-c3ab27f15029"] - filtered by config
2024-12-17T07:48:48.805-06:00	us-east-1 - CloudFormationStack - StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-5220b1e8-74a0-45cf-9caf-6b059ac3e23c - [CreationTime: "2023-03-06T15:18:37Z", LastUpdatedTime: "2023-03-06T15:18:37Z", Name: "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-5220b1e8-74a0-45cf-9caf-6b059ac3e23c"] - filtered by config
2024-12-17T07:48:48.805-06:00	us-east-1 - CloudFormationStack - StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-ee2456bc-9f9d-49db-964c-054f884aa0b4 - [CreationTime: "2023-03-06T15:17:06Z", LastUpdatedTime: "2023-03-06T15:17:06Z", Name: "StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-ee2456bc-9f9d-49db-964c-054f884aa0b4"] - filtered by config
2024-12-17T07:48:48.805-06:00	us-east-1 - CloudFormationStack - StackSet-AWSControlTowerBP-BASELINE-ROLES-f4a298ac-bf01-4e1e-8979-3a4d3ecea89b - [CreationTime: "2023-03-06T15:17:06Z", LastUpdatedTime: "2023-03-06T15:17:06Z", Name: "StackSet-AWSControlTowerBP-BASELINE-ROLES-f4a298ac-bf01-4e1e-8979-3a4d3ecea89b"] - filtered by config
2024-12-17T07:48:48.805-06:00	us-east-1 - CloudWatchLogsLogGroup - StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070-VPCFlowLogsLogGroup-w5xON2huWVcg - [CreatedTime: "1678116286195", LastEvent: "2023-03-06T15:24:46Z", logGroupName: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070-VPCFlowLogsLogGroup-w5xON2huWVcg", tag:aws:cloudformation:logical-id: "VPCFlowLogsLogGroup", tag:aws:cloudformation:stack-id: "arn:aws:cloudformation:us-east-1:<redacted>:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070/020e9ee0-bc33-11ed-ae52-1228ee828b09", tag:aws:cloudformation:stack-name: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - aws-controltower-AdministratorExecutionRole - [CreateDate: "2023-03-06T15:17:12Z", LastUsedDate: "2023-03-06T15:17:12Z", Name: "aws-controltower-AdministratorExecutionRole", Path: "/"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - aws-controltower-ConfigRecorderRole - [CreateDate: "2023-03-06T15:17:12Z", LastUsedDate: "2023-03-06T15:17:12Z", Name: "aws-controltower-ConfigRecorderRole", Path: "/"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - aws-controltower-ForwardSnsNotificationRole - [CreateDate: "2023-03-06T15:17:11Z", LastUsedDate: "2023-03-06T15:17:11Z", Name: "aws-controltower-ForwardSnsNotificationRole", Path: "/"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - aws-controltower-ReadOnlyExecutionRole - [CreateDate: "2023-03-06T15:17:12Z", LastUsedDate: "2023-03-06T15:17:12Z", Name: "aws-controltower-ReadOnlyExecutionRole", Path: "/"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - AWSControlTowerExecution - [CreateDate: "2023-03-06T15:13:57Z", LastUsedDate: "2024-12-17T04:03:51Z", Name: "AWSControlTowerExecution", Path: "/"] - filtered by config
2024-12-17T07:49:00.872-06:00	global - IAMRole - AWSControlTower_VPCFlowLogsRole - [CreateDate: "2023-03-06T15:24:21Z", LastUsedDate: "2023-03-06T15:24:21Z", Name: "AWSControlTower_VPCFlowLogsRole", Path: "/"] - filtered by config

Example of config working unexpectedly:

2024-12-17T07:52:31.133-06:00	us-east-1 - EC2Subnet - subnet-0b7b36888106a5e02 - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: <redacted>, VpcID: "<redacted>", tag:Name: "aws-controltower-PrivateSubnet3A", tag:Network: "Private", tag:aws:cloudformation:logical-id: "PrivateSubnet3A", tag:aws:cloudformation:stack-id: "arn:aws:cloudformation:us-east-1:<redacted>:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070/020e9ee0-bc33-11ed-ae52-1228ee828b09", tag:aws:cloudformation:stack-name: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070"] - triggered remove
2024-12-17T07:52:31.133-06:00	us-east-1 - EC2Subnet - subnet-0573b6a332474908a - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "<redacted>", VpcID: "<redacted>, tag:Name: "aws-controltower-PrivateSubnet1A", tag:Network: "Private", tag:aws:cloudformation:logical-id: "PrivateSubnet1A", tag:aws:cloudformation:stack-id: "arn:aws:cloudformation:us-east-1:<redacted>:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070/020e9ee0-bc33-11ed-ae52-1228ee828b09", tag:aws:cloudformation:stack-name: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070"] - triggered remove
2024-12-17T07:52:31.133-06:00	us-east-1 - EC2Subnet - subnet-0ef788bec4905f44d - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "<redacted>", VpcID: "<redacted>", tag:Name: "aws-controltower-PrivateSubnet2A", tag:Network: "Private", tag:aws:cloudformation:logical-id: "PrivateSubnet2A", tag:aws:cloudformation:stack-id: "arn:aws:cloudformation:us-east-1:<redacted>:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070/020e9ee0-bc33-11ed-ae52-1228ee828b09", tag:aws:cloudformation:stack-name: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f-4cad-9f68-ebe9ffd57070"] - triggered remove

What is most strange is that there looks to be overlap between the config working as expected vs unexpected. In other words, the StackSet AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4-eb6f is filtered out in some cases (expected) but also deleted in others (unexpected).

Here's the section of our config I am using for this:

controltower:
    filters:
      __global__: # Catch all for all resources
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
        - type: "contains"
          value: "AWSReservedSSO_"
        - type: "contains"
          value: "DO_NOT_DELETE"
      CloudTrailTrail:
        - type: "contains"
          value: "aws-controltower"
      CloudWatchEventsRule:
        - type: "contains"
          value: "aws-controltower"
        - property: "Name"
          type: glob
          value: "AWSControlTower*"
      EC2VPCEndpoint:
        - type: "contains"
          value: "aws-controltower"
      EC2VPC:
        - type: "contains"
          value: "aws-controltower"
      OpsWorksUserProfile:
        - type: "contains"
          value: "AWSControlTowerExecution"
      CloudWatchLogsLogGroup:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTowerBP"
      CloudWatchEventsTarget:
        - type: "contains"
          value: "aws-controltower"
        - type: "glob"
          value: "Rule: AWSControlTower*"
      SNSSubscription:
        - type: "contains"
          value: "aws-controltower"
      SNSTopic:
        - type: "contains"
          value: "aws-controltower"
      EC2Subnet:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceDeliveryChannel:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceConfigurationRecorder:
        - type: "contains"
          value: "aws-controltower"
      CloudFormationStack:
        - type: "contains"
          value: "AWSControlTower"
      EC2RouteTable:
        - type: "contains"
          value: "aws-controltower"
      LambdaFunction:
        - type: "contains"
          value: "aws-controltower"
      EC2DHCPOption:
        - type: "contains"
          value: "aws-controltower"
      IAMRole:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicyAttachment:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicy:
        - type: "contains"
          value: "aws-controltower"
        - type: glob
          value: "AWSReservedSSO_*"

Does the community preset/my config need to be updated?

@ekristen
Owner

Any filter where you do not specify a property defaults to the "stringer", which varies from resource to resource; for example, it would be subnet-xxxxxxxxxx, and so none of your filters will actually match, therefore it is triggered for removal.

@BwL1289
Author

BwL1289 commented Dec 18, 2024

So in this case the global section wouldn't filter out the subnets?

What should I update to filter them? (And should the community preset be updated to include this?)

@ekristen
Owner

All filters, global or not, have to be tied to a property; if a property isn't given, it uses the stringer property.

There is no concept of a global property filter at this time.

So in this case you want a tag.

@BwL1289
Author

BwL1289 commented Dec 18, 2024

Understood and thank you. Happy to add this to the community preset as well.

For anyone who finds this in the interim, I am adding:

controltower:
    filters:
      __global__: # Catch all for all resources
        - property: tag:aws:cloudformation:stack-name
          type: "glob"
          value: "*aws-controltower*"
        - property: tag:aws:cloudformation:stack-id
          type: "glob"
          value: "*AWSControlTower*"
        - property: tag:Name
          type: "glob"
          value: "*controltower*"
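
As an added illustration (not aws-nuke's own code, nor the reporter's), the following Python model applies the two filter styles from this thread to resources shaped like the log lines above. It takes the maintainer's statement as its rule: a filter entry without `property` is matched against the resource's stringer (for a subnet, the `subnet-...` id), never against its tags. The `STRINGER` key, the `dry_run` helper, case-sensitive glob matching, the supported filter types and the sample property values (account id and stack-id shortened) are assumptions of this model, not aws-nuke internals.

```python
"""Toy model of aws-nuke filter evaluation (added example, not aws-nuke code).

Rule taken from the maintainer's reply in this issue: a filter with no
`property` is evaluated against the resource's "stringer" (its default string
form, e.g. "subnet-0b7b..." for a subnet), not against its tags.
"""
import re
from fnmatch import fnmatchcase

STRINGER = "__stringer__"  # hypothetical key holding a resource's stringer value

# Constructed sample resources modelled on the issue's log lines. The account
# id and stack-id are shortened placeholders, not values from the page.
RESOURCES = {
    "EC2Subnet/subnet-0b7b36888106a5e02": {
        STRINGER: "subnet-0b7b36888106a5e02",
        "tag:Name": "aws-controltower-PrivateSubnet3A",
        "tag:Network": "Private",
        "tag:aws:cloudformation:stack-name":
            "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4",
        "tag:aws:cloudformation:stack-id":
            "arn:aws:cloudformation:us-east-1:123456789012:stack/"
            "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4/020e9ee0",
    },
    "CloudFormationStack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4": {
        STRINGER: "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4",
        "Name": "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d28321d4",
    },
    "IAMRole/aws-controltower-ConfigRecorderRole": {
        STRINGER: "aws-controltower-ConfigRecorderRole",
        "Name": "aws-controltower-ConfigRecorderRole",
        "Path": "/",
    },
}

# The issue's original __global__ entries: no property, so stringer matching.
STRINGER_FILTERS = [
    {"type": "contains", "value": "aws-controltower"},
    {"type": "contains", "value": "AWSControlTower"},
]

# The tag-based entries the reporter added afterwards.
TAG_FILTERS = [
    {"property": "tag:aws:cloudformation:stack-name", "type": "glob", "value": "*aws-controltower*"},
    {"property": "tag:aws:cloudformation:stack-id", "type": "glob", "value": "*AWSControlTower*"},
    {"property": "tag:Name", "type": "glob", "value": "*controltower*"},
]


def filter_matches(flt, resource):
    """True if one filter entry matches one resource.

    Only the filter types used in the issue (plus exact/regex) are modelled,
    and matching is case-sensitive; both are assumptions of this model.
    """
    prop = flt.get("property")
    subject = resource.get(prop) if prop else resource.get(STRINGER)
    if subject is None:  # property absent (e.g. an untagged resource): no match
        return False
    ftype = flt.get("type", "exact")
    value = flt["value"]
    if ftype == "exact":
        return subject == value
    if ftype == "contains":
        return value in subject
    if ftype == "glob":
        return fnmatchcase(subject, value)
    if ftype == "regex":
        return re.search(value, subject) is not None
    raise ValueError(f"unsupported filter type: {ftype}")


def is_filtered(filters, resource):
    """A resource is kept (filtered out of deletion) when any entry matches."""
    return any(filter_matches(f, resource) for f in filters)


def dry_run(filters, resources=RESOURCES):
    """Label each resource the way the aws-nuke log lines in the issue do."""
    return {
        name: "filtered by config" if is_filtered(filters, res) else "triggered remove"
        for name, res in resources.items()
    }


if __name__ == "__main__":
    for label, filters in [("stringer-only", STRINGER_FILTERS),
                           ("tag-only", TAG_FILTERS),
                           ("combined", STRINGER_FILTERS + TAG_FILTERS)]:
        print(f"== {label} ==")
        for name, verdict in dry_run(filters).items():
            print(f"  {name}: {verdict}")
```

Running the three passes shows the overlap the reporter noticed: with the stringer-only filters the stack and the role are kept because their stringers contain the Control Tower prefixes, while the subnet's stringer is its id and it is marked for removal. With the tag filters alone the subnet is kept, but the stack and role carry no matching tags in the log output and would themselves be marked for removal. The tag entries therefore supplement the stringer entries rather than replace them, and any resource type that is neither tagged nor named with the prefix still needs its own property filter.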

@BwL1289 BwL1289 closed this as completed Dec 18, 2024