Implement support for IAM Roles #330
Conversation
zackproser
requested review from
yorinasub17,
rhoboat and
denis256
as code owners
| @@ -106,3 +106,7 @@ IAMUsers: | |||
| names_regex: | |||
| # We want to make sure the main circle-ci-test user is never deleted | |||
| - "^circle-ci-test$" | |||
| IAMRoles: | |||
| include: | |||
There was a problem hiding this comment.
@yorinasub17 I looked through sandbox and phxdevops and it's diffcult to see what is actually important from a role perspective, as you know.
I know you suggested using an exclude for the critical roles, but I did notice that the vast majority of roles seemed to be created for tests - they're used for those test runs and then hang out forever, so I thought one thing that might make sense initially is to explicitly delete those roles that match the test names and are older than some number of hours.
FWIW, this cloud-nuke feature intentionally ignores all AWS-managed roles, which we also seem to have a good number of in play in both accounts.
LMK if there's a common format of names we use for the critical roles in both accounts.
There was a problem hiding this comment.
Let's start with this, and then later on we can identify which ones we want to keep during a ticket jam. FWIW, I believe the critical IAM roles are actually the cross account ones referenced in dogfood-infrastructure-live. We can probably recover with relative ease if any of the others are deleted.
There was a problem hiding this comment.
Roger - sounds good!
| @@ -106,3 +106,7 @@ IAMUsers: | |||
| names_regex: | |||
| # We want to make sure the main circle-ci-test user is never deleted | |||
| - "^circle-ci-test$" | |||
| IAMRoles: | |||
| include: | |||
There was a problem hiding this comment.
Let's start with this, and then later on we can identify which ones we want to keep during a ticket jam. FWIW, I believe the critical IAM roles are actually the cross account ones referenced in dogfood-infrastructure-live. We can probably recover with relative ease if any of the others are deleted.
There was a problem hiding this comment.
Code mostly LGTM! Given the criticality of IAM Roles, I'd like to do a quick sanity check run with go run before approving, but I ran out of time for today. Will do that check tomorrow.
Also, looks like there are build failures for unit tests in CircleCI that should be fixed.
Tests are fixed. Looks like the two failing now are:
which are both marked as Flaky |
Thanks for reviews! It also behaved as expected for me locally, so I'm going to merge this in now. |
Description
These changes are based on #251, but also introduce concurrent deletion of roles for speed. They introduce support for inspecting and nuking IAM Roles.
TODOs
Read the Gruntwork contribution guidelines.
Release Notes (draft)
Added / Removed / Updated [X].
Migration Guide