Update Macie support - CORE-387 #459
Conversation
```go
// Macie cannot be disabled with an active administrator account
adminAccount, err := svc.GetAdministratorAccount(&macie2.GetAdministratorAccountInput{})
if err != nil {
	if strings.Contains(err.Error(), "there isn't a delegated Macie administrator") {
```
Could we key off the error's numeric code instead of string matching? My fear is that AWS changes the value out from under us without us knowing and this starts to break.
@zackproser I thought about using it, unfortunately it's just a generic ResourceNotFoundException (which is the same error that gets returned if Macie isn't enabled). I figured it might be better to key off of the specific message in this case, but I am definitely open to going the other way, I could see AWS potentially changing the error message breaking this.
@arsci No problem - I was thinking this could be the case. Let's not obsess over it in that case! 👍
Nicely done!
LGTM!
Description
Closes CORE-387
Updated the ability to nuke Macie resources.
Macie itself is simply enabled or disabled per region; however, each instance must be cleared of member account links and administrator account links.
Added support for the time filter, but not for configObj regex filtering.
Additional testing was done manually with multiple AWS accounts to ensure the proper functionality of the member disassociation/deletion and administrator deletion.
TODOs
- Read the Gruntwork contribution guidelines.
- `nuke_sandbox` and `nuke_phxdevops` jobs in `.circleci/config.yml` have been updated with appropriate exclusions (either directly in the job or via the `.circleci/nuke_config.yml` file) to prevent nuking IAM roles, groups, resources, etc. that are important for the test accounts.
Release Notes
Updated Macie nuke support
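As an added example (not code from cloud-nuke or from this PR), the Go program below ties together the two points on this page: the classification question from the review thread, where the only stable signal is the `ResourceNotFoundException` code and the delegated-administrator message fragment has to disambiguate it, and the teardown order from the description, where member links and the administrator link must be removed before Macie can be disabled. The `apiError` interface stands in for `awserr.Error` so the file builds without the AWS SDK; the `macieClient` interface, the `nukeRegion` function and the "not enabled" message fragment are assumptions rather than the project's own names, and the error built in `main` is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// apiError mirrors the two awserr.Error accessors used below; it is a local
// stand-in so the example compiles without the AWS SDK (assumption).
type apiError interface {
	error
	Code() string
	Message() string
}

type macieErr struct{ code, msg string }

func (e macieErr) Error() string   { return e.code + ": " + e.msg }
func (e macieErr) Code() string    { return e.code }
func (e macieErr) Message() string { return e.msg }

type adminState int

const (
	adminLinked   adminState = iota // GetAdministratorAccount succeeded
	adminNone                       // enabled, but no delegated administrator
	macieDisabled                   // Macie is not enabled in this region
)

// classifyAdminLookup checks the error code first and only then the message
// fragment quoted in the review thread. Anything else is returned, not
// swallowed, so a reworded message fails loudly instead of silently skipping
// the administrator disassociation.
func classifyAdminLookup(err error) (adminState, error) {
	if err == nil {
		return adminLinked, nil
	}
	var ae apiError
	if !errors.As(err, &ae) || ae.Code() != "ResourceNotFoundException" {
		return adminNone, err
	}
	switch {
	case strings.Contains(ae.Message(), "there isn't a delegated Macie administrator"):
		return adminNone, nil
	case strings.Contains(ae.Message(), "not enabled"): // assumed wording
		return macieDisabled, nil
	}
	return adminNone, fmt.Errorf("unrecognised ResourceNotFoundException: %w", err)
}

// macieClient is the slice of the macie2 API the teardown needs (assumption:
// real operation names, request and response types elided).
type macieClient interface {
	GetAdministratorAccount() error
	ListMembers() ([]string, error)
	DisassociateMember(id string) error
	DeleteMember(id string) error
	DisassociateFromAdministratorAccount() error
	DisableMacie() error
}

// nukeRegion clears member links, then the administrator link, and only then
// disables Macie, the order the PR description calls for. It returns the
// number of member accounts it removed.
func nukeRegion(c macieClient) (int, error) {
	state, err := classifyAdminLookup(c.GetAdministratorAccount())
	if err != nil {
		return 0, err
	}
	if state == macieDisabled {
		return 0, nil // nothing to tear down in this region
	}
	members, err := c.ListMembers()
	if err != nil {
		return 0, err
	}
	for i, id := range members {
		if err := c.DisassociateMember(id); err != nil {
			return i, err
		}
		if err := c.DeleteMember(id); err != nil {
			return i, err
		}
	}
	if state == adminLinked {
		if err := c.DisassociateFromAdministratorAccount(); err != nil {
			return len(members), err
		}
	}
	return len(members), c.DisableMacie()
}

func main() {
	// Constructed error in the shape the review thread describes.
	err := macieErr{"ResourceNotFoundException", "there isn't a delegated Macie administrator"}
	state, cerr := classifyAdminLookup(err)
	fmt.Println("state:", state, "err:", cerr)
}
```

Any `ResourceNotFoundException` whose message matches neither fragment is returned rather than mapped to one of the two known states; that is the check the reviewer was asking about. If AWS rewords the message, the run fails on the lookup instead of carrying on to a `DisableMacie` call that is rejected because an administrator link is still active.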