#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
##
# Destroys all the elements created on the environment
##
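# Terminal colours used by the header helpers below. tput's stderr is silenced so
# the script also works where tput or TERM is unavailable (the variables are then
# simply empty and the output is plain text).
# NOTE: this file is meant to be sourced (see the usage text at the bottom), which
# is why it never enables `set -e`: that would change the caller's shell.
txtgrn=$(tput setaf 2 2>/dev/null) # Green
txtylw=$(tput setaf 3 2>/dev/null) # Yellow
txtblu=$(tput setaf 4 2>/dev/null) # Blue
txtpur=$(tput setaf 5 2>/dev/null) # Purple
txtcyn=$(tput setaf 6 2>/dev/null) # Cyan
txtwht=$(tput setaf 7 2>/dev/null) # White
txtrst=$(tput sgr0 2>/dev/null)    # Text reset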
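#######################################
# Prints a header (see showHeader) in reverse video.
# Arguments: the words of the title
# Outputs:   the header to stdout
#######################################
function title() {
  tput rev
  # "$@" keeps every word intact; showHeader joins them itself.
  showHeader "$@"
  tput sgr0
}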
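#######################################
# Prints the given words as a green title framed by two rules of dashes
# exactly as long as the text.
# Globals:   txtgrn, txtrst (read)
# Arguments: the words of the title
# Outputs:   the framed title to stdout
#######################################
function showHeader() {
  local text="$*"
  local rule
  # Build a string of ${#text} dashes without forking seq/printf per dash.
  printf -v rule '%*s' "${#text}" ''
  rule=${rule// /-}
  # printf '%s' is used instead of echo so a title starting with '-' or
  # containing glob characters is printed verbatim.
  printf '%s\n' "${txtgrn:-}"
  printf '%s\n' "$rule"
  printf '%s\n' "$text"
  printf '%s' "$rule"
  printf '%s\n' "${txtrst:-}"
}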
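#######################################
# Prints a blue "--- <text>" section title surrounded by blank lines.
# Globals:   txtblu, txtrst (read)
# Arguments: the words of the title
# Outputs:   the section title to stdout
#######################################
function showSectionTitle() {
  local line="--- "
  # The colour codes are only inserted when set, so plain terminals get the
  # same "--- text" as before (no unquoted expansion, so no globbing).
  if [[ -n "${txtblu:-}" ]]; then
    line+="${txtblu} "
  fi
  line+="$*"
  if [[ -n "${txtrst:-}" ]]; then
    line+=" ${txtrst}"
  fi
  printf '\n%s\n\n' "$line"
}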
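# Execution mode read by EXECUTE(): "dryrun" only prints the commands it is
# given, "on" prints and runs them, anything else runs them silently.
# The script ships in dry-run mode; change this value deliberately before a
# real teardown.
_DEBUG="dryrun"
# The original test `[ "$_DEBUG"=="dryrun" ]` compared nothing (one non-empty
# word is always true), so the banner was shown in every mode.
if [[ "$_DEBUG" == "dryrun" ]]; then
  title "EXECUTING DRY RUN"
fi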
#######################################
# Runs, or merely prints, a command line depending on the global _DEBUG:
#   "on"     -> echo the command line, then run it
#   "dryrun" -> echo the command line only
#   other    -> run it without echoing
# Arguments: the command line, either as separate words or as one string
# The arguments are deliberately left unquoted: callers in this file pass
# whole command lines as a single string and rely on word-splitting here, so
# arguments containing whitespace or glob characters will not survive intact.
#######################################
# shellcheck disable=SC2068,SC2086
function EXECUTE() {
  local mode="$_DEBUG"
  if [[ "$mode" == "on" ]]; then
    echo $@
    $@
  elif [[ "$mode" == "dryrun" ]]; then
    echo $@
  else
    $@
  fi
}
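#######################################
# Prints the name of the first SSM parameter under /<env> whose name contains
# the given fragment, or "null" when there is none (or the env name is empty).
# Arguments: $1 - environment name (lowercase), $2 - name fragment
# Outputs:   the parameter name (without JSON quotes) or "null" to stdout
#######################################
function _findSsmParameter() {
  local envNameLowercase="$1" fragment="$2" name
  # An empty prefix would match every parameter in the account.
  if [[ -z "$envNameLowercase" ]]; then
    printf 'null'
    return
  fi
  # The JMESPath query is handed to the CLI as one argument instead of being
  # assembled into a string and eval'd, so the environment name is never
  # re-interpreted by the shell. --output json keeps "null" as the not-found
  # marker regardless of the user's CLI configuration.
  name=$(aws ssm describe-parameters --output json \
    --query "Parameters[?starts_with(@.Name, \`/${envNameLowercase}\`)] | [?contains(@.Name, \`${fragment}\`)].Name | [0]")
  # Strip the JSON string quotes (a missing match prints a bare null).
  name=${name#\"}
  name=${name%\"}
  printf '%s' "${name:-null}"
}

#######################################
# Deletes the "session" and "websocket" SSM parameters of the environment,
# which are created by hand rather than by CDK.
# Globals:   _DEBUG (via EXECUTE)
# Arguments: $1 - environment name in lowercase
# Outputs:   progress messages to stdout
#######################################
function destroySSMParameters() {
  showHeader "DESTROYING SSM PARAMETERS NOT HANDLED BY CDK"
  # The original read the global envnameLowercase instead of its argument.
  local envNameLowercase="$1"
  local sessionParameterName websocketParameterName
  sessionParameterName=$(_findSsmParameter "$envNameLowercase" session)
  websocketParameterName=$(_findSsmParameter "$envNameLowercase" websocket)
  if [[ "$sessionParameterName" == "null" ]]; then
    echo "session Parameter not found for environment $envNameLowercase"
  else
    echo "Deleting session parameter $sessionParameterName"
    # The CLI option of `aws ssm delete-parameter` is --name.
    EXECUTE aws ssm delete-parameter --name "$sessionParameterName"
  fi
  if [[ "$websocketParameterName" == "null" ]]; then
    echo "websocket Parameter not found for environment $envNameLowercase"
  else
    echo "Deleting websocket parameter $websocketParameterName"
    EXECUTE aws ssm delete-parameter --name "$websocketParameterName"
  fi
}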
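#######################################
# Prints the name of the first IAM role whose name starts with the given
# prefix and contains "irehose", or "null" when none exists.
# Arguments: $1 - role name prefix (the environment name in one case)
# Outputs:   the role name (without JSON quotes) or "null" to stdout
#######################################
function _findFirehoseRole() {
  local prefix="$1" name
  # An empty prefix would match every role in the account.
  if [[ -z "$prefix" ]]; then
    printf 'null'
    return
  fi
  # Query passed directly to the CLI (no eval); --output json keeps "null"
  # as the not-found marker regardless of the user's CLI configuration.
  name=$(aws iam list-roles --output json \
    --query "Roles[?starts_with(@.RoleName, \`${prefix}\`)] | [?contains(@.RoleName, \`irehose\`)].RoleName | [0]")
  name=${name#\"}
  name=${name%\"}
  printf '%s' "${name:-null}"
}

#######################################
# Deletes the Firehose IAM role(s) created by hand for the environment, or
# tells the user to do it when running on Cloud9.
# Globals:   C9_HOSTNAME (read); FIREHOSEROLE (exported: the role the user
#            still has to delete by hand, empty otherwise); _DEBUG via EXECUTE
# Arguments: $1 - environment name lowercase, $2 - environment name uppercase
# Outputs:   progress messages to stdout
#######################################
function destroyFirehoseIAM() {
  # The original assigned envNameLowercase/envNameUppercase but queried with
  # the globals envnameLowercase/envnameUppercase set by destroy().
  local envNameLowercase="$1" envNameUppercase="$2"
  local firehoseRoleNameUC firehoseRoleNameLC
  firehoseRoleNameUC=$(_findFirehoseRole "$envNameUppercase")
  firehoseRoleNameLC=$(_findFirehoseRole "$envNameLowercase")
  # When both spellings resolve to the same role, handle it once.
  if [[ "$firehoseRoleNameUC" == "$firehoseRoleNameLC" ]]; then
    firehoseRoleNameUC="null"
  fi
  if [[ "$firehoseRoleNameLC" == "null" && "$firehoseRoleNameUC" == "null" ]]; then
    echo "We could not find FIREHOSE ROLES containing the names $envNameLowercase or $envNameUppercase"
    export FIREHOSEROLE=""
  elif [[ -n "${C9_HOSTNAME:-}" ]]; then
    ## Cloud9 doesn't have permissions to change roles configurations.
    echo "It seems that you are running the workshop on Cloud9"
    echo "You are going to need to fix some things by hand."
    echo " Go to IAM and delete the following role: "
    if [[ "$firehoseRoleNameLC" != "null" ]]; then
      echo "$firehoseRoleNameLC"
      export FIREHOSEROLE="$firehoseRoleNameLC"
    else
      echo "$firehoseRoleNameUC"
      export FIREHOSEROLE="$firehoseRoleNameUC"
    fi
  else
    # TODO(review): delete-role is rejected while policies are still attached
    # to the role; the original comment "Get the policies and remove it" was
    # never implemented, so a failure here still needs a manual clean-up.
    if [[ "$firehoseRoleNameLC" != "null" ]]; then
      echo "Deleting the role $firehoseRoleNameLC"
      EXECUTE aws iam delete-role --role-name "$firehoseRoleNameLC"
    fi
    if [[ "$firehoseRoleNameUC" != "null" ]]; then
      echo "Deleting the role $firehoseRoleNameUC"
      EXECUTE aws iam delete-role --role-name "$firehoseRoleNameUC"
    fi
    export FIREHOSEROLE=""
  fi
}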
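#######################################
# Prints the name of the first Firehose delivery stream whose name contains
# the given fragment, or "null" when none exists.
# Arguments: $1 - name fragment (the environment name in one case)
# Outputs:   the stream name (without JSON quotes) or "null" to stdout
#######################################
function _findDeliveryStream() {
  local fragment="$1" name
  # An empty fragment would match every delivery stream in the account.
  if [[ -z "$fragment" ]]; then
    printf 'null'
    return
  fi
  name=$(aws firehose list-delivery-streams --output json \
    --query "DeliveryStreamNames | [?contains(@, \`${fragment}\`)] | [0]")
  name=${name#\"}
  name=${name%\"}
  printf '%s' "${name:-null}"
}

#######################################
# Deletes the Firehose delivery stream(s) whose name contains the environment
# name in either case.
# Globals:   _DEBUG (via EXECUTE)
# Arguments: $1 - environment name lowercase, $2 - environment name uppercase
# Outputs:   progress messages to stdout
#######################################
function destroyFirehoseResource() {
  local envNameLowercase="$1" envNameUppercase="$2"
  local firehoseLC firehoseUC stream
  # The original had the UC/LC variable names swapped; the lookups are the
  # same, only the labels are now consistent.
  firehoseLC=$(_findDeliveryStream "$envNameLowercase")
  firehoseUC=$(_findDeliveryStream "$envNameUppercase")
  # Both lookups resolve to the same stream when the name has no letters
  # (or contains both spellings); delete it only once.
  if [[ "$firehoseUC" == "$firehoseLC" ]]; then
    firehoseUC="null"
  fi
  if [[ "$firehoseLC" == "null" && "$firehoseUC" == "null" ]]; then
    echo "We could not find FIREHOSE resources containing the names $envNameLowercase or $envNameUppercase"
    return
  fi
  for stream in "$firehoseLC" "$firehoseUC"; do
    [[ "$stream" == "null" ]] && continue
    echo "Deleting the resource $stream"
    EXECUTE aws firehose delete-delivery-stream --delivery-stream-name "$stream"
  done
}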
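#######################################
# Removes the Firehose role and delivery stream created by hand.
# Arguments: $1 - environment name lowercase, $2 - environment name uppercase
#######################################
function destroyFirehose() {
  showHeader "DESTROYING FIREHOSE RESOURCES CREATED BY HAND"
  showSectionTitle "Destroying IAM resources"
  destroyFirehoseIAM "$1" "$2"
  showSectionTitle "Destroying the Kinesis Firehose resource"
  destroyFirehoseResource "$1" "$2"
}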
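#######################################
# Removes the invoke-API inline policy added by hand to
# <envname>WebSocketSynchronizeStartFn_Role, or tells the user to do it when
# running on Cloud9.
# Globals:   C9_HOSTNAME (read); WEBSOCKETROLE (exported: the role that still
#            needs manual work, empty otherwise); _DEBUG via EXECUTE
# Arguments: $1 - environment name (either case works)
# Outputs:   progress messages to stdout
#######################################
function destroyWebsocketInlinePolicy() {
  ### it does not matter if it is uppercase or lowercase
  local envname="$1"
  local roleName="${envname}WebSocketSynchronizeStartFn_Role"
  local websocketPolicyName
  # Direct CLI call (no eval); --output json keeps "null" as the not-found marker.
  websocketPolicyName=$(aws iam list-role-policies --role-name "$roleName" --output json \
    --query "PolicyNames[?contains(@, \`nvoke\`)] | [0]")
  websocketPolicyName=${websocketPolicyName#\"}
  websocketPolicyName=${websocketPolicyName%\"}
  # An empty result means the CLI call failed (e.g. the role is gone); "null"
  # means the role has no matching policy. The original treated only "" as
  # not-found and then left WEBSOCKETROLE set for "null", which blocked the
  # CDK destroy for no reason.
  if [[ -z "$websocketPolicyName" || "$websocketPolicyName" == "null" ]]; then
    echo
    echo "We could not find an Invoke-Api-Policy attached. If you have used a different naming standard, please remove it manually."
    export WEBSOCKETROLE=""
  elif [[ -n "${C9_HOSTNAME:-}" ]]; then
    ## Cloud9 doesn't have permissions to change roles configurations.
    export WEBSOCKETROLE="$roleName"
    echo "It seems that you are running the workshop on Cloud9"
    echo "You are going to need to fix some things by hand."
    echo "Go to IAM and remove the policy $websocketPolicyName from the role $roleName"
  else
    EXECUTE aws iam delete-role-policy --role-name "$roleName" --policy-name "$websocketPolicyName"
    echo "Policy $websocketPolicyName removed from $envname WebSocketSynchronizeStartFn_Role"
    export WEBSOCKETROLE=""
  fi
}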
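#######################################
# Prints one field (ApiId or Name) of the first API Gateway v2 API whose name
# contains the given fragment, or "null" when there is none.
# Arguments: $1 - name fragment, $2 - field name (ApiId or Name)
# Outputs:   the field value (without JSON quotes) or "null" to stdout
#######################################
function _findWebsocketApiField() {
  local fragment="$1" field="$2" value
  # An empty fragment would match every API in the account.
  if [[ -z "$fragment" ]]; then
    printf 'null'
    return
  fi
  value=$(aws apigatewayv2 get-apis --output json \
    --query "Items[?contains(@.Name, \`${fragment}\`)] | [0] | @.${field}")
  value=${value#\"}
  value=${value%\"}
  printf '%s' "${value:-null}"
}

#######################################
# Deletes the websocket API whose name contains the environment name in
# either case. Only the first match per spelling is considered.
# Globals:   _DEBUG (via EXECUTE)
# Arguments: $1 - environment name lowercase, $2 - environment name uppercase
# Outputs:   progress messages to stdout
#######################################
function destroyWebsocketAPI() {
  local envNameLowercase="$1" envNameUppercase="$2"
  local websocketAPIIdUC websocketAPINameUC websocketAPIIdLC websocketAPINameLC
  # checking uppercase
  websocketAPIIdUC=$(_findWebsocketApiField "$envNameUppercase" ApiId)
  websocketAPINameUC=$(_findWebsocketApiField "$envNameUppercase" Name)
  # checking lowercase
  websocketAPIIdLC=$(_findWebsocketApiField "$envNameLowercase" ApiId)
  websocketAPINameLC=$(_findWebsocketApiField "$envNameLowercase" Name)
  if [[ "$websocketAPIIdUC" == "null" && "$websocketAPIIdLC" == "null" ]]; then
    echo "We could not find an API related to either to $envNameUppercase or to $envNameLowercase. If you have used a different naming standard, please remove it manually."
    return
  fi
  if [[ "$websocketAPIIdUC" != "null" ]]; then
    if EXECUTE aws apigatewayv2 delete-api --api-id "$websocketAPIIdUC"; then
      echo "API with Id $websocketAPIIdUC and name $websocketAPINameUC deleted successfully."
    else
      echo "Could not delete API with Id $websocketAPIIdUC (name $websocketAPINameUC)." >&2
    fi
  fi
  # Skip the lowercase match when it is the API that was just deleted.
  if [[ "$websocketAPIIdLC" != "null" && "$websocketAPIIdLC" != "$websocketAPIIdUC" ]]; then
    if EXECUTE aws apigatewayv2 delete-api --api-id "$websocketAPIIdLC"; then
      echo "API with Id $websocketAPIIdLC and name $websocketAPINameLC deleted successfully."
    else
      echo "Could not delete API with Id $websocketAPIIdLC (name $websocketAPINameLC)." >&2
    fi
  fi
}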
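#######################################
# Removes the hand-made websocket configuration: the inline invoke policy and
# the websocket API itself.
# Globals:   envNameLowercase, envNameUppercase (written, see below)
# Arguments: $1 - environment name lowercase, $2 - environment name uppercase
#######################################
function destroyWebsocket() {
  showHeader "DELETING WEBSOCKET CONFIGURATION NOT HANDLED BY CDK"
  # Deliberately NOT local: destroy() still reads the global envNameLowercase
  # after this call when deciding which buckets to remove.
  envNameLowercase="$1"
  envNameUppercase="$2"
  showSectionTitle "Remove the invoke policy added by hand in <envName>WebSocketSynchronizeStartFn_Role"
  destroyWebsocketInlinePolicy "$envNameLowercase"
  showSectionTitle "Destroy the websocket API"
  destroyWebsocketAPI "$envNameLowercase" "$envNameUppercase"
}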
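#######################################
# Deletes every CloudWatch log group whose name contains the uppercased
# environment name and the string "aws" (e.g. the Lambda log groups).
# Globals:   _DEBUG (via EXECUTE)
# Arguments: $1 - environment name (any case; a second argument is ignored)
# Outputs:   progress messages to stdout
# Returns:   1 when no environment name is given
#######################################
function destroyLogGroups() {
  showHeader "DELETING LOG GROUP"
  local envNameUppercase group
  envNameUppercase=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  # An empty name would match every log group in the account.
  if [[ -z "$envNameUppercase" ]]; then
    echo "No environment name given; not touching any log group." >&2
    return 1
  fi
  # The listing is read-only, so it also runs in dry-run mode (which then
  # prints one delete command per group instead of the whole pipeline);
  # only the delete itself goes through EXECUTE. The awk strips the JSON
  # quotes and trailing comma from each listed name.
  while IFS= read -r group; do
    [[ -n "$group" ]] || continue
    EXECUTE aws logs delete-log-group --log-group-name "$group"
  done < <(aws logs describe-log-groups --output json \
      --query "logGroups[?contains(@.logGroupName, \`${envNameUppercase}\`)].logGroupName" \
    | grep -F -- aws \
    | awk '{ gsub(/"/, "", $1); gsub(",", "", $1); print $1 }')
}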
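#######################################
# Removes the <env>.app and <env>.raw buckets, including their contents.
# Globals:   _DEBUG (via EXECUTE)
# Arguments: $1 - environment name (any case)
# Outputs:   progress messages to stdout, failures to stderr
# Returns:   1 when no environment name is given
#######################################
function destroyS3buckets() {
  showHeader "DESTROYING BUCKETS"
  local envNameLowercase bucket
  envNameLowercase=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # Guard against an empty name (the original then tried to remove "s3://.app/").
  if [[ -z "$envNameLowercase" ]]; then
    echo "No environment name given; refusing to delete buckets." >&2
    return 1
  fi
  for bucket in "${envNameLowercase}.app" "${envNameLowercase}.raw"; do
    # --force empties the bucket before removing it; this is irreversible.
    # The success message is only printed when the command did not fail
    # (the original printed it unconditionally).
    if EXECUTE aws s3 rb "s3://${bucket}/" --force; then
      echo "Bucket $bucket deleted."
    else
      echo "Bucket $bucket was not deleted (see the error above)." >&2
    fi
  done
}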
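#######################################
# Runs `cdk destroy` for the environment, unless an earlier step left work
# that has to be done by hand first.
# Globals:   FIREHOSEROLE, WEBSOCKETROLE (read); _DEBUG via EXECUTE
# Arguments: $1 - environment name (any case)
# Outputs:   progress messages to stdout
# Returns:   1 when cdk was not run (pending manual work or no cdk directory)
#######################################
function destroyCDKEnvironment() {
  showHeader "CALLING CDK"
  local canrun="true" envnameUppercase
  if [[ -n "${FIREHOSEROLE:-}" ]]; then
    echo "You need to delete this role manually: $FIREHOSEROLE"
    canrun="false"
  fi
  if [[ -n "${WEBSOCKETROLE:-}" ]]; then
    echo "You need to remove the policy added manually to the role: $WEBSOCKETROLE"
    canrun="false"
  fi
  [[ "$canrun" == "true" ]] || return 1
  envnameUppercase=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  # A subshell keeps the caller's working directory untouched even when cd
  # or cdk fails (the original cd'ed back only on the happy path).
  (
    cd cdk || { echo "Cannot cd to ./cdk; run this from the repository root." >&2; exit 1; }
    EXECUTE cdk destroy -c "envname=${envnameUppercase}"
  )
}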
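#######################################
# Interactive entry point: confirms with the user, then tears down every
# resource of the environment (SSM, Firehose, websocket, log groups, CDK
# stack and optionally the buckets).
# Globals:   txtylw, txtrst (read); envnameLowercase/envnameUppercase are
#            set here and visible to the functions called below
# Arguments: $1 - environment name
# Outputs:   prompts and progress messages to stdout
# Returns:   1 when the name is empty or contains unsupported characters
#######################################
function destroy() {
  local envname="$1"
  # The name ends up in CLI queries and, through EXECUTE, in command lines
  # that are word-split, so restrict it to a conservative character set.
  if [[ ! "$envname" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "Invalid environment name '${envname}': use only letters, digits, '.', '_' and '-'." >&2
    return 1
  fi
  title DESTROYING THE environment "$envname"
  envnameUppercase=$(printf '%s' "$envname" | tr 'a-z' 'A-Z')
  envnameLowercase=$(printf '%s' "$envname" | tr 'A-Z' 'a-z')
  echo "The environment to be destroyed is ${txtylw}${envname}${txtrst}"
  # Matching is by name prefix/substring: a very short name matches a lot.
  echo "All resources (IAM, Cognito, Firehose etc) having their names starting with $envnameLowercase or $envnameUppercase will be destroyed."
  local answer bucketAnswer
  read -r -p "${txtylw} Do you confirm (Y/N)? ${txtrst}" answer
  answer=$(printf '%s' "${answer:0:1}" | tr 'a-z' 'A-Z')
  if [[ "$answer" != "Y" ]]; then
    echo
    echo "Exiting"
    echo
    return
  fi
  read -r -p "Do you want the BUCKETS $envnameLowercase.app and $envnameLowercase.raw ${txtylw}to be deleted (Y/N)? ${txtrst}" bucketAnswer
  echo "${txtylw}Beginning destruction...${txtrst}"
  bucketAnswer=$(printf '%s' "${bucketAnswer:0:1}" | tr 'a-z' 'A-Z')
  destroySSMParameters "$envnameLowercase"
  destroyFirehose "$envnameLowercase" "$envnameUppercase"
  destroyWebsocket "$envnameLowercase" "$envnameUppercase"
  destroyLogGroups "$envnameLowercase" "$envnameUppercase"
  destroyCDKEnvironment "$envname"
  if [[ "$bucketAnswer" == "Y" ]]; then
    # The original passed $envNameLowercase, a global that only existed
    # because a helper had leaked it; use the value computed above.
    destroyS3buckets "$envnameLowercase"
  else
    echo "The buckets $envnameLowercase.app and $envnameLowercase.raw are still available"
  fi
}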
# Entry point: the script is sourced with the environment name in $envname.
if [[ -z "${envname:-}" ]]; then
  echo
  echo "** DESTROY script**"
  echo "Your environment name is undefined."
  echo
  echo "Usage:"
  echo "source destroy.sh"
  echo
else
  destroy "$envname"
  title Finalizing
fi