ekristen / azure-nuke Goto Github PK

View Code? Open in Web Editor NEW

28.0 3.0 5.0 458 KB

Remove all resources from an Azure Tenant and it's Subscriptions.

Home Page: https://ekristen.github.io/azure-nuke/

License: MIT License

Go 99.34% Dockerfile 0.47% Makefile 0.19%

azure azure-tenant azure-nuke nuke golang goreleaser libnuke

azure-nuke's People

Contributors

Stargazers

Watchers

Forkers

atighineanu vfarah-if fergoid laurentsenta flabunsky

azure-nuke's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile

Dockerfile

docker/dockerfile 1.7-labs

alpine 3.16.0

ghcr.io/acorn-io/images-mirror/golang 1.21

github-actions

.github/workflows/docs.yml

actions/checkout v4

actions/configure-pages v5

actions/setup-python v5

actions/cache v4

actions/upload-pages-artifact v3

actions/deploy-pages v4

.github/workflows/golangci-lint.yml

actions/checkout v4

actions/setup-go v5

golangci/golangci-lint-action v5

.github/workflows/goreleaser.yml

actions/checkout v4

actions/checkout v4

actions/setup-go v5

docker/setup-qemu-action v3

docker/setup-buildx-action v3

docker/login-action v3

sigstore/cosign-installer v3

1password/load-secrets-action v2

goreleaser/goreleaser-action v5

actions/upload-artifact v4

.github/workflows/semantic-lint.yml

amannn/action-semantic-pull-request v5

.github/workflows/semantic.yml

actions/checkout v4

actions/setup-node v4

.github/workflows/tests.yml

actions/checkout v4

actions/setup-go v5

gomod

go.mod

go 1.21.6

github.com/Azure/azure-sdk-for-go v68.0.0+incompatible

github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0

github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0

github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/recoveryservices/armrecoveryservices v1.3.1

github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/recoveryservices/armrecoveryservicesbackup v1.0.0

github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.11.0

github.com/Azure/go-autorest/autorest/to v0.4.0

github.com/ekristen/libnuke v0.14.2

github.com/fatih/camelcase v1.0.0

github.com/fatih/color v1.17.0

github.com/gotidy/ptr v1.4.0

github.com/hashicorp/go-azure-helpers v0.66.1

github.com/hashicorp/go-azure-sdk v0.20240125.1100331

github.com/iancoleman/strcase v0.3.0

github.com/manicminer/hamilton v0.61.0

github.com/sirupsen/logrus v1.9.3

github.com/stretchr/testify v1.9.0

github.com/urfave/cli/v2 v2.27.2

regex

.github/workflows/golangci-lint.yml

.github/workflows/goreleaser.yml

.github/workflows/tests.yml

Check this box to trigger a request for Renovate to run again on this repository

I am admittedly extremely naive when it comes to Azure, but I cannot seem to sort out what the issue is here. Any suggestions would be greatly appreciated. Note this is using azure-nuke version 1.0.0-next.4

I created a service principal like so:

az ad sp create-for-rbac --name nuke-role --role contributor --scopes /subscriptions/redacted-subscription-id

My config.yaml currently just looks like this, but I've also tried many other combos of config.yaml settings and get the same results:

regions:
    - global
    - eastus

I then run:

azure-nuke run --tenant-id=redacted --client-id=redacted --client-secret=redacted --subscription-id=redacted --log-level trace --log-caller

And get:

TRAC[0000]command.go:45 tenant id: redacted
DEBU[0000]auth.go:30 authentication type: client secret
TRAC[0000]command.go:55 preparing to run nuke
TRAC[0000]tenant.go:32 start: NewTenant                              handler=NewTenant
TRAC[0000]tenant.go:46 attempting to list tenants                    handler=NewTenant
TRAC[0000]command.go:31 2024/03/20 17:16:56 [DEBUG] POST https://login.microsoftonline.com/redacted/oauth2/v2.0/token  source=standard-logger
TRAC[0000]tenant.go:59 listing subscriptions
TRAC[0000]tenant.go:70 adding subscriptions id: redacted
TRAC[0000]tenant.go:73 listing resource groups
INFO[0000]tenant.go:77 configured locations[global eastus]
DEBU[0000]tenant.go:89 resource group name: redacted
DEBU[0000]tenant.go:89 resource group name: NetworkWatcherRG
DEBU[0000]tenant.go:89 resource group name: redacted
FATA[0000]main.go:46 account is not configured

exclude resources by specific tags

If it possible to exclude for example resource group by specific tag?
Thank you!

Do Not Error on Resource Not Found

time="2023-04-13T16:44:45Z" level=error msg="There are resources in failed state, but none are ready for deletion, anymore."
time="2023-04-13T16:44:45Z" level=error msg="storage.AccountsClient#ListByResourceGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code=\"ResourceGroupNotFound\" Message=\"Resource group 'xxxx-7a6ba333862f' could not be found.\""

This is likely due to a race condition of deleting resource groups at the same time.

Is --resource-id/AZURE_RESOURCE_ID still needed?

The code snippet in the README.md file makes use of the cli flag --resource-id but upon reviewing the code at commands.go, it appears that the resource-id flag is no longer valid.

Can you confirm?

Limit to specific subscription(s)

Thank you for this project! Is it currently possible to limit the destruction to a subset of subscriptions owned by the tenant?

azure-nuke --version is reporting wrong version

0.6.0 release emits version as: azure-nuke version 1.0.0-dev

Exclude resources owned by resource group

At the moment resource group exclusions will prevent the group being destroyed but owned resources are still flagged for destruction. Could we add an option to also exclude the resources owned by the group?
Something like:
Filters:
ResourceGroup:
- foo
- bar
ResourceGroupAll:
- foofoo
- barbar

so current the exclusions filter method is unaffected by the change .

Support AzureDevops

Notes

This is an entirely separate API with a different authentication mechanism.
Might be possible to leverage application auth to generate a PAT then use the PAT to cleanup devops before cleaning up the application. (this should probably a special feature flag)
Potentially support providing a PAT to clean up azure devops.

ERRO[0016] the context used must have a deadline attached for polling purposes, but got no deadline

I'm seeing the following error when it tries to delete resource groups:

ERRO[0015] the context used must have a deadline attached for polling purposes, but got no deadline
eastus/rg2 - ResourceGroup - myResourceGroup - [Location: "eastus", Name: "myResourceGroup", SubscriptionId: "REDACTED"] - failed

Note I am able to successfully run the following while logged in as the same service principal:

az group create --name myResourceGroup --location eastus
az group delete --name myResourceGroup --yes --no-wait

Segfault with --no-dry-run

@ekristen thanks again for the help yesterday. I have a new issue with a segfault. Note I've omitted trace output, but there's no additional logging that happens after "scan complete..." and the panic.

config.yaml

regions:
    - eastus

blocklist:
    - fake-tenant-id

accounts:
    redacted-tenant-id:
        filters:
            ResourceGroup:
                - Default
                - NetworkWatcherRG
            PolicyAssignment:
                - SecurityCenterBuiltIn

--no-dry-run output:

INFO[0000] configured locations[eastus]

eastus/rg0 - ResourceGroup - delete-me_group - [Location: "eastus", Name: "delete-me_group"] - would remove
eastus/rg0 - ResourceGroup - deleteme - [Location: "eastus", Name: "deleteme"] - would remove
eastus/rg0 - VirtualNetwork - delete-me-vnet - [Name: "delete-me-vnet", ResourceGroup: "delete-me_group"] - would remove
eastus/rg0 - SSHPublicKey - somekey - [Name: "somekey", ResourceGroup: "delete-me_group"] - would remove
eastus/rg0 - NetworkSecurityGroup - delete-me-nsg - [Location: "eastus", Name: "delete-me-nsg"] - would remove
eastus/rg0 - VirtualMachine - delete-me - [Name: "delete-me", ResourceGroup: "delete-me_group"] - would remove
eastus/rg0 - NetworkInterface - delete-me293_z1 - [Name: "delete-me293_z1", ResourceGroup: "delete-me_group"] - would remove
eastus/rg0 - PublicIPAddresses - delete-me-ip - [Name: "delete-me-ip", ResourceGroup: "delete-me_group"] - would remove
eastus/rg0 - Disk - delete-me_disk1_23497234987234hjsdf - [Name: "delete-me_disk1_23497234987234hjsdf", ResourceGroup: "delete-me_group"] - would remove
eastus/rg1 - ResourceGroup - delete-me_group - [Location: "eastus", Name: "delete-me_group"] - would remove
eastus/rg1 - ResourceGroup - deleteme - [Location: "eastus", Name: "deleteme"] - would remove
eastus/rg2 - ResourceGroup - delete-me_group - [Location: "eastus", Name: "delete-me_group"] - would remove
eastus/rg2 - ResourceGroup - deleteme - [Location: "eastus", Name: "deleteme"] - would remove
Scan complete: 3123 total, 13 nukeable, 3110 filtered.

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x19cc742]

goroutine 1 [running]:
main.main.func1()
	/home/runner/work/azure-nuke/azure-nuke/main.go:25 +0x54
panic({0x1adac40?, 0x2405950?})
	/opt/hostedtoolcache/go/1.21.6/x64/src/runtime/panic.go:914 +0x21f
github.com/ekristen/azure-nuke/resources.(*ResourceGroup).Remove(0x38?, {0x1d3f880?, 0x2448840?})
	/home/runner/work/azure-nuke/azure-nuke/resources/resource-group.go:38 +0x22
github.com/ekristen/libnuke/pkg/nuke.(*Nuke).HandleRemove(0xc0001a8f50?, {0x1d3f880?, 0x2448840?}, 0xc00150e840)
	/home/runner/go/pkg/mod/github.com/ekristen/[email protected]/pkg/nuke/nuke.go:474 +0x2e
github.com/ekristen/libnuke/pkg/nuke.(*Nuke).HandleQueue(0xc000213400, {0x1d3f880, 0x2448840})
	/home/runner/go/pkg/mod/github.com/ekristen/[email protected]/pkg/nuke/nuke.go:436 +0x105
github.com/ekristen/libnuke/pkg/nuke.(*Nuke).run(0xc000213400, {0x1d3f880, 0x2448840})
	/home/runner/go/pkg/mod/github.com/ekristen/[email protected]/pkg/nuke/nuke.go:225 +0x85
github.com/ekristen/libnuke/pkg/nuke.(*Nuke).Run(0xc000213400, {0x1d3f880, 0x2448840})
	/home/runner/go/pkg/mod/github.com/ekristen/[email protected]/pkg/nuke/nuke.go:209 +0x17a
github.com/ekristen/azure-nuke/pkg/commands/nuke.execute(0xc0001dac40)
	/home/runner/work/azure-nuke/azure-nuke/pkg/commands/nuke/command.go:183 +0x1cc5
github.com/urfave/cli/v2.(*Command).Run(0xc00014a6c0, 0xc0001da600)
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:163 +0x583
github.com/urfave/cli/v2.(*App).RunContext(0xc00020ed00, {0x1d3f880?, 0x2448840}, {0xc000022100, 0x8, 0x8})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:313 +0xaa5
github.com/urfave/cli/v2.(*App).Run(...)
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
	/home/runner/work/azure-nuke/azure-nuke/main.go:45 +0x20d

Is it possible to add Client ID as a filter for application registrations?

Thank you for all the hard work on this nuke script.

The purpose of this issue is to see if it's possible to update this nuke script to allow its users to specify ClientID as a filter option for application registrations. The reason for this is that there are instances where there may be multiple applications with the same displayName and users may be interested in removing just one of them. Being able to specify the ClientID will make sure that we remove the correct app registration.

If there is a way to do this already, please let me know.