Guillaume Coré
2019-09-03 979600e31b34f01348cb16de4a06353d8446c9e4
Improve aws-nuke filtering, don't delete resources that cannot be
1 files modified
37 ■■■■■ changed files
ansible/roles/infra-aws-sandbox/defaults/main.yml 37 ●●●●●
ansible/roles/infra-aws-sandbox/defaults/main.yml
@@ -54,13 +54,23 @@
    - config-rule-role
    - OrganizationAccountAccessRole
    - AWSServiceRoleForCloudTrail
    - AWSServiceRoleForElasticLoadBalancing
    - AWSServiceRoleForOrganizations
    - AWSServiceRoleForSupport
    - AWSServiceRoleForTrustedAdvisor
  IAMRolePolicy:
    - "OrganizationAccountAccessRole -> AdministratorAccess"
  IAMRolePolicyAttachment:
    - property: RoleName
      value: "OrganizationAccountAccessRole"
      value: OrganizationAccountAccessRole
    - AWSServiceRoleForCloudTrail -> CloudTrailServiceRolePolicy
    - AWSServiceRoleForElasticLoadBalancing -> AWSElasticLoadBalancingServiceRolePolicy
    - AWSServiceRoleForOrganizations -> AWSOrganizationsServiceTrustPolicy
    - AWSServiceRoleForSupport -> AWSSupportServiceRolePolicy
    - AWSServiceRoleForTrustedAdvisor -> AWSTrustedAdvisorServiceRolePolicy
  IAMPolicy:
    - arn:aws:iam::{{ account_id }}:policy/config-rule-policy
@@ -74,6 +84,31 @@
  CloudTrailTrail:
    - RHOrganization
  # The following resources cannot be delete, so skip them by default
  KMSAlias:
    - alias/aws/dynamodb
    - alias/aws/ebs
    - alias/aws/elasticfilesystem
    - alias/aws/es
    - alias/aws/glue
    - alias/aws/kinesisvideo
    - alias/aws/rds
    - alias/aws/redshift
    - alias/aws/s3
    - alias/aws/ssm
    - alias/aws/xray
  KMSKey:
    # AWS managed key
    - 019e63a9-089e-42d8-9125-9e8461923851
    - 73df181b-38b8-44b6-8488-f8226933e7bf
    - 6cadef27-c9cf-4024-82a3-1e0cdab6431f
    - af193208-b881-44d0-b420-aaa43bbce83c
    - f4b1b7ab-8d6f-464b-9ff3-c1a9e2520039
    - 5e386636-7213-40f4-a3eb-843a4072e755
    - 9c0396a9-72be-4d1e-8298-4615c07d03ab
  MediaConvertQueue:
    - Default
##############################
# POOL management
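Review bot: The seven UUIDs added under `KMSKey` in the second hunk are hard-coded in the role defaults, while the `IAMPolicy` entry in the first hunk is templated with `{{ account_id }}`. AWS-managed key IDs are, as far as I know, generated per account and region, so these filters would only match in the account(s) they were copied from. In any other sandbox account aws-nuke would presumably still attempt to remove the AWS-managed keys, and a recycled sandbox could be reported as not fully cleaned. Consider moving the list to a per-account variable, or at least extending the comment to something like `# AWS managed keys: IDs are account/region specific, taken from <ACCOUNT_AND_REGION_PLACEHOLDER>`. If the aws-nuke version in use supports glob filters, the `KMSAlias` list could likewise become a single entry (`- type: glob` with `value: "alias/aws/*"`), which would also cover AWS-managed aliases for services not yet listed; the trailing context of this hunk appears to be cut off on the page.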