feat: Add scripts to delete tagged SGs and EFS

dannysteenman · Feb 1, 2024 · be9bf71 · be9bf71
1 parent e4f617b
commit be9bf71
Show file tree

Hide file tree

Showing 3 changed files with 150 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ A Collection of Awesome Tools and Scripts for Cloud Engineers.
     - [CodePipeline](#codepipeline)
     - [EC2 scripts](#ec2-scripts)
     - [ECS scripts](#ecs-scripts)
+    - [EFS scripts](#efs-scripts)
     - [IAM scripts](#iam-scripts)
     - [Organizations \& IAM Identity Center scripts](#organizations--iam-identity-center-scripts)
     - [S3 scripts](#s3-scripts)
@@ -68,6 +69,7 @@ A Collection of Awesome Tools and Scripts for Cloud Engineers.
 - **[delete_all_unused_elastic_ips.py](ec2/delete_all_unused_elastic_ips.py)** - Finds and deletes all unused Elastic IPs in all AWS Regions
 - **[delete_all_unused_keypairs.py](ec2/delete_all_unused_keypairs.py)** - Deletes all unused EC2 keypairs in all AWS Region
 - **[delete_unused_keypairs.py](ec2/delete_unused_keypairs.py)** - Finds and deletes all unused EC2 keypairs in a single AWS Region
+- **[delete_tagged_security_groups.py](ec2/delete_tagged_security_groups.py)** - Finds and deletes all tagged security groups including in- and outbound rules
 - **[find_all_unattached_volumes.py](ec2/find_all_unattached_volumes.py)** - Finds all unattached EBS volumes in all AWS Regions
 - **[find_all_unused_keypairs.py](ec2/find_all_unused_keypairs.py)** - Finds all used and unused EC2 keypairs in all AWS Regions
 - **[find_unused_keypairs.py](ec2/find_unused_keypairs.py)** - Finds all used and unused EC2 keypairs in a single region
@@ -80,6 +82,9 @@ A Collection of Awesome Tools and Scripts for Cloud Engineers.
 - **[delete_all_inactive_task_definitions.py](ecs/delete_all_inactive_task_definitions.py)** - Deletes all inactive task definitions in the ECS service in all AWS Regions.
 - **[publish_ecr_image.sh](ecs/publish_ecr_image.sh)** - Build a Docker image and publish it to Amazon ECR.
 
+### EFS scripts
+- **[delete_tagged_efs.py](efs/delete_tagged_efs.py)** - Finds and deletes all tagged elastic file systems including mount targets
+
 ### IAM scripts
 
 - **[delete_iam_user](iam/delete_iam_user.py)** - This script deletes iam users.

diff --git a/ec2/delete_tagged_security_groups.py b/ec2/delete_tagged_security_groups.py
@@ -0,0 +1,72 @@
+#  https://github.com/dannysteenman/aws-toolbox
+#
+#  License: MIT
+#
+# This script finds and deletes all tagged security groups including in- and outbound rules
+
+import boto3
+
+
+def find_security_groups(ec2_client, tag_key, tag_value_contains):
+    # Get all security groups in the region
+    response = ec2_client.describe_security_groups()
+
+    # Filter security groups based on the specified tags
+    filtered_security_groups = []
+    for sg in response["SecurityGroups"]:
+        for tag in sg.get("Tags", []):
+            if tag.get("Key") == tag_key and tag_value_contains in tag.get("Value", ""):
+                filtered_security_groups.append(sg)
+
+    return filtered_security_groups
+
+
+def revoke_permissions(ec2_client, group_id, permissions):
+    for sg in permissions:
+        if sg.get("IpPermissions", []):
+            for rule in sg.get("IpPermissions", []):
+                ec2_client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[rule])
+                print("Revoked ingress IP permissions for Security Group ID: {}".format(group_id))
+        if sg.get("IpPermissionsEgress", []):
+            for rule in sg.get("IpPermissionsEgress", []):
+                ec2_client.revoke_security_group_egress(GroupId=group_id, IpPermissions=[rule])
+                print("Revoked egress IP permissions for Security Group ID: {}".format(group_id))
+
+
+def delete_security_group(ec2_client, group_id):
+    ec2_client.delete_security_group(GroupId=group_id)
+    print("Deleted Security Group ID: {}".format(group_id))
+
+
+def main():
+    # Fetch AWS account ID from boto3 session
+    account_id = boto3.client("sts").get_caller_identity().get("Account")
+
+    aws_region = "eu-central-1"
+    ec2_client = boto3.client("ec2", region_name=aws_region)
+
+    # Modify the tag key and value to your own liking
+    tag_key = "ManagedByAmazonSageMakerResource"
+    tag_value_contains = f"arn:aws:sagemaker:{aws_region}:{account_id}:domain"
+
+    # Find security groups
+    tagged_security_groups = find_security_groups(ec2_client, tag_key, tag_value_contains)
+
+    # Iterate through security groups, revoke permissions, and delete
+    for sg in tagged_security_groups:
+        group_id = sg["GroupId"]
+
+        # Fetch the current ingress and egress IP permissions
+        sg = ec2_client.describe_security_groups(Filters=[{"Name": "group-id", "Values": [group_id]}]).get(
+            "SecurityGroups", []
+        )
+
+        # Revoke permissions
+        revoke_permissions(ec2_client, group_id, sg)
+
+        # Delete the security group
+        delete_security_group(ec2_client, group_id)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/efs/delete_tagged_efs.py b/efs/delete_tagged_efs.py
@@ -0,0 +1,73 @@
+#  https://github.com/dannysteenman/aws-toolbox
+#
+#  License: MIT
+#
+# This script finds and deletes all tagged elastic file systems including mount targets
+
+import boto3
+import time
+import random
+
+
+def find_efs_filesystems(efs_client, tag_key, tag_value_contains):
+    response = efs_client.describe_file_systems()
+
+    filtered_filesystems = []
+    for fs in response["FileSystems"]:
+        for tag in fs.get("Tags", []):
+            if tag.get("Key") == tag_key and tag_value_contains in tag.get("Value", ""):
+                filtered_filesystems.append(fs)
+
+    return filtered_filesystems
+
+
+def delete_mount_targets(efs_client, filesystem_id):
+    response = efs_client.describe_mount_targets(FileSystemId=filesystem_id)
+
+    for mt in response["MountTargets"]:
+        efs_client.delete_mount_target(MountTargetId=mt["MountTargetId"])
+        print("Deleted Mount Target: {}".format(mt["MountTargetId"]))
+
+
+def delete_efs_filesystem(efs_client, filesystem_id):
+    max_retries = 5
+    current_retry = 0
+
+    while current_retry < max_retries:
+        try:
+            # Delete the mount targets for the EFS filesystem
+            delete_mount_targets(efs_client, filesystem_id)
+
+            # Wait with exponential backoff
+            delay = (2**current_retry) + random.uniform(0, 1)
+            print(f"Waiting for {delay} seconds before attempting to delete the EFS filesystem.")
+            time.sleep(delay)
+
+            # Delete the specified EFS filesystem
+            efs_client.delete_file_system(FileSystemId=filesystem_id)
+            print("Deleted EFS Filesystem: {}".format(filesystem_id))
+            break
+        except efs_client.exceptions.FileSystemInUse as e:
+            current_retry += 1
+            print(f"Retry {current_retry}/{max_retries}: {e}")
+
+
+def main():
+    # Fetch AWS account ID from boto3 session
+    account_id = boto3.client("sts").get_caller_identity().get("Account")
+    aws_region = "eu-central-1"
+
+    # Modify the tag key and value to your own liking
+    tag_key = "ManagedByAmazonSageMakerResource"
+    tag_value_contains = f"arn:aws:sagemaker:{aws_region}:{account_id}:domain"
+
+    efs_client = boto3.client("efs", region_name=aws_region)
+    efs_filesystems = find_efs_filesystems(efs_client, tag_key, tag_value_contains)
+
+    for fs in efs_filesystems:
+        filesystem_id = fs["FileSystemId"]
+        delete_efs_filesystem(efs_client, filesystem_id)
+
+
+if __name__ == "__main__":
+    main()