switch for settings and config package from libnuke, improve docs (ekristen#28)

* switch for settings and config package from libnuke, improve docs

* fix: tests

* fix: do not upload to codeconv yet

Author: ekristen

.github/workflows/tests.yml

@@ -1,8 +1,13 @@
 name: tests
+
 on:
+  push:
+    branches:
+      - main
   pull_request:
     branches:
       - main
+
 jobs:
   test:
     name: test
@@ -11,10 +16,10 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version: '1.21.x'
       - name: download go mods
         run: |
           go mod download
       - name: run go tests
         run: |
-          go test -timeout 60s -run ./...
+          go test -timeout 60s -race -coverprofile=coverage.txt -covermode=atomic ./...

.golangci.yaml

@@ -0,0 +1,74 @@
+linters-settings:
+  dupl:
+    threshold: 100
+  funlen:
+    lines: 100
+    statements: 50
+  goconst:
+    min-len: 2
+    min-occurrences: 3
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - experimental
+      - opinionated
+      - performance
+      - style
+    disabled-checks:
+      - dupImport # https://github.com/go-critic/go-critic/issues/845
+      - ifElseChain
+      - octalLiteral
+      - whyNoLint
+  gocyclo:
+    min-complexity: 15
+  golint:
+    min-confidence: 0
+  lll:
+    line-length: 140
+  maligned:
+    suggest-new: true
+  misspell:
+    locale: US
+
+linters:
+  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  disable-all: true
+  enable:
+    - bodyclose
+    - dogsled
+    - errcheck
+    - exportloopref
+    - funlen
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - goimports
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - nilnil
+    - noctx
+    - nolintlint
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+
+issues:
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - funlen
+
+run:
+  timeout: 2m

docs/custom-endpoints.md renamed to docs/config-custom-endpoints.md

@@ -0,0 +1,53 @@
+# Configuration Migration
+
+## Version 2.x to 3.x
+
+The configuration file format has changed from version 2.x to 3.x. However, it is still 100% backward compatible with
+the old format. The new format is more flexible and allows for more complex configurations.
+
+### Changes
+
+- The `targets` key has been deprecated in favor of `includes`.
+- The `feature-flags` key has been deprecated in favor of `settings`.
+
+### Migration
+
+The migration for `targets` is very simply, simply rename the key to `includes`
+
+```yaml
+resource-types:
+  targets:
+    - S3Object
+    - S3Bucket
+    - IAMRole
+```
+
+Becomes
+
+```yaml
+resource-types:
+  includes:
+    - S3Object
+    - S3Bucket
+    - IAMRole
+```
+
+The migration for `feature-flags` takes a little more than renaming the key. The `settings` key is now used to map
+settings to a specific resource and that resource's definition within the tool announces the need for a setting.
+
+```yaml
+feature-flags:
+  disable-deletion-protection:
+    RDSInstance: true
+    EC2Instance: true
+```
+
+Becomes
+
+```yaml
+settings:
+  EC2Instance:
+    DisableDeletionProtection: true
+  RDSInstance:
+    DisableDeletionProtection: true
+```

docs/filtering.md renamed to docs/config-filtering.md

@@ -0,0 +1,53 @@
+# Presets
+
+It might be the case that some filters are the same across multiple accounts. This especially could happen, if
+provisioning tools like Terraform are used or if IAM resources follow the same pattern.
+
+For this case *aws-nuke* supports presets of filters, that can applied on multiple accounts.
+
+`Presets` are defined globally. They can then be referenced in the `accounts` section of the configuration.
+
+A preset configuration could look like this:
+
+```yaml
+presets:
+  common:
+    filters:
+      IAMAccountSettingPasswordPolicy:
+        - custom
+      IAMRole:
+        - "OrganizationAccountAccessRole"
+```
+
+An account referencing a preset would then look something like this:
+
+```yaml
+accounts:
+  1234567890:
+    presets:
+      - common
+```
+
+Putting it all together it would look something like this:
+
+```yaml
+blocklist:
+  - 0012345678
+
+regions:
+  - global
+  - us-east-1
+
+accounts:
+  1234567890:
+    presets:
+      - common
+
+presets:
+  common:
+    filters:
+      IAMAccountSettingPasswordPolicy:
+        - custom
+      IAMRole:
+        - OrganizationAccountAccessRole
+```

docs/config-migration.md

@@ -0,0 +1,143 @@
+# Config
+
+The configuration is the user supplied configuration that is used to drive the nuke process. The configuration is a YAML file that is loaded from the path specified by the --config flag.
+
+## Sections
+
+The configuration is broken down into the following sections:
+
+- [blocklist](#blocklist)
+- [regions](#regions)
+- [accounts](#accounts)
+    - [presets](#presets)
+    - [filters](#filters)
+    - [resource-types](#resource-types)
+        - [includes](#includes)
+        - [excludes](#excludes)
+        - [cloud-control](#cloud-control)
+        - targets (deprecated, use includes)
+- [resource-types](#resource-types)
+    - [includes](#includes)
+    - [excludes](#excludes)
+    - [cloud-control](#cloud-control)
+    - targets (deprecated, use includes)
+- [feature-flags](#feature-flags) (deprecated, use settings instead)
+- [settings](#settings)
+- [presets](#global-presets)
+
+## Simple Example
+
+```yaml
+blocklist:
+  - 1234567890
+
+regions:
+  - global
+  - us-east-1
+
+accounts:
+  0987654321:
+    filters:
+      IAMUser:
+        - "admin"
+      IAMUserPolicyAttachment:
+        - "admin -> AdministratorAccess"
+      IAMUserAccessKey:
+        - "admin -> AKSDAFRETERSDF"
+        - "admin -> AFGDSGRTEWSFEY"
+
+resource-types:
+  includes:
+    - IAMUser
+    - IAMUserPolicyAttachment
+    - IAMUserAccessKey
+
+settings:
+  EC2Instance:
+    DisableDeletionProtection: true
+  RDSInstance:
+    DisableDeletionProtection: true
+```
+
+## Blocklist
+
+The blocklist is simply a list of Accounts that the tool cannot run against. This is to protect the user from accidentally
+running the tool against the wrong account. The blocklist must always be populated with at least one entry.
+
+## Regions
+
+The regions is a list of AWS regions that the tool will run against. The tool will run against all regions specified in the
+configuration. If no regions are listed, then the tool will **NOT** run against any region. Regions must be explicitly
+provided.
+
+## Accounts
+
+The accounts section is a map of AWS Account IDs to their configuration. The account ID is the key and the value is the
+configuration for that account.
+
+The configuration for each account is broken down into the following sections:
+
+- presets
+- filters
+- resource-types
+    - targets (deprecated, use includes)
+    - includes
+    - excludes
+    - cloud-control
+
+### Presets
+
+Presets under an account entry is a list of strings that must map to a globally defined preset in the configuration.
+
+### Filters
+
+Filters is a map of filters against resource types. To learn more about filters, see the [Filtering](./config-filtering.md)
+
+**Note:** filters can be defined at the account level and at the preset level.
+
+## Resource Types
+
+Resource types is a map of resource types to their configuration. The resource type is the key and the value is the
+configuration for that resource type.
+
+The configuration for each resource type is broken down into the following sections:
+
+- includes
+- excludes
+- cloud-control
+- targets (deprecated, use includes)
+
+### Includes
+
+Includes are a list of resource types the tool will run against. If no includes are specified, then the tool will run against
+all resource types.
+
+### Excludes
+
+Excludes are a list of resource types the tool will not run against. If no excludes are specified, then the tool will run
+against all resource types unless Includes is specified.
+
+### Cloud Control
+
+Cloud Control is a map of resource types to their cloud control configuration. This allows for alternative behavior when
+removing resources. If a resource has a Cloud Control alternative, and you'd like to use its behavior, then you can specify
+the resource type in the `cloud-control` section.
+
+## Feature Flags
+
+!!! warning
+    Deprecated. Please use settings instead.
+
+Feature flags are a map of resource types to their feature flag configuration. This allows for alternative behavior when
+removing resources. If a resource has a feature flag alternative, and you'd like to use its behavior, then you can specify
+the resource type in the `feature-flags` section.
+
+## Settings
+
+Settings are a map of resource types to their settings configuration. This allows for alternative behavior when removing
+resources. If a resource has a setting alternative, and you'd like to use its behavior, then you can specify the resource
+type in the `settings` section.
+
+## Global Presets
+
+To read more on global presets, see the [Presets](./config-presets.md) documentation.

docs/config-presets.md

@@ -25,3 +25,19 @@ aws-nuke, and [azure-nuke](https://github.com/ekristen/azure-nuke) and soon [gcp
 I also needed a version of this tool for Azure and GCP, and initially I just copied and altered the code I needed for
 Azure, but I didn't want to have to maintain multiple copies of the same code, so I decided to create
 [libnuke](https://github.com/ekristen/libnuke) to abstract all the code that was common between the two tools and write proper unit tests for it. 
+
+## Why a rewrite?
+
+I decided to rewrite this tool for a few reasons:
+
+- [x] I wanted to improve the build process by using `goreleaser`
+- [x] I wanted to improve the release process by using `goreleaser` and publishing multi-architecture images
+- [x] I also wanted to start signing all the releases
+- [x] I wanted to add additional tests and improve the test coverage, more tests on the way for individual resources.
+    - [libnuke](https://github.com/ekristen/libnuke) is at 94%+ overall test coverage.
+- [x] I wanted to reduce the maintenance burden by abstracting the core code into a library
+- [x] I wanted to make adding additional resources more easy and lowering the barrier to entry
+- [x] I wanted to add a lot more documentation and examples
+- [x] I wanted to take steps to make way for AWS SDK Version 2
+- [ ] I wanted to add a DAG for dependencies between resource types and individual resources (this is still a work in progress)
+    - This will improve the process of deleting resources that have dependencies on other resources and reduce errors and unnecessary API calls.

docs/config.md

@@ -4,7 +4,7 @@ go 1.21.6
 
 require (
 	github.com/aws/aws-sdk-go v1.49.21
-	github.com/ekristen/libnuke v0.0.0-20240116165357-96b399754078
+	github.com/ekristen/libnuke v0.0.0-20240122232527-922a9af6ba13
 	github.com/fatih/color v1.16.0
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.5.0
@@ -29,10 +29,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/stevenle/topsort v0.2.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/tools v0.1.1 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.org/x/sys v0.16.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )