Fix nukeSecurityGroup for delete chained-security-group (#317)

Author: wsscc2021

aws/ec2.go

@@ -343,6 +343,44 @@ func (v Vpc) nukeSecurityGroups() error {
 			},
 		},
 	)
+
+	for _, securityGroup := range securityGroups.SecurityGroups {
+		securityGroupRules, _ := v.svc.DescribeSecurityGroupRules(
+			&ec2.DescribeSecurityGroupRulesInput{
+				Filters: []*ec2.Filter{
+					{
+						Name:   awsgo.String("group-id"),
+						Values: []*string{securityGroup.GroupId},
+					},
+				},
+			},
+		)
+		for _, securityGroupRule := range securityGroupRules.SecurityGroupRules {
+			logging.Logger.Infof("...deleting Security Group Rule %s", awsgo.StringValue(securityGroupRule.SecurityGroupRuleId))
+			if *securityGroupRule.IsEgress {
+				_, err := v.svc.RevokeSecurityGroupEgress(
+					&ec2.RevokeSecurityGroupEgressInput{
+						GroupId: securityGroup.GroupId,
+						SecurityGroupRuleIds: []*string{securityGroupRule.SecurityGroupRuleId},
+					},
+				)
+				if err != nil {
+					return errors.WithStackTrace(err)
+				}
+			} else {
+				_, err := v.svc.RevokeSecurityGroupIngress(
+					&ec2.RevokeSecurityGroupIngressInput{
+						GroupId: securityGroup.GroupId,
+						SecurityGroupRuleIds: []*string{securityGroupRule.SecurityGroupRuleId},
+					},
+				)
+				if err != nil {
+					return errors.WithStackTrace(err)
+				}
+			}
+		}
+	}
+
 	for _, securityGroup := range securityGroups.SecurityGroups {
 		logging.Logger.Infof("...deleting Security Group %s", awsgo.StringValue(securityGroup.GroupId))
 		if *securityGroup.GroupName != "default" {

aws/ec2_test.go

@@ -32,6 +32,7 @@ const (
 	ExampleSecurityGroupId      = "sg-" + ExampleId
 	ExampleSecurityGroupIdTwo   = "sg-" + ExampleIdTwo
 	ExampleSecurityGroupIdThree = "sg-" + ExampleIdThree
+	ExampleSecurityGroupRuleId  = "sgr-" + ExampleId
 	ExampleInternetGatewayId    = "igw-" + ExampleId
 	ExampleEndpointId           = "vpce-" + ExampleId
 )

aws/ec2_unit_test.go

@@ -149,6 +149,14 @@ func TestNukeMockVpcs(t *testing.T) {
 		}
 		deleteNetworkAclInput := getDeleteNetworkAclInput(ExampleNetworkAclId)
 
+		describeSecurityGroupRulesInput := getDescribeSecurityGroupRulesInput(ExampleSecurityGroupId)
+		describeSecurityGroupRulesOutput := getDescribeSecurityGroupRulesOutput([]string{ExampleSecurityGroupRuleId})
+		describeSecurityGroupRulesFunc := func(input *ec2.DescribeSecurityGroupRulesInput) (*ec2.DescribeSecurityGroupRulesOutput, error) {
+			return describeSecurityGroupRulesOutput, nil
+		}
+		revokeSecurityGroupEgressInput := getRevokeSecurityGroupEgressInput(ExampleSecurityGroupId ,ExampleSecurityGroupRuleId)
+		revokeSecurityGroupIngressInput := getRevokeSecurityGroupIngressInput(ExampleSecurityGroupId, ExampleSecurityGroupRuleId)
+
 		describeSecurityGroupsInput := getDescribeSecurityGroupsInput(vpc.VpcId)
 		describeSecurityGroupsOutput := getDescribeSecurityGroupsOutput([]string{ExampleSecurityGroupId})
 		describeSecurityGroupsFunc := func(input *ec2.DescribeSecurityGroupsInput) (*ec2.DescribeSecurityGroupsOutput, error) {
@@ -174,6 +182,9 @@ func TestNukeMockVpcs(t *testing.T) {
 			mockEC2.EXPECT().DescribeNetworkAcls(describeNetworkAclsInput).DoAndReturn(describeNetworkAclsFunc),
 			mockEC2.EXPECT().DeleteNetworkAcl(deleteNetworkAclInput),
 			mockEC2.EXPECT().DescribeSecurityGroups(describeSecurityGroupsInput).DoAndReturn(describeSecurityGroupsFunc),
+			mockEC2.EXPECT().DescribeSecurityGroupRules(describeSecurityGroupRulesInput).DoAndReturn(describeSecurityGroupRulesFunc),
+			mockEC2.EXPECT().RevokeSecurityGroupEgress(revokeSecurityGroupEgressInput),
+			mockEC2.EXPECT().RevokeSecurityGroupIngress(revokeSecurityGroupIngressInput),
 			mockEC2.EXPECT().DeleteSecurityGroup(deleteSecurityGroupInput),
 			mockEC2.EXPECT().DeleteVpc(deleteVpcInput),
 		)

aws/mock_ec2_utils_for_test.go

@@ -127,6 +127,46 @@ func getDeleteNetworkAclInput(networkAclId string) *ec2.DeleteNetworkAclInput {
 	}
 }
 
+func getDescribeSecurityGroupRulesInput(securityGroupId string) *ec2.DescribeSecurityGroupRulesInput {
+	return &ec2.DescribeSecurityGroupRulesInput{
+		Filters: []*ec2.Filter{
+			&ec2.Filter{
+				Name:   awsgo.String("group-id"),
+				Values: []*string{awsgo.String(securityGroupId)},
+			},
+		},
+	}
+}
+
+func getDescribeSecurityGroupRulesOutput(securityGroupRuleIds []string) *ec2.DescribeSecurityGroupRulesOutput {
+	var securityGroupRules []*ec2.SecurityGroupRule
+	for _, securityGroupRule := range securityGroupRuleIds {
+		securityGroupRules = append(securityGroupRules, &ec2.SecurityGroupRule{
+			IsEgress: awsgo.Bool(true), // egress rule
+			SecurityGroupRuleId: awsgo.String(securityGroupRule),
+		})
+		securityGroupRules = append(securityGroupRules, &ec2.SecurityGroupRule{
+			IsEgress: awsgo.Bool(false), // ingress rule
+			SecurityGroupRuleId: awsgo.String(securityGroupRule),
+		})
+	}
+	return &ec2.DescribeSecurityGroupRulesOutput{SecurityGroupRules: securityGroupRules}
+}
+
+func getRevokeSecurityGroupEgressInput(securityGroupId string, securityGroupRuleId string) *ec2.RevokeSecurityGroupEgressInput {
+	return &ec2.RevokeSecurityGroupEgressInput{
+		GroupId: awsgo.String(securityGroupId),
+		SecurityGroupRuleIds: []*string{awsgo.String(securityGroupRuleId)},
+	}
+}
+
+func getRevokeSecurityGroupIngressInput(securityGroupId string, securityGroupRuleId string) *ec2.RevokeSecurityGroupIngressInput {
+	return &ec2.RevokeSecurityGroupIngressInput{
+		GroupId: awsgo.String(securityGroupId),
+		SecurityGroupRuleIds: []*string{awsgo.String(securityGroupRuleId)},
+	}
+}
+
 func getDescribeSecurityGroupsInput(vpcId string) *ec2.DescribeSecurityGroupsInput {
 	return &ec2.DescribeSecurityGroupsInput{
 		Filters: []*ec2.Filter{