feat: Implement MRAP cleanup and bucket version deletion #76
Conversation
Added robust cleanup for Multi-Region Access Points (MRAPs) and bucket versions, including safety checks for jq installation.
Pull request overview
Adds a pre-aws-nuke cleanup phase to remove S3 Multi-Region Access Points (MRAPs) and fully empty associated regional buckets (including object versions and delete markers) before running the existing account nuke workflow.
Changes:
- Added MRAP discovery and per-region bucket cleanup (delete versions, delete markers, remove bucket).
- Added MRAP deletion via `s3control delete-multi-region-access-point`.
- Added a `jq` presence check around the MRAP cleanup block.
| while true; do | ||
| # Fetch batch of versions (suppress errors if bucket is already gone) | ||
| versions=$(aws s3api list-object-versions --bucket "$bucket_name" --region "$region_id" --max-items 1000 --query '{Objects: Versions[].{Key:Key,VersionId:VersionId}}' --output json 2>/dev/null || echo "") | ||
|
|
||
| # Check if empty (jq returns null or empty list) | ||
| count=$(echo "$versions" | jq '.Objects | length' 2>/dev/null || echo "0") | ||
|
|
||
| if [ "$count" == "0" ] || [ "$versions" == "" ] || [ "$count" == "null" ]; then | ||
| break | ||
| fi | ||
|
|
||
| echo " - Deleting batch of $count versions..." | ||
| aws s3api delete-objects --bucket "$bucket_name" --region "$region_id" --delete "$versions" >/dev/null 2>&1 || true | ||
| done |
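Review bot: the `|| echo ""` on the `list-object-versions` call folds every listing failure (AccessDenied, a wrong region, throttling) into the same empty string that the `[ "$versions" == "" ]` test treats as "bucket is empty", so a permission error silently ends the loop and the later bucket removal runs against a bucket that still holds versions. Capture the exit status separately from the output and only break cleanly on NoSuchBucket, for example by sending stderr to a temp file and checking it: `versions=$(aws s3api list-object-versions ... 2>"$errfile") || { grep -q NoSuchBucket "$errfile" && break; echo "list failed: $(cat "$errfile")"; return 1; }`. The `--max-items 1000` page size does line up with the 1000-key limit of `delete-objects`, so the batching itself is sound.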
These deletion loops can become infinite if delete-objects fails (e.g., AccessDenied, Object Lock, invalid region) because the failure is ignored (|| true) and the next iteration will re-list the same versions and keep retrying forever. Capture and check the exit status (and/or add a max-iterations/timeout or break when a delete attempt makes no progress) so the script can fail fast or skip with a clear warning instead of hanging indefinitely.
| # 5. Loop to delete ALL Delete Markers (Handles >1000 items pagination) | ||
| while true; do | ||
| markers=$(aws s3api list-object-versions --bucket "$bucket_name" --region "$region_id" --max-items 1000 --query '{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}}' --output json 2>/dev/null || echo "") | ||
|
|
||
| count=$(echo "$markers" | jq '.Objects | length' 2>/dev/null || echo "0") | ||
|
|
||
| if [ "$count" == "0" ] || [ "$markers" == "" ] || [ "$count" == "null" ]; then | ||
| break | ||
| fi | ||
|
|
||
| echo " - Deleting batch of $count markers..." | ||
| aws s3api delete-objects --bucket "$bucket_name" --region "$region_id" --delete "$markers" >/dev/null 2>&1 || true | ||
| done |
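Review bot: this block is a verbatim copy of the versions loop above with only `DeleteMarkers[]` substituted in the JMESPath query, so any fix applied to one loop (exit-status handling, progress detection) is easy to miss in the other. Factor both into one function that takes the projection as an argument, e.g. `purge_batches "$bucket_name" "$region_id" 'Versions[]'` and `purge_batches "$bucket_name" "$region_id" 'DeleteMarkers[]'`; `delete-objects` accepts the version IDs of delete markers exactly as it does object versions, so the delete step inside the function needs no special-casing.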
Same infinite-loop risk as the versions loop: if delete-objects fails, the marker count may never decrease and this while true will run indefinitely because errors are suppressed. Add failure handling/progress detection (or a bounded retry policy) so the cleanup phase can terminate predictably with actionable output.
| # 0. Safety Check: Ensure jq is installed | ||
| if ! command -v jq &> /dev/null; then | ||
| echo -e "\e[31mError: 'jq' is not installed. MRAP cleanup requires jq. Skipping.\e[0m" | ||
| else |
The jq “safety check” here is ineffective because this script already uses jq earlier (e.g., parsing list-accounts and assume-role output) and will exit due to set -e before reaching this block if jq is missing. Move the jq dependency check to the top before the first jq usage (or remove this block-level check) so the behavior matches the message about skipping MRAP cleanup.