
AWS RAM Shared Resources failing to be removed (Subnet, VPC, Route Table, DHCP Option Sets, IGW+Attachments) #497

Open
mystcb opened this issue Jan 5, 2025 · 3 comments

Comments

mystcb commented Jan 5, 2025

First time here, so apologies if I have reported this incorrectly. I am happy to re-do this if I have missed something.

I know issue #336 was closed, as no other resources had been reported; however, in our Sandbox account we do have an issue with a RAM share that causes a number of resources to be shared, and they end up being recognised by aws-nuke as things to delete when it can't.

Error Message

eu-west-2 - EC2VPC - vpc-12345678901234567 - [ID: "vpc-12345678901234567", IsDefault: "false", OwnerID: "123456789101"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteVpc operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id:xxxx
eu-west-2 - EC2RouteTable - rtb-12345678901234567 - [DefaultVPC: "false", OwnerID: "123456789101", vpc:ID: "vpc-12345678901234567", vpcID: "vpc-12345678901234567"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteRouteTable operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxxx
eu-west-2 - EC2RouteTable - rtb-12345678907654321 - [DefaultVPC: "false", OwnerID: "123456789101", vpc:ID: "vpc-12345678901234567", vpcID: "vpc-12345678901234567"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteRouteTable operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxxx
eu-west-2 - EC2Subnet - subnet-00000000000000001 - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "123456789101", VpcID: "vpc-12345678901234567"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteSubnet operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxxx
eu-west-2 - EC2Subnet - subnet-00000000000000002 - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "123456789101", VpcID: "vpc-12345678901234567"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteSubnet operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxxx
eu-west-2 - EC2DHCPOption - dopt-00000000000000616 - [DefaultVPC: "false", OwnerID: "123456789101"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteDhcpOptions operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxxx
eu-west-2 - EC2InternetGateway - igw-000000000000008524 - [DefaultVPC: "false", OwnerID: "123456789101"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteInternetGateway operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxx
eu-west-2 - EC2InternetGatewayAttachment - igw-000000000000008524 -> vpc-12345678901234567 - [DefaultVPC: "false", igw:OwnerID: "123456789101", vpc:OwnerID: "123456789101"] - failed
UnauthorizedOperation: You are not authorized to perform DetachInternetGateway operation. A subnet in this vpc is shared but the provided object is not owned by you
        status code: 403, request id: xxx
FATA[0047] failed

To generate this, I created a VPC in another Organization Member account, specifically created 2x Public Subnets (IGW, Route Tables, etc.) and then shared the Public Subnets to our Sandbox account. This automatically appears in the VPC console with the associated additional resources it needs to run, with the OwnerID of the origin account. (This is why there are two separate EC2Subnet resources attempting to be removed.)

I couldn't see anything within the config to exclude based on the OwnerID being different, but I could have completely missed this; looking at the docs, I don't think this is possible at this time?

Apologies if this isn't everything you need; more than happy to add more.

aws-nuke --version
aws-nuke version v3.42.0

Running MacOS 15.2 (but also running on Ubuntu 22.04 and 24.04 in a GitHub Actions pipeline).

Thank you again for this tool, it is amazing, and has saved us quite a bit! Please let me know if you need anything else, or if I have logged this incorrectly.

ekristen (Owner) commented Jan 5, 2025

Just keep calling out resources is the best I can say and I'll do my best to fix them. It's really hard to cover all RAM shareable resources.

mystcb (Author) commented Jan 10, 2025

In case anyone needs it: I got around it for the moment by making two additions to the filters: section for this account. It's a workaround for now, but hopefully it helps:

    filters:
      __global__:
        - property: "OwnerID"
          value: "123456789101"
        - property: "igw:OwnerID"
          value: "123456789101"

This at least covers it for the resources in question. The OwnerID seemed to pick up everything except the Transit Gateway, which for some reason has very different properties attached to it. Guessing it is possible to have an IGW shared from another account attached to a VPC that is then shared into a different account.

[DefaultVPC: "false", igw:OwnerID: "123456789101", vpc:OwnerID: "123456789101"]

I hope the above filter helps people, it meant my pipeline reported back without failing this time!

Thanks again for your continued work on this!
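As an added example (not code from the issue or from aws-nuke itself): a small Python script that parses aws-nuke's per-resource output lines in the format quoted above, picks out every OwnerID-style property (including the prefixed igw:OwnerID and vpc:OwnerID) whose value is not the account being nuked, and emits the matching __global__ filter entries. The sample log lines and both account IDs are constructed, and the line format is assumed to match the output quoted in this issue.

```python
"""Derive aws-nuke __global__ OwnerID filters for RAM-shared resources from a log."""
import re

# Constructed sample in the shape of the aws-nuke output quoted in the issue.
# 999999999999 plays the sandbox account; 123456789101 the sharing (origin) account.
SAMPLE_LOG = """\
eu-west-2 - EC2VPC - vpc-12345678901234567 - [ID: "vpc-12345678901234567", IsDefault: "false", OwnerID: "123456789101"] - failed
UnauthorizedOperation: You are not authorized to perform DeleteVpc operation.
        status code: 403, request id: xxxx
eu-west-2 - EC2Subnet - subnet-00000000000000001 - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "123456789101", VpcID: "vpc-12345678901234567"] - failed
eu-west-2 - EC2InternetGatewayAttachment - igw-000000000000008524 -> vpc-12345678901234567 - [DefaultVPC: "false", igw:OwnerID: "123456789101", vpc:OwnerID: "123456789101"] - failed
eu-west-2 - EC2Subnet - subnet-00000000000000009 - [DefaultForAz: "false", DefaultVPC: "false", OwnerID: "999999999999", VpcID: "vpc-00000000000000009"] - would remove
"""

# region - type - id - [props] - status ; the id may contain " -> " (attachments)
LINE_RE = re.compile(r'^(?P<region>\S+) - (?P<type>\S+) - (?P<id>.+?) - \[(?P<props>.*)\] - (?P<status>.+)$')
PROP_RE = re.compile(r'([\w:]+): "([^"]*)"')


def parse_log(text):
    """Return (resource type, id, properties dict, status) per resource line.
    Error-detail and status-code lines do not match LINE_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        props = dict(PROP_RE.findall(m.group("props")))
        rows.append((m.group("type"), m.group("id"), props, m.group("status")))
    return rows


def foreign_owner_filters(text, account_id):
    """Filter entries for every *OwnerID property whose value is another account.
    Matching on the key suffix also catches prefixed keys like igw:OwnerID."""
    seen = set()
    for _type, _id, props, _status in parse_log(text):
        for key, value in props.items():
            if key.split(":")[-1] == "OwnerID" and value != account_id:
                seen.add((key, value))
    return [{"property": k, "value": v} for k, v in sorted(seen)]


def render_filters(entries):
    """Render the entries as the filters: __global__: YAML used in the workaround."""
    lines = ["filters:", "  __global__:"]
    for e in entries:
        lines.append(f'    - property: "{e["property"]}"')
        lines.append(f'      value: "{e["value"]}"')
    return "\n".join(lines)
```

Running it against a real dry-run log (aws-nuke without --no-dry-run) shows which shared resources would be attempted before anything is actually deleted.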

ekristen (Owner) commented

Thanks! I'll release an update this weekend (hopefully) for any resource with OwnerID to filter if it doesn't match the account.
