Managing resources and objects in your cloud account is an essential aspect of maintaining an efficient and cost-effective
infrastructure. Occasionally, you may need to delete specific types of resources and objects to streamline your
operations, optimize costs, or meet compliance requirements.
In this article, we will guide you through the process of deleting various types of resources and objects in your cloud
account.
AWS-nuke
AWS only. See project repository and documentation
Install aws-nuke
Ensure your account has an alias before running aws-nuke
```bash
# Get alias name
aws iam list-account-aliases
# Create one if missing
#aws iam create-account-alias --account-alias my-account-alias
```
Create config to list all resources
```bash
cat <<"EOF" > aws-list.yml
regions:
  - global
account-blocklist:
  - "999999999999" # production
accounts:
  "899999999999": {} # this account must have alias
EOF
```
List all resources in the account, no actual deletion
```bash
aws-nuke -c aws-list.yml --profile client-sandbox
```
Use case
There are clusters created by eksctl, but no application configs exist.
Therefore, it is not possible to delete the clusters using eksctl.
Some of the resources were deleted already, but a few are left.
Delete all resources created by eksctl
Create config
```bash
cat <<"EOF" > aws-nuke.yml
regions:
  - eu-west-2
  - global
# optional: restrict nuking to these resources
resource-types:
  targets:
    - IAMInstanceProfileRole
    - IAMInstanceProfile
    - IAMRole
    - IAMRolePolicy
    - IAMRolePolicyAttachment
  excludes:
    - S3Object
account-blocklist:
  - "999999999999" # production
accounts:
  "899999999999": # this account must have alias
    filters:
      IAMInstanceProfileRole:
        - type: regex
          value: "^eksctl-sandbox-west2-"
          invert: true
      IAMInstanceProfile:
        - type: regex
          value: "^eksctl-sandbox-west2-"
          invert: true
      IAMRole:
        - type: regex
          value: "^eksctl-sandbox-west2-"
          invert: true
      IAMRolePolicy:
        - type: regex
          value: "^eksctl-sandbox-west2-"
          invert: true
      IAMRolePolicyAttachment:
        - type: regex
          value: "^eksctl-sandbox-west2-"
          invert: true
EOF
```
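In aws-nuke a filter marks resources to keep, and `invert: true` flips that, so only names matching the regex stay eligible for removal. The sketch below is an added example (not aws-nuke code) that previews that decision for the pattern used above; the role names are constructed samples and `grep -E` stands in for aws-nuke's regex engine.

```bash
#!/usr/bin/env bash
# Preview which names an aws-nuke regex filter would leave for removal.
# Added illustration, not aws-nuke code. All names below are constructed.

# aws-nuke semantics: a filter hit means "keep" (excluded from the nuke).
# invert=true flips the hit, so only names that MATCH remain removable.
nuke_decision() {
  local pattern="$1" invert="$2" name="$3" hit=false
  if printf '%s\n' "$name" | grep -Eq -- "$pattern"; then hit=true; fi
  if [ "$invert" = "true" ]; then
    if [ "$hit" = true ]; then hit=false; else hit=true; fi
  fi
  if [ "$hit" = true ]; then echo keep; else echo remove; fi
}

# Read one resource name per line on stdin and print the decision for each.
preview() {
  local pattern="$1" invert="$2" name
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%-7s %s\n' "$(nuke_decision "$pattern" "$invert" "$name")" "$name"
  done
}

# Constructed sample: two eksctl leftovers, a differently named cluster,
# an organization role, and a name that only contains the prefix.
SAMPLE_ROLES='eksctl-sandbox-west2-cluster-ServiceRole
eksctl-sandbox-west2-nodegroup-ng1-NodeInstanceRole
eksctl-prod-west2-cluster-ServiceRole
OrganizationAccountAccessRole
my-eksctl-sandbox-west2-copy'

printf '%s\n' "$SAMPLE_ROLES" | preview '^eksctl-sandbox-west2-' true
```

Dropping `invert: true` from the config reverses every line of this output: the eksctl roles would be kept and everything else of the targeted types would be removed.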
Run removal, it will ask for approval twice
```bash
aws-nuke -c aws-nuke.yml --profile client-sandbox --no-dry-run
```
Cloud-nuke (AWS)
See project repository and documentation
Telemetry to Gruntwork
As of version v0.29.0 cloud-nuke sends telemetry back to Gruntwork to help us better prioritize bug fixes and feature improvements. The following metrics are included:
- Command and Arguments
- Version Number
- Timestamps
- Resource Types
- Resource Counts
- A randomly generated Run ID
- AWS Account ID
We never collect:
- IP Addresses
- Resource Names
To disable it:
```bash
export DISABLE_TELEMETRY=TRUE
```
Getting started with cloud-nuke
Install
```bash
brew install cloud-nuke
```
Disable telemetry and set AWS_PROFILE
```bash
export DISABLE_TELEMETRY=TRUE
export AWS_PROFILE=client-sandbox
```
Get all resources available in AWS account
```bash
cloud-nuke inspect-aws
# Alternative way
cloud-nuke aws --dry-run
```
Delete resources
Delete resources using --resource-type
```bash
cloud-nuke aws \
  --region us-west-2 \
  --resource-type ekscluster \
  --resource-type asg \
  --resource-type lt \
  --dry-run
```
Create config file with list of resources
```bash
cat <<"EOF" > cloud-nuke.yml
iam-role:
  include:
    names_regex:
      - ^eksctl-.*$
      - .*-prod-alb-.*
  exclude:
    names_regex:
      - public
      - prod
transit-gateway:
  exclude:
    names_regex:
      - .*
EOF
```
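How the include and exclude rules above combine is easy to misread, so here is an added sketch (not cloud-nuke code) that evaluates them against constructed role names. It assumes cloud-nuke's evaluation order, where an exclude match always wins and otherwise the name must match an include rule, and unanchored regex matching, approximated here with `grep -E`.

```bash
#!/usr/bin/env bash
# Evaluate cloud-nuke style include/exclude name rules offline.
# Added illustration, not cloud-nuke code. Role names are constructed.

# match_any PATTERNS NAME: succeed if any newline-separated regex matches.
match_any() {
  local patterns="$1" name="$2" p
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if printf '%s\n' "$name" | grep -Eq -- "$p"; then return 0; fi
  done <<EOF
$patterns
EOF
  return 1
}

# Assumed rule order: exclude wins; then include decides (empty include = all).
should_nuke() {
  local include="$1" exclude="$2" name="$3"
  if [ -n "$exclude" ] && match_any "$exclude" "$name"; then
    echo skip; return
  fi
  if [ -z "$include" ] || match_any "$include" "$name"; then
    echo nuke
  else
    echo skip
  fi
}

# The iam-role rules from cloud-nuke.yml above.
INCLUDE='^eksctl-.*$
.*-prod-alb-.*'
EXCLUDE='public
prod'

for role in eksctl-sandbox-west2-nodegroup-role \
            eksctl-prod-west2-cluster-role \
            team-prod-alb-controller \
            eksctl-public-demo-role \
            ci-deploy-role; do
  printf '%-5s %s\n' "$(should_nuke "$INCLUDE" "$EXCLUDE" "$role")" "$role"
done
```

Under that rule order the `.*-prod-alb-.*` include never selects anything, because every name it matches also contains `prod` and is excluded first.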
Delete resources using config file
```bash
cloud-nuke aws \
  --config cloud-nuke.yml \
  --dry-run
```
Azure
Azure-cloud-nuke
TBD. Promising project https://gitlab.com/lmartz/azure-cloud-nuke
PowerShell
Install Azure PowerShell for your OS: https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-10.0.0
Install the Az module
```powershell
Install-Module -Name Az -Repository PSGallery -Force
```
Create ps1
```bash
cat <<"EOF" > azure.ps1
# Login
Connect-AzAccount

# Get a list of all Azure subscriptions that the user can access
$allSubs = Get-AzSubscription
$allSubs | Sort-Object SubscriptionName | Format-Table -Property SubscriptionName, SubscriptionId, State

$theSub = Read-Host "Enter the subscriptionId you want to clean"
Write-Host "You selected the following subscription. (It will be displayed for 15 sec.)" -ForegroundColor Cyan
Get-AzSubscription -SubscriptionId $theSub | Select-AzSubscription

# Get all the resource groups
$allRG = Get-AzResourceGroup
foreach ($g in $allRG) {
    Write-Host $g.ResourceGroupName -ForegroundColor Yellow
    Write-Host "------------------------------------------------------`n" -ForegroundColor Yellow
    # Keep the raw resource objects here; they are formatted once, below
    $allResources = Get-AzResource -ResourceGroupName $g.ResourceGroupName
    if ($allResources) {
        $allResources | Format-Table -Property Name, ResourceName
    }
    else {
        Write-Host "-- empty--`n"
    }
    Write-Host "`n`n------------------------------------------------------" -ForegroundColor Yellow
}

$lastValidation = Read-Host "Do you want to delete ALL the resources previously listed? (YES/ NO)"
if ($lastValidation.ToLower().Equals("yes")) {
    foreach ($g in $allRG) {
        Write-Host "Deleting " $g.ResourceGroupName
        # The delete is commented out as a safety; uncomment to actually remove the resource group
        #Get-AzResourceGroup -Name $g.ResourceGroupName | Remove-AzResourceGroup -Verbose -Force
    }
}
else {
    Write-Host "Aborted. Nothing was deleted." -ForegroundColor Cyan
}
EOF
```