Cloud Nuke

Managing resources and objects in your cloud account is an essential aspect of maintaining an efficient and cost-effective infrastructure. Occasionally, you may need to delete specific types of resources and objects to streamline your operations, optimize costs, or meet compliance requirements.

In this article, we will guide you through the process of deleting various types of resources and objects in your cloud account.

AWS-nuke

AWS only. See the project repository and documentation.

Install aws-nuke

brew install aws-nuke

Ensure your account has an alias before running aws-nuke; aws-nuke refuses to run against an account without one.

# Get alias name
aws iam list-account-aliases

# Create one if missing
#aws iam create-account-alias --account-alias my-account-alias

Create a config to list all resources

cat <<"EOF" > aws-list.yml
regions:
  - global

account-blocklist:
  - "999999999999" # production

accounts:
  "899999999999": {} # this account must have alias
EOF

List all resources in the account (dry run, no actual deletion)

aws-nuke -c aws-list.yml --profile client-sandbox

Use case

There are clusters created by eksctl, but no application configs exist, so the clusters cannot be deleted with eksctl. Some of the resources were already deleted, but a few are left. Delete all resources created by eksctl.

Create the config

cat <<"EOF" > aws-nuke.yml
regions:
  - eu-west-2
  - global
# optional: restrict nuking to these resources
resource-types:
  targets:
  - IAMInstanceProfileRole
  - IAMInstanceProfile
  - IAMRole
  - IAMRolePolicy
  - IAMRolePolicyAttachment
  excludes:
  - S3Object

account-blocklist:
  - "999999999999" # production
accounts:
  "899999999999": # this account must have alias
    filters:
      IAMInstanceProfileRole:
      - type: regex
        value: "^eksctl-sandbox-west2-"
        invert: true
      IAMInstanceProfile:
      - type: regex
        value: "^eksctl-sandbox-west2-"
        invert: true
      IAMRole:
      - type: regex
        value: "^eksctl-sandbox-west2-"
        invert: true
      IAMRolePolicy:
      - type: regex
        value: "^eksctl-sandbox-west2-"
        invert: true
      IAMRolePolicyAttachment:
      - type: regex
        value: "^eksctl-sandbox-west2-"
        invert: true
EOF

Run the removal; it will ask for approval twice

aws-nuke -c aws-nuke.yml --profile client-sandbox --no-dry-run
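An added Python helper (written for this page, not part of aws-nuke or its documentation) that builds the same config programmatically, so the inverted regex filter is written once instead of five times, and lints it before --no-dry-run: every targeted account must be a 12-digit id that is not in the blocklist, and every targeted resource type needs a filter, because a type without one is deleted wholesale. The account ids and the eksctl prefix are the constructed placeholders used above; the file is written as JSON, which aws-nuke reads as YAML.

```python
import json
import re

# Constructed sample values, the same placeholders the page uses.
PRODUCTION_ACCOUNT = "999999999999"
SANDBOX_ACCOUNT = "899999999999"
TARGET_TYPES = ["IAMInstanceProfileRole", "IAMInstanceProfile", "IAMRole",
                "IAMRolePolicy", "IAMRolePolicyAttachment"]


def build_config(account, blocklist, prefix, resource_types, regions):
    """Build an aws-nuke config dict. Each targeted type gets one inverted
    regex filter: names NOT starting with `prefix` are filtered (kept), so
    only the eksctl-created resources are deleted."""
    filters = {rt: [{"type": "regex", "value": "^" + prefix, "invert": True}]
               for rt in resource_types}
    return {
        "regions": list(regions),
        "resource-types": {"targets": list(resource_types), "excludes": ["S3Object"]},
        "account-blocklist": list(blocklist),
        "accounts": {account: {"filters": filters}},
    }


def lint_config(cfg):
    """Safety checks before --no-dry-run; returns a list of problems (empty = ok)."""
    problems = []
    blocked = set(cfg.get("account-blocklist", []))
    if not blocked:
        problems.append("account-blocklist is empty")
    targets = cfg.get("resource-types", {}).get("targets", [])
    for acct, body in cfg.get("accounts", {}).items():
        if not re.fullmatch(r"\d{12}", acct):
            problems.append(f"account id {acct!r} is not a 12-digit string")
        if acct in blocked:
            problems.append(f"account {acct} is both targeted and blocklisted")
        filters = body.get("filters", {})
        for rt in targets:
            if rt not in filters:
                problems.append(f"{acct}: no filter for {rt}, every {rt} would be deleted")
    return problems


def write_config(path, cfg):
    """JSON is valid YAML, so aws-nuke -c can read the file directly."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)


if __name__ == "__main__":
    cfg = build_config(SANDBOX_ACCOUNT, [PRODUCTION_ACCOUNT],
                       "eksctl-sandbox-west2-", TARGET_TYPES, ["eu-west-2", "global"])
    for problem in lint_config(cfg):
        print("WARN:", problem)
    write_config("aws-nuke.yml", cfg)
```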

Cloud-nuke (AWS)

See project repository and documentation

Telemetry to Gruntwork

As of version v0.29.0 cloud-nuke sends telemetry back to Gruntwork to help us better prioritize bug fixes and feature improvements. The following metrics are included:

  • Command and Arguments
  • Version Number
  • Timestamps
  • Resource Types
  • Resource Counts
  • A randomly generated Run ID
  • AWS Account ID

We never collect:

  • IP Addresses
  • Resource Names

To disable it:

export DISABLE_TELEMETRY=TRUE

Getting started with cloud-nuke

Install

brew install cloud-nuke

Disable telemetry and set AWS_PROFILE

export DISABLE_TELEMETRY=TRUE
export AWS_PROFILE=client-sandbox

Get all resources available in the AWS account

cloud-nuke inspect-aws

# Alternative way
cloud-nuke aws --dry-run

Delete resources

Delete resources using --resource-type

cloud-nuke aws \
--region us-west-2 \
--resource-type ekscluster \
--resource-type asg \
--resource-type lt \
--dry-run

Create a config file with the list of resources

cat <<"EOF" > cloud-nuke.yml
iam-role:
  include:
    names_regex:
      - ^eksctl-.*$
      - .*-prod-alb-.*
  exclude:
    names_regex:
      - public
      - prod
transit-gateway:
  exclude:
    names_regex:
      - .*

EOF

Delete resources using the config file

cloud-nuke aws \
--config cloud-nuke.yml \
--dry-run
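An added Python model of cloud-nuke's include/exclude rule (written here for illustration, not cloud-nuke's own code) that runs the config above against constructed role names to predict what --dry-run would report. It also exposes a quirk of that config: any name matching the `.*-prod-alb-.*` include also matches the `prod` exclude, and exclude wins, so that include line never selects anything.

```python
import re

# Constructed mirror of the cloud-nuke.yml above.
CONFIG = {
    "iam-role": {
        "include": {"names_regex": [r"^eksctl-.*$", r".*-prod-alb-.*"]},
        "exclude": {"names_regex": ["public", "prod"]},
    },
    "transit-gateway": {"exclude": {"names_regex": [".*"]}},
}

# Constructed role names standing in for an account listing.
SAMPLE_ROLES = [
    "eksctl-sandbox-cluster-ServiceRole",
    "eksctl-sandbox-nodegroup-NodeInstanceRole",
    "eksctl-public-api-ClusterRole",
    "app-prod-alb-ingress-role",
    "AWSServiceRoleForSupport",
]


def _matches_any(name, patterns):
    # cloud-nuke matches unanchored, like Go's regexp.MatchString.
    return any(re.search(p, name) for p in patterns)


def is_targeted(cfg, resource_type, name):
    """cloud-nuke include/exclude rule: when includes are present the name must
    match one of them; any exclude match removes it, so exclude wins over
    include. A type with no rules (or absent from the config) is fully targeted."""
    rules = cfg.get(resource_type, {})
    includes = rules.get("include", {}).get("names_regex", [])
    excludes = rules.get("exclude", {}).get("names_regex", [])
    if includes and not _matches_any(name, includes):
        return False
    return not _matches_any(name, excludes)


def plan(cfg, resource_type, names):
    """Split a listing into (to_delete, kept), i.e. what --dry-run would report."""
    to_delete = [n for n in names if is_targeted(cfg, resource_type, n)]
    kept = [n for n in names if n not in to_delete]
    return to_delete, kept


if __name__ == "__main__":
    to_delete, kept = plan(CONFIG, "iam-role", SAMPLE_ROLES)
    print("would delete:", to_delete)
    print("kept:", kept)
```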

Azure

Azure-cloud-nuke

TBD. Promising project https://gitlab.com/lmartz/azure-cloud-nuke

PowerShell

Install Azure PowerShell for your OS: https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-10.0.0

Install the Az module

Install-Module -Name Az -Repository PSGallery -Force

Create the ps1 script (the Remove-AzResourceGroup line is commented out, so it only lists resources until you uncomment it)

cat <<"EOF" > azure.ps1
# Login
Connect-AzAccount

# Get a list of all Azure subscriptions that the user can access
$allSubs = Get-AzSubscription
$allSubs | Sort-Object Name | Format-Table -Property Name, Id, State
$theSub = Read-Host "Enter the subscriptionId you want to clean"

Write-Host "You selected the following subscription:" -ForegroundColor Cyan
Set-AzContext -SubscriptionId $theSub

# Get all the resource groups
$allRG = Get-AzResourceGroup

foreach ($g in $allRG){

    Write-Host $g.ResourceGroupName -ForegroundColor Yellow
    Write-Host "------------------------------------------------------`n" -ForegroundColor Yellow
    # Keep the resource objects (no Format-Table here) so the emptiness check and the table below work
    $allResources = Get-AzResource -ResourceGroupName $g.ResourceGroupName

    if($allResources){
        $allResources | Format-Table -Property Name, ResourceType
    }
    else{
         Write-Host "-- empty --`n"
    }
    Write-Host "`n`n------------------------------------------------------" -ForegroundColor Yellow
}

$lastValidation = Read-Host "Do you want to delete ALL the resources previously listed? (YES/ NO)"

if($lastValidation.ToLower().Equals("yes")){

    foreach ($g in $allRG){

        Write-Host "Deleting " $g.ResourceGroupName
        # Dry run by default: uncomment the next line to actually delete the resource group
        #Get-AzResourceGroup -Name $g.ResourceGroupName | Remove-AzResourceGroup -Verbose -Force

    }
}
else{
     Write-Host "Aborted. Nothing was deleted." -ForegroundColor Cyan
}

EOF