The nuclear option to housekeeping
cloud-nuke is a tool you can use to completely obliterate resources in your AWS account. That’s right. Completely. Obliterate.
Why on earth would you want to do that, I hear you cry? We’re in the business of building clouds, not destroying them. Well, there are actually several very good reasons.
Several very good reasons
- Training accounts
We have an AWS account we call “The Playground.” The sole purpose of the playground account is to facilitate training and skill development for our staff. It’s a great tool to have, but inevitably, someone creates resources and then forgets about them. They then sit there wasting energy and money. Nuke ‘em!
Every so often, we need to wind down an AWS account completely. I’ve often spent a day or more going through the bills, seeing what we’re still being charged for, and deleting it. Nuke ‘em!
- Fresh starts
Sometimes resources have been created in a test environment, and you want to start over. I’m a big believer in “build one to throw one away.” Also I love to bury my head in the sand and pretend my mistakes never happened, so I nuke ‘em.
- Cost reduction
You can use this to clear out resources older than X amount of time. For example, clearing down any EBS snapshots older than 1 week. Go check your EBS snapshots, I guarantee* there’s a ton of old ones sitting around costing you money.
*No actual guarantee
- Very brave/stupid chaos engineering
OK, this one is a real edge case, but you can use cloud-nuke to wipe out entire regions or entire resource types. AWS region or AZ failures are rare, but when they do happen, disaster ensues. A recent eu-west-2 outage in London took out Slack for most of the UK, for example. Failing over to another region can mitigate this. I’m also a big believer in being able to completely rebuild your stack from scratch easily. NUKE ‘EM!
How to install it
Real simple if you use Homebrew. If you don’t, why not? It’s awesome; go get it now. I’ll wait…
Got it installed? Good. Now run this.
brew install cloud-nuke
Run a noddy command to check it’s installed properly:
➜ cloud-nuke -v
cloud-nuke version v0.1.20
If you don’t want to install homebrew, then go to the git project and read the instructions to flagellate yourself… I mean build from source.
Now you’re ready to start setting fire to your cloud. BURN IT ALL DOWN.
!!! WARNING !!!
In case the name wasn’t a huge giveaway, this tool is extremely destructive. It reads the aws credentials file when deleting things, so seriously BE FUCKING CAREFUL OK. You can easily destroy production systems or live client environments with this if you’re careless.
There is a dry run mode using the --dry-run switch, please use it. I refuse to protect you from your own dumbfuckery if you ignore this.
Overview of the tool
As of writing, cloud-nuke can wipe out the following:
- Auto scaling groups (asg)
- Elastic Load Balancers (elbv2)
- EBS Volumes (ebs)
- EC2 instances (ec2)
- AMIs (ami)
- Snapshots (snap)
- Elastic IPs (eip)
- Launch Configurations (lc)
- ECS services but not clusters (ecsserv)
- EKS clusters (ekscluster)
- RDS DB instances (rds)
- S3 buckets (s3)
- Default VPCs (default-aws)
- Default rules in the default security group of a VPC (default-aws)
cloud-nuke will ignore anything with termination protection on, or any S3 bucket tagged with cloud-nuke-excluded=true.
To get an up to date list of the supported resource types for your installed version, which will definitely be more accurate than this two-bit article, run:
➜ ~ cloud-nuke aws --list-resource-types
The region switch
If you want to delete all your resources in one region, you can easily do this using the --region switch. You can chain regions together if you want to delete resources from multiple regions, or just stick to one region.
➜ ~ cloud-nuke aws --region eu-west-1 --region eu-west-2
If you want to do the opposite and remove everything except one region, you can use the --exclude-region switch. Again, you can chain this switch for multiple regions should you want to exclude two or three regions from the blast radius.
➜ ~ cloud-nuke aws --exclude-region eu-west-1 --exclude-region eu-west-2
What you cannot do is use --region and --exclude-region together. You’re better than that, so don’t even try.
Speed things up with region
Typically cloud-nuke will check every region for resources to delete.
➜ ~ INFO[2020-09-11T23:05:22+01:00] Retrieving active AWS resources in [eu-north-1, ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2]
INFO[2020-09-11T23:05:22+01:00] Checking region [1/16]: eu-north-1
INFO[2020-09-11T23:05:25+01:00] Checking region [2/16]: ap-south-1
INFO[2020-09-11T23:05:32+01:00] Checking region [3/16]: eu-west-3
AND SO ON...
If you have a lot of resources, this can drag on. The nice thing about the region switch is that it can drastically cut down the time it takes to execute commands: using --region to restrict the scan to the regions you actually use means the other regions are never checked at all.
The resource type switch
Let’s say you move your application to Lambda and API Gateway, which talks to RDS, storing snapshots and images in S3. Well done for going full hipster. Now you no longer need your EC2 estate, but you still need to keep everything else you use.
Well cloud-nuke can do the heavy lifting and scuttle those old fashioned compute instances.
➜ ~ cloud-nuke aws --resource-type ec2
This will delete all your EC2 instances.
But what if you want to delete everything except RDS, S3 and your snapshots?
➜ ~ cloud-nuke aws --exclude-resource-type rds --exclude-resource-type s3 --exclude-resource-type snap
As with the --region switch, you can chain these to remove/keep multiple resource types, but again, you cannot use them together.
You have termination protection on your EC2 stack, right? RIGHT??
If you don’t, have a word with yourself for being foolish/lazy, but you can also skip this part. Clearly you enjoy shortcuts, you slacker.
You can turn off termination protection using the aws cli. For a single instance:
➜ ~ aws ec2 modify-instance-attribute --no-disable-api-termination --instance-id i-0ef1f57f78d4775a4
What you really want is to do them all in one go though:
➜ ~ for instance in $(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --output text); do
# --no-disable-api-termination clears the protection flag on each instance
aws ec2 modify-instance-attribute --no-disable-api-termination --instance-id "$instance";
done
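Before flipping termination protection off across the board, it is worth knowing which instances actually have it on, because those are exactly the ones cloud-nuke will leave standing. The script below is an added example, not code from the article or the cloud-nuke project; it assumes AWS CLI v2 with working credentials, and the default region eu-west-2 is an assumption you can override with AWS_REGION.

```shell
#!/bin/sh
# Added example (not from the article or the cloud-nuke project): audit which
# EC2 instances in a region have termination protection on before nuking.
# cloud-nuke skips protected instances, so this shows what will survive.
# Assumes the AWS CLI v2 is installed and credentials are configured; the
# region comes from $AWS_REGION or defaults to eu-west-2 (an assumption).
set -eu

REGION="${AWS_REGION:-eu-west-2}"

# Return 0 if instance $1 has termination protection (disableApiTermination) on.
# The attribute query prints "True" or "False" as plain text.
is_protected() {
    _val=$(aws ec2 describe-instance-attribute \
        --region "$REGION" \
        --instance-id "$1" \
        --attribute disableApiTermination \
        --query 'DisableApiTermination.Value' \
        --output text)
    [ "$_val" = "True" ]
}

# Print one line per instance: "<id> protected" or "<id> unprotected".
audit_termination_protection() {
    for _id in $(aws ec2 describe-instances \
            --region "$REGION" \
            --query 'Reservations[].Instances[].InstanceId' \
            --output text); do
        if is_protected "$_id"; then
            echo "$_id protected"
        else
            echo "$_id unprotected"
        fi
    done
}

# Echo the number of protected instances (grep -c exits 1 on zero matches,
# hence the || true so set -e does not abort on an empty fleet).
count_protected() {
    audit_termination_protection | grep -c ' protected$' || true
}

# Only run the audit when invoked as "./audit-tp.sh audit", so the file can
# also be sourced for its functions without touching AWS.
if [ "${1:-}" = "audit" ]; then
    audit_termination_protection
fi
```

Run it once per region you intend to nuke and keep the output next to the dry-run log; anything listed as protected is a deliberate keep, anything unprotected is in the blast radius.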
Resources by age
You can delete resources based on their age. This will accept input in “ms”, “s”, “m”, “h”.
This will delete any snapshots older than a week
➜ ~ cloud-nuke aws --resource-type snap --older-than 168h --region eu-west-2
The nuclear option
Had enough and don’t want to run in this cloud anymore?
➜ ~ cloud-nuke aws
This command will delete AWS in its entirety. Have fun in Azure because that’s all that will be left when the smoke clears.
Not really. It does delete ALL your AWS resources with extreme prejudice though.
The main ways to keep resources when nuking are:
- Ensure termination protection is on.
- If it’s S3, tag it with Key=cloud-nuke-excluded Value=true
- Use the exclude switches.
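Given how little stands between a typo and a flattened production account, a thin wrapper that enforces the keep-list above is worth having. The script below is an added example, not the article's or the cloud-nuke project's code; it checks the current account against an explicit allowlist (the account IDs shown are constructed placeholders), always runs --dry-run first, confines the run to named regions, and applies the S3 exclusion tag the tool honours. The script name and the NUKE confirmation word are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the cloud-nuke project): a guardrail
# wrapper that refuses to nuke unless the current AWS account is on an explicit
# allowlist, always dry-runs first, and confines the blast radius to the
# regions given. The account IDs below are constructed placeholders.
set -eu

# Space-separated account IDs that may be nuked (placeholders, not real accounts).
NUKE_ALLOWED_ACCOUNTS="${NUKE_ALLOWED_ACCOUNTS:-111111111111 222222222222}"

# Return 0 if account $1 appears in the space-separated allowlist $2.
account_allowed() {
    for _acct in $2; do
        [ "$_acct" = "$1" ] && return 0
    done
    return 1
}

# Build the cloud-nuke argument string for the regions in $1 (space-separated)
# and an optional resource type in $2; echoes e.g. "--region eu-west-1 --resource-type ec2".
build_nuke_args() {
    _args=""
    for _r in $1; do
        _args="$_args --region $_r"
    done
    if [ -n "${2:-}" ]; then
        _args="$_args --resource-type $2"
    fi
    echo "${_args# }"
}

# Tag bucket $1 so cloud-nuke leaves it alone. Note: put-bucket-tagging
# replaces the bucket's whole tag set, so merge any existing tags first.
exclude_bucket() {
    aws s3api put-bucket-tagging --bucket "$1" \
        --tagging 'TagSet=[{Key=cloud-nuke-excluded,Value=true}]'
}

# Guarded nuke: verify the account, dry-run, then demand explicit confirmation.
guarded_nuke() {
    _regions="$1"
    _type="${2:-}"
    _account=$(aws sts get-caller-identity --query Account --output text)
    if ! account_allowed "$_account" "$NUKE_ALLOWED_ACCOUNTS"; then
        echo "refusing to nuke account $_account: not on allowlist" >&2
        return 1
    fi
    _args=$(build_nuke_args "$_regions" "$_type")
    # word-splitting of $_args into separate flags is intended here
    cloud-nuke aws $_args --dry-run
    printf 'Dry run finished for account %s. Type NUKE to continue: ' "$_account"
    read -r _answer
    [ "$_answer" = "NUKE" ] || { echo "aborted" >&2; return 1; }
    cloud-nuke aws $_args
}

# Usage: ./nuke-guard.sh "eu-west-1 eu-west-2" [resource-type]
if [ -n "${1:-}" ]; then
    guarded_nuke "$1" "${2:-}"
fi
```

The allowlist check is the part that matters: cloud-nuke reads whatever credentials the AWS CLI would, so the wrapper asks STS which account those credentials actually belong to before anything destructive runs, and the dry run output gives you one last look at the list before typing the confirmation word.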
A live demo
A quick demo of me actually destroying some resources in AWS.
cloud-nuke is a tool that, used strategically, can save you a lot of time. Decommissioning is boring, tedious, grunt work. No-one enjoys it. Winding down a cloud would typically take me a day of work, sometimes more. At the end I’d feel drained, like I’d accomplished nothing useful that day.
That is not a nice feeling to have.
Using this, it’s reduced to minutes, which changes it from janitorial shit shovelling to a quick job you barely care about. Here I only cover the basic things you may use frequently; the GitHub page contains a well-written README with more details on the advanced use of this tool. So off you go and get nuking.