Terraform - How to nuke AWS resources and save additional AWS infrastructure cost?
Working in the AWS cloud is always fun until you have to pay the AWS bills out of your own pocket. As developers we work on our own machines and rarely worry about resources (CPU, memory and disk space), because today's laptops and desktops are very powerful. Apart from the initial purchase cost, a machine that runs day and night consumes only a small amount of electricity.
But think for a second about a scenario in which you have to pay for every resource you consume on your laptop, i.e. CPU, memory, disk space, network and so on.
I can easily guess that your first question would be: what can I do to reduce the cost? The same concern applies when you work on a cloud such as AWS. In this article we are going to look at the tools and frameworks available on the market that can help you reduce your AWS costs.
Table of contents
- Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
- How to install Gruntwork’s cloud-nuke?
- Export AWS access key, secret key, and region before using Gruntwork’s cloud-nuke
- How to use cloud-nuke for deleting all resources of AWS?
- How to use cloud-nuke on a specific region of AWS?
- How to list the supported resources which can be nuked/deleted by cloud-nuke?
- Is there a way to exclude the resources from cloud-nuke command?
- How to Dry run cloud-nuke without deleting actual AWS resource?
1. Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
The first and most important principle when working in a cloud environment is that your cloud infrastructure should be bundled as code, i.e. **infrastructure as code (IaC)**, and for that we generally use Terraform because it is easy, open source and widely used across the industry.
Terraform is well suited to setting up your cloud infrastructure, but it lacks a convenient way to clean up your cloud platform, and that is where cloud-nuke from Gruntwork comes into the picture.
cloud-nuke is an open-source tool available on GitHub which you can fork and install. But keep in mind that it only works for AWS, provided you have set up your infrastructure using Terraform.
2. How to install Gruntwork’s cloud-nuke?
Now that you have a basic understanding of the purpose of Gruntwork's cloud-nuke, let's see how to install it.
The best way to install Gruntwork's cloud-nuke is using [Homebrew](https://docs.brew.sh/). Whether you are on macOS or Linux, you can simply run the following command and you are good to go:

```
brew install cloud-nuke
```

Run the following command to verify the installation. (At the time of writing this article, v0.1.30 was the latest release from Gruntwork.)
3. Export AWS access key, secret key, and region before using Gruntwork’s cloud-nuke
Before we start using cloud-nuke, it is a mandatory step to export the AWS access key, secret key and region as environment variables.
Use the following commands to export them:

```
export AWS_ACCESS_KEY="<PLACE_YOUR_AWS_ACCESS_KEY>"
export AWS_SECRET_KEY="<PLACE_YOUR_AWS_SECRET_KEY>"
export AWS_REGION="<PLACE_YOUR_AWS_REGION_NAME>"
```
You can find all of the above details by:
- Going to your AWS console.
- On the top right corner, under your username, clicking on **My Security Credentials**.
- Then navigating to **Access keys (access key ID and secret access key)**.
- Checking the status of the key; it should have an ACTIVE status.
4. How to use cloud-nuke for deleting all resources of AWS?
Warning: if you run cloud-nuke to delete all the resources on AWS, keep in mind that there is no going back; you would lose all of your cloud infrastructure.
After reading the warning, I assume you understand the gravity of the cloud-nuke command and that it has to be used with all caution.
cloud-nuke can do some serious damage to your AWS cloud infrastructure, but on the other hand using cloud-nuke is very easy; you simply need to run the following command:

```
cloud-nuke aws
```

The above command will list all the resources which are going to be nuked/deleted from your AWS environment. Here is the list of resources which got deleted when I ran the cloud-nuke aws command:
```
[cloud-nuke] INFO[2021-05-05T18:10:19Z] The following resource types will be nuked:
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ami
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - asg
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ebs
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ec2
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecscluster
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecsserv
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - eip
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ekscluster
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elb
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elbv2
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - iam
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lambda
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lc
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - rds
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - s3
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - snap
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - sqs
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-attachment
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-route-table
[cloud-nuke] INFO[2021-05-05T18:10:19Z] Retrieving active AWS resources in [eu-north-1, ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-3, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2, global]
[cloud-nuke] INFO[2021-05-05T18:10:19Z] Checking region [1/18]: eu-north-1
[cloud-nuke] INFO[2021-05-05T18:10:22Z] Checking region [2/18]: ap-south-1
[cloud-nuke] INFO[2021-05-05T18:10:30Z] Checking region [3/18]: eu-west-3
[cloud-nuke] INFO[2021-05-05T18:10:33Z] Checking region [4/18]: eu-west-2
[cloud-nuke] INFO[2021-05-05T18:10:36Z] Checking region [5/18]: eu-west-1
[cloud-nuke] INFO[2021-05-05T18:10:40Z] Checking region [6/18]: ap-northeast-3
[cloud-nuke] INFO[2021-05-05T18:10:54Z] Checking region [7/18]: ap-northeast-2
[cloud-nuke] INFO[2021-05-05T18:11:10Z] Checking region [8/18]: ap-northeast-1
[cloud-nuke] INFO[2021-05-05T18:11:27Z] Checking region [9/18]: sa-east-1
[cloud-nuke] INFO[2021-05-05T18:11:38Z] Checking region [10/18]: ca-central-1
[cloud-nuke] INFO[2021-05-05T18:11:44Z] Checking region [11/18]: ap-southeast-1
[cloud-nuke] INFO[2021-05-05T18:11:54Z] Checking region [12/18]: ap-southeast-2
[cloud-nuke] INFO[2021-05-05T18:12:11Z] Checking region [13/18]: eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:13Z] Checking region [14/18]: us-east-1
[cloud-nuke] INFO[2021-05-05T18:12:21Z] Checking region [15/18]: us-east-2
[cloud-nuke] INFO[2021-05-05T18:12:28Z] Checking region [16/18]: us-west-1
[cloud-nuke] INFO[2021-05-05T18:12:36Z] Checking region [17/18]: us-west-2
[cloud-nuke] INFO[2021-05-05T18:12:47Z] Checking region [18/18]: global
[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
```
It will ask for confirmation before deleting the resources; to confirm, just type nuke and hit enter:

```
THE NEXT STEPS ARE DESTRUCTIVE AND COMPLETELY IRREVERSIBLE, PROCEED WITH CAUTION!!!

Are you sure you want to nuke all listed resources? Enter 'nuke' to confirm (or exit with ^C): nuke
```
Since I am using AWS for development purposes and only the eu-central-1 region, I had very few resources running inside my AWS account. I am only running one EC2 machine; if you look carefully at the logs of the cloud-nuke aws command you will see these records getting deleted:

```
[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
```
5. How to use cloud-nuke on a specific region of AWS?
In the previous step we saw how to delete all the resources of an AWS account, but is there a way to delete only some specific resources of our AWS account?
cloud-nuke provides several ways to delete only specific resources of your AWS account.
The first way is by AWS region: you can run the following command to delete the AWS resources of the eu-central-1 region only:

```
cloud-nuke aws --region eu-central-1
```

The above command will only affect the resources in the eu-central-1 region.
6. How to list the supported resources which can be nuked/deleted by cloud-nuke?
AWS has a large number of resource types, so you may be wondering whether cloud-nuke supports all of them.
Well, the answer is no: cloud-nuke does not support all AWS resource types, but you can get the list of supported resource types by running the following command:

```
cloud-nuke aws --list-resource-types
```

The above command should return:

```
ami
asg
ebs
ec2
ecscluster
ecsserv
eip
ekscluster
elb
elbv2
iam
lambda
lc
rds
s3
snap
sqs
transit-gateway
transit-gateway-attachment
transit-gateway-route-table
```

You can nuke/delete the above-mentioned resource types in your AWS account.
7. Is there a way to exclude the resources from cloud-nuke command?
When you work with development and production environments, it is quite common that you need to include or exclude certain resources.
cloud-nuke provides a very convenient way to exclude resources from getting deleted/nuked. You simply supply the flag --exclude-resource-type followed by the resource type name, and the flag can be repeated for several types.
Here is an example command that excludes the s3 and ec2 resource types from getting deleted:

```
cloud-nuke aws --exclude-resource-type s3 --exclude-resource-type ec2
```
8. How to Dry run cloud-nuke without deleting actual AWS resource?
Now we have covered the different ways to nuke/delete AWS resources using cloud-nuke. But is there a way to simulate/debug the cloud-nuke command so that it does not delete the actual AWS resources but tells us what it is going to do?
cloud-nuke provides a flag called --dry-run which can be added to the actual command. It will tell you what is going to happen and how many resources would be deleted, but as long as the --dry-run flag is present nothing is deleted from the AWS account.
Here is the example command:

```
cloud-nuke aws --resource-type ec2 --dry-run
```
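To put the region scoping, resource-type exclusions and dry run from the last three sections together, here is a small guard script (an added example, not part of cloud-nuke or of the original article). It assumes cloud-nuke is on PATH and that the credentials from section 3 are exported; the PROTECTED_TYPES list and the CLOUD_NUKE_CONFIRM variable are this script's own conventions, not cloud-nuke flags.

```shell
#!/bin/sh
# Guarded cloud-nuke wrapper (added example; not part of cloud-nuke itself).
# Assumes cloud-nuke on PATH and AWS_ACCESS_KEY/AWS_SECRET_KEY/AWS_REGION exported
# as in section 3. PROTECTED_TYPES and CLOUD_NUKE_CONFIRM are this script's own
# conventions, not cloud-nuke flags.

# Resource types a routine clean-up must never touch; each one becomes an
# --exclude-resource-type flag on every run.
PROTECTED_TYPES="iam s3"

# Refuse to proceed if the credentials and region from section 3 are missing.
check_env() {
    [ -n "${AWS_ACCESS_KEY:-}" ] && [ -n "${AWS_SECRET_KEY:-}" ] && [ -n "${AWS_REGION:-}" ]
}

# Print the cloud-nuke argument list on one line.
#   $1 = region to scope to, $2 = "dry" or "live",
#   remaining args = additional resource types to exclude.
build_args() {
    region="$1"; mode="$2"; shift 2
    args="aws --region $region"
    for t in $PROTECTED_TYPES "$@"; do
        args="$args --exclude-resource-type $t"
    done
    if [ "$mode" = "dry" ]; then
        args="$args --dry-run"
    fi
    printf '%s\n' "$args"
}

# Always show the plan with --dry-run first; only delete when the operator
# has explicitly set CLOUD_NUKE_CONFIRM=yes for this invocation.
run_nuke() {
    region="$1"; shift
    if ! check_env; then
        echo "export AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_REGION first" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # word splitting of the argument line is intended
    cloud-nuke $(build_args "$region" dry "$@") || return 1
    if [ "${CLOUD_NUKE_CONFIRM:-}" != "yes" ]; then
        echo "dry run only; re-run with CLOUD_NUKE_CONFIRM=yes to delete" >&2
        return 0
    fi
    cloud-nuke $(build_args "$region" live "$@")
}
# Usage: CLOUD_NUKE_CONFIRM=yes sh nuke-guard.sh eu-central-1 rds
if [ $# -gt 0 ]; then
    run_nuke "$@"
fi
```

Because the live run only happens after a successful dry run and an explicit confirmation variable, an accidental invocation never gets past the plan output.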