Terraform - How to nuke AWS resources and save additional AWS infrastructure cost?
Working in the AWS cloud is always fun until you are not paying your AWS bills from your pocket. Being a developer we work on our developer machine and we do not much worry much about resources(CPU, Memory, and Disk space) because nowadays developer machines (Laptops/desktops) are very powerful. Apart from the initial purchase cost, it will not only consume a very tiny amount of electricity if you keep it running days and nights.
But have you think of scenario "In which you need to pay for each resource which you are going to consume on your laptop .i.e. CPU, Memory, Disk space, network ..., just think for a second.....
I can easily guess now you will think What can I do to reduce the cost? the same concept applies when you are working on a cloud such as AWS. In this article, we are going to see what are the tools and framework which are available in the market which can help you to reduce your AWS costs.
Table of content
- Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
- How to install Gruntwork's cloud-nuke?
- Export AWS access key, secret key, and region before using Gruntwork's cloud-nuke
- How to use cloud-nuke for deleting all resources of AWS?
- How to use cloud-nuke specific region of AWS?
- How to list the supported resources which can be nuked/deleted by cloud-nuke?
- Is there a way to exclude the resources from cloud-nuke command?
- How to Dry run cloud-nuke without deleting actual AWS resource?
1. Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
The first and most important principle if you are working on a cloud environment is your cloud infrastructure should be bundled as code .i.e. infrastructure as a code (IAC) and for that, we generally use Terraform because it's easy and opensource and widely used across the industry.
Well if Terraform is used for setting up your cloud infrastructure but it lacks if you want to perform clean-up on your cloud platform and that is where Cloud-Nuke from Gruntwork comes into the picture.
Cloud-Nuke is an Open-source tool available on GitHub which you can fork and install. But keep in mind it only works for AWS and provided you have set up your infrastructure using Terraform
2. How to install Gruntwork's cloud-nuke?
Now you have a little bit of understanding on what is the purpose of Gruntwork's cloud-nuke, let's see how we can install the Gruntwork's cloud-nuke.
The best way to install the Gruntwork's cloud-nuke is using the Homebrew . It does not matter you are using macOS or Linux, you can simply run the command
brew install cloud-nuke and you are good to go.
Run the following command to verify the installation. (At the time of writing this article v0.1.30 was the latest from Gruntwork.)
3. Export AWS access key, secret key, and region before using Gruntwork's cloud-nuke
Before we start using cloud-nuke it is mandatory steps for to Export the AWS access key, secret key, and region as environment variables
Use the following commands for export -
1 export AWS_ACCESS_KEY="<PLACE_YOUR_AWS_ACCESS_KEY>" 2 export AWS_SECRET_KEY="<PLACE_YOUR_AWS_SECRET_KEY>" 3 export AWS_REGION="<PLACE_YOUR_AWS_REGION_NAME>"
You can find all above details by-
- Going to your AWS console.
- On the top right corner under your username click on ->
My Security Credentials
- Then navigate to
Access keys (access key ID and secret access key)
- Check the status of the key. It should have an ACTIVE status
4. How to use cloud-nuke for deleting all resources of AWS?
Warning: - If you want to run cloud-nuke to for deletion of all the resources on AWS then keep in mind there is returning, you would lose all of your cloud infrastructures.
After reading the warning now I am assuming you know the gravity of the command
cloud-nuke and it has to be used with all caution.
cloud-nuke can do some serious damage to your AWS cloud infrastructure but on the other hand using the
cloud-nuke is very easy, you simply need to run the following command -
The above command will list all the resources which are going to be nuked/deleted from your AWS environment. Here are my list of resources which got deleted when I ran the
cloud-nuke aws command -
1 2[cloud-nuke] INFO[2021-05-05T18:10:19Z] The following resource types will be nuked: 3[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ami 4[cloud-nuke] INFO[2021-05-05T18:10:19Z] - asg 5[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ebs 6[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ec2 7[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecscluster 8[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecsserv 9[cloud-nuke] INFO[2021-05-05T18:10:19Z] - eip 10[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ekscluster 11[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elb 12[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elbv2 13[cloud-nuke] INFO[2021-05-05T18:10:19Z] - iam 14[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lambda 15[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lc 16[cloud-nuke] INFO[2021-05-05T18:10:19Z] - rds 17[cloud-nuke] INFO[2021-05-05T18:10:19Z] - s3 18[cloud-nuke] INFO[2021-05-05T18:10:19Z] - snap 19[cloud-nuke] INFO[2021-05-05T18:10:19Z] - sqs 20[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway 21[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-attachment 22[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-route-table 23[cloud-nuke] INFO[2021-05-05T18:10:19Z] Retrieving active AWS resources in [eu-north-1, ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-3, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2, global] 24[cloud-nuke] INFO[2021-05-05T18:10:19Z] Checking region [1/18]: eu-north-1 25[cloud-nuke] INFO[2021-05-05T18:10:22Z] Checking region [2/18]: ap-south-1 26[cloud-nuke] INFO[2021-05-05T18:10:30Z] Checking region [3/18]: eu-west-3 27[cloud-nuke] INFO[2021-05-05T18:10:33Z] Checking region [4/18]: eu-west-2 28[cloud-nuke] INFO[2021-05-05T18:10:36Z] Checking region [5/18]: eu-west-1 29[cloud-nuke] INFO[2021-05-05T18:10:40Z] Checking region [6/18]: ap-northeast-3 30[cloud-nuke] INFO[2021-05-05T18:10:54Z] Checking region [7/18]: ap-northeast-2 31[cloud-nuke] INFO[2021-05-05T18:11:10Z] Checking region [8/18]: ap-northeast-1 32[cloud-nuke] INFO[2021-05-05T18:11:27Z] Checking region [9/18]: sa-east-1 33[cloud-nuke] INFO[2021-05-05T18:11:38Z] Checking region [10/18]: ca-central-1 34[cloud-nuke] INFO[2021-05-05T18:11:44Z] Checking region [11/18]: ap-southeast-1 35[cloud-nuke] INFO[2021-05-05T18:11:54Z] Checking region [12/18]: ap-southeast-2 36[cloud-nuke] INFO[2021-05-05T18:12:11Z] Checking region [13/18]: eu-central-1 37[cloud-nuke] INFO[2021-05-05T18:12:13Z] Checking region [14/18]: us-east-1 38[cloud-nuke] INFO[2021-05-05T18:12:21Z] Checking region [15/18]: us-east-2 39[cloud-nuke] INFO[2021-05-05T18:12:28Z] Checking region [16/18]: us-west-1 40[cloud-nuke] INFO[2021-05-05T18:12:36Z] Checking region [17/18]: us-west-2 41[cloud-nuke] INFO[2021-05-05T18:12:47Z] Checking region [18/18]: global 42[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked: 43[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1 44[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
It will ask for the confirmation before deleting the resources for confirmation just type
nuke and hit enter -
1THE NEXT STEPS ARE DESTRUCTIVE AND COMPLETELY IRREVERSIBLE, PROCEED WITH CAUTION!!! 2 3Are you sure you want to nuke all listed resources? Enter 'nuke' to confirm (or exit with ^C): nuke
Since I am using the AWS for development purposes and I am using
eu-centrol-1 zone, so I had very few resources running inside my AWS account. I am only running one ec2 machine, if you look carefully in the logs of
cloud-nuke aws command you will see these records getting deleted -
1[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked: 2[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1 3[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
5. How to use cloud-nuke specific region of AWS?
In the previous step we have seen How to delete all the resources of AWS account? but is there a way by which we can only delete some specific resources of our AWS account.
cloud-nuke provides various ways by which you can delete some specific resources of your AWS account.
The first way is by using
aws region, you can run the following command to delete AWS resources of eu-central-1 region -
1cloud-nuke aws --region eu-central-1
The above command will only affect the
eu-central-1 region resources.
6. How to list the supported resources which can be nuked/deleted by cloud-nuke?
If you are wondering AWS has many numbers of resources does
cloud-nuke support all the resources?
Well the answer is NO,
cloud-nuke does not support all the resources of
AWS but you can get the list of supported resources by running the following command -
1cloud-nuke aws --list-resource-types
The above command should return -
1ami 2asg 3ebs 4ec2 5ecscluster 6ecsserv 7eip 8ekscluster 9elb 10elbv2 11iam 12lambda 13lc 14rds 15s3 16snap 17sqs 18transit-gateway 19transit-gateway-attachment 20transit-gateway-route-table
You can nuke/delete the above-mentioned resources of your AWS account.
7. Is there a way to exclude the resources from cloud-nuke command?
When you work in a development and production environment, it is quite often that you have to include and exclude certain resources.
cloud-nuke provides a very convenient way to exclude the resources from getting deleted/nuked. You can simply supply the flag
--exclude-resource-type followed by the resource name such as
Here is the example command for excluding the
s3 resources from getting deleted -
1cloud-nuke aws --exclude-resource-type s3 --exclude-resource-type ec2
8. How to Dry run cloud-nuke without deleting actual AWS resource?
Now we have pretty much the different ways to nuke/delete the AWS resources using
cloud nuke. But is there a way to simulate/debug the
cloud nuke command so that it does not delete the actual AWS resource but tells us what it is going to do?
cloud nuke provides a flag called
--dry-run which can be supplied with the actual command it will tell you what is going to happen and how many resources it is going to delete but if we keep the
--dry-run flag it will not delete anything from AWS account.
Here is the example command -
1cloud-nuke aws --resource-type ec2 --dry-run
Read More - Terragrunt -
Posts in this Series
- Managing strings in Terraform: A comprehensive guide
- How to use terraform depends_on meta argument?
- What is user_data in Terraform?
- Why you should not store terraform state file(.tfstate) inside Git Repository?
- How to import existing resource using terraform import comand?
- Terraform - A detailed guide on setting up ALB(Application Load Balancer) and SSL?
- Testing Infrastructure as Code with Terraform?
- How to remove a resource from Terraform state?
- What is Terraform null Resource?
- In terraform how to skip creation of resource if the resource already exist?
- How to setup Virtual machine on Google Cloud Platform
- How to use Terraform locals?
- Terraform Guide - Docker Containers & AWS ECR(elastic container registry)?
- How to generate SSH key in Terraform using tls_private_key?
- How to fix-Terraform Error acquiring the state lock ConditionalCheckFiledException?
- Terraform Template - A complete guide?
- How to use Terragrunt?
- Terraform and AWS Multi account Setup?
- Terraform and AWS credentials handling?
- How to fix-error configuring S3 Backend no valid credential sources for S3 Backend found?
- Terraform state locking using DynamoDB (aws_dynamodb_table)?
- Managing Terraform states?
- Securing AWS secrets using HashiCorp Vault with Terraform?
- How to use Workspaces in Terraform?
- How to run specific terraform resource, module, target?
- How Terraform modules works?
- Terraform how to do SSH in AWS EC2 instance?
- What is terraform provisioner?
- Is terraform destroy needed before terraform apply?
- How to fix terraform error Your query returned no results. Please change your search criteria and try again?
- How to use Terraform Data sources?
- How to use Terraform resource meta arguments?
- How to use Terraform Dynamic blocks?
- Terraform - How to nuke AWS resources and save additional AWS infrastructure cost?
- Understanding terraform count, for_each and for loop?
- How to use Terraform output values?
- How to fix error configuring Terraform AWS Provider error validating provider credentials error calling sts GetCallerIdentity SignatureDoesNotMatch?
- How to fix Invalid function argument on line in provider credentials file google Invalid value for path parameter no file exists
- How to fix error value for undeclared variable a variable named was assigned on the command line?
- What is variable.tf and terraform.tfvars?
- How to use Terraform Variables - Locals,Input,Output
- Terraform create EC2 Instance on AWS
- How to fix Error creating service account googleapi Error 403 Identity and Access Management (IAM) API has not been used in project before or it is disabled
- Install terraform on Ubuntu 20.04, CentOS 8, MacOS, Windows 10, Fedora 33, Red hat 8 and Solaris 11