Terraform - How to nuke AWS resources and save additional AWS infrastructure cost?
Working in AWS is fun as long as you are not paying the bill out of your own pocket. As developers we work on our own machines and rarely worry about resources (CPU, memory, disk space) because modern laptops and desktops are powerful. Apart from the purchase price, a laptop costs only a tiny amount of electricity even if it runs day and night.
But imagine a scenario in which you have to pay for every resource you consume on your laptop: CPU, memory, disk space, network and so on. Think about that for a second.
You would immediately start asking what you can do to reduce the cost. The same concern applies when you work in a cloud such as AWS, where every idle instance, volume and bucket is billed whether or not you use it. In this article we look at a tool that helps you find and delete the AWS resources you no longer need, and at the safeguards you should put around it before you let it loose on an account.
Table of contents
- Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
- How to install Gruntwork's cloud-nuke?
- Export AWS access key, secret key, and region before using Gruntwork's cloud-nuke
- How to use cloud-nuke for deleting all resources of AWS?
- How to use cloud-nuke on a specific AWS region?
- How to list the supported resources which can be nuked/deleted by cloud-nuke?
- Is there a way to exclude the resources from cloud-nuke command?
- How to Dry run cloud-nuke without deleting actual AWS resource?
1. Gruntwork-io/cloud-nuke Tool for cleaning up your cloud account
The first and most important principle when working in a cloud environment is that your infrastructure should be defined as code (infrastructure as code, IaC). For that we generally use Terraform because it is easy to use, open source and widely adopted across the industry.
Terraform is good at creating and changing infrastructure, and `terraform destroy` removes what Terraform itself manages. It has no answer for everything else that accumulates in an account: resources created from the console or the CLI, leftovers from failed applies, or state files that were lost. That is where cloud-nuke from Gruntwork comes into the picture.
cloud-nuke is an open-source tool from Gruntwork, available on GitHub. At the time of writing it supports AWS only. It does not depend on Terraform at all: it enumerates resources through the AWS APIs and deletes them regardless of how they were created (Terraform, the console, the CLI, or another team's automation). That is exactly what makes it dangerous in a shared account. It also means Terraform's state file is not updated when cloud-nuke deletes a resource Terraform manages; the next `terraform plan` will report those resources as missing and offer to create them again.
2. How to install Gruntwork's cloud-nuke?
Now that you have a basic understanding of what Gruntwork's cloud-nuke is for, let's see how to install it.
The easiest way to install cloud-nuke is with Homebrew. Whether you are on macOS or Linux, simply run:
brew install cloud-nuke
and you are good to go. Alternatively, download a prebuilt binary for your platform from the project's GitHub releases page.
Run the tool with no arguments to verify the installation; it prints its usage text. (At the time of writing, v0.1.30 was the latest release from Gruntwork.)
cloud-nuke
3. Export AWS access key, secret key, and region before using Gruntwork's cloud-nuke
Before using cloud-nuke you must make AWS credentials available to it. cloud-nuke uses the AWS SDK, so any credential source the SDK understands works: environment variables, a named profile (AWS_PROFILE), or temporary STS credentials (which add AWS_SESSION_TOKEN). The simplest option is to export the access key, secret key and region as environment variables:
export AWS_ACCESS_KEY_ID="<PLACE_YOUR_AWS_ACCESS_KEY>"
export AWS_SECRET_ACCESS_KEY="<PLACE_YOUR_AWS_SECRET_KEY>"
export AWS_REGION="<PLACE_YOUR_AWS_REGION_NAME>"
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are the standard variable names read by every AWS SDK and the AWS CLI. The older AWS_ACCESS_KEY and AWS_SECRET_KEY aliases are also accepted by the Go SDK that cloud-nuke uses, but not by all tools, so prefer the standard names. Note that AWS_REGION does not limit what cloud-nuke scans: by default it checks every enabled region plus global resources, as the output in section 4 shows. Use the --region flag (section 5) for that.
You can create an access key as follows:
- Go to the AWS console.
- In the top right corner, under your username, click My Security Credentials.
- Navigate to Access keys (access key ID and secret access key).
- Create a key, or check that the key you intend to use has the status Active.
A few precautions before you hand a key to a tool whose job is deletion. Never use the root user's access keys for this; create an IAM user (or, better, use short-lived credentials from AWS SSO or STS) that exists only in the sandbox account you intend to clean. Keep that account separate from anything production-like, because cloud-nuke can delete every supported resource the credentials can reach, including IAM users. Delete or deactivate a long-lived key when you are done with it.
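Before handing credentials to a tool that deletes everything it can see, it is worth proving that they belong to the account you think they do. The wrapper below is an added example, not part of this article or of the cloud-nuke project: it asks STS who the caller is, refuses root credentials, and refuses any account ID that is not listed in an assumed CLOUD_NUKE_ALLOWED_ACCOUNTS variable (the variable name and the exit codes are this script's own). The live path needs the AWS CLI; the checks themselves run offline.

```shell
#!/usr/bin/env sh
# Added example (not from the cloud-nuke project): refuse to run cloud-nuke
# unless the credentials in the environment belong to a known sandbox account.
# Assumptions not on the original page: the allowed account IDs are kept in
# CLOUD_NUKE_ALLOWED_ACCOUNTS (space-separated) and the AWS CLI is installed
# for the live check.

# Pure check: is $1 (a 12-digit account ID) in the allowlist $2?
# Returns 0 if allowed, 1 otherwise. No network access.
account_allowed() {
  id=$1
  allowlist=$2
  case "$id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;   # not a well-formed account ID; treat as not allowed
  esac
  for allowed in $allowlist; do
    [ "$id" = "$allowed" ] && return 0
  done
  return 1
}

# Root credentials have an ARN ending in ":root"; refuse those outright.
is_root_arn() {
  case "$1" in
    *:root) return 0 ;;
    *) return 1 ;;
  esac
}

# Live guard: resolve the caller identity via STS, apply both checks, then
# run cloud-nuke with whatever arguments were passed to this script.
guard_and_nuke() {
  identity=$(aws sts get-caller-identity --output text --query '[Account,Arn]') || {
    echo "could not resolve caller identity; are the AWS_* variables exported?" >&2
    return 2
  }
  account=$(printf '%s' "$identity" | awk '{print $1}')
  arn=$(printf '%s' "$identity" | awk '{print $2}')
  if is_root_arn "$arn"; then
    echo "refusing to run with root credentials ($arn)" >&2
    return 3
  fi
  if ! account_allowed "$account" "${CLOUD_NUKE_ALLOWED_ACCOUNTS:-}"; then
    echo "account $account is not in CLOUD_NUKE_ALLOWED_ACCOUNTS; refusing" >&2
    return 4
  fi
  echo "identity $arn in sandbox account $account; running cloud-nuke $*"
  cloud-nuke "$@"
}

# Only run the live path when invoked with --live, so the functions above
# can be sourced and tested without touching AWS.
if [ "${1:-}" = "--live" ]; then
  shift
  guard_and_nuke "$@"
fi
```

Usage: `CLOUD_NUKE_ALLOWED_ACCOUNTS="123456789012" sh guard-nuke.sh --live aws --region eu-central-1`. The allowlist check is deliberately an exact match on the account ID rather than a regex, so a typo cannot widen it.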
4. How to use cloud-nuke for deleting all resources of AWS?
Warning: if you run cloud-nuke against all resources in an AWS account, there is no undo. You will lose all of the infrastructure it supports, in every enabled region, no matter how it was created.
Now that you have read the warning, you understand the gravity of the cloud-nuke command and that it has to be used with the utmost caution.
cloud-nuke can do serious damage to your AWS infrastructure, yet using it is very easy. You simply run:
cloud-nuke aws
The command first lists the resource types it handles, scans every enabled region (plus global resources) for them, and then prints the concrete resources it is about to delete. Here is the output from my account when I ran cloud-nuke aws:
[cloud-nuke] INFO[2021-05-05T18:10:19Z] The following resource types will be nuked:
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ami
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - asg
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ebs
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ec2
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecscluster
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ecsserv
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - eip
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - ekscluster
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elb
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - elbv2
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - iam
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lambda
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - lc
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - rds
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - s3
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - snap
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - sqs
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-attachment
[cloud-nuke] INFO[2021-05-05T18:10:19Z] - transit-gateway-route-table
[cloud-nuke] INFO[2021-05-05T18:10:19Z] Retrieving active AWS resources in [eu-north-1, ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-3, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2, global]
[cloud-nuke] INFO[2021-05-05T18:10:19Z] Checking region [1/18]: eu-north-1
[cloud-nuke] INFO[2021-05-05T18:10:22Z] Checking region [2/18]: ap-south-1
[cloud-nuke] INFO[2021-05-05T18:10:30Z] Checking region [3/18]: eu-west-3
[cloud-nuke] INFO[2021-05-05T18:10:33Z] Checking region [4/18]: eu-west-2
[cloud-nuke] INFO[2021-05-05T18:10:36Z] Checking region [5/18]: eu-west-1
[cloud-nuke] INFO[2021-05-05T18:10:40Z] Checking region [6/18]: ap-northeast-3
[cloud-nuke] INFO[2021-05-05T18:10:54Z] Checking region [7/18]: ap-northeast-2
[cloud-nuke] INFO[2021-05-05T18:11:10Z] Checking region [8/18]: ap-northeast-1
[cloud-nuke] INFO[2021-05-05T18:11:27Z] Checking region [9/18]: sa-east-1
[cloud-nuke] INFO[2021-05-05T18:11:38Z] Checking region [10/18]: ca-central-1
[cloud-nuke] INFO[2021-05-05T18:11:44Z] Checking region [11/18]: ap-southeast-1
[cloud-nuke] INFO[2021-05-05T18:11:54Z] Checking region [12/18]: ap-southeast-2
[cloud-nuke] INFO[2021-05-05T18:12:11Z] Checking region [13/18]: eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:13Z] Checking region [14/18]: us-east-1
[cloud-nuke] INFO[2021-05-05T18:12:21Z] Checking region [15/18]: us-east-2
[cloud-nuke] INFO[2021-05-05T18:12:28Z] Checking region [16/18]: us-west-1
[cloud-nuke] INFO[2021-05-05T18:12:36Z] Checking region [17/18]: us-west-2
[cloud-nuke] INFO[2021-05-05T18:12:47Z] Checking region [18/18]: global
[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
cloud-nuke then asks for confirmation before deleting anything. Read the list of resources above this prompt carefully; this is your last chance to abort. To proceed, type nuke and press Enter:
THE NEXT STEPS ARE DESTRUCTIVE AND COMPLETELY IRREVERSIBLE, PROCEED WITH CAUTION!!!

Are you sure you want to nuke all listed resources? Enter 'nuke' to confirm (or exit with ^C): nuke
Since I use AWS only for development and keep everything in the eu-central-1 region, I had very few resources in the account: a single EC2 instance and its volume. If you look carefully at the cloud-nuke aws output, these are the two records that were deleted:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1
5. How to use cloud-nuke on a specific AWS region?
In the previous step we saw how to delete all resources in an AWS account. But is there a way to limit the deletion to a subset of the account?
Yes. cloud-nuke provides several ways to narrow what it deletes.
The first is by AWS region. Run the following command to delete the supported resources in eu-central-1 only:
cloud-nuke aws --region eu-central-1
The above command only affects resources in the eu-central-1 region. Remember that without --region cloud-nuke scans every enabled region, regardless of the AWS_REGION variable you exported; if you only ever work in one region, make --region a habit so a stray resource in another region does not surprise you, and so that you are not surprised by what gets deleted there either.
6. How to list the supported resources which can be nuked/deleted by cloud-nuke?
AWS has a very large number of resource types, so you may be wondering whether cloud-nuke supports all of them.
The answer is no. cloud-nuke does not support every AWS resource type, and a resource type it does not know about will simply be left alone (and will keep costing you money). You can get the list of supported types for your installed version by running:
cloud-nuke aws --list-resource-types
For v0.1.30 the command returns the following; newer releases support considerably more types, so check the output of your own version rather than relying on this list:
ami
asg
ebs
ec2
ecscluster
ecsserv
eip
ekscluster
elb
elbv2
iam
lambda
lc
rds
s3
snap
sqs
transit-gateway
transit-gateway-attachment
transit-gateway-route-table
These are the resource types cloud-nuke can delete from your AWS account. The names in this list are the values accepted by the --resource-type and --exclude-resource-type flags described below.
7. Is there a way to exclude the resources from cloud-nuke command?
When you work across development and production environments, you will often need to include or exclude certain kinds of resources.
cloud-nuke provides a convenient way to exclude resource types from deletion. Supply the flag --exclude-resource-type followed by a resource type name from the list above, such as ec2 or s3, once per type you want to protect.
Here is an example command that deletes everything cloud-nuke supports except S3 buckets and EC2 instances:
cloud-nuke aws --exclude-resource-type s3 --exclude-resource-type ec2
The converse flag, --resource-type, restricts the run to only the named types (for example --resource-type ec2). Two types deserve particular thought before you leave them in scope: s3, because bucket deletion is the one action here that destroys data rather than compute, and iam, because the IAM users it removes may include the one whose keys you are running with. Excluding both by default and opting in deliberately is a sensible habit.
8. How to Dry run cloud-nuke without deleting actual AWS resource?
We have now covered the main ways to nuke AWS resources with cloud-nuke. But is there a way to simulate the command, so that it reports what it would do without actually deleting anything?
Yes. cloud-nuke provides a --dry-run flag. Added to any of the commands above, it performs the same scan and prints the resources that would be deleted, but stops there and does not touch the account.
Here is an example that reports the EC2 instances cloud-nuke would delete:
cloud-nuke aws --resource-type ec2 --dry-run
Make the dry run a mandatory first step, especially in an account you share with others: read the list, and only then re-run the same command without --dry-run. Combining it with --region and --exclude-resource-type lets you preview exactly the scope you intend to delete.
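The dry run is only useful if something acts on its result. The script below is an added example, not from this article or from the cloud-nuke project: it runs cloud-nuke aws --dry-run with whatever arguments you pass, parses the plan lines in the log format shown earlier in this article, and only then runs the real command, refusing if the plan includes a protected resource type (assumed here: iam and s3) or more resources than an assumed MAX_RESOURCES limit. The embedded SAMPLE_PLAN is copied from the article's own log output so the parsing can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not part of the cloud-nuke project): run cloud-nuke in
# --dry-run mode first, parse what it would delete, and refuse the real run
# if the plan touches a protected resource type or too many resources.
# Assumptions not on the original page: PROTECTED_TYPES and MAX_RESOURCES
# are this script's own policy; the parsed log format is the one shown in
# the article ("The following N AWS resources will be nuked:" followed by
# "* <type> <id> <region>" lines).

# Constructed sample of dry-run output, copied from the article's log lines,
# used for offline testing of the parsing functions.
SAMPLE_PLAN='[cloud-nuke] INFO[2021-05-05T18:12:48Z] The following 2 AWS resources will be nuked:
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ec2 i-022c6eb3c456ada38 eu-central-1
[cloud-nuke] INFO[2021-05-05T18:12:48Z] * ebs vol-00f682b2ce10eb994 eu-central-1'

# Resource types this wrapper will never let through (our own policy).
PROTECTED_TYPES="iam s3"

# Print the number of resources the plan would delete (0 if no plan line).
plan_count() {
  count=$(printf '%s\n' "$1" \
    | sed -n 's/.*The following \([0-9][0-9]*\) AWS resources will be nuked:.*/\1/p' \
    | head -n 1)
  printf '%s\n' "${count:-0}"
}

# Print the distinct resource types in the plan, one per line.
# Plan lines look like: [cloud-nuke] INFO[...] * <type> <id> <region>
plan_types() {
  printf '%s\n' "$1" | awk '$3 == "*" { print $4 }' | sort -u
}

# Return 0 if the plan contains none of the protected types, 1 otherwise.
plan_is_safe() {
  for t in $(plan_types "$1"); do
    for p in $PROTECTED_TYPES; do
      [ "$t" = "$p" ] && { echo "plan contains protected type: $t" >&2; return 1; }
    done
  done
  return 0
}

# Live wrapper: dry-run, check the plan, then nuke with the same arguments.
# cloud-nuke logs to stderr, hence 2>&1. MAX_RESOURCES caps one run.
safe_nuke() {
  max=${MAX_RESOURCES:-25}
  plan=$(cloud-nuke aws --dry-run "$@" 2>&1) || { echo "dry run failed" >&2; return 2; }
  n=$(plan_count "$plan")
  if [ "$n" -eq 0 ]; then
    echo "nothing to nuke"
    return 0
  fi
  if [ "$n" -gt "$max" ]; then
    echo "plan would delete $n resources (limit $max); refusing" >&2
    return 3
  fi
  plan_is_safe "$plan" || return 4
  echo "dry run approved: $n resources, types: $(plan_types "$plan" | tr '\n' ' ')"
  cloud-nuke aws "$@"
}

# Only run the live path when invoked with --live, so the parsing functions
# can be tested without credentials or network access.
if [ "${1:-}" = "--live" ]; then
  shift
  safe_nuke "$@"
fi
```

Usage: `MAX_RESOURCES=10 sh safe-nuke.sh --live --region eu-central-1`. The real run still presents cloud-nuke's own 'nuke' confirmation prompt, so the wrapper adds a second gate rather than removing the first. The type check deliberately matches whole names from the --list-resource-types output, so a future type such as "s3-access-point" would not be silently treated as protected.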