{"id":31078099,"url":"https://github.com/itsnotsagar/aws-nuke-gitlab","last_synced_at":"2026-04-29T16:34:35.084Z","repository":{"id":314920683,"uuid":"1056656023","full_name":"itsnotsagar/aws-nuke-gitlab","owner":"itsnotsagar","description":"AWS Account Nuke Pipeline - Automated AWS Resource Cleanup with GitLab CI/CD","archived":false,"fork":false,"pushed_at":"2025-09-15T17:08:48.000Z","size":16,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-15T17:40:53.599Z","etag":null,"topics":["aft","aws","cicd","gitlab","nuke","remove"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itsnotsagar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-14T14:44:07.000Z","updated_at":"2025-09-15T17:08:51.000Z","dependencies_parsed_at":"2025-09-15T17:40:55.914Z","dependency_job_id":"7516e478-edd0-44ce-b406-a83753b706a8","html_url":"https://github.com/itsnotsagar/aws-nuke-gitlab","commit_stats":null,"previous_names":["itsnotsagar/aws-nuke-tf"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/itsnotsagar/aws-nuke-gitlab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itsnotsagar%2Faws-nuke-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itsnotsagar%2Faws-nuke-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itsnotsagar%2Faws-nuke-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itsnotsagar%2Faws-nuke-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itsnotsagar","download_url":"https://codeload.github.com/itsnotsagar/aws-nuke-gitlab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itsnotsagar%2Faws-nuke-gitlab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32435106,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T13:34:34.882Z","status":"ssl_error","status_checked_at":"2026-04-29T13:34:29.830Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aft","aws","cicd","gitlab","nuke","remove"],"created_at":"2025-09-16T08:03:15.886Z","updated_at":"2026-04-29T16:34:35.066Z","avatar_url":"https://github.com/itsnotsagar.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Nuke - GitLab Pipeline\n\nA GitLab CI/CD pipeline for safely nuking AWS accounts using [aws-nuke](https://github.com/ekristen/aws-nuke) with automated configuration management and multi-stage approval process.\n\n## Overview\n\nThis project provides a secure, automated way to completely clean AWS accounts by removing all resources. It's designed for scenarios like:\n- Cleaning up development/test accounts\n- Account closure procedures\n- Resource cleanup after testing\n- Preparing accounts for handover\n\n## Features\n\n- **Multi-stage approval process** - Two manual approval gates before execution\n- **Dry-run validation** - Always runs a dry-run first to show what will be deleted\n- **Flexible account configuration** - Supports accounts with and without aliases\n- **Comprehensive resource exclusions** - Pre-configured to exclude deprecated and problematic resources\n- **Detailed logging** - Captures all operations with timestamped logs\n- **Role-based access** - Uses AWS STS assume role for secure cross-account operations\n\n## Project Structure\n\n```\n├── .gitlab-ci.yml              # Main CI/CD pipeline configuration\n├── config-with-alias.yml       # aws-nuke config template for accounts with aliases\n├── config-without-alias.yml    # aws-nuke config template for accounts without aliases\n├── scripts/\n│   └── prepare-config.sh       # Script to generate final config from templates\n├── close-account/\n│   └── nuke.yml               # Account registry for tracking accounts to be nuked\n└── README.md                  # This file\n```\n\n## Pipeline Stages\n\n### 1. Detect Changes\n- Monitors changes to `close-account/nuke.yml`\n- Extracts account information (ID, CLSP, alias if present)\n- Only triggers when nuke.yml is modified in merge requests to main\n\n### 2. Display Account\n- Shows the account details that will be processed\n- Provides visibility into what account will be affected\n\n### 3. Manual Approval 1\n- **MANUAL GATE**: Requires human approval before dry-run\n- Shows account details for verification\n\n### 4. Dry Run\n- Downloads aws-nuke from GitHub releases\n- Assumes `AWSAFTExecution` role in target account\n- Runs aws-nuke in dry-run mode\n- Generates detailed log of resources that would be removed\n- Does not actually delete anything\n\n### 5. Manual Approval 2\n- **MANUAL GATE**: Requires human approval before execution\n- Final confirmation before actual resource deletion\n\n### 6. Execute\n- Performs actual aws-nuke execution\n- Permanently deletes all identified resources\n- Generates execution log with deleted resources\n\n## Configuration\n\n### Account Registry (`close-account/nuke.yml`)\n\nAdd accounts to be nuked in this format:\n\n```yaml\nAccounts:\n  - \"AccountId\": \"123456789012\"\n    \"CLSP\": \"my-account-identifier\"\n  - \"AccountId\": \"987654321098\"\n    \"CLSP\": \"another-account\"\n    \"AccountAlias\": \"my-account-alias\"  # Optional\n```\n\n### AWS Nuke Configuration\n\nThe pipeline uses two template configurations:\n\n- `config-with-alias.yml` - For accounts that have an AWS account alias\n- `config-without-alias.yml` - For accounts without an alias\n\nBoth configurations exclude:\n- Deprecated AWS services (OpsWorks, CodeStar, Cloud9, etc.)\n- Problematic resources (ServiceCatalog items, ML services)\n- IAM roles and policies (to avoid breaking access)\n- S3Objects (handled by S3 bucket deletion)\n\n### Excluded Resource Types\n\nThe configuration excludes several resource types for safety and compatibility:\n\n- **Deprecated Services**: OpsWorks, CodeStar, Cloud9, CloudSearch, RoboMaker\n- **Machine Learning**: All ML-related resources (service unavailable)\n- **Service Catalog**: Tag options and attachments (known issues)\n- **IAM**: Roles and policies (to maintain access during cleanup)\n- **S3Objects**: Handled automatically by S3 bucket deletion\n\n## Prerequisites\n\n### AWS Setup\n1. Target accounts must have `AWSAFTExecution` role\n2. Pipeline execution role must be able to assume roles in target accounts\n3. Accounts should not be production accounts (use blocklist protection)\n\n### GitLab Setup\n1. GitLab runner with `test-runner` tag\n2. AWS credentials configured for the runner\n3. Required tools: `curl`, `tar`, `jq`, `aws-cli`\n\n## Usage\n\n### Adding an Account for Cleanup\n\n1. Create a merge request to main branch\n2. Edit `close-account/nuke.yml` and add your account:\n   ```yaml\n   Accounts:\n     - \"AccountId\": \"YOUR_ACCOUNT_ID\"\n       \"CLSP\": \"your-identifier\"\n       \"AccountAlias\": \"your-alias\"  # Optional\n   ```\n3. Submit the merge request\n4. Pipeline will automatically trigger and require two manual approvals\n\n### Pipeline Execution\n\n1. **Automatic Detection**: Pipeline detects changes to nuke.yml\n2. **Review Account Info**: Check the displayed account details\n3. **First Approval**: Approve to proceed with dry-run\n4. **Review Dry-run Results**: Examine what resources will be deleted\n5. **Second Approval**: Final approval for actual execution\n6. **Execution**: Resources are permanently deleted\n\n## Safety Features\n\n### Blocklist Protection\n- Production account `123456789012` is blocklisted\n- Add additional production accounts to the blocklist in config templates\n\n### Multi-stage Approval\n- Two manual approval gates prevent accidental execution\n- Clear warnings about permanent deletion\n\n### Dry-run First\n- Always shows what will be deleted before actual execution\n- Allows review and cancellation if needed\n\n### Role-based Access\n- Uses temporary credentials via STS assume role\n- Credentials are automatically cleaned up after use\n\n## Logs and Artifacts\n\nThe pipeline generates several artifacts:\n\n- `aws-nuke-removal-*.log` - Dry-run results showing resources to be removed\n- `aws-nuke-execution-*.log` - Execution results showing deleted resources\n- `config-prepared.yml` - Final configuration used for aws-nuke\n- `account_info.env` - Account details for pipeline stages\n\nArtifacts are retained for 1 day for review and troubleshooting.\n\n## Troubleshooting\n\n### Common Issues\n\n**Pipeline doesn't trigger**\n- Ensure changes are made to `close-account/nuke.yml`\n- Verify merge request targets the `main` branch\n\n**Role assumption fails**\n- Check that `AWSAFTExecution` role exists in target account\n- Verify trust relationship allows assumption from pipeline role\n\n**aws-nuke exits with warnings**\n- This is normal - some resources may not be deletable due to dependencies\n- Check logs to see what was and wasn't deleted\n- Pipeline continues even with warnings\n\n**Config preparation fails**\n- Verify account ID format in nuke.yml\n- Check that alias is provided when HAS_ALIAS is true\n\n### Manual Cleanup\n\nIf the pipeline fails partway through, you may need to:\n\n1. Check the execution logs for partially deleted resources\n2. Manually clean up any remaining resources\n3. Re-run the pipeline if needed\n\n## Security Considerations\n\n- Never run against production accounts\n- Always review dry-run results carefully\n- Ensure proper IAM permissions and role trust relationships\n- Monitor execution logs for any unexpected behavior\n- Keep the blocklist updated with protected accounts\n\n## Contributing\n\n1. Test changes in a non-production environment first\n2. Update documentation for any configuration changes\n3. Follow the existing code style and structure\n4. Ensure all safety features remain intact\n\n## License\n\nMIT License - see LICENSE file for details.\n\n## Disclaimer\n\n⚠️ **WARNING**: This tool permanently deletes AWS resources. Use with extreme caution and always test in non-production environments first. The authors are not responsible for any data loss or service disruption caused by the use of this tool.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitsnotsagar%2Faws-nuke-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitsnotsagar%2Faws-nuke-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitsnotsagar%2Faws-nuke-gitlab/lists"}