{"id":13430968,"url":"https://github.com/rebuy-de/aws-nuke","last_synced_at":"2026-01-03T15:30:18.057Z","repository":{"id":37484109,"uuid":"74891203","full_name":"rebuy-de/aws-nuke","owner":"rebuy-de","description":"Nuke a whole AWS account and delete all its resources.","archived":true,"fork":false,"pushed_at":"2024-10-15T07:47:29.000Z","size":1411,"stargazers_count":5761,"open_issues_count":0,"forks_count":728,"subscribers_count":79,"default_branch":"main","last_synced_at":"2025-02-08T20:16:45.010Z","etag":null,"topics":["aws","cli","deprecated","golang"],"latest_commit_sha":null,"homepage":"https://github.com/ekristen/aws-nuke","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rebuy-de.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-11-27T14:02:22.000Z","updated_at":"2025-02-05T09:14:32.000Z","dependencies_parsed_at":"2023-11-14T10:31:28.567Z","dependency_job_id":"273035f6-c725-4d66-8cff-b04a6c7fe029","html_url":"https://github.com/rebuy-de/aws-nuke","commit_stats":{"total_commits":745,"total_committers":161,"mean_commits":4.627329192546584,"dds":0.7677852348993288,"last_synced_commit":"7ab3cd206e34c761e69ba5f33f74b11e3b889793"},"previous_names":[],"tags_count":51,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebuy-de%2Faws-nuke","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebuy-de%2Faws-nuke/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebuy-de%2
Faws-nuke/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebuy-de%2Faws-nuke/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rebuy-de","download_url":"https://codeload.github.com/rebuy-de/aws-nuke/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239731691,"owners_count":19687878,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cli","deprecated","golang"],"created_at":"2024-07-31T02:00:59.393Z","updated_at":"2026-01-03T15:30:17.958Z","avatar_url":"https://github.com/rebuy-de.png","language":"Go","funding_links":[],"categories":["Go","\u003ca id=\"7e840ca27f1ff222fd25bc61a79b07ba\"\u003e\u003c/a\u003e特定目标","\u003ca id=\"c71ad1932bbf9c908af83917fe1fd5da\"\u003e\u003c/a\u003eAWS","golang"],"sub_categories":["\u003ca id=\"c71ad1932bbf9c908af83917fe1fd5da\"\u003e\u003c/a\u003eAWS","\u003ca id=\"0476f6b97e87176da0a0d7328f8747e7\"\u003e\u003c/a\u003eblog"],"readme":"\u003e [!CAUTION]\n\u003e This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at [ekristen/aws-nuke](https://github.com/ekristen/aws-nuke).\n\u003e We appreciate all the support and contributions we've received throughout the life of this project. 
We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.\n\u003e Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.\n\u003e Thank you for your understanding and support.\n\n\n# aws-nuke\n\n![Build Status](https://github.com/rebuy-de/aws-nuke/workflows/Golang%20CI/badge.svg?branch=main)\n[![license](https://img.shields.io/github/license/rebuy-de/aws-nuke.svg)](https://github.com/rebuy-de/aws-nuke/blob/main/LICENSE)\n[![GitHub release](https://img.shields.io/github/release/rebuy-de/aws-nuke.svg)](https://github.com/rebuy-de/aws-nuke/releases)\n[![Docker Hub](https://img.shields.io/docker/pulls/rebuy/aws-nuke)](https://hub.docker.com/r/rebuy/aws-nuke)\n\nRemove all resources from an AWS account.\n\n\u003e **Development Status** *aws-nuke* is stable, but it is likely that not all AWS\nresources are covered by it. Be encouraged to add missing resources and create\na Pull Request or to create an [Issue](https://github.com/rebuy-de/aws-nuke/issues/new).\n\n## Caution!\n\nBe aware that *aws-nuke* is a very destructive tool, hence you have to be very\ncareful while using it. Otherwise you might delete production data.\n\n**We strongly advise you to not run this application on any AWS account, where\nyou cannot afford to lose all resources.**\n\nTo reduce the blast radius of accidents, there are some safety precautions:\n\n1. By default *aws-nuke* only lists all nukeable resources. You need to add\n   `--no-dry-run` to actually delete resources.\n2. *aws-nuke* asks you twice to confirm the deletion by entering the account\n   alias. The first time is directly after the start and the second time after\n   listing all nukeable resources.\n3. 
To avoid just displaying an account ID, which might gladly be ignored by\n   humans, it is required to actually set an [Account\n   Alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)\n   for your account. Otherwise *aws-nuke* will abort.\n4. The Account Alias must not contain the string `prod`. This string is\n   hardcoded and it is recommended to add it to every actual production account\n   (eg `mycompany-production-ecr`).\n5. The config file contains a blocklist field. If the Account ID of the account\n   you want to nuke is part of this blocklist, *aws-nuke* will abort. It is\n   recommended that you add every production account to this blocklist.\n6. To ensure you don't just ignore the blocklisting feature, the blocklist must\n   contain at least one Account ID.\n7. The config file contains account specific settings (eg. filters). The\n   account you want to nuke must be explicitly listed there.\n8. To ensure that you do not accidentally delete a random account, it is required to\n   specify a config file. It is recommended to have only a single config file\n   and add it to a central repository. This way the account blocklist is way\n   easier to manage and keep up to date.\n\nFeel free to create an issue, if you have any ideas to improve the safety\nprocedures.\n\n\n## Use Cases\n\n* We are testing our [Terraform](https://www.terraform.io/) code with Jenkins.\n  Sometimes a Terraform run fails during development and messes up the account.\n  With *aws-nuke* we can simply clean up the failed account so it can be reused\n  for the next build.\n* Our platform developers have their own AWS Accounts where they can create\n  their own Kubernetes clusters for testing purposes. 
With *aws-nuke* it is\n  very easy to clean up these accounts at the end of the day and keep the costs\n  low.\n\n## Releases\n\nWe usually release a new version once enough changes have come together and have\nbeen tested for a while.\n\nYou can find Linux, macOS and Windows binaries on the\n[releases page](https://github.com/rebuy-de/aws-nuke/releases), but we also\nprovide containerized versions on [quay.io/rebuy/aws-nuke](https://quay.io/rebuy/aws-nuke)\nand [docker.io/rebuy/aws-nuke](https://hub.docker.com/r/rebuy/aws-nuke). Both\nare available for multiple architectures (amd64, arm64 \u0026 armv7).\n\n\n## Usage\n\nFirst you need to create a config file for *aws-nuke*. This is a minimal one:\n\n```yaml\nregions:\n- eu-west-1\n- global\n\naccount-blocklist:\n- \"999999999999\" # production\n\naccounts:\n  \"000000000000\": {} # aws-nuke-example\n```\n\nWith this config we can run *aws-nuke*:\n\n```\n$ aws-nuke -c config/nuke-config.yml --profile aws-nuke-example\naws-nuke version v1.0.39.gc2f318f - Fri Jul 28 16:26:41 CEST 2017 - c2f318f37b7d2dec0e646da3d4d05ab5296d5bce\n\nDo you really want to nuke the account with the ID 000000000000 and the alias 'aws-nuke-example'?\nDo you want to continue? 
Enter account alias to continue.\n\u003e aws-nuke-example\n\neu-west-1 - EC2DHCPOption - 'dopt-bf2ec3d8' - would remove\neu-west-1 - EC2Instance - 'i-01b489457a60298dd' - would remove\neu-west-1 - EC2KeyPair - 'test' - would remove\neu-west-1 - EC2NetworkACL - 'acl-6482a303' - cannot delete default VPC\neu-west-1 - EC2RouteTable - 'rtb-ffe91e99' - would remove\neu-west-1 - EC2SecurityGroup - 'sg-220e945a' - cannot delete group 'default'\neu-west-1 - EC2SecurityGroup - 'sg-f20f958a' - would remove\neu-west-1 - EC2Subnet - 'subnet-154d844e' - would remove\neu-west-1 - EC2Volume - 'vol-0ddfb15461a00c3e2' - would remove\neu-west-1 - EC2VPC - 'vpc-c6159fa1' - would remove\neu-west-1 - IAMUserAccessKey - 'my-user -\u003e ABCDEFGHIJKLMNOPQRST' - would remove\neu-west-1 - IAMUserPolicyAttachment - 'my-user -\u003e AdministratorAccess' - [UserName: \"my-user\", PolicyArn: \"arn:aws:iam::aws:policy/AdministratorAccess\", PolicyName: \"AdministratorAccess\"] - would remove\neu-west-1 - IAMUser - 'my-user' - would remove\nScan complete: 13 total, 11 nukeable, 2 filtered.\n\nWould delete these resources. Provide --no-dry-run to actually destroy resources.\n```\n\nAs we see, *aws-nuke* only lists all found resources and exits. This is because\nthe `--no-dry-run` flag is missing. Also it wants to delete the\nadministrator. We don't want to do this, because we use this user to access\nour account. 
Therefore we have to extend the config so it ignores this user:\n\n\n```yaml\nregions:\n- eu-west-1\n\naccount-blocklist:\n- \"999999999999\" # production\n\naccounts:\n  \"000000000000\": # aws-nuke-example\n    filters:\n      IAMUser:\n      - \"my-user\"\n      IAMUserPolicyAttachment:\n      - \"my-user -\u003e AdministratorAccess\"\n      IAMUserAccessKey:\n      - \"my-user -\u003e ABCDEFGHIJKLMNOPQRST\"\n```\n\n```\n$ aws-nuke -c config/nuke-config.yml --profile aws-nuke-example --no-dry-run\naws-nuke version v1.0.39.gc2f318f - Fri Jul 28 16:26:41 CEST 2017 - c2f318f37b7d2dec0e646da3d4d05ab5296d5bce\n\nDo you really want to nuke the account with the ID 000000000000 and the alias 'aws-nuke-example'?\nDo you want to continue? Enter account alias to continue.\n\u003e aws-nuke-example\n\neu-west-1 - EC2DHCPOption - 'dopt-bf2ec3d8' - would remove\neu-west-1 - EC2Instance - 'i-01b489457a60298dd' - would remove\neu-west-1 - EC2KeyPair - 'test' - would remove\neu-west-1 - EC2NetworkACL - 'acl-6482a303' - cannot delete default VPC\neu-west-1 - EC2RouteTable - 'rtb-ffe91e99' - would remove\neu-west-1 - EC2SecurityGroup - 'sg-220e945a' - cannot delete group 'default'\neu-west-1 - EC2SecurityGroup - 'sg-f20f958a' - would remove\neu-west-1 - EC2Subnet - 'subnet-154d844e' - would remove\neu-west-1 - EC2Volume - 'vol-0ddfb15461a00c3e2' - would remove\neu-west-1 - EC2VPC - 'vpc-c6159fa1' - would remove\neu-west-1 - IAMUserAccessKey - 'my-user -\u003e ABCDEFGHIJKLMNOPQRST' - filtered by config\neu-west-1 - IAMUserPolicyAttachment - 'my-user -\u003e AdministratorAccess' - [UserName: \"my-user\", PolicyArn: \"arn:aws:iam::aws:policy/AdministratorAccess\", PolicyName: \"AdministratorAccess\"] - would remove\neu-west-1 - IAMUser - 'my-user' - filtered by config\nScan complete: 13 total, 8 nukeable, 5 filtered.\n\nDo you really want to nuke these resources on the account with the ID 000000000000 and the alias 'aws-nuke-example'?\nDo you want to continue? 
Enter account alias to continue.\n\u003e aws-nuke-example\n\neu-west-1 - EC2DHCPOption - 'dopt-bf2ec3d8' - failed\neu-west-1 - EC2Instance - 'i-01b489457a60298dd' - triggered remove\neu-west-1 - EC2KeyPair - 'test' - triggered remove\neu-west-1 - EC2RouteTable - 'rtb-ffe91e99' - failed\neu-west-1 - EC2SecurityGroup - 'sg-f20f958a' - failed\neu-west-1 - EC2Subnet - 'subnet-154d844e' - failed\neu-west-1 - EC2Volume - 'vol-0ddfb15461a00c3e2' - failed\neu-west-1 - EC2VPC - 'vpc-c6159fa1' - failed\neu-west-1 - S3Object - 's3://rebuy-terraform-state-138758637120/run-terraform.lock' - triggered remove\n\nRemoval requested: 2 waiting, 6 failed, 5 skipped, 0 finished\n\neu-west-1 - EC2DHCPOption - 'dopt-bf2ec3d8' - failed\neu-west-1 - EC2Instance - 'i-01b489457a60298dd' - waiting\neu-west-1 - EC2KeyPair - 'test' - removed\neu-west-1 - EC2RouteTable - 'rtb-ffe91e99' - failed\neu-west-1 - EC2SecurityGroup - 'sg-f20f958a' - failed\neu-west-1 - EC2Subnet - 'subnet-154d844e' - failed\neu-west-1 - EC2Volume - 'vol-0ddfb15461a00c3e2' - failed\neu-west-1 - EC2VPC - 'vpc-c6159fa1' - failed\n\nRemoval requested: 1 waiting, 6 failed, 5 skipped, 1 finished\n\n--- truncating long output ---\n```\n\nAs you see, *aws-nuke* now tries to delete all resources which aren't filtered,\nwithout caring about the dependencies between them. This results in API errors\nwhich can be ignored. These errors are shown at the end of the *aws-nuke* run,\nif they keep appearing.\n\n*aws-nuke* retries deleting all resources until all specified ones are deleted\nor until there are only resources with errors left.\n\n### AWS Credentials\n\nThere are two ways to authenticate *aws-nuke*. There are static credentials and\nprofiles. The latter can be configured in the shared credentials file (ie\n`~/.aws/credentials`) or the shared config file (ie `~/.aws/config`).\n\nTo use *static credentials* the command line flags `--access-key-id` and\n`--secret-access-key` are required. 
The flag `--session-token` is only required\nfor temporary sessions.\n\nTo use *shared profiles* the command line flag `--profile` is required. The\nprofile must be either defined with static credentials in the [shared\ncredential\nfile](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html)\nor in [shared config\nfile](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) with an\nassuming role.\n\n### Using custom AWS endpoint\n\nIt is possible to configure aws-nuke to run against non-default AWS endpoints.\nIt could be used for integration testing pointing to a local endpoint such as an\nS3 appliance or a Stratoscale cluster for example.\n\nTo configure aws-nuke to use custom endpoints, add the configuration directives as shown in the following example:\n\n```yaml\nregions:\n- demo10\n\n# inspired by https://www.terraform.io/docs/providers/aws/guides/custom-service-endpoints.html\nendpoints:\n- region: demo10\n  tls_insecure_skip_verify: true\n  services:\n  - service: ec2\n    url: https://10.16.145.115/api/v2/aws/ec2\n  - service: s3\n    url: https://10.16.145.115:1060\n  - service: rds\n    url: https://10.16.145.115/api/v2/aws/rds\n  - service: elbv2\n    url: https://10.16.145.115/api/v2/aws/elbv2\n  - service: efs\n    url: https://10.16.145.115/api/v2/aws/efs\n  - service: emr\n    url: https://10.16.145.115/api/v2/aws/emr\n  - service: autoscaling\n    url: https://10.16.145.115/api/v2/aws/autoscaling\n  - service: cloudwatch\n    url: https://10.16.145.115/api/v2/aws/cloudwatch\n  - service: sns\n    url: https://10.16.145.115/api/v2/aws/sns\n  - service: iam\n    url: https://10.16.145.115/api/v2/aws/iam\n  - service: acm\n    url: https://10.16.145.115/api/v2/aws/acm\n\naccount-blocklist:\n- \"account-id-of-custom-region-prod\" # production\n\naccounts:\n  \"account-id-of-custom-region-demo10\":\n```\n\nThis can then be used as follows:\n```buildoutcfg\n$ aws-nuke -c config/my.yaml  --access-key-id 
\u003caccess-key\u003e --secret-access-key \u003csecret-key\u003e --default-region demo10\naws-nuke version v2.11.0.2.gf0ad3ac.dirty - Tue Nov 26 19:15:12 IST 2019 - f0ad3aca55eb66b93b88ce2375f8ad06a7ca856f\n\nDo you really want to nuke the account with the ID account-id-of-custom-region-demo10 and the alias 'account-id-of-custom-region-demo10'?\nDo you want to continue? Enter account alias to continue.\n\u003e account-id-of-custom-region-demo10\n\ndemo10 - EC2Volume - vol-099aa1bb08454fd5bc3499897f175fd8 - [tag:Name: \"volume_of_5559b38e-0a56-4078-9a6f-eb446c21cadf\"] - would remove\ndemo10 - EC2Volume - vol-11e9b09c71924354bcb4ee77e547e7db - [tag:Name: \"volume_of_e4f8c806-0235-4578-8c08-dce45d4c2952\"] - would remove\ndemo10 - EC2Volume - vol-1a10cb3f3119451997422c435abf4275 - [tag:Name: \"volume-dd2e4c4a\"] - would remove\ndemo10 - EC2Volume - vol-1a2e649df1ef449686ef8771a078bb4e - [tag:Name: \"web-server-5\"] - would remove\ndemo10 - EC2Volume - vol-481d09bbeb334ec481c12beee6f3012e - [tag:Name: \"volume_of_15b606ce-9dcd-4573-b7b1-4329bc236726\"] - would remove\ndemo10 - EC2Volume - vol-48f6bd2bebb945848b029c80b0f2de02 - [tag:Name: \"Data volume for 555e9f8a\"] - would remove\ndemo10 - EC2Volume - vol-49f0762d84f0439da805d11b6abc1fee - [tag:Name: \"Data volume for acb7f3a5\"] - would remove\ndemo10 - EC2Volume - vol-4c34656f823542b2837ac4eaff64762b - [tag:Name: \"wpdb\"] - would remove\ndemo10 - EC2Volume - vol-875f091078134fee8d1fe3b1156a4fce - [tag:Name: \"volume-f1a7c95f\"] - would remove\ndemo10 - EC2Volume - vol-8776a0d5bd4e4aefadfa8038425edb20 - [tag:Name: \"web-server-6\"] - would remove\ndemo10 - EC2Volume - vol-8ed468bfab0b42c3bc617479b8f33600 - [tag:Name: \"web-server-3\"] - would remove\ndemo10 - EC2Volume - vol-94e0370b6ab54f03822095d74b7934b2 - [tag:Name: \"web-server-2\"] - would remove\ndemo10 - EC2Volume - vol-9ece34dfa7f64dd583ab903a1273340c - [tag:Name: \"volume-4ccafc2e\"] - would remove\ndemo10 - EC2Volume - 
vol-a3fb3e8800c94452aff2fcec7f06c26b - [tag:Name: \"web-server-0\"] - would remove\ndemo10 - EC2Volume - vol-a53954e17cb749a283d030f26bbaf200 - [tag:Name: \"volume-5484e330\"] - would remove\ndemo10 - EC2Volume - vol-a7afe64f4d0f4965a6703cc0cfab2ba4 - [tag:Name: \"Data volume for f1a7c95f\"] - would remove\ndemo10 - EC2Volume - vol-d0bc3f2c887f4072a9fda0b8915d94c1 - [tag:Name: \"physical_volume_of_39c29f53-eac4-4f02-9781-90512cc7c563\"] - would remove\ndemo10 - EC2Volume - vol-d1f066d8dac54ae59d087d7e9947e8a9 - [tag:Name: \"Data volume for 4ccafc2e\"] - would remove\ndemo10 - EC2Volume - vol-d9adb3f084cd4d588baa08690349b1f9 - [tag:Name: \"volume_of_84854c9b-98aa-4f5b-926a-38b3398c3ad2\"] - would remove\ndemo10 - EC2Volume - vol-db42e471b19f42b7835442545214bc1a - [tag:Name: \"lb-tf-lb-20191126090616258000000002\"] - would remove\ndemo10 - EC2Volume - vol-db80932fb47243efa67c9dd34223c647 - [tag:Name: \"web-server-5\"] - would remove\ndemo10 - EC2Volume - vol-dbea1d1083654d30a43366807a125aed - [tag:Name: \"volume-555e9f8a\"] - would remove\n\n--- truncating long output ---\n```\n### Specifying Resource Types to Delete\n\n*aws-nuke* deletes a lot of resources and more might be added in any\nrelease. Eventually, every resource should get deleted. You might want to\nrestrict which resources to delete. There are multiple ways to configure this.\n\nOne way is filters, which were already mentioned. This requires knowing the\nidentifier of each resource. 
It is also possible to prevent whole resource\ntypes (eg `S3Bucket`) from getting deleted with two methods.\n\n* The `--target` flag limits nuking to the specified resource types.\n* The `--exclude` flag prevents nuking of the specified resource types.\n\nIt is also possible to configure the resource types in the config file like in\nthese examples:\n\n```\n---\nregions:\n  - \"eu-west-1\"\naccount-blocklist:\n- 1234567890\n\nresource-types:\n  # only nuke these three resources\n  targets:\n  - S3Object\n  - S3Bucket\n  - IAMRole\n\naccounts:\n  555133742: {}\n```\n\n```\n---\nregions:\n  - \"eu-west-1\"\naccount-blocklist:\n- 1234567890\n\nresource-types:\n  # don't nuke IAM users\n  excludes:\n  - IAMUser\n\naccounts:\n  555133742: {}\n```\n\nIf targets are specified in multiple places (eg CLI and account specific), then\na resource type must be specified in all places. In other words each\nconfiguration limits the previous ones.\n\nIf an exclude is used, then none of its resource types will be deleted.\n\n**Hint:** You can see all available resource types with this command:\n\n```\naws-nuke resource-types\n```\n\n### AWS Cloud Control API Support\n\n\u003e This feature is not yet released and is probably part of `v2.18`.\n\n_aws-nuke_ supports removing resources via the AWS Cloud Control API. When\nexecuting _aws-nuke_ it will automatically remove a manually managed set of\nresources via Cloud Control.\n\nOnly a subset of Cloud Control supported resources will be removed\nautomatically, because there might be resources that were already implemented\nand adding them too would bypass existing filters in user configs as Cloud\nControl has another naming scheme and a different set of properties. 
Moreover,\nthere are some Cloud Control resources that need special handling which is not\nyet supported by _aws-nuke_.\n\nEven though the subset of automatically supported Cloud Control resources is\nlimited, you can configure _aws-nuke_ to make it try any additional\nresource, either via command line flags or via the config file.\n\nFor the config file you have to add the resource to\nthe `resource-types.cloud-control` list:\n\n```yaml\nresource-types:\n  cloud-control:\n  - AWS::EC2::TransitGateway\n  - AWS::EC2::VPC\n```\n\nIf you want to use the command line, you have to add a `--cloud-control` flag\nfor each resource you want to add:\n\n```sh\naws-nuke \\\n    -c nuke-config.yaml \\\n    --cloud-control AWS::EC2::TransitGateway \\\n    --cloud-control AWS::EC2::VPC\n```\n\n**Note:** There are some resources that are supported by Cloud Control and are\nalready natively implemented by _aws-nuke_. If you configure _aws-nuke_ to use Cloud\nControl for those resources, it will not execute the natively implemented code\nfor this resource. For example with the `--cloud-control AWS::EC2::VPC` it will\nnot use the `EC2VPC` resource.\n\n\n### Feature Flags\n\nThere are some features which are quite opinionated. To make those work for\neveryone, *aws-nuke* has flags to manually enable those features. These can be\nconfigured on the root-level of the config, like this:\n\n```yaml\n---\nfeature-flags:\n  disable-deletion-protection:\n    RDSInstance: true\n    EC2Instance: true\n    CloudformationStack: true\n  force-delete-lightsail-addons: true\n```\n\n\n### Filtering Resources\n\nIt is possible to filter resources. This is important for not deleting the current user,\nfor example, or for resources like S3 Buckets which have a globally shared\nnamespace and might be hard to recreate. Currently the filtering is based on\nthe resource identifier. 
The identifier will be printed as the first step of\n*aws-nuke* (eg `i-01b489457a60298dd` for an EC2 instance).\n\n**Note: Even with filters you should not run aws-nuke on any AWS account where\nyou cannot afford to lose all resources. It is easy to make mistakes in the\nfilter configuration. Also, since aws-nuke is in continuous development, there\nis always a possibility to introduce new bugs, no matter how carefully we review\nnew code.**\n\nThe filters are part of the account-specific configuration and are grouped by\nresource types. This is an example of a config that deletes all resources but\nthe `admin` user with its access permissions and two access keys:\n\n```yaml\n---\nregions:\n- global\n- eu-west-1\n\naccount-blocklist:\n- 1234567890\n\naccounts:\n  0987654321:\n    filters:\n      IAMUser:\n      - \"admin\"\n      IAMUserPolicyAttachment:\n      - \"admin -\u003e AdministratorAccess\"\n      IAMUserAccessKey:\n      - \"admin -\u003e AKSDAFRETERSDF\"\n      - \"admin -\u003e AFGDSGRTEWSFEY\"\n```\n\nAny resource whose resource identifier exactly matches any of the filters in\nthe list will be skipped. These will be marked as \"filtered by config\" on the\n*aws-nuke* run.\n\n#### Filter Properties\n\nSome resources support filtering via properties. When a resource supports these\nproperties, they will be listed in the output like in this example:\n\n```\nglobal - IAMUserPolicyAttachment - 'admin -\u003e AdministratorAccess' - [RoleName: \"admin\", PolicyArn: \"arn:aws:iam::aws:policy/AdministratorAccess\", PolicyName: \"AdministratorAccess\"] - would remove\n```\n\nTo use properties, it is required to specify an object with `property` and\n`value` instead of the plain string.\n\nThese types can be used to simplify the configuration. 
For example, it is\npossible to protect all access keys of a single user:\n\n```yaml\nIAMUserAccessKey:\n- property: UserName\n  value: \"admin\"\n```\n\n#### Filter Types\n\nThere are also comparison types other than an exact match:\n\n* `exact` – The identifier must exactly match the given string. This is the default.\n* `contains` – The identifier must contain the given string.\n* `glob` – The identifier must match against the given [glob\n  pattern](https://en.wikipedia.org/wiki/Glob_(programming)). This means the\n  string might contain wildcards like `*` and `?`. Note that globbing is\n  designed for file paths, so the wildcards do not match the directory\n  separator (`/`). Details about the glob pattern can be found in the [library\n  documentation](https://godoc.org/github.com/mb0/glob).\n* `regex` – The identifier must match against the given regular expression.\n  Details about the syntax can be found in the [library\n  documentation](https://golang.org/pkg/regexp/syntax/).\n* `dateOlderThan` – The identifier is parsed as a timestamp. After the offset is added to it (specified in the `value` field), the resulting timestamp must be AFTER the current\n  time. Details on offset syntax can be found in\n  the [library documentation](https://golang.org/pkg/time/#ParseDuration). Supported\n  date formats are epoch time, `2006-01-02`, `2006/01/02`, `2006-01-02T15:04:05Z`,\n  `2006-01-02T15:04:05.999999999Z07:00`, and `2006-01-02T15:04:05Z07:00`.\n\nTo use a non-default comparison type, it is required to specify an object with\n`type` and `value` instead of the plain string.\n\nThese types can be used to simplify the configuration. For example, it is\npossible to protect all access keys of a single user by using `glob`:\n\n```yaml\nIAMUserAccessKey:\n- type: glob\n  value: \"admin -\u003e *\"\n```\n\n\n#### Using Them Together\n\nIt is also possible to use Filter Properties and Filter Types together. 
For\nexample, to protect all Hosted Zones of a specific TLD:\n\n```yaml\nRoute53HostedZone:\n- property: Name\n  type: glob\n  value: \"*.rebuy.cloud.\"\n```\n\n#### Inverting Filter Results\n\nAny filter result can be inverted by using `invert: true`, for example:\n```yaml\nCloudFormationStack:\n- property: Name\n  value: \"foo\"\n  invert: true\n```\n\nIn this case *any* CloudFormationStack ***but*** the ones called \"foo\" will be\nfiltered, that is, skipped rather than deleted. Be aware that *aws-nuke* internally takes every resource and applies\nevery filter on it. If a filter matches, it marks the node as filtered.\n\n\n#### Filter Presets\n\nIt might be the case that some filters are the same across multiple accounts.\nThis could especially happen if provisioning tools like Terraform are used or\nif IAM resources follow the same pattern.\n\nFor this case *aws-nuke* supports presets of filters, which can be applied on\nmultiple accounts. A configuration could look like this:\n\n```yaml\n---\nregions:\n- \"global\"\n- \"eu-west-1\"\n\naccount-blocklist:\n- 1234567890\n\naccounts:\n  555421337:\n    presets:\n    - \"common\"\n  555133742:\n    presets:\n    - \"common\"\n    - \"terraform\"\n  555134237:\n    presets:\n    - \"common\"\n    - \"terraform\"\n    filters:\n      EC2KeyPair:\n      - \"notebook\"\n\npresets:\n  terraform:\n    filters:\n      S3Bucket:\n      - type: glob\n        value: \"my-statebucket-*\"\n      DynamoDBTable:\n      - \"terraform-lock\"\n  common:\n    filters:\n      IAMRole:\n      - \"OrganizationAccountAccessRole\"\n```\n\n\n## Install\n\n### For macOS\n`brew install aws-nuke`\n\n### Use Released Binaries\n\nThe easiest way to install it is to download the latest\n[release](https://github.com/rebuy-de/aws-nuke/releases) from GitHub.\n\n#### Example for Linux Intel/AMD\n\nDownload and extract\n`$ wget -c https://github.com/rebuy-de/aws-nuke/releases/download/v2.25.0/aws-nuke-v2.25.0-linux-amd64.tar.gz -O - | tar -xz -C $HOME/bin`\n\nRun\n`$ 
aws-nuke-v2.25.0-linux-amd64`\n\n### Compile from Source\n\nTo compile *aws-nuke* from source you need a working\n[Golang](https://golang.org/doc/install) development environment. The sources\nmust be cloned to `$GOPATH/src/github.com/rebuy-de/aws-nuke`.\n\nAlso you need to install [golint](https://github.com/golang/lint/) and [GNU\nMake](https://www.gnu.org/software/make/).\n\nThen you just need to run `make build` to compile a binary into the project\ndirectory or `make install` to install *aws-nuke* into `$GOPATH/bin`. With\n`make xc` you can cross compile *aws-nuke* for other platforms.\n\n### Docker\n\nYou can run *aws-nuke* with Docker by using a command like this:\n\n```bash\n$ docker run \\\n    --rm -it \\\n    -v /full-path/to/nuke-config.yml:/home/aws-nuke/config.yml \\\n    -v /home/user/.aws:/home/aws-nuke/.aws \\\n    quay.io/rebuy/aws-nuke:v2.25.0 \\\n    --profile default \\\n    --config /home/aws-nuke/config.yml\n```\n\nTo make it work, you need to adjust the paths for the AWS config and the\n*aws-nuke* config.\n\nAlso you need to specify the correct AWS profile. Instead of mounting the AWS\ndirectory, you can use the `--access-key-id` and `--secret-access-key` flags.\n\nMake sure you use the latest version in the image tag. Alternatively, you can use\n`main` for the latest development version, but be aware that this is more\nlikely to break at any time.\n\n\n## Testing\n\n### Unit Tests\n\nTo unit test *aws-nuke*, some tests require [gomock](https://github.com/golang/mock) to run.\nThis will run via `go generate ./...`, but is automatically run via `make test`.\nTo run the unit tests:\n\n```bash\nmake test\n```\n\n\n## Contact Channels\n\nFeel free to create a GitHub Issue for any bug reports or feature requests.\nPlease use our mailing list for questions: aws-nuke@googlegroups.com. 
You can\nalso search the mailing list archive to see whether someone already had the same\nproblem: https://groups.google.com/d/forum/aws-nuke\n\n## Contribute\n\nYou can contribute to *aws-nuke* by forking this repository, making your\nchanges and creating a Pull Request against our repository. If you are unsure\nhow to solve a problem or have other questions about a contribution, please\ncreate a GitHub issue.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frebuy-de%2Faws-nuke","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frebuy-de%2Faws-nuke","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frebuy-de%2Faws-nuke/lists"}