Version: 3.9.0

How to Clean Up Untagged Resources

Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if applied consistently.

Resoto's cleanup_untagged plugin can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., owner and expiration).

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your cloud resources.

Directions

  1. Execute the following command in Resoto Shell to open the Resoto Worker configuration for editing:

    > config edit resoto.worker
  2. Enable cleanup by modifying the resotoworker section of the configuration as follows:

    resotoworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually cleanup resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Update the plugin_cleanup_untagged section with the desired target AWS account IDs and set the enabled property to true:

    cleanup_untagged plugin configuration

    plugin_cleanup_untagged:
      # Enable plugin?
      enabled: true
      # Configuration for the plugin
      config:
        accounts:
          aws:
            '068564737731':
              name: 'playground'
              age: '1d'
            '575584959047':
              name: 'eng-sre'
          example:
            Example Account:
              name: 'Example Account'
        default:
          age: '2h'
        kinds:
          - 'aws_ec2_instance'
          - 'aws_ec2_volume'
          - 'aws_vpc'
          - 'aws_cloudformation_stack'
          - 'aws_elb'
          - 'aws_alb'
          - 'aws_alb_target_group'
          - 'aws_eks_cluster'
          - 'aws_eks_nodegroup'
          - 'example_instance'
          - 'example_network'
        tags:
          - 'owner'
          - 'expiration'

    info

    The cleanup_untagged plugin configuration has the following subsections:

    • default specifies the default age of a resource before mandatory tags are enforced. For example, if age is set to 2h, there is a 2-hour grace period to add the required tags after resource creation.
    • tags lists tags that must exist on every resource kind listed in the kinds subsection.
    • kinds lists the resource kinds for which the tags listed in tags must exist.
    • accounts contains a dictionary of cloud and account IDs for which tags will be enforced. For each account, a name is defined and the age defined in default can optionally be overridden.

The plugin will now run each time Resoto emits the post_cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup_untagged plugin runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.
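
To check which resources a configuration puts in scope before running with cleanup_dry_run set to false, the policy described above can be modelled offline. The following Python is an added example, not Resoto's plugin code: the parse_age, would_flag, sample and flagged_ids helpers, the resource dictionaries, the supported age units and the rule that a tag counts as present when its key exists are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Mirrors part of the plugin_cleanup_untagged config from step 3.
CONFIG = {
    "default": {"age": "2h"},
    "tags": ["owner", "expiration"],
    "kinds": ["aws_ec2_instance", "aws_ec2_volume"],
    "accounts": {"aws": {"068564737731": {"name": "playground", "age": "1d"},
                         "575584959047": {"name": "eng-sre"}}},
}
UNITS = {"m": "minutes", "h": "hours", "d": "days"}  # assumed subset of age units

def parse_age(text):
    """Convert an age such as '2h' or '1d' to a timedelta."""
    m = re.fullmatch(r"(\d+)([mhd])", text)
    if not m:
        raise ValueError(f"unsupported age: {text!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def would_flag(res, config, now):
    """True if res is in scope, past its grace period and missing a required tag."""
    account = config["accounts"].get(res["cloud"], {}).get(res["account"])
    if account is None or res["kind"] not in config["kinds"]:
        return False  # account or kind not listed: policy does not apply
    grace = parse_age(account.get("age", config["default"]["age"]))
    if now - res["ctime"] <= grace:
        return False  # still inside the grace period
    # Assumption: a tag counts as present when its key exists, whatever the value.
    return any(tag not in res["tags"] for tag in config["tags"])

# Constructed inventory (hypothetical resource ids, not real data).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
def sample(rid, account, kind, hours_old, tags):
    return {"id": rid, "cloud": "aws", "account": account, "kind": kind,
            "ctime": NOW - timedelta(hours=hours_old), "tags": tags}

SAMPLE = [
    sample("i-sre-old", "575584959047", "aws_ec2_instance", 3, {}),
    sample("i-sre-new", "575584959047", "aws_ec2_instance", 1, {}),
    sample("vol-play-3h", "068564737731", "aws_ec2_volume", 3, {"owner": "dev"}),
    sample("vol-play-2d", "068564737731", "aws_ec2_volume", 48, {"owner": "dev"}),
    sample("i-sre-tagged", "575584959047", "aws_ec2_instance", 72,
           {"owner": "sre", "expiration": "2024-02-01"}),
    sample("i-unlisted", "000000000000", "aws_ec2_instance", 72, {}),
]

def flagged_ids(resources=SAMPLE, config=CONFIG, now=NOW):
    return [r["id"] for r in resources if would_flag(r, config, now)]
```

With this sample, the 1d override protects the three-hour-old playground volume, while the same volume at two days old is flagged because it lacks the expiration tag.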


Some Engineering Inc.