Skip to main content

How to Clean Up Untagged Resources

Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if they are applied consistently.

Resoto's cleanup_untagged plugin can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., owner and expiration).

Prerequisites​

This guide assumes that you have already installed and configured Resoto to collect your cloud resources.

Directions​

  1. Execute the following command in Resoto Shell to open the Resoto Worker configuration for editing:

    > config edit resoto.worker

  2. Enable cleanup by modifying the resotoworker section of the configuration as follows:

    resotoworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually cleanup resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Update the plugin_cleanup_untagged section with the desired target AWS account IDs and setting the enabled property to true:

    cleanup_untagged plugin configuration
    plugin_cleanup_untagged:
      # Enable plugin?
      enabled: true
      # Configuration for the plugin
      config:
        accounts:
          aws:
            '068564737731':
              name: 'playground'
              age: '1d'
            '575584959047':
              name: 'eng-sre'
          example:
            Example Account:
              name: 'Example Account'
        default:
          age: '2h'
        kinds:
          - 'aws_ec2_instance'
          - 'aws_ec2_volume'
          - 'aws_vpc'
          - 'aws_cloudformation_stack'
          - 'aws_elb'
          - 'aws_alb'
          - 'aws_alb_target_group'
          - 'aws_eks_cluster'
          - 'aws_eks_nodegroup'
          - 'example_instance'
          - 'example_network'
        tags:
          - 'owner'
          - 'expiration'
    info

    The cleanup_untagged plugin configuration has the following subsections:

    • default specifies the default age of a resource before mandatory tags are enforced. For example, if age is set to 2h, there is a 2-hour grace period to add the required tags after resource creation.
    • tags lists tags that must exist on every resource kind listed in the kinds subsection.
    • kinds lists resource kind for which tags listed in tags must exist.
    • accounts contains a dictionary of cloud and account IDs for which tags will be enforced. For each account, a name is defined and the age defined in default can optionally be overridden.

The plugin will now run each time Resoto emits the post_cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup_untagged plugin runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.

Further Reading​