# How to Clean Up Untagged Resources
Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if applied consistently.
Resoto's `cleanup_untagged` plugin can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., `owner` and `expiration`).

## Prerequisites
This guide assumes that you have already installed and configured Resoto to collect your cloud resources.
## Directions

1. Execute the following command in Resoto Shell to open the Resoto Worker configuration for editing:

   ```bash
   > config edit resoto.worker
   ```

2. Enable cleanup by modifying the `resotoworker` section of the configuration as follows:

   ```yaml
   resotoworker:
     # Enable cleanup of resources
     cleanup: true
     # Do not actually cleanup resources, just create log messages
     cleanup_dry_run: false
     # How many cleanup threads to run in parallel
     cleanup_pool_size: 16
   ```

   When cleanup is enabled, marked resources will be deleted as a part of the `collect_and_cleanup` workflow, which runs each hour by default.

   **Tip:** Set `cleanup_dry_run` to `true` to simulate cleanup without actually deleting resources.

3. Update the `plugin_cleanup_untagged` section with the desired target AWS account IDs and set the `enabled` property to `true`:

   ```yaml
   plugin_cleanup_untagged:
     # Enable plugin?
     enabled: true
     # Configuration for the plugin
     config:
       accounts:
         aws:
           '068564737731':
             name: 'playground'
             age: '1d'
           '575584959047':
             name: 'eng-sre'
         example:
           Example Account:
             name: 'Example Account'
       default:
         age: '2h'
       kinds:
         - 'aws_ec2_instance'
         - 'aws_ec2_volume'
         - 'aws_vpc'
         - 'aws_cloudformation_stack'
         - 'aws_elb'
         - 'aws_alb'
         - 'aws_alb_target_group'
         - 'aws_eks_cluster'
         - 'aws_eks_nodegroup'
         - 'example_instance'
         - 'example_network'
       tags:
         - 'owner'
         - 'expiration'
   ```

   **Info:** The `cleanup_untagged` plugin configuration has the following subsections:

   - `default` specifies the default age of a resource before mandatory tags are enforced. For example, if `age` is set to `2h`, there is a 2-hour grace period to add the required tags after resource creation.
   - `tags` lists the tags that must exist on every resource kind listed in the `kinds` subsection.
   - `kinds` lists the resource kinds for which the tags listed in `tags` must exist.
   - `accounts` contains a dictionary of cloud and account IDs for which tags will be enforced. For each account, a name is defined, and the age defined in `default` can optionally be overridden.

The plugin will now run each time Resoto emits the `post_cleanup_plan` event. The `post_cleanup_plan` event is emitted in the `cleanup` phase of the `collect_and_cleanup` workflow.

Each time the `cleanup_untagged` plugin runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.
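As an added example (not Resoto's own code), the following Python script models the flagging rules described above, so you can preview which resources a policy would flag before turning `cleanup_dry_run` off. The `age` duration format, the resource dictionary shape and the evaluation order are assumptions drawn from the text, not the plugin's actual implementation, and the inventory is constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Policy mirroring the page's plugin_cleanup_untagged `config` section (kinds trimmed).
POLICY = {
    "accounts": {"aws": {"068564737731": {"name": "playground", "age": "1d"},
                         "575584959047": {"name": "eng-sre"}}},
    "default": {"age": "2h"},
    "kinds": ["aws_ec2_instance", "aws_ec2_volume"],
    "tags": ["owner", "expiration"],
}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
def parse_age(age: str) -> timedelta:
    """Parse a duration such as '2h' or '1d' (assumed format) into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", age.strip())
    if not m:
        raise ValueError(f"unsupported age: {age!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])

def grace_period(policy, cloud, account_id):
    """Per-account age override, else the default; None if the account is not enforced."""
    acct = policy["accounts"].get(cloud, {}).get(account_id)
    return None if acct is None else parse_age(acct.get("age", policy["default"]["age"]))

def missing_tags(policy, resource, now):
    """Required tags absent from a resource whose grace period has elapsed ([] = not flagged)."""
    if resource["kind"] not in policy["kinds"]:
        return []
    grace = grace_period(policy, resource["cloud"], resource["account"])
    if grace is None or now - resource["created"] < grace:
        return []
    return [t for t in policy["tags"] if t not in resource.get("tags", {})]

def plan_cleanup(policy, resources, now):
    """Map resource id -> missing tags for every resource the policy would flag."""
    plan = {r["id"]: missing_tags(policy, r, now) for r in resources}
    return {rid: tags for rid, tags in plan.items() if tags}

# Constructed sample inventory (not real resources); ages are relative to NOW.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def _res(rid, kind, account, hours_old, tags):
    return {"id": rid, "kind": kind, "cloud": "aws", "account": account,
            "created": NOW - timedelta(hours=hours_old), "tags": tags}
SAMPLE = [
    _res("i-old-partial", "aws_ec2_instance", "575584959047", 3, {"owner": "alice"}),
    _res("i-inside-grace", "aws_ec2_instance", "575584959047", 1, {}),
    _res("vol-playground", "aws_ec2_volume", "068564737731", 20, {}),
    _res("i-unmanaged-acct", "aws_ec2_instance", "000000000000", 720, {}),
    _res("vpc-not-in-kinds", "aws_vpc", "575584959047", 720, {}),
]
```

Only `i-old-partial` is flagged: it is past the 2-hour default grace period and lacks `expiration`, while the playground volume is still inside its 1-day override and the other resources are either too young, in an unmanaged account, or of a kind the policy does not cover.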