How to Clean Up Untagged Resources

Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if applied consistently.

Resoto's cleanup_untagged plugin can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., owner and expiration).

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your cloud resources.

Directions

1. Execute the following command in Resoto Shell to open the Resoto Worker configuration for editing:

   > config edit resoto.worker

2. Enable cleanup by modifying the resotoworker section of the configuration as follows:

   resotoworker:
     # Enable cleanup of resources
     cleanup: true
     # Do not actually cleanup resources, just create log messages
     cleanup_dry_run: false
     # How many cleanup threads to run in parallel
     cleanup_pool_size: 16

   When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

   tip

   Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

3. Update the plugin_cleanup_untagged section with the desired target AWS account IDs and setting the enabled property to true:

   cleanup_untagged plugin configuration

   plugin_cleanup_untagged:
     # Enable plugin?
     enabled: true
     # Configuration for the plugin
     config:
       accounts:
         aws:
           '068564737731':
             name: 'playground'
             age: '1d'
           '575584959047':
             name: 'eng-sre'
         example:
           Example Account:
             name: 'Example Account'
       default:
         age: '2h'
       kinds:
         - 'aws_ec2_instance'
         - 'aws_ec2_volume'
         - 'aws_vpc'
         - 'aws_cloudformation_stack'
         - 'aws_elb'
         - 'aws_alb'
         - 'aws_alb_target_group'
         - 'aws_eks_cluster'
         - 'aws_eks_nodegroup'
         - 'example_instance'
         - 'example_network'
       tags:
         - 'owner'
         - 'expiration'
   info

   The cleanup_untagged plugin configuration has the following subsections:

   • default specifies the default age of a resource before mandatory tags are enforced. For example, if age is set to 2h, there is a 2-hour grace period to add the required tags after resource creation.
   • tags lists tags that must exist on every resource kind listed in the kinds subsection.
   • kinds lists resource kind for which tags listed in tags must exist.
   • accounts contains a dictionary of cloud and account IDs for which tags will be enforced. For each account, a name is defined and the age defined in default can optionally be overridden.

The plugin will now run each time Resoto emits the post_cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup_untagged plugin runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.

Related How-To Guides

• How to Find Untagged Resources

Further Reading

• cleanup_untagged Plugin
• Resource Tagging
• Resource Cleanup
• Cloud Data Sync
• Configuration
• Command-Line Interface