How to Clean Up Untagged Resources
Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if they are applied consistently. Resoto can enforce tagging policies by automatically cleaning up resources that do not have the required tags (e.g.,
> config edit resoto.worker
Enable cleanup by modifying the resotoworker section of the configuration as follows:
# Enable cleanup of resources
# Do not actually cleanup resources, just create log messages
# How many cleanup threads to run in parallel
When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.
Tip:
true to simulate cleanup without actually deleting resources.
Finally, update the plugin_cleanup_untagged section with the desired target AWS account IDs and setting the
true:
cleanup_untagged plugin configuration
# Enable plugin?
# Configuration for the plugin
name: 'Example Account'
The cleanup_untagged plugin configuration has the following subsections:
default specifies the default age of a resource before mandatory tags are enforced. For example, if age is set to 2h, there is a 2-hour grace period to add the required tags after resource creation.
tags lists tags that must exist on every resource kind listed in the
kinds lists kinds for which tags listed in
accounts contains a dictionary of cloud and account IDs for which tags will be enforced. For each account, a name is defined and the age defined in default can optionally be overridden.
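How the four subsections combine into a per-resource decision, as an added Python model of the policy described above (not Resoto's own code). The account IDs, tag names, kind names, resource records and the simplified age parser are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample policy using the subsections described above.
CONFIG = {
    "default": {"age": "2h"},
    "tags": ["owner", "expiration"],
    "kinds": ["aws_ec2_instance", "aws_ec2_volume"],
    "accounts": {"aws": {
        "111111111111": {"name": "Example Account"},
        "222222222222": {"name": "Sandbox", "age": "2d"},  # overrides default
    }},
}
UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def parse_age(text):
    """Turn '30m', '2h' or '2d' into a timedelta (simplified syntax, an assumption)."""
    return timedelta(**{UNITS[text[-1]]: int(text[:-1])})

def should_clean(res, config, now):
    """Return (marked, reason) for one resource under the tagging policy."""
    account = config["accounts"].get(res["cloud"], {}).get(res["account"])
    if account is None:
        return False, "account not in scope"
    if res["kind"] not in config["kinds"]:
        return False, "kind not in scope"
    if now - res["ctime"] <= parse_age(account.get("age", config["default"]["age"])):
        return False, "within grace period"
    missing = [t for t in config["tags"] if t not in res["tags"]]
    if missing:
        return True, "missing tags: " + ", ".join(missing)
    return False, "all required tags present"

def sample_resources(now):
    """Constructed inventory; ids, kinds and ages are illustrative."""
    def mk(rid, kind, account, hours, tags):
        return {"id": rid, "cloud": "aws", "kind": kind, "account": account,
                "ctime": now - timedelta(hours=hours), "tags": tags}
    return [
        mk("i-old-untagged", "aws_ec2_instance", "111111111111", 5, {}),
        mk("i-new-untagged", "aws_ec2_instance", "111111111111", 1, {}),
        mk("vol-partial", "aws_ec2_volume", "111111111111", 5, {"owner": "ops"}),
        mk("i-sandbox", "aws_ec2_instance", "222222222222", 5, {}),
        mk("i-tagged", "aws_ec2_instance", "111111111111", 5,
           {"owner": "ops", "expiration": "never"}),
    ]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for res in sample_resources(now):  # dry run: report only, delete nothing
        print(res["id"], *should_clean(res, CONFIG, now))
```

Running a report like this against an inventory export before enabling real cleanup shows which resources a given age and tag list would mark, including ones that carry only some of the required tags.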
The plugin will now run each time Resoto emits the post_cleanup_plan event. The post_cleanup_plan event is a part of the collect_and_cleanup workflow and emitted after resource planning is complete but before the cleanup is performed.