How to destroy a Reference Architecture with cloud-nuke
A customer asked:

> How can I use cloud-nuke to destroy a deployed Gruntwork Reference Architecture?
# Overview

This guide demonstrates how to use cloud-nuke to destroy a Reference Architecture that has been deployed by Gruntwork. This process is useful if a free trial customer gets their Ref Arch deployed but then decides to cancel their subscription, or when CI/CD / Gruntwork Pipelines is not an option due to authorization issues, etc.

# Tearing down a deployed Ref Arch

## Step 1. Install cloud-nuke

Use cloud-nuke version v0.15.0 or above. You need the latest version of the tool to ensure support for all target resources. You have a couple of options for installing cloud-nuke:

- Option 1 (Recommended): use [the Gruntwork installer](https://github.com/gruntwork-io/gruntwork-installer) to quickly install the correct binary for your platform, like so: `gruntwork-install --binary-name 'cloud-nuke' --repo 'https://github.com/gruntwork-io/cloud-nuke' --tag 'v0.15.0'`. Be sure to [double check here](https://github.com/gruntwork-io/cloud-nuke/releases) for the latest release tag.
- Option 2: grab the latest release binary for your system from https://github.com/gruntwork-io/cloud-nuke/releases

## Step 2. Ensure you have credentials to every account ready

The rough order that we’re going to nuke accounts in is:

1. app accounts
2. security account
3. logs account
4. shared accounts

We’ll start by nuking your Dev account, but you should ensure you have credentials handy for each account in your Reference Architecture. At Gruntwork, we recommend the use of [aws-vault](https://github.com/99designs/aws-vault) for securely managing access credentials to multiple AWS accounts. The rest of this tutorial will demonstrate authenticating via aws-vault, but you could alternatively use any of the methods described in our blog post [A Comprehensive Guide to Authenticating to AWS on the Command Line](https://blog.gruntwork.io/a-comprehensive-guide-to-authenticating-to-aws-on-the-command-line-63656a686799).

## Step 3. Start by nuking your Dev account

Authenticate to your Dev account and run the nuke command. Be sure you are targeting the primary region (`PrimaryRegion`) you specified in your reference-architecture-form.yml, as that’s where Gruntwork will have deployed all your resources:

```bash
aws-vault exec <your-dev-acct-profile> -- cloud-nuke aws --region <your-primary-region>
```

After `cloud-nuke` finishes scanning your account, you’ll see output similar to the following, asking you to confirm that you really want to destroy all the listed resources. Confirm by entering the word “nuke”.

```bash
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * cloudwatch-loggroup mgmt-vpc-flow-logs us-east-1
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * s3 gruntwork-james-12-cloudtrail-logs us-east-1
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * dynamodb terraform-locks us-east-1
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * kmscustomerkeys 96ebd11c-ac79-4fee-8fc4-460487db0a26 us-east-1
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * kmscustomerkeys 5560fb79-2449-4753-811a-381d54073090 us-east-1
[cloud-nuke] INFO[2022-07-21T17:45:46-04:00] * guardduty 5ac0c6156e20a7085663b97b0b926cb6 us-east-1

THE NEXT STEPS ARE DESTRUCTIVE AND COMPLETELY IRREVERSIBLE, PROCEED WITH CAUTION!!!

Are you sure you want to nuke all listed resources? Enter 'nuke' to confirm (or exit with ^C): nuke
```

## Step 4. Sanity check the account is clean with inspect-aws

Once the nuke routine has finished destroying your resources, you can use cloud-nuke’s inspect functionality to ensure nothing remains:

```bash
aws-vault exec <your-dev-acct-profile> -- cloud-nuke inspect-aws --region us-east-1
```

You should get back the following message: `No resources found!`

## Step 5. Repeat steps 3 and 4 for the remainder of your accounts

Work through the remaining accounts in the following order:

- Stage
- Prod
- Security
- Logs
- Shared

# Appendix

## Using cloud-nuke inspect to sanity check resource counts

Sometimes you want to quickly view all the resources in a given AWS account without having to log in and page through the UI. You can use the `cloud-nuke inspect-aws` command for this. It lists every resource in the given account whose type cloud-nuke supports. Be sure to target the primary region for your deployment, as that’s where most of the resources Gruntwork deployed will be:

```bash
aws-vault exec <your-org-dev> -- cloud-nuke inspect-aws --region us-east-1
```

If successful, this will result in output that looks similar to the following:

```bash
[cloud-nuke] INFO[2022-07-21T12:33:59-04:00] Identifying enabled regions
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region eu-north-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-south-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region eu-west-3
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region eu-west-2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region eu-west-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-northeast-3
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-northeast-2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-northeast-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region sa-east-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ca-central-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-southeast-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region ap-southeast-2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region eu-central-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region us-east-2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region us-west-1
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Found enabled region us-west-2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] The following resource types will be inspected:
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - accessanalyzer
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - acmpca
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ami
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - asg
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - cloudwatch-dashboard
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - cloudwatch-loggroup
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - dynamodb
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ebs
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ec2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ecscluster
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ecsserv
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - eip
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - ekscluster
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - elasticache
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - elb
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - elbv2
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - guardduty
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - iam
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - iam-role
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - kmscustomerkeys
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - lambda
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - lc
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - macie-member
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - nat-gateway
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - oidcprovider
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - opensearchdomain
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - rds
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - s3
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - sagemaker-notebook-instance
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - secretsmanager
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - snap
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - sqs
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - transit-gateway
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - transit-gateway-attachment
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - transit-gateway-route-table
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] - vpc
[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Checking region [1/1]: us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:10-04:00] Getting - 1-5 buckets of batch 1/1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * asg gruntwork-james-12-dev1234 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * lc gruntwork-james-12-dev1234-20220623141300906400000007 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * elbv2 arn:aws:elasticloadbalancing:us-east-1:444348184531:loadbalancer/app/grunt-sample-int-dev1234/6eaea032b8aaec26 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * elbv2 arn:aws:elasticloadbalancing:us-east-1:444348184531:loadbalancer/app/grunt-sample-pub-dev1234/0bc2f5ea601a41f8 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * nat-gateway nat-0f8483a76f3d46c28 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * nat-gateway nat-03b0eb2f779bd0eb5 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ec2 i-0f827a1e64a32eb9e us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ec2 i-0fcead0480e4da0ed us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ec2 i-046af5af76fd7e866 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ebs vol-0a9b93edd8de6aeb5 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ebs vol-09099c0e680a4d63b us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ebs vol-01d03a4a21e2c2128 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * eip eipalloc-0ba598be494d86af8 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * eip eipalloc-05821d12dca3d9a36 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * eip eipalloc-0c7cb883c9437be1b us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ecsserv arn:aws:ecs:us-east-1:444348184531:service/gruntwork-james-12-dev1234/sample-app-backend us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ecsserv arn:aws:ecs:us-east-1:444348184531:service/gruntwork-james-12-dev1234/sample-app-frontend us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * ecscluster arn:aws:ecs:us-east-1:444348184531:cluster/gruntwork-james-12-dev1234 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * rds rds-gruntwork-james-12-dev1234 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * lambda ecs-deploy-runner-invoker us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * secretsmanager arn:aws:secretsmanager:us-east-1:444348184531:secret:RDSDBConfig-rXAxbe us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * secretsmanager arn:aws:secretsmanager:us-east-1:444348184531:secret:SampleAppBackEndCA-ZZlCUX us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * secretsmanager arn:aws:secretsmanager:us-east-1:444348184531:secret:SampleAppFrontEndCA-9WprAg us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * secretsmanager arn:aws:secretsmanager:us-east-1:444348184531:secret:bastion-admin-v1-LLqQOb us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * secretsmanager arn:aws:secretsmanager:us-east-1:444348184531:secret:ecs-cluster-admin-v1-CKPkZK us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup /aws/lambda/ecs-deploy-runner-invoker us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup /aws/rds/instance/rds-gruntwork-james-12-dev1234/error us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup /dev1234/ecs/sample-app-backend us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup /dev1234/ecs/sample-app-frontend us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup /ecs/ecs-deploy-runner us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup app-vpc-flow-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup bastion us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup cloudtrail-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup gruntwork-james-12-dev1234-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * cloudwatch-loggroup mgmt-vpc-flow-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 alb-grunt-sample-int-dev1234-access-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 gruntwork-james-12-dev1234-us-east-1-tf-state us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 alb-grunt-sample-pub-dev1234-access-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 gruntwork-james-12-dev1234-us-east-1-tf-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * dynamodb terraform-locks us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * elasticache redis-gruntwork-james-12-dev1234-001 us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * kmscustomerkeys 88552418-c338-4e03-a4bc-671749368e3d us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * guardduty f4c0c871e32219083d09df77f1463e65 us-east-1
```

## Using cloud-nuke to only destroy certain resource types

You can target specific resource types in a given `cloud-nuke` run by passing the `--resource-type` flag multiple times, like so:

```bash
❯ aws-vault exec <your-prod-acct-profile> -- ./cloud-nuke \
    aws \
    --resource-type asg \
    --resource-type lc \
    --resource-type elbv2 \
    --resource-type ec2 \
    --resource-type ebs \
    --resource-type eip \
    --resource-type ecsserv \
    --resource-type ecscluster \
    --resource-type rds \
    --resource-type lambda \
    --resource-type secretsmanager \
    --resource-type cloudwatch-loggroup \
    --resource-type s3 \
    --resource-type dynamodb \
    --resource-type elasticache \
    --resource-type kmscustomerkeys \
    --resource-type guardduty \
    --region us-east-1
```
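Step 4 and the appendix both have you read `inspect-aws` output by eye, once per account. The script below is an added example, not code from the Gruntwork guide or from cloud-nuke: it summarises that output per resource type and walks the accounts in the teardown order, assuming the `[cloud-nuke] INFO[<ts>] * <type> <id> <region>` line format shown above and the `No resources found!` message; the profile names and the script file name are hypothetical.

```shell
# Added example, not part of the Gruntwork guide: parse `cloud-nuke inspect-aws`
# output and report which accounts still hold resources after a nuke run.
# Assumes the "[cloud-nuke] INFO[<ts>] * <type> <id> <region>" line format shown
# in the guide; profile names and the script file name are hypothetical.

# Count remaining resources per type from inspect-aws output on stdin.
# Prints "<type> <count>" per line, sorted; prints nothing for a clean account.
summarize_inspect_output() {
  awk '$3 == "*" { counts[$4]++ }
       END { for (t in counts) print t, counts[t] }' | sort
}

# Succeed only when the output says "No resources found!" and lists no "*" lines.
account_is_clean() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'No resources found!' || return 1
  [ -z "$(printf '%s\n' "$out" | summarize_inspect_output)" ]
}

# Run inspect-aws for each profile, in the teardown order from Steps 2 and 5,
# and report any account that is not yet clean. Exit status 1 if any remain.
verify_accounts() {
  region=$1; shift
  status=0
  for profile in "$@"; do
    out=$(aws-vault exec "$profile" -- cloud-nuke inspect-aws --region "$region" 2>&1)
    if printf '%s\n' "$out" | account_is_clean; then
      echo "$profile: clean"
    else
      status=1
      echo "$profile: resources remain"
      printf '%s\n' "$out" | summarize_inspect_output | sed 's/^/  /'
    fi
  done
  return "$status"
}

# Constructed sample output (not captured from a real account): a teardown that
# left the Terraform state bucket, log bucket and lock table behind.
SAMPLE_DIRTY='[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Checking region [1/1]: us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 example-us-east-1-tf-state us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * s3 example-us-east-1-tf-logs us-east-1
[cloud-nuke] INFO[2022-07-21T12:34:16-04:00] * dynamodb terraform-locks us-east-1'
SAMPLE_CLEAN='[cloud-nuke] INFO[2022-07-21T12:34:00-04:00] Checking region [1/1]: us-east-1
No resources found!'

# Usage: sh verify_teardown.sh <primary-region> <profile>... for example
#   sh verify_teardown.sh us-east-1 dev stage prod security logs shared
if [ "$#" -gt 0 ]; then verify_accounts "$@"; fi
```

Running it with no arguments only defines the functions, so the parsing can be exercised against the constructed samples before pointing it at real profiles.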