Skip to main content

How to Clean Up Untagged Resources

Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if applied consistently.

Fix Inventory's cleanup-untagged infrastructure app can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., owner and expiration).

Prerequisites​

This guide assumes that you have already installed and configured Fix Inventory to collect your cloud resources.

Directions​

  1. Execute the following command in Fix Inventory Shell to open the Fix Inventory Worker configuration for editing:

    > config edit fix.worker

  2. Enable cleanup by modifying the fixworker section of the configuration as follows:

    fixworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually cleanup resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Use the app install command to install the cleanup-untagged app:

    > app install cleanup-untagged
    info

    Fix Inventory will create a default config fix.apps.cleanup_untagged.

  4. Execute the following command in Fix Inventory Shell to open the infrastructure app configuration for editing:

    > config edit fix.apps.cleanup_untagged

  5. Update the configuration:

    cleanup_untagged configuration
    default:
      age: '2h'
    tags:
      - 'owner'
      - 'expiration'
     kinds:
      - 'aws_ec2_instance'
      - 'aws_ec2_volume'
      - 'aws_vpc'
      - 'aws_cloudformation_stack'
      - 'aws_elb'
      - 'aws_alb'
      - 'aws_alb_target_group'
      - 'aws_eks_cluster'
      - 'aws_eks_nodegroup'
      - 'example_instance'
      - 'example_network'
    accounts:
      aws:
        068564737731:
          name: 'playground'
          age: '7d'
        '575584959047':
          name: 'eng-sre'
      example:
        Example Account:
          name: 'Example Account'
    info

    Valid age units include:

    • weeks

    • days

    • hours

    • minutes

    Age units can be abbreviated to a single letter (e.g., 7d, 24h, 60m, etc.).

    A space in between the numeric value and the unit is also optional, meaning that 7d and 7 days are equivalent.

    info

    The config section consists of four sub-sections. default, tags, classes, and accounts.

    1. The default section specifies the default age a resource must have before we enforce mandatory tags on it. For instance, if age is set to 2h this means that whatever mechanism creates a resource has two hours to add those mandatory tags.
    2. The tags section is a list of tag names that MUST exist on every resource class specified in classes.
    3. The classes section is a list of resource class names for which tags specified in the tags list must exist.
    4. The accounts section contains a dictionary with cloud IDs as keys (e.g. aws) and account IDs for which tags will be enforced as values (e.g. 068564737731). Those in turn contain a name and optionally an age override.

  6. Run the app using the app run command:

    > app run cleanup-untagged
    tip

    Add the optional --dry-run flag to see what commands the app would perform, without actually executing them.

    note

    Items tagged with expiration: never will not be flagged for cleanup.

  7. Create an event-based job to run the app automatically:

    > jobs create --name "Clean Up Untagged Resources" --wait-for-event cleanup_plan 'app run cleanup-untagged'
    info

    The cleanup-untagged infrastructure app will now run each time Fix Inventory emits the cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup_untagged infrastructure app runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.

Further Reading​