# How to Clean Up Untagged Resources
Resource tags are an essential tool in finding and tracking an organization's cloud resources, but tags are only useful if applied consistently.
Fix Inventory's cleanup-untagged infrastructure app can enforce tagging policies by automatically cleaning up resources that do not have required tags (e.g., owner and expiration).
## Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your cloud resources.
## Directions

1. Execute the following command in Fix Inventory Shell to open the Fix Inventory Worker configuration for editing:

   ```
   > config edit fix.worker
   ```

2. Enable cleanup by modifying the `fixworker` section of the configuration as follows:

   ```yaml
   fixworker:
     # Enable cleanup of resources
     cleanup: true
     # Do not actually clean up resources, just create log messages
     cleanup_dry_run: false
     # How many cleanup threads to run in parallel
     cleanup_pool_size: 16
   ```

   When cleanup is enabled, marked resources will be deleted as part of the `collect_and_cleanup` workflow, which runs each hour by default.

   > **Tip:** Set `cleanup_dry_run` to `true` to simulate cleanup without actually deleting resources.

3. Use the `app install` command to install the `cleanup-untagged` app:

   ```
   > app install cleanup-untagged
   ```

   > **Info:** Fix Inventory will create a default config `fix.apps.cleanup_untagged`.

4. Execute the following command in Fix Inventory Shell to open the infrastructure app configuration for editing:

   ```
   > config edit fix.apps.cleanup_untagged
   ```

5. Update the configuration:

   ```yaml
   # cleanup_untagged configuration
   default:
     age: '2h'
     tags:
       - 'owner'
       - 'expiration'
     kinds:
       - 'aws_ec2_instance'
       - 'aws_ec2_volume'
       - 'aws_vpc'
       - 'aws_cloudformation_stack'
       - 'aws_elb'
       - 'aws_alb'
       - 'aws_alb_target_group'
       - 'aws_eks_cluster'
       - 'aws_eks_nodegroup'
       - 'example_instance'
       - 'example_network'
   accounts:
     aws:
       # Account IDs are quoted so that a leading zero is not dropped by
       # the YAML parser treating the ID as a number
       '068564737731':
         name: 'playground'
         age: '7d'
       '575584959047':
         name: 'eng-sre'
     example:
       'Example Account':
         name: 'Example Account'
   ```

   > **Info:** Valid age units include:
   >
   > - weeks
   > - days
   > - hours
   > - minutes
   >
   > Age units can be abbreviated to a single letter (e.g., `7d`, `24h`, `60m`, etc.). A space between the numeric value and the unit is also optional, meaning that `7d` and `7 days` are equivalent.

   > **Info:** The config section consists of four sub-sections: `default`, `tags`, `classes`, and `accounts`.
   >
   > - The `default` section specifies the default `age` a resource must have before we enforce mandatory tags on it. For instance, if `age` is set to `2h`, this means that whatever mechanism creates a resource has two hours to add those mandatory tags.
   > - The `tags` section is a list of tag names that MUST exist on every resource class specified in `classes`.
   > - The `classes` section is a list of resource class names for which the tags specified in the `tags` list must exist.
   > - The `accounts` section contains a dictionary with cloud IDs as keys (e.g. `aws`) and, as values, the account IDs for which tags will be enforced (e.g. `068564737731`). Those in turn contain a `name` and optionally an `age` override.
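To make the policy semantics concrete, here is a small Python evaluator that applies the rules described above (default age, per-account age override, required tags per resource kind, and the `expiration: never` exemption from the note further down) to a handful of constructed resources. This is an added illustration, not the `cleanup-untagged` app's own code: the `Resource` class, the `parse_age`, `missing_tags` and `flag_for_cleanup` functions, and the sample resources are assumptions made for the example, and the policy dictionary mirrors the YAML from the step above rather than being read from Fix Inventory.

```python
"""Hypothetical evaluator for a cleanup-untagged style tagging policy.

Added example, not Fix Inventory code. It follows the page's description:
a resource of a listed kind, in an enforced account, that is older than the
configured age and lacks a required tag is flagged, unless it carries
`expiration: never`. Accounts may override the default age.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Age units accepted on the page: weeks, days, hours, minutes; optionally
# abbreviated to one letter, with an optional space before the unit.
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60}
_AGE_RE = re.compile(
    r"^\s*(\d+)\s*(weeks?|days?|hours?|minutes?|[wdhm])\s*$", re.IGNORECASE
)


def parse_age(text: str) -> timedelta:
    """Turn '7d', '7 days', '24h' or '2 weeks' into a timedelta."""
    m = _AGE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised age: {text!r}")
    value, unit = int(m.group(1)), m.group(2).lower()[0]
    return timedelta(seconds=value * _UNIT_SECONDS[unit])


# Constructed policy mirroring the YAML on this page (trimmed to a few kinds).
POLICY = {
    "default": {
        "age": "2h",
        "tags": ["owner", "expiration"],
        "kinds": ["aws_ec2_instance", "aws_ec2_volume", "aws_vpc", "example_instance"],
    },
    "accounts": {
        "aws": {
            "068564737731": {"name": "playground", "age": "7d"},
            "575584959047": {"name": "eng-sre"},
        },
        "example": {"Example Account": {"name": "Example Account"}},
    },
}


@dataclass
class Resource:
    """Minimal stand-in for a collected resource (hypothetical shape)."""
    id: str
    kind: str
    cloud: str
    account: str
    created: datetime
    tags: dict = field(default_factory=dict)


def missing_tags(resource: Resource, policy: dict, now: datetime) -> list:
    """Return the required tags missing from `resource`, or [] when the
    resource is not (yet) subject to enforcement."""
    default = policy["default"]
    if resource.kind not in default["kinds"]:
        return []  # kind is not covered by the policy
    account_cfg = policy["accounts"].get(resource.cloud, {}).get(resource.account)
    if account_cfg is None:
        return []  # only accounts listed under `accounts` are enforced
    grace = parse_age(account_cfg.get("age", default["age"]))
    if now - resource.created < grace:
        return []  # the creating mechanism still has time to add the tags
    if resource.tags.get("expiration") == "never":
        return []  # explicitly exempt from cleanup
    return [tag for tag in default["tags"] if tag not in resource.tags]


def flag_for_cleanup(resources, policy: dict, now: datetime) -> dict:
    """Map resource id -> list of missing tags for every flagged resource."""
    flagged = {}
    for resource in resources:
        missing = missing_tags(resource, policy, now)
        if missing:
            flagged[resource.id] = missing
    return flagged


# Constructed sample inventory evaluated at a fixed point in time.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Resource("i-new", "aws_ec2_instance", "aws", "575584959047", NOW - timedelta(hours=1)),
    Resource("i-old", "aws_ec2_instance", "aws", "575584959047", NOW - timedelta(hours=3), {"owner": "alice"}),
    Resource("vol-play", "aws_ec2_volume", "aws", "068564737731", NOW - timedelta(days=3)),
    Resource("vol-play-old", "aws_ec2_volume", "aws", "068564737731", NOW - timedelta(days=8)),
    Resource("vpc-keep", "aws_vpc", "aws", "575584959047", NOW - timedelta(days=30), {"expiration": "never"}),
    Resource("sg-x", "aws_ec2_security_group", "aws", "575584959047", NOW - timedelta(days=30)),
    Resource("i-other", "aws_ec2_instance", "aws", "111111111111", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for rid, missing in flag_for_cleanup(SAMPLE, POLICY, NOW).items():
        print(f"{rid}: missing {missing}")
```

Running it flags only `i-old` (older than the 2h default and missing `expiration`) and `vol-play-old` (older than the playground account's 7d override and missing both tags); the fresh instance, the three-day-old playground volume, the `expiration: never` VPC, the unlisted kind and the unlisted account are all left alone, which is the behaviour a dry run of the real app should let you confirm before enabling cleanup.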
6. Run the app using the `app run` command:

   ```
   > app run cleanup-untagged
   ```

   > **Tip:** Add the optional `--dry-run` flag to see what commands the app would perform, without actually executing them.

   > **Note:** Items tagged with `expiration: never` will not be flagged for cleanup.

7. Create an event-based job to run the app automatically:

   ```
   > jobs create --name "Clean Up Untagged Resources" --wait-for-event cleanup_plan 'app run cleanup-untagged'
   ```

   > **Info:** The `cleanup-untagged` infrastructure app will now run each time Fix Inventory emits the `cleanup_plan` event. The `post_cleanup_plan` event is emitted in the `cleanup` phase of the `collect_and_cleanup` workflow.

Each time the `cleanup_untagged` infrastructure app runs, resources for which the specified tag requirements are not met will be flagged for removal during the next cleanup run.