Tidying up after failed Terraform exams

Automated exams are making their means into Infrastructure as Code tasks. Just lately, I’ve carried out exams with Terraform’s check framework which was launched in October 2023. Nonetheless, I bumped into the problem that Terraform couldn’t take away all AWS assets on the finish of the check underneath uncommon circumstances.

The issue and resolution mentioned within the following additionally apply to OpenTofu.

Right here is the standard message that terraform check will print out in case cleansing up all of the assets fails.

Terraform left the next assets in state after executing
exams/default.tftest.hcl/execute, and they want to be cleaned up manually:
  - aws_subnet.non-public[0]
  - aws_subnet.non-public[1]
  - aws_subnet.public[0]
  - aws_subnet.public[1]
  - aws_vpc.this
  - ...

Leftover AWS assets are a problem, particularly when operating exams in an automatic method, inflicting undesirable prices. Due to this fact, I used to be in search of an answer to tidy up AWS assets usually. The software aws-nuke, by rebuy, deletes all assets belonging to an AWS account.

The next snippet exhibits the configuration file nuke-config.yml for aws-nuke. First, outline which areas aws-nuke shall take away assets. world is required to delete world assets like IAM roles and insurance policies. For security causes, defining an account-blocklist with AWS account IDs that you just by no means wish to tidy up is important. Subsequent, you outline the accounts the place you wish to take away all assets. The filters are required to maintain some important assets, such because the IAM position and coverage utilized by aws-nuke to entry the AWS account.

areas:
- eu-west-1
- world
account-blocklist:
- '999999999999'
accounts:
  '111111111111':
    filters:
      IAMRole:
      - 'nuke'
      IAMRolePolicy:
      - sort: glob
        worth: "nuke -> *"

My advice is to run aws-nuke with the dry run possibility activated – which is the default – and verify for assets you wish to maintain. Then, add a filter for these assets. Learn to set up aws-nuke.

aws-nuke -c nuke-config.yml

For instance, aws-nuke deletes the VPC and subnets left over from the Terraform check.

> aws-nuke-example

eu-west-1 - EC2Subnet - 'subnet-154d844e' - would take away
eu-west-1 - EC2Subnet - 'subnet-af12a261' - would take away
eu-west-1 - EC2Subnet - 'subnet-cd2fa222' - would take away
eu-west-1 - EC2Subnet - 'subnet-51223aff' - would take away
eu-west-1 - EC2VPC - 'vpc-c6159fa1' - would take away
Scan full: 13 complete, 5 nukeable, 10 filtered.

Whereas it’s doable to run aws-nuke out of your machine to make sure leftover AWS assets are usually cleaned up, a scheduled job is the best way to go. As I’m operating the command terraform check inside a CI/CD pipeline on GitHub, I made a decision to make use of a scheduled GitHub workflow to run aws-nuke as soon as a day. The next snippet illustrates find out how to outline a GitHub workflow to usually run aws-nuke to delete assets belonging to an AWS account.

title: 'nuke'
on:
  workflow_dispatch:
  schedule:
    - cron:  '0 0 * * *'
concurrency:
  group: 'nuke'
  cancel-in-progress: false
permissions:
  id-token: write
  contents: learn
jobs:
  nuke:
    runs-on: ubuntu-latest
    steps:
    - makes use of: actions/checkout@v4
    - title: 'Assuming IAM position'
      makes use of: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::111111111111:position/nuke
        role-session-name: nuke
        aws-region: eu-west-1
    - title: 'Tidying up AWS assets'
      run: |
        docker run -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} --rm -v ./nuke-config.yml:/house/aws-nuke/config.yml quay.io/rebuy/aws-nuke:v2.25.0 --config /house/aws-nuke/config.yml --force --no-dry-run

By the best way, have you ever heard about our resolution HyperEnv for GitHub Actions Runner to spin up EC2 cases on-demand for executing GitHub workflow jobs?

Abstract

Be careful for leftover AWS assets after executing Terraform exams. Periodically operating aws-nuke ensures all AWS assets are deleted to keep away from undesirable prices.