
CLI Usage

Commands

| Command | Description |
|---|---|
| cloud-nuke aws | Delete all resources (with confirmation prompt) |
| cloud-nuke inspect-aws | Inspect resources without deleting |
| cloud-nuke defaults-aws | Delete default VPCs and default security group rules |
| cloud-nuke gcp | Delete GCP resources (with confirmation prompt) |
| cloud-nuke inspect-gcp | Inspect GCP resources without deleting |

Flags

Filtering

| Flag | Description | Available in |
|---|---|---|
| --region | Target specific regions (repeatable) | aws, inspect-aws, defaults-aws |
| --exclude-region | Exclude regions (repeatable, mutually exclusive with --region) | aws, inspect-aws, defaults-aws |
| --resource-type | Target specific resource types (repeatable) | aws, inspect-aws, gcp, inspect-gcp |
| --exclude-resource-type | Exclude resource types (repeatable, mutually exclusive with --resource-type) | aws, inspect-aws, gcp, inspect-gcp |
| --older-than | Only target resources older than duration (Go duration) | aws, inspect-aws, gcp, inspect-gcp |
| --newer-than | Only target resources newer than duration | aws, inspect-aws, gcp, inspect-gcp |
| --config | Path to config file for granular filtering | aws, gcp |
| --exclude-first-seen | Exclude resources based on first-seen tag | aws, inspect-aws |

Execution

| Flag | Description | Available in |
|---|---|---|
| --dry-run | Preview deletions without executing | aws, gcp |
| --force | Skip confirmation prompt | aws, gcp, defaults-aws |
| --timeout | Set execution timeout (e.g., 10m) | aws, gcp |
| --sg-only | Only delete default security group rules, not VPCs | defaults-aws |

Output

| Flag | Description | Available in |
|---|---|---|
| --log-level | Log verbosity: debug, info (default), warn, error, panic, fatal, trace. Also settable via LOG_LEVEL env var. | all |
| --output-format | Output format: table (default), json | aws, inspect-aws, gcp, inspect-gcp |
| --output-file | Write output to file instead of stdout | aws, inspect-aws, gcp, inspect-gcp |
| --list-resource-types | List all supported resource type identifiers | aws, inspect-aws, gcp, inspect-gcp |

KMS

| Flag | Description | Available in |
|---|---|---|
| --delete-unaliased-kms-keys | Delete KMS keys without aliases | aws |
| --list-unaliased-kms-keys | List KMS keys without aliases | inspect-aws |

GCP

| Flag | Description | Available in |
|---|---|---|
| --project-id | GCP project ID (required) | gcp, inspect-gcp |

Examples

# Nuke everything in specific regions
cloud-nuke aws --region us-east-1 --region us-west-2

# Nuke only EC2 and S3, skip confirmation
cloud-nuke aws --resource-type ec2 --resource-type s3 --force

# Dry run with config file
cloud-nuke aws --dry-run --config path/to/config.yaml

# Inspect with specific AWS profile
AWS_PROFILE=dev cloud-nuke inspect-aws --region us-east-1

# Nuke only default security group rules
cloud-nuke defaults-aws --sg-only

# JSON output to file
cloud-nuke inspect-aws --output-format json --output-file results.json

# Nuke GCP resources
cloud-nuke gcp --project-id my-project-id --resource-type compute-instance

CLI flags override config file options. If you pass --resource-type s3 but your config only defines rules for ec2, only s3 is targeted.
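
A pre-flight check built from the flag tables above, as an added example (not part of cloud-nuke or its documentation): it rejects a command line that combines mutually exclusive filters, uses a flag with a command the tables do not list it for, or omits --project-id for a GCP command. The helper names check_nuke_args and _has are hypothetical; pass it the arguments you intend to give cloud-nuke, for instance from a CI job before a destructive run.

```shell
#!/bin/sh
# Pre-flight check for a cloud-nuke command line, built only from the flag
# tables on this page. check_nuke_args and _has are hypothetical helper names.
# Prints the reason and returns 1 on a violation; returns 0 otherwise.
_has() { case "$1" in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

check_nuke_args() {
  local cmd flags f allowed
  cmd="$1"; shift
  flags=" "
  for f in "$@"; do
    case "$f" in --*) flags="$flags${f%%=*} " ;; esac  # keep flag names only
  done
  case "$cmd" in
    aws|inspect-aws|defaults-aws|gcp|inspect-gcp) ;;
    *) echo "unknown command: $cmd"; return 1 ;;
  esac
  # Mutually exclusive pairs from the Filtering table.
  if _has "$flags" --region && _has "$flags" --exclude-region; then
    echo "--region and --exclude-region are mutually exclusive"; return 1
  fi
  if _has "$flags" --resource-type && _has "$flags" --exclude-resource-type; then
    echo "--resource-type and --exclude-resource-type are mutually exclusive"; return 1
  fi
  # "Available in" column for flags limited to certain commands.
  for f in $flags; do
    case "$f" in
      --region|--exclude-region) allowed="aws inspect-aws defaults-aws" ;;
      --resource-type|--exclude-resource-type|--older-than|--newer-than) allowed="aws inspect-aws gcp inspect-gcp" ;;
      --config|--dry-run|--timeout) allowed="aws gcp" ;;
      --exclude-first-seen) allowed="aws inspect-aws" ;;
      --force) allowed="aws gcp defaults-aws" ;;
      --sg-only) allowed="defaults-aws" ;;
      --delete-unaliased-kms-keys) allowed="aws" ;;
      --list-unaliased-kms-keys) allowed="inspect-aws" ;;
      --project-id) allowed="gcp inspect-gcp" ;;
      *) continue ;;  # flags this check does not restrict
    esac
    case " $allowed " in
      *" $cmd "*) ;;
      *) echo "$f is not listed for '$cmd'"; return 1 ;;
    esac
  done
  # --project-id is marked required for the GCP commands.
  case "$cmd" in
    gcp|inspect-gcp)
      _has "$flags" --project-id || { echo "--project-id is required for $cmd"; return 1; } ;;
  esac
  return 0
}
```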

Protect Resources with cloud-nuke-after Tag

Tag resources with cloud-nuke-after and an ISO 8601 date (e.g., 2024-07-09T00:00:00Z) to protect them from deletion until that date.

Note on Nuking VPCs

Cloud-nuke automatically removes VPC dependencies: Internet Gateways, Egress Only Internet Gateways, ENIs, VPC Endpoints, Subnets, Route Tables, Network ACLs, Security Groups, and DHCP Option Sets (dissociated only). Elastic IPs are cleaned up as a separate resource first.

All other VPC sub-resources must be cleaned up before nuking VPCs.

VPC cleanup may not fully complete on the first run due to AWS eventual consistency. If you see InvalidParameterValue: Network interface is currently in use., wait 30 minutes and retry.