Skip to main content
Version: 4.2.0

How to Clean Up AWS VPC Resources

When deleting AWS VPCs, dependent network resources are sometimes left behind.

Fix Inventory's cleanup-aws-vpcs infrastructure app can find and delete these orphaned resources:

  • AWS VPC Peering Connections
  • AWS EC2 Network ACLs
  • AWS EC2 Network Interfaces
  • AWS ELB
  • AWS ALB
  • AWS ALB Target Groups
  • AWS EC2 Subnets
  • AWS EC2 Security Groups
  • AWS EC2 Internet Gateways
  • AWS EC2 NAT Gateways
  • AWS EC2 Route Tables

Prerequisites​

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions​

  1. Execute the following command in Fix Inventory Shell to open the Fix Inventory Worker configuration for editing:

    > config edit fix.worker

  2. Enable cleanup by modifying the fixworker section of the configuration as follows:

    fixworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually cleanup resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Use the app install command to install the cleanup-aws-vpcs app:

    > app install cleanup-aws-vpcs
    info

    Fix Inventory will create a default config fix.apps.cleanup_aws_vpcs.

  4. Execute the following command in Fix Inventory Shell to open the infrastructure app configuration for editing:

    > config edit fix.apps.cleanup_aws_vpcs

  5. Update the configuration to set the min_age property to the desired threshold for load balancer cleanup:

    cleanup_aws_vpcs configuration
    clouds_and_accounts:
      aws:
        - '1234567'
        - '567890'

  6. Run the app using the app run command:

    > app run cleanup-aws-vpcs
    tip

    Add the optional --dry-run flag to see what commands the app would perform, without actually executing them.

    note

    Items tagged with expiration: never will not be flagged for cleanup.

  7. Create an event-based job to run the app automatically:

    > jobs create --name "Clean Up VPC Resources" --wait-for-event cleanup_plan 'app run cleanup-aws-vpcs'
    info

    The cleanup-aws-vpcs infrastructure app will now run each time Fix Inventory emits the cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup-aws-vpcs infrastructure app runs, network resources associated with VPCs that have been deleted or marked for cleanup will also be flagged for removal during the next cleanup run.

Further Reading​