Skip to main content
Version: 4.2.0

How to Clean Up AWS VPC Resources

When deleting AWS VPCs, dependent network resources are sometimes left behind.

Fix Inventory's cleanup-aws-vpcs infrastructure app can find and delete these orphaned resources:

  • AWS VPC Peering Connections
  • AWS EC2 Network ACLs
  • AWS EC2 Network Interfaces
  • AWS ELB
  • AWS ALB
  • AWS ALB Target Groups
  • AWS EC2 Subnets
  • AWS EC2 Security Groups
  • AWS EC2 Internet Gateways
  • AWS EC2 NAT Gateways
  • AWS EC2 Route Tables

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following command in Fix Inventory Shell to open the Fix Inventory Worker configuration for editing:

    > config edit fix.worker

  2. Enable cleanup by modifying the fixworker section of the configuration as follows:

    fixworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually cleanup resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as a part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Use the app install command to install the cleanup-aws-vpcs app:

    > app install cleanup-aws-vpcs
    info

    Fix Inventory will create a default config fix.apps.cleanup_aws_vpcs.

  4. Execute the following command in Fix Inventory Shell to open the infrastructure app configuration for editing:

    > config edit fix.apps.cleanup_aws_vpcs

  5. Update the configuration to set the min_age property to the desired threshold for load balancer cleanup:

    cleanup_aws_vpcs configuration
    clouds_and_accounts:
      aws:
        - '1234567'
        - '567890'

  6. Run the app using the app run command:

    > app run cleanup-aws-vpcs
    tip

    Add the optional --dry-run flag to see what commands the app would perform, without actually executing them.

    note

    Items tagged with expiration: never will not be flagged for cleanup.

  7. Create an event-based job to run the app automatically:

    > jobs create --name "Clean Up VPC Resources" --wait-for-event cleanup_plan 'app run cleanup-aws-vpcs'
    info

    The cleanup-aws-vpcs infrastructure app will now run each time Fix Inventory emits the cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the cleanup-aws-vpcs infrastructure app runs, network resources associated with VPCs that have been deleted or marked for cleanup will also be flagged for removal during the next cleanup run.

Further Reading