Home

Awesome

gcp-nuke

license release Go Report Card Maintainability

This is potentially very destructive! Use at your own risk!

Status: Beta. Tool is stable, but could experience odd behaviors with some resources.

Overview

Remove all resources from a GCP Project.

gcp-nuke is in beta, but it is likely that not all GCP resources are covered by it. Be encouraged to add missing resources and create a Pull Request or to create an Issue.

Documentation

All documentation is in the docs/ directory and is built using Material for Mkdocs.

It is hosted at https://ekristen.github.io/gcp-nuke/.

Attribution, License, and Copyright

This tool was written using libnuke at it's core. It shares similarities and commonalities with aws-nuke and azure-nuke. These tools would not have been possible without the hard work that came before me on the original tool by the team and contributors over at rebuy-de and their original work on rebuy-de/aws-nuke.

This tool is licensed under the MIT license as well. See the LICENSE file for more information. Reference was made to dshelley66/gcp-nuke during the creation of this tool therefore I included them in the license copyright although no direct code was used.

Usage

Note: all cli flags can also be expressed as environment variables.

By default, no destructive actions will be taken.

Example - Dry Run only

gcp-nuke run \
  --config test-config.yaml \
  --project-id playground-12345 

Example - No Dry Run (DESTRUCTIVE)

To actually destroy you must add the --no-dry-run cli parameter.

gcp-nuke run \
  --config=test-config.yaml \
  --project-id playground-12345 \
  --no-dry-run

Authentication

Authentication is only supported via a Service Account either by Key or via Workload Identity.

Service Account Key

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json

Federated Token (Kubernetes)

coming soon

Configuring

The entire configuration of the tool is done via a single YAML file.

Example Configuration

Note: you must add at least one entry to the blocklist.

regions:
  - global
  - eastus

blocklist:
  - 00001111-2222-3333-4444-555566667777

accounts: # i.e. projects but due to the commonality of libnuke, it's accounts here universally between tools
  playground-12345:
    presets:
      - common
    filters:
      IAMRole:
        - property: Name
          type: contains
          value: CustomRole
      IAMServiceAccount:
        - property: Name
          type: contains
          value: custom-service-account

presets:
  common:
    filters:
      VPC:
        - default