A GitLab CI/CD pipeline for safely nuking AWS accounts with aws-nuke, with automated configuration management and a multi-stage approval process.
## Overview

This project provides a secure, automated way to completely clean AWS accounts by removing all resources. It is designed for scenarios such as:

- Cleaning up development/test accounts
- Account closure procedures
- Resource cleanup after testing
- Preparing accounts for handover
## Features

- **Multi-stage approval process**: two manual approval gates before anything is deleted
- **Dry-run validation**: always runs a dry run first and logs what would be deleted
- **Flexible account configuration**: supports accounts with and without an AWS account alias
- **Comprehensive resource exclusions**: pre-configured to exclude deprecated and problematic resource types
- **Detailed logging**: captures every run in timestamped logs
- **Role-based access**: uses AWS STS AssumeRole for cross-account access with temporary credentials
## Project Structure

```text
├── .gitlab-ci.yml              # Main CI/CD pipeline configuration
├── config-with-alias.yml       # aws-nuke config template for accounts with an alias
├── config-without-alias.yml    # aws-nuke config template for accounts without an alias
├── scripts/
│   └── prepare-config.sh       # Generates the final config from a template
├── close-account/
│   └── nuke.yml                # Account registry: accounts to be nuked
└── README.md                   # This file
```
## Pipeline Stages

### 1. Detect changes

- Watches `close-account/nuke.yml`; the pipeline triggers only when that file is modified in a merge request targeting `main`
- Extracts the account information (ID, CLSP, alias if present) from the change
- Displays the account details that will be processed, so the affected account is visible before anything runs

### 2. Approve dry-run

- **MANUAL GATE**: requires human approval before the dry run
- Shows the account details again for verification

### 3. Dry-run

- Downloads aws-nuke from its GitHub releases
- Assumes the `AWSAFTExecution` role in the target account
- Runs aws-nuke in dry-run mode and writes a detailed log of the resources that would be removed
- Deletes nothing

### 4. Approve execution

- **MANUAL GATE**: requires human approval before execution
- Final confirmation before resources are actually deleted

### 5. Execute

- Runs aws-nuke with dry run disabled
- Permanently deletes all identified resources
- Writes an execution log listing the deleted resources
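As an added example (not a job script from the project's `.gitlab-ci.yml`), the shell below shows what the dry-run and execute stages do once `account_info.env` has been loaded: assume `AWSAFTExecution` with STS, build the aws-nuke command line for either mode, write the timestamped log file names the artifacts use, and drop the temporary credentials afterwards. It assumes the rebuy-de/aws-nuke v2 flags (`--no-dry-run`, `--force`, `--force-sleep`, `--no-alias-check`; the ekristen v3 fork is invoked as `aws-nuke run ...` instead), an `aws-nuke` binary in the working directory, and `ACCOUNT_ID` / `HAS_ALIAS` variables exported by the earlier stage.

```shell
#!/usr/bin/env bash
# Added example, not the project's pipeline scripts. Assumptions: rebuy-de/aws-nuke v2 flags,
# ./aws-nuke already downloaded, ACCOUNT_ID and HAS_ALIAS loaded from account_info.env.
set -eu

ROLE_NAME="AWSAFTExecution"

# assume_role ACCOUNT_ID: export one-hour credentials for the target account (needs aws-cli and jq)
assume_role() {
  local creds
  creds="$(aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/${ROLE_NAME}" \
    --role-session-name "aws-nuke-${CI_PIPELINE_ID:-local}" \
    --duration-seconds 3600 \
    --query Credentials --output json)"
  AWS_ACCESS_KEY_ID="$(printf '%s' "$creds" | jq -r .AccessKeyId)"
  AWS_SECRET_ACCESS_KEY="$(printf '%s' "$creds" | jq -r .SecretAccessKey)"
  AWS_SESSION_TOKEN="$(printf '%s' "$creds" | jq -r .SessionToken)"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# drop_credentials: make sure the temporary credentials do not outlive the job step
drop_credentials() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# nuke_args MODE HAS_ALIAS: aws-nuke arguments for MODE=dry-run|execute, space separated
nuke_args() {
  local args="--config config-prepared.yml --force --force-sleep 10"
  case "$1" in
    dry-run) ;;                               # v2 dry-runs unless told otherwise
    execute) args="$args --no-dry-run" ;;     # the only difference in the execute stage
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
  # v2 refuses an account with no alias unless the alias check is disabled
  [ "$2" = "true" ] || args="$args --no-alias-check"
  printf '%s\n' "$args"
}

# log_path MODE: timestamped log name matching the artifact patterns
log_path() {
  case "$1" in
    dry-run) printf 'aws-nuke-removal-%s.log\n' "$(date -u +%Y%m%dT%H%M%SZ)" ;;
    execute) printf 'aws-nuke-execution-%s.log\n' "$(date -u +%Y%m%dT%H%M%SZ)" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# run_stage MODE: one job's worth of work; a non-zero aws-nuke exit is logged, not fatal,
# because resources that could not be deleted (dependencies) are expected
run_stage() {
  local mode="$1" log
  log="$(log_path "$mode")"
  assume_role "$ACCOUNT_ID"
  if ./aws-nuke $(nuke_args "$mode" "$HAS_ALIAS") > "$log" 2>&1; then
    echo "aws-nuke ($mode) finished cleanly; log: $log"
  else
    echo "aws-nuke ($mode) exited non-zero; review $log for resources it could not remove" >&2
  fi
  drop_credentials
}

# Usage from a job, after  source account_info.env  (not executed here):
#   run_stage dry-run
#   run_stage execute
```

The two stages differ only in `--no-dry-run`, which is why the dry-run log is a faithful preview of the execute run as long as nothing in the account changes between the two approvals.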
## Configuration

### Account registry

Add accounts to be nuked to `close-account/nuke.yml` in this format:

```yaml
Accounts:
  - "AccountId": "123456789012"
    "CLSP": "my-account-identifier"
  - "AccountId": "987654321098"
    "CLSP": "another-account"
    "AccountAlias": "my-account-alias"   # Optional
```

Note that `123456789012` is also the placeholder production account the config templates blocklist, and aws-nuke refuses to run when the target account appears in the blocklist, so replace these placeholders with real account IDs.
### Configuration templates

The pipeline uses two template configurations:

- `config-with-alias.yml`: for accounts that have an AWS account alias
- `config-without-alias.yml`: for accounts without an alias (aws-nuke refuses to run against an account with no alias unless it is invoked with `--no-alias-check`, which is the check the job for these accounts must disable)
### Resource exclusions

Both templates exclude several resource types for safety and compatibility:

- **Deprecated services**: OpsWorks, CodeStar, Cloud9, CloudSearch, RoboMaker
- **Machine Learning**: the legacy Amazon Machine Learning resources (the service is no longer available)
- **Service Catalog**: tag options and their portfolio attachments (known deletion issues)
- **IAM**: roles and policies, so that the pipeline's own access is not destroyed mid-run
- **S3 objects**: excluded because emptying and deleting the bucket removes them

Because IAM roles and policies are excluded, they remain after the run and must be cleaned up separately if the account is being closed.
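As an added example (not the project's own `scripts/prepare-config.sh`), the shell below reads the newest entry in the registry, validates the account ID, refuses a blocklisted account, writes the `account_info.env` dotenv that later stages consume, and renders a config in the shape the templates take. It assumes the rebuy-de/aws-nuke v2 config keys (`account-blocklist`, `resource-types.excludes`; the ekristen v3 fork uses `blocklist`), the README's placeholder blocklist, and a representative exclusion list; the sample registry is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/prepare-config.sh. Assumptions: rebuy-de/aws-nuke v2
# config keys, the README's placeholder blocklist, a representative exclusion list.
set -eu

BLOCKLIST="123456789012"   # placeholder production account from this README; add real ones here

# last_account_block FILE: the lines of the last "- AccountId" entry in the registry
last_account_block() {
  awk '/^[ \t]*-[ \t]*"AccountId":/ { block = "" } { block = block $0 "\n" } END { printf "%s", block }' "$1"
}

# extract_field KEY: value of the first  "KEY": "value"  line read from stdin (empty if absent)
extract_field() {
  sed -n "s/^[[:space:]-]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | sed -n '1p'
}

# valid_account_id ID: succeeds only for a 12-digit AWS account ID
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# is_blocklisted ID: succeeds if ID is in BLOCKLIST
is_blocklisted() {
  local b
  for b in $BLOCKLIST; do
    [ "$b" = "$1" ] && return 0
  done
  return 1
}

# account_info_env ID CLSP [ALIAS]: dotenv lines for the account_info.env artifact
account_info_env() {
  local has_alias=false
  [ -n "${3:-}" ] && has_alias=true
  printf 'ACCOUNT_ID=%s\nCLSP=%s\nHAS_ALIAS=%s\nACCOUNT_ALIAS=%s\n' "$1" "$2" "$has_alias" "${3:-}"
}

# render_config ID CLSP [ALIAS]: aws-nuke config on stdout; fails on a bad or blocklisted ID
render_config() {
  local id="$1" clsp="$2" alias="${3:-}" b
  valid_account_id "$id" || { echo "invalid AccountId '$id' (expected 12 digits)" >&2; return 1; }
  if is_blocklisted "$id"; then
    echo "refusing to render config: $id is blocklisted" >&2
    return 2
  fi
  printf '# generated for CLSP=%s alias=%s\n' "$clsp" "${alias:-none}"
  printf 'regions:\n  - global\n  - us-east-1\n  - eu-west-1\n'
  printf 'account-blocklist:\n'
  for b in $BLOCKLIST; do printf '  - "%s"\n' "$b"; done
  printf 'accounts:\n  "%s": {}\n' "$id"
  cat <<'EOF'
resource-types:
  excludes:
    - IAMRole
    - IAMRolePolicy
    - IAMRolePolicyAttachment
    - IAMPolicy
    - S3Object
    - OpsWorksApp
    - CodeStarProject
    - Cloud9Environment
    - CloudSearchDomain
    - RoboMakerRobotApplication
    - MachineLearningMLModel
    - ServiceCatalogTagOption
    - ServiceCatalogTagOptionPortfolioAttachment
EOF
}

# Constructed sample registry in the README's format (not a real account file).
REGISTRY="$(mktemp)"
cat > "$REGISTRY" <<'EOF'
Accounts:
  - "AccountId": "111111111111"
    "CLSP": "old-account"
    "AccountAlias": "old-alias"
  - "AccountId": "222222222222"
    "CLSP": "dev-sandbox"
EOF

# The detect stage would diff the merge request; here we simply take the newest entry.
BLOCK="$(last_account_block "$REGISTRY")"
ACCOUNT_ID="$(printf '%s\n' "$BLOCK" | extract_field AccountId)"
CLSP="$(printf '%s\n' "$BLOCK" | extract_field CLSP)"
ACCOUNT_ALIAS="$(printf '%s\n' "$BLOCK" | extract_field AccountAlias)"

OUT="$(mktemp -d)"
account_info_env "$ACCOUNT_ID" "$CLSP" "$ACCOUNT_ALIAS" > "$OUT/account_info.env"
render_config "$ACCOUNT_ID" "$CLSP" "$ACCOUNT_ALIAS" > "$OUT/config-prepared.yml"
echo "prepared $OUT/config-prepared.yml for account $ACCOUNT_ID"
rm -f "$REGISTRY"
```

The blocklist check in `render_config` duplicates what aws-nuke enforces at run time; doing it while preparing the config fails the pipeline before the approval gates, with a readable message instead of an aws-nuke abort in the dry-run job.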
## Prerequisites

- Target accounts must have the `AWSAFTExecution` role, and its trust policy must allow the pipeline's execution role to assume it
- Target accounts should never be production accounts (use the blocklist to enforce this)
- A GitLab runner with the `test-runner` tag and AWS credentials configured for the runner
- Required tools on the runner: `curl`, `tar`, `jq`, `aws-cli`
## Usage

### Adding an account

- Create a merge request against the `main` branch
- Edit `close-account/nuke.yml` and add your account:

  ```yaml
  Accounts:
    - "AccountId": "YOUR_ACCOUNT_ID"
      "CLSP": "your-identifier"
      "AccountAlias": "your-alias"   # Optional
  ```

- Submit the merge request
- The pipeline triggers automatically and requires two manual approvals
### Pipeline flow

- **Automatic detection**: the pipeline detects the change to `nuke.yml`
- **Review account info**: check the displayed account details
- **First approval**: approve to proceed with the dry run
- **Review dry-run results**: examine which resources will be deleted
- **Second approval**: final approval for the actual execution
- **Execution**: resources are permanently deleted
## Safety Features

### Account blocklist

- The placeholder production account `123456789012` is blocklisted in both templates
- Add further production accounts to the blocklist in both config templates; aws-nuke aborts if the target account ID is on the blocklist, so this protection holds even if someone adds a protected account to `nuke.yml`

### Manual approval gates

- Two manual approval gates prevent accidental execution
- Clear warnings about permanent deletion

### Dry-run first

- Always shows what will be deleted before the real run
- Allows review and cancellation if needed

### Temporary credentials

- Uses temporary credentials obtained via STS AssumeRole
- Credentials are dropped from the job environment once the run finishes
## Artifacts

The pipeline generates several artifacts:

- `aws-nuke-removal-*.log`: dry-run results listing the resources to be removed
- `aws-nuke-execution-*.log`: execution results listing the deleted resources
- `config-prepared.yml`: the final configuration passed to aws-nuke
- `account_info.env`: account details handed between pipeline stages

Artifacts are retained for 1 day for review and troubleshooting. Download the execution log before it expires if you need a lasting record of what was deleted.
## Troubleshooting

### Pipeline doesn't trigger

- Ensure the change touches `close-account/nuke.yml`
- Verify the merge request targets the `main` branch

### Role assumption fails

- Check that the `AWSAFTExecution` role exists in the target account
- Verify its trust relationship allows assumption from the pipeline role

### aws-nuke exits with warnings

- This is normal: some resources cannot be deleted because of dependencies, or are removed together with another resource
- Check the logs to see what was and was not deleted
- The pipeline continues even when aws-nuke reports warnings

### Config preparation fails

- Verify the account ID in `nuke.yml` is a 12-digit string
- Check that `AccountAlias` is provided when `HAS_ALIAS` is true
### Recovering from a partial failure

If the pipeline fails partway through, you may need to:

- Check the execution logs for partially deleted resources
- Manually clean up any remaining resources
- Re-run the pipeline if needed; a second aws-nuke run only targets the resources that still exist
## Best Practices

- Never run against production accounts
- Always review dry-run results carefully
- Ensure proper IAM permissions and role trust relationships
- Monitor execution logs for any unexpected behavior
- Keep the blocklist updated with protected accounts

## Contributing

- Test changes in a non-production environment first
- Update documentation for any configuration changes
- Follow the existing code style and structure
- Ensure all safety features remain intact
## License

MIT License - see the LICENSE file for details.