This is potentially very destructive! Use at your own risk!
Status: Beta. Tool is stable, but could experience odd behaviors with some resources.
Remove all resources from a GCP Project.
gcp-nuke is in beta, and it is likely that not all GCP resources are covered by it. You are encouraged to add missing resources and create a Pull Request, or to create an Issue.
All documentation is in the docs/ directory and is built using Material for Mkdocs.
It is hosted at https://ekristen.github.io/gcp-nuke/.
This tool was written using libnuke at its core. It shares similarities and commonalities with aws-nuke and azure-nuke. These tools would not have been possible without the hard work that came before me on the original tool by the team and contributors over at rebuy-de and their original work on rebuy-de/aws-nuke.
This tool is licensed under the MIT license as well. See the LICENSE file for more information. Reference was made to dshelley66/gcp-nuke during the creation of this tool; therefore I included them in the license copyright, although no direct code was used.
Note: All CLI flags can also be expressed as environment variables.
By default, no destructive actions will be taken.

    gcp-nuke run \
      --config test-config.yaml \
      --project-id playground-12345

To actually destroy you must add the --no-dry-run cli parameter.

    gcp-nuke run \
      --config=test-config.yaml \
      --project-id playground-12345 \
      --no-dry-run

Authentication uses Application Default Credentials (ADC). The following methods are supported:

    gcloud auth application-default login

    export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json

For CI/CD pipelines and containerized environments where you want to pass credentials directly without creating a file:

    export GOOGLE_APPLICATION_CREDENTIALS_JSON='{"type":"service_account","project_id":"...","private_key":"..."}'

If both GOOGLE_APPLICATION_CREDENTIALS and GOOGLE_APPLICATION_CREDENTIALS_JSON are set, GOOGLE_APPLICATION_CREDENTIALS_JSON takes precedence.
When running on GCP infrastructure, credentials are automatically provided via the attached service account.
The entire configuration of the tool is done via a single YAML file.
Note: you must add at least one entry to the blocklist.

    regions:
      - global # Nuke global resources
      - us-east1 # Nuke resources in the us-east1 region

    resource-types:
      excludes:
        - StorageBucketObject # Exclude Storage Bucket Objects

    blocklist:
      - production-12345 # Never nuke this project

    accounts: # i.e. Google Cloud projects
      playground-12345:
        presets:
          - common
        filters:
          # Protect specific service accounts by email
          IAMServiceAccount:
            - 'custom-service-account@playground-12345.iam.gserviceaccount.com'
          # Protect service account keys by service account email
          IAMServiceAccountKey:
            - property: ServiceAccountEmail
              value: 'custom-service-account@playground-12345.iam.gserviceaccount.com'
          # Protect a DNS zone from deletion
          DNSManagedZone:
            - 'my-dns-zone'
          # Protect IAM policy bindings for specific users
          IAMPolicyBinding:
            - property: Member
              value: 'user:admin@example.com'
          # Delete DNS records only in a specific zone
          DNSRecordSet:
            - property: Zone
              value: 'my-dns-zone'
              invert: true

    presets:
      common:
        filters:
          VPC:
            - default
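
How the filters in this configuration decide what survives, as an added Python sketch that is not gcp-nuke's own code. It assumes exact-match filters, assumes a bare string is compared with the resource's name, and runs over a constructed inventory; `is_kept` and `removal_plan` are hypothetical helper names.

```python
# Simplified model of exact-match filter evaluation; not gcp-nuke's code.
# Filter entries are copied from the example config (account + "common" preset).
SA = "custom-service-account@playground-12345.iam.gserviceaccount.com"
EXCLUDED_TYPES = {"StorageBucketObject"}
FILTERS = {
    "IAMServiceAccount": [SA],
    "IAMServiceAccountKey": [{"property": "ServiceAccountEmail", "value": SA}],
    "DNSManagedZone": ["my-dns-zone"],
    "IAMPolicyBinding": [{"property": "Member", "value": "user:admin@example.com"}],
    "DNSRecordSet": [{"property": "Zone", "value": "my-dns-zone", "invert": True}],
    "VPC": ["default"],
}

# Constructed inventory: (resource type, name, properties).
INVENTORY = [
    ("IAMServiceAccount", SA, {}),
    ("IAMServiceAccount", "ci-runner@playground-12345.iam.gserviceaccount.com", {}),
    ("IAMServiceAccountKey", "key-1", {"ServiceAccountEmail": SA}),
    ("DNSManagedZone", "my-dns-zone", {}),
    ("DNSRecordSet", "www.example.com.", {"Zone": "my-dns-zone"}),
    ("DNSRecordSet", "api.example.net.", {"Zone": "other-zone"}),
    ("VPC", "default", {}),
    ("VPC", "scratch-net", {}),
    ("StorageBucketObject", "backup.tar", {}),
]


def is_kept(rtype, name, props):
    """True if the resource survives: its type is excluded or any filter matches."""
    if rtype in EXCLUDED_TYPES:
        return True
    for f in FILTERS.get(rtype, []):
        if isinstance(f, str):          # bare string: assumed to match the name
            f = {"value": f}
        actual = props.get(f["property"]) if "property" in f else name
        matched = actual == f["value"]
        if f.get("invert", False):      # invert flips the match, not the action
            matched = not matched
        if matched:
            return True
    return False


def removal_plan(inventory):
    """Resources that a run would queue for deletion under this model."""
    return [(t, n) for t, n, p in inventory if not is_kept(t, n, p)]


if __name__ == "__main__":
    for rtype, name in removal_plan(INVENTORY):
        print("would remove:", rtype, name)
```

Under this model the inverted Zone filter protects every record outside my-dns-zone, so the records inside it are removed while the zone itself stays protected by the DNSManagedZone filter.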