This is potentially very destructive! Use at your own risk!
Status: This is early beta. Expect some behaviors around safeguarding, delays, and prompts to change. Likely will change CLI behavior a bit as well.
Originally based on the source code from aws-nuke fork and aws-nuke original
This tool is designed to target an Azure Tenant and all subscriptions within the tenant and remove all resources from that tenant.
Note: all cli flags can also be expressed as environment variables.
By default no destructive actions will be taken.
azure-nuke nuke \
--tenant-id=00000000-0000-0000-0000-000000000000 \
--resource-id=api://11111111-1111-1111-1111-111111111111 \
--config=./config.yaml
To actually destroy you must add the --no-dry-run
cli parameter.
azure-nuke nuke \
--tenant-id=00000000-0000-0000-0000-000000000000 \
--resource-id=api://11111111-1111-1111-1111-111111111111 \
--config=./config.yaml \
--no-dry-run
NAME:
azure-nuke - remove everything from an azure tenant
USAGE:
azure-nuke [global options] command [command options] [arguments...]
VERSION:
0.7.1
AUTHOR:
Erik Kristensen <erik@erikkristensen.com>
COMMANDS:
nuke nuke an azure tenant
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help (default: false)
--version, -v print the version (default: false)
Authentication is only supported via a Service Principal and you can authenticate via a shared secret
, certificate
, or federated token (kubernetes)
export AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000000
export AZURE_CLIENT_SECRET=000000000000
export AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000000
export AZURE_CLIENT_CERTIFICATE=""
export AZURE_CLIENT_PRIVATE_KEY=""
You can also authenticate using Federated Tokens with Kubernetes and the Azure Workload Identity.
To make this work you'll need to deploy azure-nuke with a Service Account that's configured to do federation with the Service Principal.
The entire configuration of the tool is done via a single YAML file.
Note: you must add at least one entry to the blocklist.
tenant-blocklist:
- 00001111-2222-3333-4444-555566667777
tenants:
77776666-5555-4444-3333-222211110000:
presets:
- common
filters:
AzureADUser:
- property: Name
type: contains
value: ImportantUser
ServicePrincipal:
- type: contains
property: Name
value: testing-azure-nuke
presets:
common:
filters:
ResourceGroup:
- Default
- NetworkWatcherRG
- eastus
- eastus2
- southcentralus
- westus2
- westus3
- australiaeast
- southeastasia
- northeurope
- swedencentral
- uksouth
- westeurope
- centralus
- northcentralus
- westus
- southafricanorth
- centralindia
- eastasia
- japaneast
- jioindiawest
- koreacentral
- canadacentral
- francecentral
- germanywestcentral
- norwayeast
- switzerlandnorth
- uaenorth
- brazilsouth
- centralusstage
- eastusstage
- eastus2stage
- northcentralusstage
- southcentralusstage
- westusstage
- westus2stage
- asia
- asiapacific
- australia
- brazil
- canada
- europe
- france
- germany
- global
- india
- japan
- korea
- norway
- southafrica
- switzerland
- uae
- uk
- unitedstates
- unitedstateseuap
- eastasiastage
- southeastasiastage
- centraluseuap
- eastus2euap
- westcentralus
- southafricawest
- australiacentral
- australiacentral2
- australiasoutheast
- japanwest
- jioindiacentral
- koreasouth
- southindia
- westindia
- canadaeast
- francesouth
- germanynorth
- norwaywest
- switzerlandwest
- ukwest
- uaecentral
- brazilsoutheast