Murder Your VPCs
#!/bin/bash -ex
# Do you have VPCs or other AWS network resources you just can't get rid of?
# Circular dependencies, ownership issues?
# This script will do its very best to murderize them for you. If it can't,
# it will tell you what permissions need to be added (assuming you can add
# permission policies to your AWS CLI user) or dependencies need to be manually
# deleted (e.g. route tables, ENIs, etc).
# Good luck.
# WARNING: DO NOT USE UNLESS YOU REALLY, REALLY, MEAN IT!
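#######################################
# Detach and delete every network interface matched by one EC2 filter.
# Arguments: $1 - a describe-network-interfaces filter, e.g.
#                 "Name=vpc-id,Values=vpc-0123" or "Name=subnet-id,Values=subnet-0123"
# Outputs:   aws CLI output on stdout
# Returns:   status of the last aws call; under -e the script aborts on the
#            first failing detach/delete
#######################################
_delete_enis_matching() {
  local filter=$1
  local eni attachment_id
  for eni in $(aws ec2 describe-network-interfaces --filters "$filter" \
      --query 'NetworkInterfaces[*].NetworkInterfaceId' --output text); do
    # Attachment.AttachmentId renders as the literal string "None" when the
    # interface is not attached to anything.
    attachment_id=$(aws ec2 describe-network-interfaces --network-interface-ids "$eni" \
      --query 'NetworkInterfaces[0].Attachment.AttachmentId' --output text)
    if [ "$attachment_id" != "None" ]; then
      aws ec2 detach-network-interface --attachment-id "$attachment_id"
    fi
    aws ec2 delete-network-interface --network-interface-id "$eni"
  done
}

#######################################
# Delete the resources inside one VPC, then the VPC itself.
# Order: NAT gateways, network interfaces, Elastic IPs, internet gateways,
# subnets, non-main route tables, non-default security groups, the VPC.
# Only Elastic IPs that belong to this VPC are released: describe-addresses
# cannot be filtered by VPC, so the allocation IDs are collected up front from
# the VPC's NAT gateways and network interfaces instead of releasing every
# address the credentials can see in the region.
# Globals:   none written; uses the AWS CLI's configured credentials/region
# Arguments: $1 - VPC ID
# Outputs:   one progress line plus aws CLI output on stdout
# Returns:   0 when delete-vpc succeeds; under -e the script aborts on the
#            first failing aws call. A failing describe-* inside a
#            `for x in $(aws …)` word list is NOT caught by -e: that loop
#            simply runs zero times and the final delete-vpc then fails with
#            a dependency violation.
#######################################
delete_vpc_resources() {
  local vpc_id=$1
  local nat_gw eip igw subnet rtb sg
  local -A eip_allocs=()

  echo "Deleting resources in VPC: $vpc_id"

  # Record this VPC's Elastic IP allocation IDs before tearing anything down,
  # while the NAT gateway and ENI associations that tie them to the VPC still
  # exist. The associative array de-duplicates a NAT gateway address that also
  # shows up on that gateway's network interface.
  for eip in $(aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=$vpc_id" \
        --query 'NatGateways[*].NatGatewayAddresses[*].AllocationId' --output text) \
      $(aws ec2 describe-network-interfaces --filters "Name=vpc-id,Values=$vpc_id" \
        --query 'NetworkInterfaces[*].Association.AllocationId' --output text); do
    if [ -n "$eip" ] && [ "$eip" != "None" ]; then
      eip_allocs["$eip"]=1
    fi
  done

  # Delete NAT gateways first; their addresses cannot be released while in use.
  for nat_gw in $(aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=$vpc_id" \
      --query 'NatGateways[*].NatGatewayId' --output text); do
    aws ec2 delete-nat-gateway --nat-gateway-id "$nat_gw"
    aws ec2 wait nat-gateway-deleted --nat-gateway-ids "$nat_gw"
  done

  # Detach and delete network interfaces across the whole VPC.
  _delete_enis_matching "Name=vpc-id,Values=$vpc_id"

  # Release only the Elastic IPs recorded above, now that nothing holds them.
  for eip in "${!eip_allocs[@]}"; do
    aws ec2 release-address --allocation-id "$eip"
  done

  # Detach and delete internet gateways.
  for igw in $(aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$vpc_id" \
      --query 'InternetGateways[*].InternetGatewayId' --output text); do
    aws ec2 detach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc_id"
    aws ec2 delete-internet-gateway --internet-gateway-id "$igw"
  done

  # Delete subnets, clearing any interface that is still present in a subnet
  # after the VPC-wide pass.
  for subnet in $(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" \
      --query 'Subnets[*].SubnetId' --output text); do
    _delete_enis_matching "Name=subnet-id,Values=$subnet"
    aws ec2 delete-subnet --subnet-id "$subnet"
  done

  # Delete route tables other than the main one. The main table is excluded in
  # JMESPath (any association with Main == true) rather than by comparing text
  # output: the CLI renders booleans as "True", not "true", so a string compare
  # against "true" never matches and the main table would be attempted.
  for rtb in $(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc_id" \
      --query 'RouteTables[?!(Associations[?Main])].RouteTableId' --output text); do
    aws ec2 delete-route-table --route-table-id "$rtb"
  done

  # Delete security groups other than the one named exactly "default".
  # (A substring match would also spare every group whose name merely
  # contains "default".)
  for sg in $(aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$vpc_id" \
      --query 'SecurityGroups[?GroupName!=`default`].GroupId' --output text); do
    aws ec2 delete-security-group --group-id "$sg"
  done

  # Finally, delete the VPC itself.
  aws ec2 delete-vpc --vpc-id "$vpc_id"
}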
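# Get every VPC visible in the configured region and delete each one.
# The list is captured first so that a failing describe-vpcs (expired
# credentials, wrong region, missing permission) stops the script: inside a
# `for vpc in $(aws …)` word list the failure is ignored by -e and the loop
# would silently run zero times. Note that this covers all VPCs the
# credentials can see in the region, the default VPC included.
vpc_ids=$(aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text) || exit 1
for vpc in $vpc_ids; do
  delete_vpc_resources "$vpc"
done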