@jamesonwilliams
Last active April 23, 2021 00:41
Cleaning up Amplify resources when you're done with it

Cleaning up your AWS account after using Amplify

The Amplify tools create a lot of resources in your AWS account. When you stop using Amplify, you'll want some way to remove it all. This document discusses strategies to clean up your AWS account when offboarding from Amplify.

The commands below call the AWS CLI, not the Amplify CLI, and use jq to parse its JSON output.

Removing Apps

Fortunately, most of the Amplify stack is managed through CloudFormation under the hood. This means that you can clean up most of the outputs just by deleting the Amplify "app."

# list-apps returns each app's ID in the "appId" field
apps=$(aws amplify list-apps | jq -r '.apps[].appId')
for a in $apps; do
    aws amplify delete-app --app-id "$a"
done

Removing IAM Roles & Policies

You'll notice a bunch of IAM roles in your account. To delete them, you can call IAM's DeleteRole API.

A naive invocation of this API via the AWS CLI looks like:

aws iam delete-role --role-name "<role_name>"

This command will result in a message like this:

An error occurred (DeleteConflict) when calling the DeleteRole operation: Cannot delete entity, must delete policies first.

To resolve this, we must first delete all associated role policies. We can list them by:

aws iam list-role-policies --role-name "<from-above-output>"

Then, we can extract the policy name one-by-one and delete it:

aws iam delete-role-policy --role-name "<role_name>" --policy-name "<policy_name>"

Even so, the DeleteRole and DeleteRolePolicy APIs have fairly aggressive throttling rules. If you iterate over the various roles and policies, deleting each one, you'll likely encounter:

An error occurred (Throttling) when calling the DeleteRole operation (reached max retries: 4): Rate exceeded

To get around this, we can introduce some sleep statements after each deletion.

A complete working solution is below:

#!/bin/bash

set -e

role_names=$(
    aws iam list-roles | \
        jq -r '.Roles[] | select(.RoleName | startswith("amplify")) | .RoleName'
)

for r in $role_names; do
    # Inline policies must be deleted before the role itself
    role_policies=$(
        aws iam list-role-policies \
            --role-name "$r" | jq -r '.PolicyNames[]'
    )
    for p in $role_policies; do
        echo "Deleting role policy $p..."
        aws iam delete-role-policy --role-name "$r" --policy-name "$p"
        sleep 10  # stay under the IAM throttling limit
    done

    echo "Deleting role $r..."
    aws iam delete-role --role-name "$r"

    sleep 10  # stay under the IAM throttling limit
done
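
A variant of the script above, added here as an example and not part of the original gist: it prints the planned deletions by default (dry run), retries with exponential backoff only when the CLI reports Throttling, and goes one step further than the text by also detaching managed policies, which DeleteRole requires as well. The names DRY_RUN, MAX_TRIES, BASE_DELAY, retry, purge_role, purge_amplify_roles and the file name cleanup.sh are assumptions made for this sketch; it uses the CLI's own --query and --output text options instead of jq.

```shell
#!/bin/bash
# Added example, not the gist author's script. All variable and function
# names below, and the file name cleanup.sh, are chosen for this sketch.
DRY_RUN=${DRY_RUN:-1}        # 1 = only print the mutating calls (default)
MAX_TRIES=${MAX_TRIES:-5}    # attempts per call before giving up
BASE_DELAY=${BASE_DELAY:-2}  # seconds; doubled after each throttled attempt

# Run one mutating CLI call. Retries only when stderr reports Throttling;
# any other error (AccessDenied, DeleteConflict, ...) stops immediately.
retry() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; return 0; fi
    local try=1 delay="$BASE_DELAY" err
    while true; do
        if err=$("$@" 2>&1 >/dev/null); then return 0; fi
        case "$err" in
            *Throttling*) ;;
            *) echo "$err" >&2; return 1 ;;
        esac
        if [ "$try" -ge "$MAX_TRIES" ]; then echo "$err" >&2; return 1; fi
        sleep "$delay"; delay=$((delay * 2)); try=$((try + 1))
    done
}

# Delete inline policies, detach managed policies, then delete the role.
# Instance profiles, which DeleteRole also requires gone, are not handled.
purge_role() {
    local role="$1" p
    for p in $(aws iam list-role-policies --role-name "$role" \
                   --query 'PolicyNames[]' --output text); do
        retry aws iam delete-role-policy --role-name "$role" --policy-name "$p" || return 1
    done
    for p in $(aws iam list-attached-role-policies --role-name "$role" \
                   --query 'AttachedPolicies[].PolicyArn' --output text); do
        retry aws iam detach-role-policy --role-name "$role" --policy-arn "$p" || return 1
    done
    retry aws iam delete-role --role-name "$role"
}

purge_amplify_roles() {
    local r
    for r in $(aws iam list-roles --output text \
                   --query "Roles[?starts_with(RoleName, 'amplify')].RoleName"); do
        purge_role "$r" || return 1
    done
}

# ./cleanup.sh --run             prints the plan for review
# DRY_RUN=0 ./cleanup.sh --run   performs the deletions
if [ "${1:-}" = "--run" ]; then purge_amplify_roles; fi
```

Review the dry-run output before setting DRY_RUN=0: the match is by name prefix only, so any unrelated role whose name starts with "amplify" is included.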