After an incident where an auto-cleanup tool mistakenly deleted our production database, we're exploring safer strategies for managing orphaned Azure resources. We're weighing options like Azure Policy, which is comprehensive but requires setup, and manual reviews, which don't scale well. We've also considered read-only scanners, which is what we developed (called CleanCloud), and even the possibility of just accepting the waste, though that's obviously not cost-effective. I'm curious about what other teams use to maintain their production subscriptions where granting delete permissions is a potential risk.
3 Answers
I think using Infrastructure as Code (IaC) can help here. It organizes and tracks resources, making it easier to spot orphaned ones without needing delete permissions.
I've found success using regular weekly or monthly reviews with a workbook I came across on GitHub. You might want to check it out here: https://github.com/dolevshor/azure-orphan-resources. It's worked really well for my clients!
I can confirm that! I’ve been using it too, and it really helps manage things efficiently.
Just to clarify, does your tool offer any kind of auto-cleanup feature, or is it just focused on reporting resources that need attention? I'm looking for something that can automate some of that process.

True! But sometimes, the signals for things like disks being unattached for just 7 days might need to be adjusted for accuracy.
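As an added example (not code from the original question, from the asker's CleanCloud tool, or from the azure-orphan-resources workbook), this is the shape of a read-only orphaned-disk report that the question and the comment above describe: it needs only the Reader role, it never calls a delete API, and the "unattached for N days" window is a parameter rather than a fixed 7 days. The record shape follows `az disk list --output json`; the sample disks are constructed for the example, and `timeCreated` is used as the age proxy because the CLI disk record carries no "detached since" timestamp. The Resource Graph query string is written from memory as an assumption and should be checked against your tenant before use.

```python
"""Read-only orphaned-disk report for an Azure subscription (added example).

Runs against the output of `az disk list --output json` and only produces a
list for a human to review; nothing here deletes anything.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed equivalent as an Azure Resource Graph query (run read-only with
# `az graph query -q "$QUERY"`, which needs the resource-graph extension).
RESOURCE_GRAPH_QUERY = """
resources
| where type =~ "microsoft.compute/disks"
| where properties.diskState =~ "Unattached" and isempty(managedBy)
| project name, resourceGroup, timeCreated = todatetime(properties.timeCreated)
"""

# Constructed sample records, shaped like `az disk list --output json` output.
SAMPLE_DISKS = [
    {"name": "prod-db-data", "resourceGroup": "rg-prod", "diskState": "Attached",
     "managedBy": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                  "rg-prod/providers/Microsoft.Compute/virtualMachines/prod-db-01",
     "timeCreated": "2023-01-10T08:00:00+00:00", "diskSizeGb": 1024, "tags": {}},
    {"name": "old-build-agent-osdisk", "resourceGroup": "rg-ci", "diskState": "Unattached",
     "managedBy": None, "timeCreated": "2024-01-05T12:00:00+00:00", "diskSizeGb": 128,
     "tags": {}},
    {"name": "restore-test-disk", "resourceGroup": "rg-prod", "diskState": "Unattached",
     "managedBy": None, "timeCreated": "2024-03-01T09:30:00+00:00", "diskSizeGb": 512,
     "tags": {"keep": "true"}},   # explicitly retained by its owner
    {"name": "just-detached", "resourceGroup": "rg-prod", "diskState": "Unattached",
     "managedBy": None, "timeCreated": "2024-03-03T09:30:00+00:00", "diskSizeGb": 64,
     "tags": {}},
]


def find_orphaned_disks(disks, now, min_unattached_days=7, exempt_tag="keep"):
    """Return disks that look orphaned, oldest first.

    A disk is reported when it is Unattached, has no managing resource, has
    existed longer than `min_unattached_days`, and is not tagged for
    retention. The window is a parameter because the right value differs per
    environment (a 7-day default will flag disks that are mid-migration).
    """
    cutoff = now - timedelta(days=min_unattached_days)
    report = []
    for disk in disks:
        if disk.get("diskState") != "Unattached" or disk.get("managedBy"):
            continue  # still owned by a VM (or reserved): not orphaned
        tags = disk.get("tags") or {}
        if str(tags.get(exempt_tag, "")).lower() == "true":
            continue  # owner opted out of cleanup reports
        created = datetime.fromisoformat(disk["timeCreated"])
        if created > cutoff:
            continue  # too young to call orphaned yet
        report.append({
            "name": disk["name"],
            "resourceGroup": disk.get("resourceGroup"),
            "sizeGb": disk.get("diskSizeGb", 0),
            "age_days": (now - created).days,
        })
    report.sort(key=lambda r: r["age_days"], reverse=True)
    return report


def summarize(report):
    """Roll the report up so the reviewer sees what the waste is worth chasing."""
    return {"count": len(report), "total_gb": sum(r["sizeGb"] for r in report)}


if __name__ == "__main__":
    # In practice: disks = json.load(open("disks.json")) from `az disk list`.
    now = datetime(2024, 3, 8, tzinfo=timezone.utc)
    found = find_orphaned_disks(SAMPLE_DISKS, now, min_unattached_days=7)
    print(json.dumps({"summary": summarize(found), "disks": found}, indent=2))
```

Run it with a service principal that holds only Reader on the subscription; if the identity cannot delete, a bug in the scanner cannot repeat the incident. The `keep` tag and the `min_unattached_days` window are the two knobs that decide how noisy the weekly review is.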