Delete resources

The commands in this section can be used for teardown of the enclave instances and cleanup of the supporting GCP resources. These are destructive actions and may not be recoverable, so proceed with caution.

Delete client compute instances

Run the following command to delete a client compute instance:

$ anjuna-gcp-cli instance delete "${APM_CLIENT_INSTANCE}"

Delete client image storage bucket

Run the following command to remove the Google Cloud Storage bucket that was used to store the client disk image:

$ gcloud storage rm -r "gs://${APM_CLIENT_BUCKET}/"

Delete server compute instance

Run the following command to delete the Anjuna Policy Manager (APM) server compute instance:

$ anjuna-gcp-cli instance delete "${APM_SERVER_INSTANCE}"

Delete server image storage bucket

Run the following command to remove the Google Cloud Storage bucket that was used to store the APM server disk image:

$ gcloud storage rm -r "gs://${APM_SERVER_BUCKET}/"

Delete TLS secrets

Run the following command to delete the TLS key and certificate secrets from Google Cloud Secret Manager:

$ gcloud secrets delete "${APM_SERVER_TLS_KEY_SECRET}"
$ gcloud secrets delete "${APM_SERVER_TLS_CERT_SECRET}"

Delete persistent storage bucket

This operation will remove the APM server persistent storage, which will delete all of the stored secrets. The root token and recovery keys will also become obsolete.

Run the following command to delete the APM server’s persistent storage and all stored secrets:

$ gcloud storage rm -r "gs://${APM_SERVER_STORAGE}/"

Delete KMS Key

This operation will delete the KMS key used for auto-unsealing the APM server secret data. Unsealing the encrypted storage bucket would still be possible using the recovery keys, but the entire bucket was deleted in Delete persistent storage bucket, above.
In a GCP project, KMS keyring and key names cannot be deleted and will remain indefinitely. However, each key consists of one or more key versions, which can be scheduled for deletion.

Run the following command to list the KMS key versions:

$ gcloud kms keys versions list \
    --key "${KMS_KEY}" \
    --keyring "${KMS_KEYRING}" \
    --location "${KMS_LOCATION}"

Note the version number reported by the previous command (it will be 1 if only one key version has ever been created) and use it in place of <VERSION> in the following command to schedule that key version for destruction. The version is not destroyed immediately: it enters a grace period (24 hours by default) during which the destruction can be cancelled with gcloud kms keys versions restore. If the key has more than one version, repeat the command for each remaining version; only versions in the ENABLED or DISABLED state can be destroyed.

$ gcloud kms keys versions destroy \
    "<VERSION>" \
    --key "${KMS_KEY}" \
    --keyring "${KMS_KEYRING}" \
    --location "${KMS_LOCATION}"
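The version lookup above can be automated. The script below is an added example for this guide, not part of Anjuna's tooling or of the gcloud CLI. It reads the same listing that gcloud kms keys versions list produces, picks out every version that is still destroyable (ENABLED or DISABLED), and schedules each of them rather than only the latest, skipping versions that are already destroyed or pending destruction so it is safe to run twice. It assumes KMS_KEY, KMS_KEYRING and KMS_LOCATION are set as elsewhere in this guide; the DRY_RUN variable and the sample listing embedded in the script are this example's own.

```shell
#!/bin/sh
# Added example for this guide; it is not part of Anjuna's tooling.
# Schedules destruction of every remaining version of the auto-unseal key
# instead of copying <VERSION> by hand. Assumes KMS_KEY, KMS_KEYRING and
# KMS_LOCATION are exported as elsewhere in the guide; the DRY_RUN knob is
# this script's own convention.
set -eu

tab="$(printf '\t')"

# Constructed sample of what
#   gcloud kms keys versions list --format="value(name,state)"
# prints (name<TAB>state): version 1 already destroyed, 2 enabled,
# 3 disabled, 4 already scheduled for destruction.
SAMPLE_LISTING="$(printf '%s\t%s\n' \
  projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1 DESTROYED \
  projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/2 ENABLED \
  projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/3 DISABLED \
  projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/4 DESTROY_SCHEDULED)"

# Read name<TAB>state lines on stdin and print the numeric id of every
# version that can still be destroyed, highest first. Only ENABLED and
# DISABLED versions are accepted by "destroy"; DESTROYED and
# DESTROY_SCHEDULED ones are skipped, so re-running is harmless.
destroyable_versions() {
  awk -F "$tab" '$2 == "ENABLED" || $2 == "DISABLED" {
      n = split($1, parts, "/"); print parts[n]
  }' | sort -rn
}

# The single highest destroyable version, or nothing if none remain.
latest_destroyable_version() {
  destroyable_versions | head -n 1
}

# List the real key, then schedule each destroyable version. The listing is
# collected first so that gcloud keeps the terminal as its stdin. DRY_RUN=1
# prints the commands instead of running them; a real run still gets the
# grace period, during which "gcloud kms keys versions restore" undoes it.
destroy_remaining_versions() {
  : "${KMS_KEY:?set KMS_KEY}" "${KMS_KEYRING:?set KMS_KEYRING}" "${KMS_LOCATION:?set KMS_LOCATION}"
  versions="$(gcloud kms keys versions list \
      --key "${KMS_KEY}" --keyring "${KMS_KEYRING}" --location "${KMS_LOCATION}" \
      --format="value(name,state)" | destroyable_versions)"
  if [ -z "$versions" ]; then
    echo "no destroyable versions left for ${KMS_KEY}"
    return 0
  fi
  for v in $versions; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would run: gcloud kms keys versions destroy $v --key ${KMS_KEY} --keyring ${KMS_KEYRING} --location ${KMS_LOCATION}"
    else
      gcloud kms keys versions destroy "$v" \
          --key "${KMS_KEY}" --keyring "${KMS_KEYRING}" --location "${KMS_LOCATION}"
    fi
  done
}

# Offline check against the constructed sample (no gcloud needed):
printf '%s\n' "$SAMPLE_LISTING" | destroyable_versions
```

Run destroy_remaining_versions with DRY_RUN=1 first and read the printed plan; the KMS key itself and its key ring stay in the project after every version is scheduled for destruction, as noted above.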

Delete attestation IAM role

Run the following commands to remove the IAM policy binding of the attestation role for the service account, and delete the attestation role:

$ gcloud projects remove-iam-policy-binding "${GCP_PROJECT}" \
    --member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
    --role "projects/${GCP_PROJECT}/roles/${ATTESTATION_ROLE_NAME}"
$ gcloud iam roles delete "${ATTESTATION_ROLE_NAME}" \
    --project "${GCP_PROJECT}"

Delete service account

Run the following command to delete the service account used for the APM server:

$ gcloud iam service-accounts delete "${SERVICE_ACCOUNT_EMAIL}"

Delete VPC network

In order to delete a VPC network, all firewall rules and subnets that reference it must first be deleted. The following commands delete the firewall rules and the subnet that were created in the VPC network section.

If you have created any additional firewall rules or subnets for your application, you will need to delete them before deleting the network.

$ gcloud compute firewall-rules delete \
    "${NETWORK_NAME}-allow-internal" \
    "${NETWORK_NAME}-firewall-apm"
$ gcloud compute networks subnets delete \
    "${SUBNET_NAME}" \
    --region "${GCP_REGION}"

Once all of the firewall rules and subnets have been deleted, run the following command to delete the Google Cloud VPC network:

$ gcloud compute networks delete "${NETWORK_NAME}"
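Rather than relying on the two rule names and the one subnet created earlier, the dependencies of the network can be discovered before it is deleted. The script below is an added example for this guide, not Anjuna's own tooling: it filters the listings produced by gcloud compute firewall-rules list and gcloud compute networks subnets list down to the resources attached to the network, deletes those, and then deletes the network. It assumes NETWORK_NAME and GCP_PROJECT are set as elsewhere in this guide; the two sample listings embedded in the script are constructed for the offline check.

```shell
#!/bin/sh
# Added example for this guide, not Anjuna's own tooling: enumerate every
# firewall rule and subnet still attached to the VPC and delete them before
# the network itself. Assumes NETWORK_NAME and GCP_PROJECT as in the guide.
set -eu

tab="$(printf '\t')"

# Constructed output of
#   gcloud compute firewall-rules list --format="value(name,network)"
# (name<TAB>network URL). The third rule stands in for an "extra" rule a
# user added for their application.
SAMPLE_RULES="$(printf '%s\t%s\n' \
  apm-net-allow-internal https://www.googleapis.com/compute/v1/projects/p/global/networks/apm-net \
  apm-net-firewall-apm https://www.googleapis.com/compute/v1/projects/p/global/networks/apm-net \
  extra-ssh-rule https://www.googleapis.com/compute/v1/projects/p/global/networks/apm-net \
  default-allow-icmp https://www.googleapis.com/compute/v1/projects/p/global/networks/default)"

# Constructed output of
#   gcloud compute networks subnets list --format="value(name,region,network)"
SAMPLE_SUBNETS="$(printf '%s\t%s\t%s\n' \
  apm-subnet https://www.googleapis.com/compute/v1/projects/p/regions/us-central1 https://www.googleapis.com/compute/v1/projects/p/global/networks/apm-net \
  default https://www.googleapis.com/compute/v1/projects/p/regions/us-central1 https://www.googleapis.com/compute/v1/projects/p/global/networks/default)"

# Print the names of the firewall rules (stdin, name<TAB>network) whose
# network's last path component equals $1. Matching on the last component
# works whether the column is a full URL or just the network name.
rules_on_network() {
  awk -F "$tab" -v net="$1" '{ n = split($2, p, "/"); if (p[n] == net) print $1 }'
}

# Print "name region" for every subnet (stdin, name<TAB>region<TAB>network)
# on network $1; region and network URLs are reduced to their last component.
subnets_on_network() {
  awk -F "$tab" -v net="$1" '{
      n = split($3, p, "/"); r = split($2, q, "/")
      if (p[n] == net) print $1 " " q[r]
  }'
}

# Delete every dependent rule and subnet, then the network. Listings are
# collected before any delete runs so that gcloud's confirmation prompts
# read from the terminal, not from a pipe.
delete_network() {
  : "${NETWORK_NAME:?set NETWORK_NAME}" "${GCP_PROJECT:?set GCP_PROJECT}"
  rules="$(gcloud compute firewall-rules list --project "${GCP_PROJECT}" \
      --format="value(name,network)" | rules_on_network "${NETWORK_NAME}")"
  for rule in $rules; do
    gcloud compute firewall-rules delete "$rule" --project "${GCP_PROJECT}"
  done
  subnets="$(gcloud compute networks subnets list --project "${GCP_PROJECT}" \
      --format="value(name,region,network)" | subnets_on_network "${NETWORK_NAME}")"
  # Each line is "name region"; word-splitting is intended, GCP names contain no spaces.
  set -- $subnets
  while [ $# -ge 2 ]; do
    gcloud compute networks subnets delete "$1" --region "$2" --project "${GCP_PROJECT}"
    shift 2
  done
  gcloud compute networks delete "${NETWORK_NAME}" --project "${GCP_PROJECT}"
}

# Offline check against the constructed listings (no gcloud needed):
printf '%s\n' "$SAMPLE_RULES" | rules_on_network apm-net
printf '%s\n' "$SAMPLE_SUBNETS" | subnets_on_network apm-net
```

Call delete_network only after the instances that used the network have been deleted, as in the earlier steps of this section; each gcloud delete still asks for confirmation unless --quiet is added.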