Remove all resources from a STACKIT project. The STACKIT counterpart of
aws-nuke, built on the same engine:libnuke.
stackit-nuke is destructive by design. It deletes everything in the targeted STACKIT project that matches the configured resource types. Deletion is permanent.
Read docs/warning.md before running.
- Project-scoped destruction with explicit allow-list
- Dry-run by default; real deletion requires
--no-dry-run - libnuke config schema:
includes/excludes/filters/presets/blocklist - Service-account key auth (STACKIT standard)
- Multi-region in a single run
- Dependency-aware deletion order
- Distroless multi-arch container, Cosign-signed
- Signed binaries + SBOMs
# Pre-built binary
VERSION=v0.1.0
curl -L "https://github.com/qaiser42/stackit-nuke/releases/download/${VERSION}/stackit-nuke-${VERSION}-linux-amd64.tar.gz" \
| tar xz -C /usr/local/bin stackit-nuke
# Container
docker pull ghcr.io/qaiser42/stackit-nuke:latest
# From source
go install github.com/qaiser42/stackit-nuke@latest# config.yaml
regions: [eu01]
project-ids:
- 00000000-0000-0000-0000-000000000000
auth:
service-account-key-path: ~/.stackit/sa-key.jsonstackit-nuke run --config config.yaml # dry run
stackit-nuke run --config config.yaml --no-dry-run # realFull docs: https://qaiser42.io/stackit-nuke
stackit-nuke is a thin CLI shell over libnuke. We write the STACKIT-specific bits; libnuke does the engine work.
main.go blank-imports pkg/commands/... and resources/.... Their init() functions:
- register CLI subcommands (
run,resource-types) - register 19 resource types with
libnuke/pkg/registry— each entry pairs aLister(discover) with aResource(delete) and optionalDependsOn(ordering)
No reflection, no plugin loader — pure compile-time wiring.
pkg/commands/run/command.go is the only real glue:
- Load config —
config.Newparses libnuke schema (filters/presets/blocklist) plus ourproject-ids/regions/authextension. - Load credentials —
stackit.LoadCredentialsreturns a STACKIT SDK*config.Configurationfrom key path or token. - Enforce allow-list —
--project-idmay narrow the config list, never widen. - Build engine —
libnuke.New(params, filters, settings); register the typed-confirm prompt. - Resolve resource types —
types.ResolveResourceTypesdoes set arithmetic over registered names ∩ includes \ excludes. - Register one scanner per
(project × region)— each scanner carries*stackit.ListerOpts(project, region, credentials) which every Lister receives. n.Run(ctx)— hand off to libnuke.
That's the whole CLI. Everything below n.Run is engine.
Validate → Prompt → Scan → Filter → (dry-run? print : delete-loop)
│
├─ topological sort by DependsOn
├─ Resource.Remove(ctx)
├─ retry "waiting" items (dependency)
└─ surface failures
| Concept | Owner |
|---|---|
| Registry, scanner, queue, dependency sort, retries, filters, dry-run | libnuke |
| STACKIT auth, project allow-list, per-resource SDK calls | us |
libnuke calls into our code at exactly four interfaces:
registry.Register(...)—init()in eachresources/*.goLister.List(ctx, opts) ([]resource.Resource, error)— discoveryResource.Remove(ctx) error— deletionRegisterPrompt(fn)— typed-confirm
That's why the scaffold is small: 19 thin SDK adapters + one CLI wiring file. aws-nuke, azure-nuke, gcp-nuke are built the same way.
$ stackit-nuke run --config config.yaml --no-dry-run
│
main.go → cli.App.Run
│
pkg/commands/run/command.go execute()
├─ config.New → libnuke config + STACKIT fields
├─ stackit.LoadCredentials
├─ libnuke.New(params, filters, settings)
├─ n.RegisterScanner(ProjectScope, scanner{Opts: ListerOpts{...}})
├─ n.RegisterPrompt(stackit.Prompt.Prompt)
└─ n.Run(ctx)
│ (libnuke internals: scan)
↓
resources/compute-server.go ComputeServerLister.List(ctx, opts)
├─ iaasv2.NewAPIClient(stackitConfigOpts(opts)...)
└─ client.DefaultAPI.ListServers(ctx, ProjectID, Region).Execute()
↓ for each server → &ComputeServer{...}
│ (libnuke internals: filter, sort, delete)
↓
ComputeServer.Remove(ctx)
└─ client.DefaultAPI.DeleteServer(ctx, ProjectID, Region, ID).Execute()
Implementing the next 18 resources = copy this pattern, swap the SDK package.
Legend: ✅ list + delete via real STACKIT SDK · 🟡 registered, lister returns empty · ⬜ not yet registered
| Service | Resource | Status | SDK package |
|---|---|---|---|
| IaaS / compute | ComputeServer |
✅ | stackit-sdk-go/services/iaas/v2api |
| IaaS / compute | ComputeVolume |
🟡 | iaas/v2api |
| IaaS / compute | ComputeSnapshot |
🟡 | iaas/v2api |
| IaaS / compute | ComputeKeypair |
🟡 | iaas/v2api |
| IaaS / network | Network |
🟡 | iaas/v2api |
| IaaS / network | Subnet |
🟡 | iaas/v2api |
| IaaS / network | Router |
🟡 | iaas/v2api |
| IaaS / network | SecurityGroup |
🟡 | iaas/v2api |
| IaaS / network | FloatingIP |
🟡 | iaas/v2api |
| Object Storage | ObjectStorageBucket |
🟡 | services/objectstorage |
| Object Storage | ObjectStorageObject |
🟡 | services/objectstorage |
| SKE | SKECluster |
🟡 | services/ske |
| PostgresFlex | PostgresFlexInstance |
🟡 | services/postgresflex |
| MongoDBFlex | MongoDBFlexInstance |
🟡 | services/mongodbflex |
| Redis | RedisInstance |
🟡 | services/redis |
| OpenSearch | OpenSearchInstance |
🟡 | services/opensearch |
| RabbitMQ | RabbitMQInstance |
🟡 | services/rabbitmq |
| LoadBalancer | LoadBalancer |
🟡 | services/loadbalancer |
| DNS | DNSZone |
🟡 | services/dns |
1 of 19 resources fully working. The CLI / config / auth / libnuke engine are functional; the per-resource SDK wiring lands incrementally. Pick one above and follow resources/compute-server.go as the reference pattern — see Contributing.
make build # builds ./stackit-nuke
make test # go test -race -cover ./...
make lint # golangci-lint
make snapshot # goreleaser --snapshot
make docs-serve # mkdocs at localhost:8000Requires Go 1.25+.
dev-infra/ is a Pulumi project (@stackitcloud/pulumi-stackit) that spins up a small STACKIT footprint (network, NICs, servers, volume) you can repeatedly create + nuke + recreate while developing new resource implementations.
cd dev-infra && npm install && pulumi up
cd .. && ./stackit-nuke run --config examples/compute-only.yaml --no-dry-runSee dev-infra/README.md.