Skip to main content

Auto-nuke and redeploy development environments on weekly basis

Feature description

This feature automatically nukes and optionally recreates development environments on weekly basis. This is useful for environments with the sandbox permission, which allow users provisioning resources directly through the AWS web console as opposite to using terraform. In such cases, the auto-nuke will make sure the resources created manually will be cleared on weekly basis. If requested, the resources defined in terraform will then be recreated.

Every Sunday:

  • At 10.00pm the awsnuke.yml workflow is triggered. This workflow nukes all the configured development environments using the AWS Nuke tool (
  • At 12.00 noon the nuke-redeploy.yml workflow is triggered. If requested, this workflow redeploys the nuked environment using terraform apply.

A sketch of the algorithm is as follows:

  • For every account in a dynamically generated list of all sandbox accounts
  • Assume the role MemberInfrastructureAccess under the account ID
  • Nuke the resources under the account ID
  • (Optionally) Perform terraform apply in order to recreate all resources from terraform


Auto-nuke consumes the following dynamically generated Github secrets stored in the Modernisation Platorm Environments repository:

  • MODERNISATION_PLATFORM_AUTONUKE_BLOCKLIST: Account aliases to always exclude from auto-nuke. This takes precedence over all other configuration options. Due to the destructive nature of the tool, AWS-Nuke ( requires at least one Account ID in the configured blocklist. Our blocklist contains all production. preproduction and core accounts.

  • MODERNISATION_PLATFORM_AUTONUKE: Account aliases of sandbox accounts to be auto-nuked on weekly basis.

  • MODERNISATION_PLATFORM_AUTONUKE_REBUILD: Accounts to be rebuilt after auto-nuke runs. This secret is consumed by the nuke-redeploy.yml workflow.

The nuke-config-template.txt is populated with account and blocklist information during the runtime of the awsnuke.yml workflow, to produce a valid aws-nuke configuration file.

When new sandbox development environment is onboarded

When Modernisation Platform onboards a new sandbox development environment or converts an existing development environment to a sandbox it is automatically added to the autonuke account list and will be nuked as part of the regular scheduled workflow run. Customers can optionally request to have their environment rebuilt after nuke and, in some exceptional circumstances, excluded from nuke.

The default behaviour can be modified by adding a nuke attribute to the environments json file.


      "name": "development",
      "access": [
          "github_slug": "my-application",
          "level": "sandbox",
          "nuke": "rebuild"

Valid values are:

include = nukes but doesn’t rebuild (default option if nothing added) exclude = doesn’t nuke or rebuild rebuild = nukes and rebuilds

Please contact us in #ask-modernisation-platform channel for details.

This page was last reviewed on 9 June 2023. It needs to be reviewed again on 9 December 2023 by the page owner #modernisation-platform .
This page was set to be reviewed before 9 December 2023 by the page owner #modernisation-platform. This might mean the content is out of date.