Every cloud account has a list of idle resources nobody has touched in weeks. The recommendations exist. The savings are real. The list never gets shorter. The blocker is not data. The blocker is that the only button on offer says “delete,” and delete is forever.
This is the reversibility gap: the distance between a recommendation a team agrees with and an action a team is willing to take. ZopNight v1.17.0 closes it. We made 28 idle-resource recommendations one-click, split 6 automatic and 22 guided, and gave idle managed databases a power-only pause instead of deletion. Pause stops the compute and keeps the data, so the action is reversible, which is what finally makes cleanup happen.
The blocker is fear of an irreversible action, not a missing recommendation
Engineers do not leave idle databases running because they failed to notice them. They leave them running because deleting a stateful resource without a tested restore path is a career-grade mistake. So the rational move is to do nothing.
A dashboard that surfaces idle resources does not fix this. It widens the gap. It adds more recommendations to a list of actions nobody wants to take. Visibility without a safe action is just a longer queue of guilt. The fix is not louder alerts. The fix is changing what the button does.
When the action is reversible, the calculation flips. A team will approve a pause in seconds because undoing it is one click. That is why right-sizing idle resources only sticks when the underlying action can be walked back.
We split 28 one-click actions by blast radius: 6 automatic, 22 guided
Not every idle resource carries the same risk. An unattached disk and a primary database both show up as waste, but deleting them has very different consequences. So we route every one-click recommendation by blast radius before it executes.
Six recommendations run fully automatic. These cover resources that can be recreated from declarative state with no data loss: orphaned IPs, detached volumes, empty load balancers. Automating them is safe because the worst case is a cheap re-provision, not a lost workload.
Twenty-two recommendations are guided. A human confirms before anything executes, because these resources hold data, carry dependencies, or affect a running service. Guided is not a slower automatic. It is a different risk class that earns a human in the loop.

This split is what makes one-click honest. The review queue only holds the 22 decisions that genuinely need a person. The 6 low-risk actions clear themselves. Nobody rubber-stamps an empty load balancer at 2 a.m.
Idle databases get a power-only pause, so cleanup is reversible by design
A managed database is the resource teams most want to clean up and least dare to touch. Deleting it frees the most spend and risks the most damage. So we built a third action that is neither delete nor “leave it running.”
A power-only pause stops the compute and keeps the storage and the data intact. The bill for the running instance stops, the same way a night-shift schedule cuts cloud spend by powering down idle hours. The database does not vanish. Resuming it is one click, and the data is exactly where it was. Reversibility is not a feature bolted on top. It is the entire point of the action.
This is why guided cleanup works on stateful resources. A team approves a pause because the recovery plan is “click resume.” There is no restore-from-snapshot drill to schedule first. The same logic underpins closed-loop cloud remediation: an action you can undo is an action you can automate the approval of.
| Action | What it does | When it applies |
|---|---|---|
| Automatic | Executes without confirmation; resource re-provisions from state | Recreatable resources with no data: orphaned IPs, detached volumes, empty load balancers |
| Guided | Surfaces for human confirmation before execution | Resources with data, dependencies, or live traffic |
| Power-only pause | Stops compute, keeps storage and data, resumes in one click | Idle managed databases where deletion is unsafe but the compute bill is pure waste |
Untagged child resources inherit parent tags, so cleanup knows who owns what
Guided cleanup only works if the confirmation lands with the right owner. An idle resource tagged “unknown” goes to nobody, so it stays running. The same v1.17.0 release fixes this: untagged child resources now inherit their parent’s tags.
A read replica inherits the primary’s team and environment tags. A child volume inherits its instance’s owner. Attribution stops leaking the moment a resource is discovered, not after a quarterly tagging campaign. This is the difference between tag governance at discovery time and chasing drift forever.
Accurate ownership is what routes a guided pause to the engineer who can confirm it in seconds. Tagging is not paperwork here. It is the addressing layer for every cleanup decision.
Pause works for idle databases; deletion stays guarded
Power-only pause is the right action when a managed database is idle and the compute bill is the waste. It is the wrong action when the database is small and the storage cost dominates, because pausing compute saves little while you still pay for retained storage. Pause optimizes the compute line, not the storage line.
Guided does not mean automatic-with-a-delay. The 22 guided actions stay guided on purpose. Deletion of a stateful resource is never automatic in ZopNight, even for resources idle for months, because “idle for 90 days” and “safe to delete” are not the same claim. A dormant disaster-recovery replica looks identical to dead weight.
So the rule holds in both directions. Reversible actions get fast approval or full automation. Destructive actions stay behind a confirmed, owner-routed gate. The reversibility gap closes not by making deletion easier, but by making the safe action the default. See the full autonomous cloud governance model for how this scales across providers.
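The routing rules above, sketched as an added example (not ZopNight's code): tag inheritance resolves the owner, then blast radius picks the action. The `Resource` fields, the action names, the `unrouted` state and the compute-versus-storage comparison are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Kinds the page lists as recreatable from declarative state with no data loss.
RECREATABLE = {"orphaned_ip", "detached_volume", "empty_load_balancer"}

@dataclass
class Resource:
    rid: str
    kind: str
    tags: dict = field(default_factory=dict)
    parent: "Resource | None" = None
    holds_data: bool = False
    has_dependents: bool = False
    serves_traffic: bool = False
    compute_cost: float = 0.0  # monthly cost of the idle compute
    storage_cost: float = 0.0  # monthly cost of retained storage

def effective_tags(res):
    """Tags a child lacks are inherited from its parent; its own tags win."""
    inherited = effective_tags(res.parent) if res.parent else {}
    return {**inherited, **res.tags}

def route(res):
    """Return (action, approver); approver is None when nobody is asked."""
    owner = effective_tags(res).get("owner")
    risky = res.holds_data or res.has_dependents or res.serves_traffic
    if res.kind in RECREATABLE and not risky:
        return ("automatic", None)
    if owner is None:
        return ("unrouted", None)  # no confirmer: nothing executes
    # Assumption: "compute bill is the waste" means compute > storage cost.
    if res.kind == "managed_database" and res.compute_cost > res.storage_cost:
        return ("guided_pause", owner)
    return ("guided", owner)  # never falls through to an automatic delete

def sample_routes():
    """Constructed inventory exercising each branch."""
    primary = Resource("db-1", "managed_database", {"owner": "team-payments"},
                       holds_data=True, compute_cost=400, storage_cost=40)
    replica = Resource("db-1-ro", "managed_database", parent=primary,
                       holds_data=True, compute_cost=300, storage_cost=40)
    tiny = Resource("db-2", "managed_database", {"owner": "team-web"},
                    holds_data=True, compute_cost=5, storage_cost=50)
    ip = Resource("ip-1", "orphaned_ip")
    vol = Resource("vol-1", "detached_volume", holds_data=True)
    return {r.rid: route(r) for r in (primary, replica, tiny, ip, vol)}
```

The detached volume that still holds data fails closed: it is not auto-cleaned despite its kind, and with no owner tag it is not routed to anyone either.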


