A CLI tool to force delete CloudFormation Stacks

k_goto

k.goto

Posted on March 13, 2023

A CloudFormation (or AWS CDK, etc.) stack sometimes fails to delete and ends up in the DELETE_FAILED status, for example when the stack contains a non-empty S3 bucket or ECR repository.

So I have released an OSS CLI tool that can force delete an entire AWS CloudFormation stack with just one command, even if it contains resources that the CloudFormation delete operation fails to delete.

The name of this tool is delstack, and it is implemented in golang. (See the GitHub link!)

Resource Types that can be forced to delete

Among the resources that fail in the normal CloudFormation stack deletion, this tool supports the following resources.

If you want to delete the unsupported resources, please create an issue at GitHub.

All resources that do not fail normal deletion can be deleted as is.

| RESOURCE TYPE | DETAILS |
| --- | --- |
| AWS::S3::Bucket | S3 Buckets, including buckets with Non-empty or Versioning enabled and DeletionPolicy not Retain. (Because "Retain" buckets should not be deleted.) |
| AWS::S3Express::DirectoryBucket | S3 Directory Buckets for S3 Express One Zone, including buckets with Non-empty and DeletionPolicy not Retain. (Because "Retain" buckets should not be deleted.) |
| AWS::IAM::Group | IAM Groups, including groups with IAM users from outside the stack. In that case, this tool detaches the IAM users and then deletes the IAM group (but not the IAM users themselves). |
| AWS::ECR::Repository | ECR Repositories, including repositories that contain images and where the EmptyOnDelete is not true. |
| AWS::Backup::BackupVault | Backup Vaults, including vaults containing recovery points. |
| AWS::CloudFormation::Stack | Nested Child Stacks that failed to delete. If any of the other resources are included in the child stack, they too will be deleted. |
| Custom::Xxx | Custom Resources, including resources that do not return a SUCCESS status. |

This tool can be used even for stacks that do not contain any of the above targets for forced deletion. So all stack deletions can basically be done with this tool!!

Rest assured! Stacks with "Termination Protection" enabled will not be deleted, because you probably really do not want to delete them.

Deletion of resources that fail to be deleted because they are used by other stack resources, i.e., resources that are referenced (depended on) from outside the stack, is not supported. Only forced deletion of resources that can be completed only within the stack is supported.

Interactive Mode

StackName Selection

If you do not specify a stack name in the command options in interactive mode (-i, --interactive), you can filter stack names by a case-insensitive keyword and then select stacks.

The keyword can be empty.

❯ delstack -i
Filter a keyword of stack names(case-insensitive): goto

Then you select stack names in the UI.

? Select StackNames.
Nested child stacks, XXX_IN_PROGRESS(e.g. ROLLBACK_IN_PROGRESS) status stacks and EnableTerminationProtection stacks are not displayed.
  [Use arrows to move, space to select, <right> to all, <left> to none, type to filter]
  [x]  dev-goto-04-TestStack
  [ ]  dev-GOTO-03-TestStack
> [x]  dev-Goto-02-TestStack
  [ ]  dev-goto-01-TestStack

ResourceTypes

The -i, --interactive option allows you to select the ResourceTypes you wish to force delete even if they end up in DELETE_FAILED. This lets you protect resources you really do not want to delete by not selecting their ResourceTypes!

However, if a resource can be deleted without becoming DELETE_FAILED by the normal CloudFormation stack deletion feature, the resource will be deleted even if you do not select that resource type. This tool is not intended to protect specific resources from the normal CloudFormation stack deletion feature, so I implemented this feature with the nuance that only those resources that really should not be deleted will not be forced to be deleted.

❯ delstack -i -s dev-goto-01-TestStack
? dev-goto-01-TestStack
Select ResourceTypes you wish to delete even if DELETE_FAILED.
However, if a resource can be deleted without becoming DELETE_FAILED by the normal CloudFormation stack deletion feature, the resource will be deleted even if you do not select that resource type.
  [Use arrows to move, space to select, <right> to all, <left> to none, type to filter]
  [x]  AWS::S3::Bucket
  [ ] AWS::S3Express::DirectoryBucket
  [ ]  AWS::IAM::Group
> [x]  AWS::ECR::Repository
  [ ]  AWS::Backup::BackupVault
  [ ]  AWS::CloudFormation::Stack
  [ ]  Custom::
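The selection semantics above, combined with the resource table, as an added example (not delstack's own code): a pre-flight pass over a stack template that reports which logical resources a run would force delete for a given ResourceTypes selection. It assumes the template is already parsed into a dict; the function names and the sample template are hypothetical.

```python
# Added example, not delstack's code: models the deletion rules described on this page.
FORCE_TYPES = {  # resource types the page lists as force-delete targets
    "AWS::S3::Bucket", "AWS::S3Express::DirectoryBucket", "AWS::IAM::Group",
    "AWS::ECR::Repository", "AWS::Backup::BackupVault", "AWS::CloudFormation::Stack",
}
S3_TYPES = {"AWS::S3::Bucket", "AWS::S3Express::DirectoryBucket"}
ALL_SELECTABLE = FORCE_TYPES | {"Custom::"}  # entries shown in the interactive list


def classify(resource, selected):
    """Return how one template resource is treated for a given type selection."""
    rtype = resource.get("Type", "")
    props = resource.get("Properties", {})
    if rtype in S3_TYPES and resource.get("DeletionPolicy") == "Retain":
        return "retained"  # "Retain" buckets are never deleted
    if rtype == "AWS::ECR::Repository" and props.get("EmptyOnDelete") is True:
        return "normal"  # CloudFormation empties the repository itself
    ui_type = "Custom::" if rtype.startswith("Custom::") else rtype
    if ui_type not in ALL_SELECTABLE:
        return "normal"  # plain CloudFormation deletion, no force needed
    # Unselected types survive only when normal deletion ends in DELETE_FAILED.
    return "forced" if ui_type in selected else "kept_if_failed"


def preflight(template, selected, termination_protection=False):
    """Group logical IDs by outcome; a protected stack is skipped entirely."""
    report = {"forced": [], "kept_if_failed": [], "retained": [], "normal": []}
    for logical_id, resource in sorted(template.get("Resources", {}).items()):
        outcome = "retained" if termination_protection else classify(resource, selected)
        report[outcome].append(logical_id)
    return report


SAMPLE = {"Resources": {  # constructed template with hypothetical logical IDs
    "LogsBucket": {"Type": "AWS::S3::Bucket"},
    "AuditBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
    "Images": {"Type": "AWS::ECR::Repository"},
    "CleanImages": {"Type": "AWS::ECR::Repository",
                    "Properties": {"EmptyOnDelete": True}},
    "Seeder": {"Type": "Custom::Seeder"},
    "Queue": {"Type": "AWS::SQS::Queue"},
}}

if __name__ == "__main__":
    for outcome, ids in preflight(SAMPLE, selected={"AWS::S3::Bucket"}).items():
        print(f"{outcome:15} {', '.join(ids) or '-'}")
```

Resources reported as "normal" or "kept_if_failed" are still removed whenever the ordinary CloudFormation deletion succeeds, so the "retained" list is the only one that is safe regardless of the selection.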

GitHub Actions

You can use delstack with parameters "stack-name" and "region" in GitHub Actions Workflow. To delete multiple stacks, specify stack names separated by commas.

jobs:
  delstack:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed when role-to-assume uses GitHub OIDC
      contents: read # Needed by actions/checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
          # Or specify access keys.
          # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Delete stack
        uses: go-to-k/delstack@main # Or specify the version instead of main
        with:
          stack-name: YourStack
          # stack-name: YourStack1, YourStack2, YourStack3 # To delete multiple stacks
          region: us-east-1

You can also run raw commands after installing the delstack binary.

jobs:
  delstack:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed when role-to-assume uses GitHub OIDC
      contents: read # Needed by actions/checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
          # Or specify access keys.
          # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Install delstack
        uses: go-to-k/delstack@main # Or specify the version instead of main
      - name: Run delstack
        run: |
          echo "delstack"
          delstack -v
          delstack -s YourStack1 -s YourStack2 -r us-east-1

Finally

Please feel free to use this tool! I would be happy to help you.
Have fun with CloudFormation and CDK!
