How do I retain some of my resources when I delete an AWS CloudFormation stack?


I want to delete a new or existing AWS CloudFormation stack, but I don’t want to delete all the stack's resources.

Short description

To keep certain resources when you delete a stack, use the DeletionPolicy attribute in your CloudFormation template.

Before you delete a stack, set the DeletionPolicy option that you want on each resource. Resources without a DeletionPolicy are deleted with the stack:

  • The Retain option keeps the resource when the stack is deleted. CloudFormation stops managing a retained resource, so it continues to incur charges and any later changes to it happen outside the stack.
  • The Snapshot option creates a snapshot of the resource before that resource is deleted.
    Note: This option is available only for resources that support snapshots, such as AWS::EC2::Volume, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::ElastiCache::CacheCluster, AWS::ElastiCache::ReplicationGroup, AWS::Neptune::DBCluster and AWS::Redshift::Cluster. Using Snapshot on any other type fails template validation.
  • The Delete option deletes the resource along with the stack.
    Note: This option is the default if you don't set a DeletionPolicy.

The DeletionPolicy also applies when you remove a resource from the template during a stack update. Replacement of a resource during an update is governed by the separate UpdateReplacePolicy attribute.

Resolution

The following steps show you how to use the Retain option for DeletionPolicy to prevent the deletion of resources during a CloudFormation stack deletion.

Specify the DeletionPolicy attributes in the AWS CloudFormation template

In your CloudFormation template, enter Retain as the DeletionPolicy for the resources that you want to keep. In the following example JSON and YAML templates, the Retain policy is specified for the AWS::EC2::SecurityGroup resources and for the AWS::EC2::SecurityGroupIngress rules attached to them, so that the groups survive deletion with their rules intact. The example groups specify no VpcId, so they are created in the default VPC and Ref returns the group name, which is why the ingress rules use GroupName. For security groups created in a non-default VPC, reference the group through GroupId instead.

JSON:

{
  "Description": "AWS CloudFormation DeletionPolicy demo",
  "Resources": {
    "SGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup1Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup1"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    },
    "SGroup2Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup2"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    }
  }
}

YAML:

Description: AWS CloudFormation DeletionPolicy demo
Resources:
  SGroup1:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup2:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup1Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup1
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
  SGroup2Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup2
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
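The "make sure that you specify" advice above is easy to get wrong by hand on a large template: a resource with no DeletionPolicy silently falls back to Delete, Snapshot is rejected on types that don't support it, and a retained rule can still vanish when its parent group is deleted. The following script is an added example, not part of the original article or of any AWS tool. It audits a parsed JSON template (the YAML form would need a loader that understands the !Ref tag, which is left out to keep it dependency-free) for the logical IDs you intend to keep. The SNAPSHOT_SUPPORTED set is taken from the CloudFormation DeletionPolicy documentation and should be re-checked against current docs; the sample template is constructed for this example from the article's first security group plus extra resources that exercise each check.

```python
"""Audit DeletionPolicy attributes before deleting a CloudFormation stack.

Added example (not from the original article). Works on a JSON template
parsed into Python objects with json.loads().
"""
import json
from typing import Any

VALID_POLICIES = {"Delete", "Retain", "RetainExceptOnCreate", "Snapshot"}

# Resource types documented as supporting DeletionPolicy: Snapshot.
# Confirm against the current CloudFormation docs before relying on this list.
SNAPSHOT_SUPPORTED = {
    "AWS::DocDB::DBCluster",
    "AWS::EC2::Volume",
    "AWS::ElastiCache::CacheCluster",
    "AWS::ElastiCache::ReplicationGroup",
    "AWS::Neptune::DBCluster",
    "AWS::RDS::DBCluster",
    "AWS::RDS::DBInstance",
    "AWS::Redshift::Cluster",
}


def find_refs(node: Any) -> set[str]:
    """Collect logical IDs referenced through Ref or Fn::GetAtt anywhere under node."""
    refs: set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                refs.add(value)
            elif key == "Fn::GetAtt":
                # Fn::GetAtt is either ["LogicalId", "Attribute"] or "LogicalId.Attribute"
                target = value[0] if isinstance(value, list) else str(value).split(".", 1)[0]
                refs.add(target)
            else:
                refs |= find_refs(value)
    elif isinstance(node, list):
        for item in node:
            refs |= find_refs(item)
    return refs


def audit_deletion_policies(template: dict, keep: set[str]) -> list[str]:
    """Return findings for the logical IDs in `keep` that you want to survive stack deletion.

    An empty list means every requested resource has a policy that keeps it.
    """
    resources = template.get("Resources", {})
    findings: list[str] = []
    for logical_id in sorted(keep):
        if logical_id not in resources:
            findings.append(f"{logical_id}: not present in template")
            continue
        res = resources[logical_id]
        policy = res.get("DeletionPolicy", "Delete")  # Delete is the documented default
        rtype = res.get("Type", "")
        if policy not in VALID_POLICIES:
            findings.append(f"{logical_id}: unknown DeletionPolicy {policy!r}")
        elif policy == "Delete":
            findings.append(f"{logical_id}: no DeletionPolicy set (default Delete); add Retain or Snapshot")
        elif policy == "Snapshot" and rtype not in SNAPSHOT_SUPPORTED:
            findings.append(f"{logical_id}: {rtype} does not support Snapshot; use Retain")
        # Heuristic: a retained resource that references a resource slated for deletion
        # may still disappear with it (for example an ingress rule whose group is deleted).
        if policy != "Delete":
            for dep in sorted(find_refs(res.get("Properties", {}))):
                if dep in resources and resources[dep].get("DeletionPolicy", "Delete") == "Delete":
                    findings.append(f"{logical_id}: retained but depends on {dep}, which will be deleted")
    return findings


# Constructed sample: the article's SGroup1 and its rule, plus resources added here
# to trigger each check (a rule whose group has no policy, a volume with no policy,
# and an S3 bucket with an unsupported Snapshot policy).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup1Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
                       "Properties": {"GroupName": {"Ref": "SGroup1"}, "IpProtocol": "tcp",
                                      "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}},
    "SGroup3": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"GroupDescription": "no policy, so Delete"}},
    "SGroup3Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
                       "Properties": {"GroupName": {"Ref": "SGroup3"}, "IpProtocol": "tcp",
                                      "FromPort": "22", "ToPort": "22", "CidrIp": "10.0.0.0/8"}},
    "AppVolume": {"Type": "AWS::EC2::Volume",
                  "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Snapshot", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    for finding in audit_deletion_policies(SAMPLE_TEMPLATE, set(SAMPLE_TEMPLATE["Resources"])):
        print(finding)
```

Run it against your own template with `json.load(open("template.json"))` and the set of logical IDs you expect to survive; treat any finding as a reason not to run the delete yet.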

Upload your updated CloudFormation template

  1. Open the AWS CloudFormation console.
  2. For a new stack, choose Create Stack. For an existing stack, select the stack that you want to update, and then choose Update Stack. Adding or changing a DeletionPolicy is an update that doesn't interrupt the resource.
  3. For Choose a template, select Upload a template to Amazon S3, and then choose the CloudFormation template that you modified to include deletion policies.
  4. Choose Next.
  5. If you are creating a new stack, for Stack name, enter a name for your stack, and then choose Next.
  6. On the Options page, select the appropriate options for your stack, and then choose Next.
  7. Choose Create for a new stack, or Update for an existing stack.

Test the DeletionPolicy attribute

  1. Delete the AWS CloudFormation stack.
  2. Confirm that the resources with the Retain option for DeletionPolicy are still available after the stack deletion is complete. You can check the resources in their respective services using the AWS Management Console or the AWS CLI.

For example, you can verify that the Retain policy in the preceding templates worked by using the following steps after you delete the CloudFormation stack.

  1. Open the Amazon EC2 console.
  2. On the navigation pane in the Network & Security section, choose Security Groups.
  3. Confirm that the security groups that had the Retain policy are still available, and that their ingress rules are still present.

Related information

Creating a stack on the AWS CloudFormation console

How do I prevent the resources in my CloudFormation stack from getting deleted or updated?

AWS OFFICIAL, updated 2 years ago

1 Comment

Just not a useful process for IAM::Roles... you know, one of those least-used resources in AWS 🤣

replied 4 months ago