AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.
How do I delete a stack instance from a CloudFormation stack set in a closed or suspended AWS account?
I want to delete a stack instance from an AWS CloudFormation stack set. The deletion fails because the target AWS account is closed or suspended.
Short description
To delete stack instances for closed or suspended accounts, you must perform the DeleteStackInstances operation with the RetainStacks option set to true. This disconnects the stack instance from the stack set and doesn't delete the stack instance in the target account.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To delete a stack instance from a closed or suspended account, use either the CloudFormation console or the AWS CLI. Complete the resolution for your stack set's permission model.
Delete stack sets with self-managed permissions
Use the CloudFormation console
Complete the following steps:
- Open the CloudFormation console.
- In the navigation pane, choose StackSets.
- In the StackSet name column, select the stack set.
- Choose Actions, and then choose Delete stacks from StackSet.
- On the Set deployment options page, for Account numbers, enter the closed or suspended account's 12-digit ID.
- For Specify Regions, choose your stack instance's AWS Region.
- For Deployment options, turn on Retain stacks, and then choose Next.
- On the Review page, choose Submit.
Use AWS CLI
Run the following delete-stack-instances AWS CLI command:
$ aws cloudformation delete-stack-instances --stack-set-name ExampleStackSetName --accounts 1234567890abcdef0 --regions aa-example-1 --retain-stacks
Note: Replace ExampleStackSetName with your stack set name, 1234567890abcdef0 with your stack instance account ID and aa-example-1 with your instance's Region.
Delete stack sets with service-managed permissions
Use the CloudFormation console
Complete the following steps:
- Open the CloudFormation console.
- In the navigation pane, choose StackSets.
- In the StackSet name column, select the stack set.
- Choose Actions, and then choose Delete stacks from StackSet.
- On the Set deployment options page, take the following actions:
Enter the AWS Organizations unit ID that the target account is in.
Note: If you don't know your closed or suspended account's organizational unit ID (OU ID), then use the root OU ID instead.
Choose Account filter type, then choose Intersection.
Enter the target account number so that you can delete individual accounts in OUs rather than delete the entire AWS Organizations unit. - In the Specify Regions section, choose your stack instance's Region.
- In the Deployment options section, turn on Retain stacks, and then choose Next.
- On the Review page, choose Submit.
AWS CLI
Run the delete-stack-instances command:
$ aws cloudformation delete-stack-instances --stack-set-name ExampleStackSetName --deployment-targets Accounts=1234567890abcdef0,OrganizationalUnitIds=abcdef01234567890,AccountFilterType=INTERSECTION --regions aa-example-1 --retain-stacks
Note: Replace ExampleStackSetName with your stack set name, 1234567890abcdef0 with your stack instance account ID, abcdef01234567890 with your stack instance account OU and aa-example-1 with your instance's Region.
Related information
- Topics
- Management & Governance
- Language
- English
The command example for the service-managed stacks is incomplete. The deployment-targets argument needs to include additional values otherwise it will throw an error:
An error occurred (ValidationError) when calling the DeleteStackInstances operation: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target
The solution for me to target an individual account or list of accounts was as follows. It was helpful to look closely at the cli docs especially around what AccountFilterType could be set to to understand how to single out a single account here https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/delete-stack-instances.html:
$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks
Side note: it would be really great to have a --dry-run option for this operation since there isn't a great way to "test" the deployment-targets parameter to make sure it's actually hitting the right things.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I have no idea about the OU of the account that has been suspended, I only have the account id. In this case what information should I input in OU?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 3 years ago
- asked 4 years ago
- asked 3 years ago
