How do I delete a stack instance from a CloudFormation stack set in a closed or suspended AWS account?


I want to delete a stack instance from an AWS CloudFormation stack set. The deletion fails because the target AWS account is closed or suspended.

Short description

When an account is closed or suspended, the CloudFormation StackSets administration role can no longer assume the StackSets execution role in that account. To delete stack instances for closed or suspended accounts, you must run the DeleteStackInstances operation with the RetainStacks option set to true. This disconnects the stack instance from the stack set and doesn't delete the stack itself in the target account.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also make sure that you're using the most recent AWS CLI version.

To delete a stack instance from a closed or suspended AWS account, use either the CloudFormation console or the AWS CLI.

If you use the AWS CLI, then replace the following values with your values:

  • YourStackSetName with your stack set's name
  • YourStackInstanceAccount with the closed or suspended account's number
  • YourStackInstanceRegion with your stack instance's AWS Region

Complete the resolution for your stack set's permission model.

Delete stack sets with self-managed permissions

CloudFormation console

Complete the following steps:

  1. Open the CloudFormation console.
  2. In the navigation pane, choose StackSets.
  3. In the StackSet name column, select the stack set.
  4. Choose Actions, and then choose Delete stacks from StackSets.
  5. On the Set deployment options page, for Account numbers, enter the 12-digit account number of the account that's closed or suspended.
  6. For Specify regions, choose your stack instance's Region.
  7. For Deployment options, turn on Retain stacks, and then choose Next.
  8. On the Review page, choose Submit.

AWS CLI

Run the delete-stack-instances command:

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --accounts YourStackInstanceAccount --regions YourStackInstanceRegion --retain-stacks

Delete stack sets with service-managed permissions

CloudFormation console

Note: If your account is closed, deleted, or suspended and you don't know the account's organizational unit ID (OU ID), use the root OU ID instead, and set the account filter type to intersection.

Complete the following steps:

  1. Open the CloudFormation console.
  2. In the navigation pane, choose StackSets.
  3. In the StackSet name column, select the stack set.
  4. Choose Actions, and then choose Delete stacks from StackSets.
  5. On the Set deployment options page, take the following actions:
    Enter the AWS Organizations unit ID that the target account is in.
    Select account filter type, then select intersection.
    Enter the target account number so that you can delete individual accounts in OUs rather than delete the entire AWS Organizations unit.
  6. In the Specify regions section, choose your stack instance's AWS Region.
  7. In the Deployment options section, turn on Retain stacks, and then choose Next.
  8. On the Review page, choose Submit.

AWS CLI

Run the delete-stack-instances command:

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks
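A small POSIX shell wrapper, added here as an example and not part of the AWS article, that covers both the self-managed and service-managed commands above: it validates the account and OU IDs, always appends --retain-stacks, and with DRY_RUN=1 only prints the command so the deployment-targets value can be checked before anything is deleted. The function names and the sample IDs in the comments are invented for the example.

```shell
#!/bin/sh
# Added example (not from the AWS article). Wraps delete-stack-instances so that
# --retain-stacks is never forgotten and the deployment-targets form matches the
# stack set's permission model. DRY_RUN=1 prints the command instead of running it.
set -eu

# Validate inputs before touching the API: a 12-digit account id, and for the
# service-managed model an OU id (ou-xxxx-xxxxxxxx) or the root id (r-xxxx).
valid_account() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }
valid_ou() { printf '%s' "$1" | grep -Eq '^(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}|r-[0-9a-z]{4,32})$'; }

# build_delete_args MODEL STACKSET ACCOUNT REGION [OU]
# Prints the arguments for 'aws cloudformation delete-stack-instances'.
build_delete_args() {
  model=$1; stackset=$2; account=$3; region=$4; ou=${5:-}
  valid_account "$account" || { echo "bad account id: $account" >&2; return 1; }
  case "$model" in
    self-managed)
      printf '%s' "--stack-set-name $stackset --accounts $account --regions $region --retain-stacks" ;;
    service-managed)
      # SERVICE_MANAGED stack sets only accept OU targets, so the single account
      # is selected by intersecting the OU (or root) with the account list.
      valid_ou "$ou" || { echo "service-managed needs an OU or root id" >&2; return 1; }
      printf '%s' "--stack-set-name $stackset --deployment-targets Accounts=$account,OrganizationalUnitIds=$ou,AccountFilterType=INTERSECTION --regions $region --retain-stacks" ;;
    *) echo "unknown permission model: $model" >&2; return 1 ;;
  esac
}

# delete_retained_instance MODEL STACKSET ACCOUNT REGION [OU]
# Starts the deletion, then polls the operation until it reaches a terminal state.
delete_retained_instance() {
  args=$(build_delete_args "$@") || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws cloudformation delete-stack-instances $args"; return 0
  fi
  # $args is intentionally unquoted so it splits into separate CLI arguments.
  op=$(aws cloudformation delete-stack-instances $args --query OperationId --output text)
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --stack-set-name "$2" \
      --operation-id "$op" --query StackSetOperation.Status --output text)
    case "$status" in
      SUCCEEDED) return 0 ;;
      FAILED|STOPPED) echo "operation $op ended with status $status" >&2; return 1 ;;
    esac
    sleep 10
  done
}
```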

Related information

Permission models for stack sets

StackSets status codes

AWS OFFICIAL, updated 5 months ago
4 Comments

The command example for the service-managed stacks is incomplete. The deployment-targets argument needs to include additional values otherwise it will throw an error:

An error occurred (ValidationError) when calling the DeleteStackInstances operation: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

The solution for me to target an individual account or list of accounts was as follows. It was helpful to look closely at the cli docs especially around what AccountFilterType could be set to to understand how to single out a single account here https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/delete-stack-instances.html:

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks

Side note: it would be really great to have a --dry-run option for this operation since there isn't a great way to "test" the deployment-targets parameter to make sure it's actually hitting the right things.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago

I have no idea about the OU of the account that has been suspended, I only have the account id. In this case what information should I input in OU?

replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 6 months ago