How do I retain some of my resources when I delete an AWS CloudFormation stack?


I want to delete a new or existing AWS CloudFormation stack, but I don’t want to delete all the stack's resources.

Short description

To keep certain resources when you delete a stack, use the DeletionPolicy attribute in your CloudFormation template.

Before you delete a stack, set the DeletionPolicy attribute (Retain, Snapshot, or Delete) on each resource whose fate you want to control:

  • The Retain option keeps the resource when the stack is deleted.
  • The Snapshot option creates a snapshot of the resource before that resource is deleted.
    Note: This option is available only for resources that support snapshots.
  • The Delete option deletes the resource along with the stack.
    Note: This option is the default outcome if you don't set a DeletionPolicy.

Resolution

The following steps show you how to use the Retain option for DeletionPolicy to prevent the deletion of resources during a CloudFormation stack deletion.

Specify the DeletionPolicy attributes in the AWS CloudFormation template

In your CloudFormation template, enter Retain as the DeletionPolicy for the resources that you want to keep. In the following example JSON and YAML templates, the Retain policy is specified for AWS::EC2::SecurityGroup resources.

JSON:

{
  "Description": "AWS CloudFormation DeletionPolicy demo",
  "Resources": {
    "SGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup1Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup1"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    },
    "SGroup2Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup2"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    }
  }
}

YAML:

Description: AWS CloudFormation DeletionPolicy demo
Resources:
  SGroup1:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup2:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup1Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup1
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
  SGroup2Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup2
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0

Upload your updated CloudFormation template

Complete the following steps:

  1. Open the AWS CloudFormation console.
  2. For a new stack, choose Create Stack. For an existing stack, select the stack that you want to update. Then, choose Update Stack.
  3. For Choose a template, select Upload a template to Amazon S3. Then, choose the CloudFormation template that you modified to include deletion policies.
  4. Choose Next.
  5. If you are creating a new stack, for Stack name, enter a name for your stack. Then, choose Next.
  6. On the Options page, select the appropriate options for your stack. Then, choose Next.
  7. Choose Create.

Test the DeletionPolicy attribute

Complete the following steps:

  1. Delete the AWS CloudFormation stack.

  2. Confirm that the resources with the Retain option for DeletionPolicy are still available after the stack deletion is complete. Use the Amazon Elastic Compute Cloud (Amazon EC2) console or the AWS Command Line Interface (AWS CLI) to check resources and their respective services.

    Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

    AWS CLI

    To delete the stack, run the following command:

    aws cloudformation delete-stack --stack-name myteststack

    Note: Replace myteststack with the name of your stack.

    Amazon EC2 console

    To verify that the resources associated with the Retain policy are still available after you deleted the stack, complete the following steps:

    1. Open the Amazon EC2 console.
    2. On the navigation pane, in the Network & Security section, choose Security Groups.
    3. Confirm that the security groups with the attached Retain policy are still available.
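As an added pre-deletion check (example code, not part of the original article): the script below parses the JSON form of a template like the one above, reports each resource's effective DeletionPolicy (Delete when none is set), and flags retained resources that reference resources still scheduled for deletion. The sample template is constructed for this example and deliberately omits Retain on SGroup2; only the standard library is used, so the YAML form with !Ref tags would need a separate loader.

```python
"""Audit the effective DeletionPolicy of each resource in a CloudFormation JSON template."""
import json

# Constructed sample (not the page's template): SGroup1 is retained, SGroup2 keeps the
# default Delete, so the retained SGroup2Ingress rule loses the group it belongs to.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup2": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup2Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
                       "Properties": {"GroupName": {"Ref": "SGroup2"}, "IpProtocol": "tcp",
                                      "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}},
}})

def _refs(node):
    """Yield logical IDs referenced through Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        att = node.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            yield att[0]
        elif isinstance(att, str):          # "Resource.Attribute" short form
            yield att.split(".")[0]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)

def effective_policies(template_json):
    """Map logical ID -> effective DeletionPolicy; Delete is the default when unset."""
    resources = json.loads(template_json)["Resources"]
    return {rid: res.get("DeletionPolicy", "Delete") for rid, res in resources.items()}

def retention_gaps(template_json):
    """Retained or snapshotted resources whose referenced resources will be deleted.
    DeletionPolicy is per resource, not transitive: a retained ingress rule on a
    group that is deleted disappears together with the group."""
    resources = json.loads(template_json)["Resources"]
    policies = effective_policies(template_json)
    gaps = {}
    for rid, res in resources.items():
        if policies[rid] == "Delete":
            continue
        doomed = sorted({d for d in _refs(res.get("Properties", {})) if policies.get(d) == "Delete"})
        if doomed:
            gaps[rid] = doomed
    return gaps
```

Resources listed as Retain stay in the account but leave CloudFormation management once the stack is gone, so this list is also the inventory to verify in the Amazon EC2 console and to clean up or re-import later.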

Related information

Creating a stack on the AWS CloudFormation console

How do I prevent the resources in my CloudFormation stack from getting deleted or updated?

AWS OFFICIAL
Updated 2 months ago