I want to delete a new or existing AWS CloudFormation stack, but I don’t want to delete all the stack's resources.
Short description
To keep certain resources when you delete a stack, use the DeletionPolicy attribute in your CloudFormation template.
Before you delete a stack, specify the Retain, Snapshot, or Delete option for each resource whose outcome you want to control:
- The Retain option keeps the resource in case there's a stack deletion.
- The Snapshot option creates a snapshot of the resource before that resource is deleted.
Note: This option is available only for resources that support snapshots.
- The Delete option deletes the resource along with the stack.
Note: This option is the default outcome if you don't set a DeletionPolicy.
Resolution
The following steps show you how to use the Retain option for DeletionPolicy to prevent the deletion of resources during a CloudFormation stack deletion.
Specify the DeletionPolicy attributes in the AWS CloudFormation template
In your CloudFormation template, enter Retain as the DeletionPolicy for the resources that you want to keep. In the following example JSON and YAML templates, the Retain policy is specified for AWS::EC2::SecurityGroup resources.
JSON:
{
  "Description": "AWS CloudFormation DeletionPolicy demo",
  "Resources": {
    "SGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup1Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup1"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    },
    "SGroup2Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup2"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    }
  }
}
YAML:
Description: AWS CloudFormation DeletionPolicy demo
Resources:
  SGroup1:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup2:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup1Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup1
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
  SGroup2Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup2
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
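Before you upload the template, it is worth checking which resources still carry the default Delete outcome, because any resource without an explicit DeletionPolicy is removed with the stack. The following script is an added example, not part of this article or an AWS tool: it reads a JSON template (the demo template above, plus a constructed LogBucket resource with no DeletionPolicy) and reports the effective policy of every resource and which ones a stack deletion would remove.

```python
import json

# Constructed input: the article's demo template (SGroup2 omitted for brevity) plus
# a hypothetical "LogBucket" resource with no DeletionPolicy, so the default applies.
TEMPLATE = """
{
  "Description": "AWS CloudFormation DeletionPolicy demo",
  "Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup1Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
                       "Properties": {"GroupName": {"Ref": "SGroup1"}, "IpProtocol": "tcp",
                                      "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
"""


def effective_deletion_policies(template_text):
    """Return {logical_id: (resource_type, policy)}.

    A missing DeletionPolicy means Delete (the CloudFormation default).  A policy
    that is not a plain string (for example an intrinsic function) cannot be
    resolved offline and is reported as "unresolved" for manual review.
    """
    resources = json.loads(template_text).get("Resources", {})
    result = {}
    for logical_id, body in resources.items():
        policy = body.get("DeletionPolicy", "Delete")
        if not isinstance(policy, str):
            policy = "unresolved"
        result[logical_id] = (body.get("Type", "<no Type>"), policy)
    return result


def resources_lost_on_delete(template_text):
    """Logical IDs whose effective policy is Delete, i.e. gone once the stack is deleted."""
    policies = effective_deletion_policies(template_text)
    return sorted(lid for lid, (_, policy) in policies.items() if policy == "Delete")


if __name__ == "__main__":
    for lid, (rtype, policy) in effective_deletion_policies(TEMPLATE).items():
        print(f"{lid:16} {rtype:34} {policy}")
    print("Removed by stack deletion:", resources_lost_on_delete(TEMPLATE))
```

Run the same check against your real template before the Upload step; any logical ID it lists under "Removed by stack deletion" needs Retain or Snapshot added if you want to keep it.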
Upload your updated CloudFormation template
Complete the following steps:
- Open the AWS CloudFormation console.
- For a new stack, choose Create Stack. For an existing stack, select the stack that you want to update. Then, choose Update Stack.
- For Choose a template, select Upload a template to Amazon S3. Then, choose the CloudFormation template that you modified to include deletion policies.
- Choose Next.
- If you are creating a new stack, for Stack name, enter a name for your stack. Then, choose Next.
- On the Options page, select the appropriate options for your stack. Then, choose Next.
- Choose Create.
Test the DeletionPolicy attribute
Complete the following steps:
- Delete the AWS CloudFormation stack.
- Confirm that the resources with the Retain option for DeletionPolicy are still available after the stack deletion is complete. Use the Amazon Elastic Compute Cloud (Amazon EC2) console or the AWS Command Line Interface (AWS CLI) to check resources and their respective services.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
AWS CLI
To delete the stack, run the following command:
aws cloudformation delete-stack --stack-name myteststack
Note: Replace myteststack with the name of your stack.
Amazon EC2 console
To verify that the resources associated with the Retain policy are still available after you deleted the stack, complete the following steps:
- Open the Amazon EC2 console.
- On the navigation pane, in the Network & Security section, choose Security Groups.
- Confirm that the security groups with the attached Retain policy are still available.
Related information
Creating a stack on the AWS CloudFormation console
How do I prevent the resources in my CloudFormation stack from getting deleted or updated?