What should I do when my Amazon ECS cluster fails to delete as part of an AWS CloudFormation stack?
My Amazon Elastic Container Service (Amazon ECS) cluster fails to delete.
An Amazon ECS cluster might fail to delete because of an issue with underlying resource dependencies. When an Amazon ECS cluster is created, AWS CloudFormation creates resources such as Auto Scaling groups, virtual private clouds (VPCs), and load balancers. These resources are associated with the cluster, and while they still exist they can prevent the deletion of the cluster. Other issues with AWS CloudFormation, such as missing IAM permissions, can also prevent the deletion of an Amazon ECS cluster.
Note: Clusters created through the console first-run experience (after November 24, 2015) or the cluster creation wizard have an underlying AWS CloudFormation stack. During the cluster deletion process, your stack EC2ContainerService-yourClusterName might run into the following errors:
"The vpc 'vpc-1234567' has dependencies and cannot be deleted"
"The security group sg-123456 failed to delete due to the error "resource sg-123456 has a dependent object""
"User: arn:aws:sts::1111222233334444:assumed-role/example-role/example-user is not authorized to perform: ecs:DeleteCluster on resource: arn:aws:ecs:Region:1111222233334444:cluster/example-cluster"
Cluster deletion fails, and the AWS CloudFormation stack moves to the DELETE_FAILED state.
3. On the Roles page, enter the IAM role that's specified in the error message. You can find the error message in CloudTrail Events by filtering for DeleteCluster API calls. Note: This is the IAM role or user that's trying to delete the Amazon ECS cluster.
4. Choose the IAM role or user.
5. Choose the Permissions tab.
Check whether the permissions policy includes the ecs:Delete* permission. The IAM role or user needs this permission to delete the ECS cluster.
If the permission is missing, grant the required access to the IAM user or role. For more information, see AmazonECS_FullAccess.
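The permissions check above is easy to get wrong by eye when the policy uses wildcards (ecs:Delete* covers ecs:DeleteCluster) or carries an explicit Deny scoped to some cluster ARNs. The following Python is an added example, not part of the article or of any AWS tool: it evaluates one identity-based policy document against an action and a resource ARN using the IAM rules that an explicit Deny always wins, that action names match case-insensitively, and that `*` and `?` are the only wildcards. The policy document is constructed for the example; it deliberately refuses statement elements it does not model (NotAction, Condition, and so on) rather than return a misleading decision, and it says nothing about SCPs, permission boundaries, or session policies, which also take part in the real decision.

```python
import json
import re

# Constructed sample policy (not from the article): a wildcard Allow for
# ecs:Delete* plus an explicit Deny scoped to production clusters.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:Describe*", "ecs:List*", "ecs:Delete*"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "ecs:DeleteCluster",
     "Resource": "arn:aws:ecs:us-east-1:111122223333:cluster/prod-*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most statement fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Decide action+resource against a single identity policy.

    Returns "Deny" (an explicit Deny matched), "Allow" (an Allow matched and
    no Deny did) or "ImplicitDeny" (no statement matched). Action names are
    compared case-insensitively; resource ARNs are compared case-sensitively.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        # Elements this toy evaluator does not model: fail loudly instead of
        # silently returning the wrong decision.
        for key in ("NotAction", "NotResource", "Condition", "Principal", "NotPrincipal"):
            if key in stmt:
                raise NotImplementedError(f"statement element {key!r} is not modelled")
        if not any(_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"      # an explicit Deny always wins, stop here
        if stmt.get("Effect") == "Allow":
            allowed = True     # keep scanning: a later Deny could still override


    return "Allow" if allowed else "ImplicitDeny"


def missing_actions(policy, required_actions, resource):
    """List the required actions that the policy does not allow on the resource."""
    return [a for a in required_actions if evaluate(policy, a, resource) != "Allow"]


if __name__ == "__main__":
    cluster = "arn:aws:ecs:us-east-1:111122223333:cluster/example-cluster"
    print(evaluate(SAMPLE_POLICY, "ecs:DeleteCluster", cluster))
    print(missing_actions(SAMPLE_POLICY,
                          ["ecs:DescribeClusters", "ecs:DeleteCluster", "ecs:CreateCluster"],
                          cluster))
```

Paste the inline or managed policy JSON from the Permissions tab into `SAMPLE_POLICY` and pass the cluster ARN from the error message; a result of "Deny" points at an explicit Deny statement that adding ecs:Delete* will not fix. For the authoritative answer across all policy types, use the IAM policy simulator rather than a local evaluator.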
Delete the cluster by skipping the resources with dependencies
2. To find the stack that failed, for Filter, choose Active, and then choose Failed.
3. Select the failed stack that won't delete.
4. Choose Actions, and then choose Delete Stack.
5. Select the check boxes next to the resources that failed to delete.
6. Choose Yes, Delete.
Important: If you can't delete a resource, but you still want to delete the stack, then choose to retain that resource. You can also retain resources by using the AWS CLI delete-stack command. Use the resource.
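Retaining resources from the CLI means naming each failed resource by its logical ID, and on a stack that has been through more than one delete attempt the event history contains both failed and later-successful events for the same resource. The following Python is an added example, not from the article or from the AWS CLI: it reads a document shaped like the output of `aws cloudformation describe-stack-events`, keeps only the latest event per logical ID, separates dependency failures (which can be retained) from authorization failures (which the permissions check earlier in the article fixes), and builds the argv for `aws cloudformation delete-stack` with its real `--retain-resources` option. The stack name, logical IDs and timestamps are constructed; the error strings reuse the ones quoted in the article.

```python
import json
from datetime import datetime

STACK_NAME = "EC2ContainerService-example-cluster"  # hypothetical stack name

# Constructed sample shaped like `aws cloudformation describe-stack-events`
# output (newest first, only the fields read here). It spans two delete
# attempts: the security group failed on the first and deleted on the second.
SAMPLE_EVENTS = json.loads("""
{"StackEvents": [
  {"Timestamp": "2024-05-01T10:06:00Z", "LogicalResourceId": "EC2ContainerService-example-cluster",
   "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "DELETE_FAILED",
   "ResourceStatusReason": "The following resource(s) failed to delete: [Vpc, EcsCluster]."},
  {"Timestamp": "2024-05-01T10:05:30Z", "LogicalResourceId": "Vpc",
   "ResourceType": "AWS::EC2::VPC", "ResourceStatus": "DELETE_FAILED",
   "ResourceStatusReason": "The vpc 'vpc-1234567' has dependencies and cannot be deleted"},
  {"Timestamp": "2024-05-01T10:05:00Z", "LogicalResourceId": "EcsCluster",
   "ResourceType": "AWS::ECS::Cluster", "ResourceStatus": "DELETE_FAILED",
   "ResourceStatusReason": "User: arn:aws:sts::111122223333:assumed-role/example-role/example-user is not authorized to perform: ecs:DeleteCluster"},
  {"Timestamp": "2024-05-01T10:04:00Z", "LogicalResourceId": "EcsSecurityGroup",
   "ResourceType": "AWS::EC2::SecurityGroup", "ResourceStatus": "DELETE_COMPLETE"},
  {"Timestamp": "2024-05-01T10:02:00Z", "LogicalResourceId": "EcsSecurityGroup",
   "ResourceType": "AWS::EC2::SecurityGroup", "ResourceStatus": "DELETE_FAILED",
   "ResourceStatusReason": "resource sg-123456 has a dependent object"},
  {"Timestamp": "2024-05-01T10:01:00Z", "LogicalResourceId": "EcsInstanceAsg",
   "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "ResourceStatus": "DELETE_COMPLETE"}
]}
""")


def _ts(event):
    # datetime.fromisoformat on Python 3.8-3.10 rejects a trailing 'Z'
    return datetime.fromisoformat(event["Timestamp"].replace("Z", "+00:00"))


def failed_resources(events_doc, stack_name):
    """Map logical ID -> reason for resources whose LATEST status is DELETE_FAILED."""
    latest = {}
    for ev in events_doc["StackEvents"]:
        # Stack-level events describe the operation, not a retainable resource
        if ev["ResourceType"] == "AWS::CloudFormation::Stack" and ev["LogicalResourceId"] == stack_name:
            continue
        lid = ev["LogicalResourceId"]
        if lid not in latest or _ts(ev) > _ts(latest[lid]):
            latest[lid] = ev
    return {lid: ev.get("ResourceStatusReason", "")
            for lid, ev in sorted(latest.items())
            if ev["ResourceStatus"] == "DELETE_FAILED"}


def triage(events_doc, stack_name):
    """Split failures into (retain, fix_iam): an authorization error is better
    fixed by granting the permission than by leaving the resource behind."""
    retain, fix_iam = [], []
    for lid, reason in failed_resources(events_doc, stack_name).items():
        (fix_iam if "is not authorized to perform" in reason else retain).append(lid)
    return retain, fix_iam


def delete_stack_command(stack_name, retain_ids):
    """argv for delete-stack with --retain-resources (valid only in DELETE_FAILED)."""
    if not retain_ids:
        raise ValueError("nothing to retain: --retain-resources needs at least one logical ID")
    return ["aws", "cloudformation", "delete-stack", "--stack-name", stack_name,
            "--retain-resources", *retain_ids]


if __name__ == "__main__":
    retain, fix_iam = triage(SAMPLE_EVENTS, STACK_NAME)
    print("fix permissions first for:", fix_iam)
    print(" ".join(delete_stack_command(STACK_NAME, retain)))
```

Feed it the real output of `aws cloudformation describe-stack-events --stack-name <stack>` and run the printed command only after the authorization failures have been dealt with; a retained resource keeps existing and keeps costing money, and a VPC retained because of a dependency still has to be cleaned up by hand along with whatever ENI, security group or endpoint was holding it.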