
What do I do when my Amazon ECS cluster fails to delete as part of an AWS CloudFormation stack?


My Amazon Elastic Container Service (Amazon ECS) cluster fails to delete.

Short description

An Amazon ECS cluster might fail to delete because of an issue with resource dependencies. When you create an ECS cluster, AWS CloudFormation associates resources with the cluster, such as Auto Scaling groups, virtual private clouds (VPCs), and load balancers. These resources and other issues with AWS CloudFormation can prevent the deletion of the cluster.

If you used the ECS console after November 24, 2015 or the Create Cluster wizard to create your cluster, then the cluster has a CloudFormation stack. When you're deleting your cluster, you might experience the following errors with your EC2ContainerService-yourClusterName stack:

  • "The vpc 'vpc-1234567' has dependencies and cannot be deleted"
  • "The security group sg-123456 failed to delete due to the error 'resource sg-123456 has a dependent object'"
  • "User: arn:aws:sts::1111222233334444:assumed-role/example-role/example-user is not authorized to perform: ecs:DeleteCluster on resource: arn:aws:ecs:Region:1111222233334444:cluster/example-cluster"

Because of the preceding errors, cluster deletion fails and the CloudFormation stack moves to the DELETE_FAILED state.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Verify the IAM permissions

Complete the following steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose Roles.
  3. On the Roles page, enter the IAM role that's specified in the error message. To check the error message from the AWS CloudTrail Event history page, filter for the DeleteCluster API calls.
    Note: The IAM entity that makes the API call is the entity that's trying to delete the Amazon ECS cluster.
  4. Choose the IAM entity.
  5. Choose the Permissions tab.
  6. Check whether the permissions policy contains the required ecs:Delete* permission. If the permission is missing, then grant AmazonECS_FullAccess to the IAM entity.

Skip the resources with dependencies to delete the cluster

Complete the following steps:

  1. Open the CloudFormation console.
  2. For Filter, choose Active, and then choose Failed.
  3. Select the failed stack.
  4. Choose Actions, and then choose Delete Stack.
  5. Select the resources that failed to delete.
  6. Choose Yes, Delete.
    Important: If you can't delete a resource but you want to delete the stack, then choose Retain. You can also use the AWS CLI delete-stack command to retain resources.
  7. Delete the ECS cluster.

Delete the retained resources

The following examples show you how to delete resources that are commonly associated with the CloudFormation stack.

Security group dependency

In the following example, the inbound or outbound rules of one security group refer to other security groups, so you can't delete your cluster.

To clear security group dependencies, complete the following steps:

  1. Run the describe-security-groups command to find the associated security groups:
    aws ec2 describe-security-groups --filters Name=ip-permission.group-id,Values=sg-xxxxxxxxx --region us-east-1 | jq '.SecurityGroups[].GroupId'
    Note: Replace sg-xxxxxxxxx with the ID of the security group that you want to delete. jq is a command line JSON processor.
  2. Clear the dependencies for the security group that you want to delete.
  3. Delete the security group resource.
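
The following script is an added example, not part of this article or the AWS CLI. It runs the same dependency check as the describe-security-groups command above over a saved JSON response, but also inspects egress rules (the ip-permission.group-id filter matches only inbound rules), and it generates the revoke commands that clear just the rule entries pointing at the group you want to delete. The sample response and the group IDs in it are constructed.

```python
import json
import shlex

# Constructed sample (not real account data): a trimmed `aws ec2 describe-security-groups`
# response in which the ECS instance group and the load balancer group reference each other.
SAMPLE_RESPONSE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "ecs-instances",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 61000,
                        "UserIdGroupPairs": [{"GroupId": "sg-0bbb", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "ecs-alb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 61000,
                              "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111122223333"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "unrelated", "IpPermissions": [], "IpPermissionsEgress": []},
]})

DIRECTIONS = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))

def find_sg_references(response_json, target_sg):
    """Map each group whose rules name target_sg to a list of (direction, rule).
    Both inbound and outbound rules are checked, because either one is a
    dependency that blocks deletion of target_sg."""
    refs = {}
    for sg in json.loads(response_json)["SecurityGroups"]:
        for direction, key in DIRECTIONS:
            for rule in sg.get(key, []):
                if any(p.get("GroupId") == target_sg for p in rule.get("UserIdGroupPairs", [])):
                    refs.setdefault(sg["GroupId"], []).append((direction, rule))
    return refs

def revoke_commands(response_json, target_sg):
    """Build the AWS CLI commands that remove only the rule entries pointing at
    target_sg, leaving the other entries of each referencing group untouched."""
    cmds = []
    for group_id, hits in find_sg_references(response_json, target_sg).items():
        for direction, rule in hits:
            # Keep protocol and port range, narrow the group pairs to the target group.
            narrowed = {k: v for k, v in rule.items() if k in ("IpProtocol", "FromPort", "ToPort")}
            narrowed["UserIdGroupPairs"] = [p for p in rule["UserIdGroupPairs"]
                                            if p.get("GroupId") == target_sg]
            cmds.append(f"aws ec2 revoke-security-group-{direction} --group-id {group_id} "
                        f"--ip-permissions {shlex.quote(json.dumps([narrowed]))}")
    return cmds

if __name__ == "__main__":
    for cmd in revoke_commands(SAMPLE_RESPONSE, "sg-0aaa"):
        print(cmd)
```

Review the printed commands before running them; with a real response, feed the script the output of describe-security-groups for the cluster's VPC instead of SAMPLE_RESPONSE.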

VPC dependency

Common VPC dependencies include internet gateways, subnets, and Amazon Elastic Compute Cloud (Amazon EC2) instances.

To clear VPC dependencies, complete the following steps:

  1. Run the describe-subnets command to identify the dependent resources of your VPC:
    aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-########" --region RegionId | grep SubnetId
    Note: Replace vpc-######## with your VPC ID and RegionId with your AWS Region ID. You can run similar describe-* commands for other dependencies, such as describe-internet-gateways and describe-instances.
  2. Clear the dependencies for the VPC that you want to delete.
  3. Delete the VPC.

For more information, see I tried to delete my Amazon VPC, but I received a dependency error. How can I delete my Amazon VPC?

Related information

Delete stack fails

AWS OFFICIAL. Updated 25 days ago.