- Newest
- Most votes
- Most comments
I received a very helpful and enlightening reply from AWS tech support. The answer has been edited for brevity.
tl;dr:
. CloudTrail is a useful diagnostic tool for popping under the hood of CloudFormation
. CloudFormation doesn't always get it right! It assumed control of a resource it did not create
. the erroneous stack could be deleted without removing the existing resource
. AWS tech support is quite good
Embedded stack was not successfully deleted: The following resource(s) failed to delete: InternetGatewayAttachment.
As one of the child stacks failed with the error “TemplateURL must be an Amazon S3 URL.” due to which the parent stack rolled back but then the child stack delete failed with the following error:
Network vpc-xxxxxxxx has some mapped public address(es). Please unmap those public address(es) before detaching the gateway. (Service: AmazonEC2; Status Code: 400; Error Code: DependencyViolation; Request ID: 0a790e5d-41d0-4c2f-9580-84eb81058b2a)
On reviewing the stack I could see that you are attaching the Internet Gateway with the VPC (vpc-xxxxxxxx) but it was already attached manually.
From the cloud trail, I could observe that when cloudformation tried to attach it, it gave the following error at “2020-06-03T07:03:03 UTC"
_"eventTime": "2020-06-03T07:03:03Z",_
_"eventSource": "ec2.amazonaws.com",_
_"eventName": "AttachInternetGateway",_
_"awsRegion": "ap-southeast-2",_
_"sourceIPAddress": "cloudformation.amazonaws.com",_
_"userAgent": "cloudformation.amazonaws.com",_
_"errorCode": "Client.Resource.AlreadyAssociated",_
_"errorMessage": "resource igw-xxxxxxxx is already attached to network vpc-xxxxxxxx”_
But the stack didn’t fail at that point and moved ahead with the creation of the other resources.
To understand the logic behind this behavior, I examined the internal CloudFormation Service Code logic and discovered that it works in the following way: - Tries to attach an Internet Gateway to a VPC - If there is an error other than "Client.Resource.AlreadyAssociated", it will throw an error.
If it encounters the "Client.Resource.AlreadyAssociated" error, it will ignore the error and proceed to create a physical ID for the association (like prod-Attac-1F371BGBSXSSL) This logic seem to hold true for Internet Gateway and VPN Gateway resources according to the part of the CloudFormation I reviewed.
That said, I have not seen any other CloudFormation resources with similar logic where such errors are ignored and, therefore, I would suggest doing a Stack recreation as a best practice in this case.
Now coming to the error:
"Network vpc-xxxxxxxx has some mapped public address(es). Please unmap those public address(es) before detaching the gateway. (Service: AmazonEC2; Status Code: 400; Error Code: DependencyViolation; Request ID: 0a790e5d-41d0-4c2f-9580-84eb81058b2a)”.
The cloud formation has the “VPCGatewayAttachment" as the resource in its template, and so on deletion it will try to detach it. But as there were resources which are dependent on it and not a part of the cloudformation template, it was unable to detach it and failed with the error in concern.
To delete the stack while retaining the InternetGatewayAttachment resource (will skip that and delete the rest), complete the following steps:
- Open the AWS CloudFormation console.
- Choose the stack that's stuck in the DELETE_FAILED status.
- Choose Delete. A pop-up window opens and lists the resources that failed to delete.
- In the pop-up window, select all the resources (in your case it will the InternetGatewayAttachment) that you want to retain, and then choose Delete stack.
The AWS CloudFormation stack tries to delete the stack again, but doesn't delete any of the resources (in your case it will be InternetGatewayAttachment ) that you selected to retain. The status of your stack should change to DELETE_COMPLETE.
Relevant content
- Accepted Answerasked a year ago
- Accepted Answerasked 3 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago