Why do I get the "Stackset is not empty" error when I try to delete my stack set in CloudFormation?
I want to delete my stack set in AWS CloudFormation.
Short description
To delete the stack set, you must first delete all stack instances that were created in the stack set. Deletion depends on the permissions model that the stack set uses. The permissions might be self-managed or service-managed within AWS Organizations.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.
Use the following steps to delete the stack set.
Delete the stack instance
Choose one of the following options to delete a stack set instance:
Use the AWS Management Console to delete stack instances.
-or-
Use the AWS CLI to delete stack instances.
Delete a stack set
After you delete the stack instances associated with the selected stack set, delete the stack set.
Choose one of the following options to delete a stack set:
Use the AWS Management Console to delete stack instances.
-or-
Use the AWS CLI to delete a stack set.
Delete stack instances from a closed or suspended AWS account
If an AWS account is closed or suspended, then the CloudFormation StackSets administration role can't access the StackSets admin role ARN for that account. If you try to delete a stack instance in a closed or suspended account, you might get an error message. Then, the stack instance status changes to INOPERABLE.
To delete stack instances for closed or suspended accounts, perform the DeleteStackInstances operation with the RetainStacks option set to True. This decouples the stack instance from the stack set but doesn't delete the stack instance in the target account.
Use the AWS Management Console to delete stack instances from a closed or suspended account
- Open the CloudFormation console.
- From the navigation pane, choose StackSets.
- From the StackSet name column, select the stack set that contains the instance that you want to delete.
- Choose Actions, and then choose Delete stacks from StackSets.
- On the Set deployment options page, choose the following depending on your permissions model:
For self-managed permissions
For Account numbers, enter the 12-digit account number of the AWS account that's closed or suspended.
For service-managed permissions
For Organizational units, enter the IDs of the OUs that your stack set targets.
- (Optional) Select account filter type. Use this option to perform a delete operation on specific individual accounts in OUs rather than delete the entire OUs. Enter target account numbers, separated by commas, in the text box.
- In the Specify Regions section, choose the AWS Region of your stack instance.
- In the Deployment options section, turn on the Retain stacks option, and then choose Next.
- On the Review page, choose Submit.
Use the AWS CLI to delete stack instances from a closed or suspended account
Depending on what Permission Model your StackSet is set to, choose the appropriate option below.
For self-managed permissions
$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --accounts '["YourStackInstanceAccount"]' --regions '["YourStackInstanceRegion"]' --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 --retain-stacks
Note: Replace YourStackSetName with the name of your stack set. Replace YourStackInstanceAccount with the AWS account number where the stack instance is located. Replace YourStackInstanceRegion with the Region where the stack instance is located.
For service-managed permissions
$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets OrganizationalUnitIds='["YourOUId1","YourOUId2"]' --regions '["YourStackInstanceRegion"]' --retain-stacks
Note: Replace YourStackSetName with the name of your stack set. Replace YourOUId1 and YourOUId2 with the Organizational Unit Ids where the stack instances are located. Replace YourStackInstanceRegion with the Region where the stack instance is located.
For a delegated administrator
When you act as a delegated administrator, you must add the --call-as parameter to DELEGATED_ADMIN in the previous commands.
$ --call-as DELEGATED_ADMIN
Related information
The command example for the service-managed stacks is incomplete. The deployment-targets argument needs to include additional values otherwise it will throw an error:
An error occurred (ValidationError) when calling the DeleteStackInstances operation: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target
The solution for me to target an individual account or list of accounts was as follows. It was helpful to look closely at the cli docs especially around what AccountFilterType could be set to to understand how to single out a single account here https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/delete-stack-instances.html:
$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks
Side note: it would be really great to have a --dry-run option for this operation since there isn't a great way to "test" the deployment-targets parameter to make sure it's actually hitting the right things.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked a year ago
- asked 2 years ago
- asked 9 months ago
- Accepted Answerasked 2 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 2 months ago
