I want to delete an AWS CloudFormation stack but I don’t want to remove all its resources. What can I do to keep some of the resources in the stack?

To retain certain resources when deleting a stack, you can use DeletionPolicy attributes in your CloudFormation template (JSON or YAML). For more detailed information, see DeletionPolicy Attribute.

DeletionPolicy options include:

  • Retain: You retain the resource in the event of a stack deletion.
  • Snapshot: You get a snapshot of the resource before it’s deleted. This option is available only for resources that support snapshots.
  • Delete: You delete the resource along with the stack. This is the default outcome if you don’t set a DeletionPolicy.

To keep or copy resources when you delete a stack, you can specify either the Retain or Snapshot policy options.

This resolution demonstrates how you can use the Retain policy to prevent the removal of security groups during the deletion of a CloudFormation stack. The procedure uses the JSON-formatted template shown below, but you can also use the YAML format to specify DeletionPolicy attributes.

Specify the DeletionPolicy attributes in the CloudFormation template

In the CloudFormation template, enter Retain as the DeletionPolicy for the resources you want to keep when the stack is deleted. In the following example template, the Retain policy is specified for security groups.

{
	"Description" : "AWS CloudFormation DeletionPolicy demo",
	"Resources" : {
		"SGroup1" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"DeletionPolicy" : "Retain",
			"Properties" : {
				"GroupDescription" : "EC2 Instance access"
			}
		},
		"SGroup2" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"DeletionPolicy" : "Retain",
			"Properties" : {
				"GroupDescription" : "EC2 Instance access"
			}
		},
		"SGroup1Ingress" : {
			"Type" : "AWS::EC2::SecurityGroupIngress",
			"DeletionPolicy" : "Retain",
			"Properties" : {
				"GroupName" : { "Ref" : "SGroup1" },
				"IpProtocol" : "tcp",
				"ToPort" : "80",
				"FromPort" : "80",
				"CidrIp" : "0.0.0.0/0"
			}
		},
		"SGroup2Ingress" : {
			"Type" : "AWS::EC2::SecurityGroupIngress",
			"DeletionPolicy" : "Retain",
			"Properties" : {
				"GroupName" : { "Ref" : "SGroup2" },
				"IpProtocol" : "tcp",
				"ToPort" : "80",
				"FromPort" : "80",
				"CidrIp" : "0.0.0.0/0"
			}
		}
	}
}

Upload the CloudFormation template

  1. Open the AWS CloudFormation console.
  2. Choose Create Stack.
  3. For Choose a template, select Upload a template to Amazon S3 and choose the CloudFormation template you modified to include deletion policies.
  4. Choose Next.
  5. For Stack name, enter the name for your CloudFormation stack, then choose Next.
  6. For Options, leave all values as default and choose Next. Optionally, you can customize the Tags, Permissions, and Advanced options for your stack.
  7. On the Review page, choose Create.

Verify the DeletionPolicy attribute

To test the DeletionPolicy attribute, delete the CloudFormation stack and confirm whether the resources with the Retain policy are still available after the stack deletion is complete.

For the example template in this resolution, you can verify the success of the Retain policy by following these steps after you've deleted the CloudFormation stack.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Security Groups.
  3. Confirm that the security groups with the Retain policy are still available.
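To know in advance which resources to look for in these steps, you can read the DeletionPolicy of every resource straight from the template before deleting the stack. The following Python sketch is an added example, not part of the original article: it reports the policy that applies to each resource and lists retained ingress rules that accept traffic from any address, since those rules stay in place once the stack no longer manages them. The sample template is constructed from the one above, and SGroup3 is a hypothetical resource added to show the default.

```python
import json

# Constructed sample: SGroup1 and SGroup1Ingress from the template above, plus a
# hypothetical SGroup3 that sets no DeletionPolicy.
TEMPLATE = """
{
  "Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup1Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
                       "Properties": {"GroupName": {"Ref": "SGroup1"}, "IpProtocol": "tcp",
                                      "ToPort": "80", "FromPort": "80", "CidrIp": "0.0.0.0/0"}},
    "SGroup3": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"GroupDescription": "temporary"}}
  }
}
"""

# A tuple, so values that are intrinsic functions (dicts) can be compared safely.
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def deletion_outcomes(template_text):
    """Map each logical ID to the DeletionPolicy that applies on stack deletion."""
    resources = json.loads(template_text).get("Resources", {})
    # No DeletionPolicy means Delete, the default stated in the options list above.
    return {lid: res.get("DeletionPolicy", "Delete") for lid, res in resources.items()}


def retained_open_ingress(template_text):
    """Retained ingress rules that admit any source, as (logical_id, port range)."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for lid, res in resources.items():
        if res.get("DeletionPolicy") != "Retain":
            continue
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])  # inline rules on the group
        else:
            continue
        for rule in rules:
            if rule.get("CidrIp") in ANY_SOURCE or rule.get("CidrIpv6") in ANY_SOURCE:
                findings.append((lid, f"{rule.get('FromPort')}-{rule.get('ToPort')}"))
    return findings


if __name__ == "__main__":
    for lid, policy in deletion_outcomes(TEMPLATE).items():
        print(f"{policy:8} {lid}")
    for lid, ports in retained_open_ingress(TEMPLATE):
        print(f"open after stack deletion: {lid} ports {ports} from any address")
```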

Published: 2017-11-15