How do I retain some of my resources when I delete an AWS CloudFormation stack?

Last updated: 2019-07-08

I want to delete a new or existing AWS CloudFormation stack, but I don’t want to remove all the stack's resources. How can I keep some of the resources in the stack?

Short Description

To keep certain resources when you delete a stack, use the DeletionPolicy attribute in your AWS CloudFormation template.

Before you delete a stack, set the DeletionPolicy of each resource to one of the Retain, Snapshot, or Delete options:

  • The Retain option keeps the resource in the event of a stack deletion.
  • The Snapshot option creates a snapshot of the resource before that resource is deleted.
    Note: This option is available only for resources that support snapshots.
  • The Delete option deletes the resource along with the stack.
    Note: This option is the default outcome if you don’t set a DeletionPolicy.

Resolution

The following steps show you how to use the Retain policy to prevent the removal of security groups during the deletion of an AWS CloudFormation stack.

Specify the DeletionPolicy attributes in the AWS CloudFormation template

In your AWS CloudFormation template, enter Retain as the DeletionPolicy for the resources that you want to keep when the stack is deleted. In the following example JSON and YAML template snippets, the Retain policy is specified for security groups.

JSON:

{
  "Description": "AWS CloudFormation DeletionPolicy demo",
  "Resources": {
    "SGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "EC2 Instance access"
      }
    },
    "SGroup1Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup1"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    },
    "SGroup2Ingress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupName": {
          "Ref": "SGroup2"
        },
        "IpProtocol": "tcp",
        "ToPort": "80",
        "FromPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    }
  }
}

YAML:

Description: AWS CloudFormation DeletionPolicy demo
Resources:
  SGroup1:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup2:
    Type: 'AWS::EC2::SecurityGroup'
    DeletionPolicy: Retain
    Properties:
      GroupDescription: EC2 Instance access
  SGroup1Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup1
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
  SGroup2Ingress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    DeletionPolicy: Retain
    Properties:
      GroupName: !Ref SGroup2
      IpProtocol: tcp
      ToPort: '80'
      FromPort: '80'
      CidrIp: 0.0.0.0/0
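
As an added example that is not part of the original article, the following Python script audits a template's DeletionPolicy values before the stack is deleted: it lists which resources survive, which fall to the default Delete, and flags a Snapshot policy on a type that does not support it or a retained ingress rule whose parent security group is not retained. The set of snapshot-capable types is taken from the CloudFormation documentation and is an assumption of this example, as is the constructed template variant it runs on.

```python
import json

# Constructed variant of the page's JSON template: SGroup2 has no DeletionPolicy, so the
# default (Delete) applies to it, while its ingress rule is still marked Retain.
TEMPLATE = json.loads("""{
  "Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup2": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"GroupDescription": "EC2 Instance access"}},
    "SGroup1Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
      "Properties": {"GroupName": {"Ref": "SGroup1"}, "IpProtocol": "tcp",
                     "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}},
    "SGroup2Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "DeletionPolicy": "Retain",
      "Properties": {"GroupName": {"Ref": "SGroup2"}, "IpProtocol": "tcp",
                     "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}}
  }
}""")

VALID_POLICIES = {"Retain", "Snapshot", "Delete"}
# Types that accept Snapshot (from the CloudFormation docs; an assumption, not on the page).
SNAPSHOT_TYPES = {"AWS::EC2::Volume", "AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
                  "AWS::Redshift::Cluster", "AWS::ElastiCache::CacheCluster",
                  "AWS::ElastiCache::ReplicationGroup", "AWS::Neptune::DBCluster"}

def audit_deletion_policies(template):
    """Return (kept, removed, warnings): logical IDs that survive stack deletion
    (Retain/Snapshot), IDs that are removed (explicit or default Delete), and
    template problems to fix before deleting the stack."""
    resources = template.get("Resources", {})
    kept, removed, warnings = [], [], []
    for name, res in resources.items():
        policy = res.get("DeletionPolicy", "Delete")  # Delete is the default when unset
        rtype = res.get("Type", "")
        if policy not in VALID_POLICIES:
            warnings.append(f"{name}: invalid DeletionPolicy {policy!r}")
            continue
        if policy == "Snapshot" and rtype not in SNAPSHOT_TYPES:
            warnings.append(f"{name}: Snapshot is not supported for {rtype}")
        (removed if policy == "Delete" else kept).append(name)
        if rtype == "AWS::EC2::SecurityGroupIngress" and policy == "Retain":
            props = res.get("Properties", {})
            group = props.get("GroupName", props.get("GroupId", {}))
            target = group.get("Ref") if isinstance(group, dict) else None
            if target in resources and resources[target].get("DeletionPolicy", "Delete") == "Delete":
                warnings.append(f"{name}: retained rule belongs to {target}, which is not retained")
            if props.get("CidrIp") == "0.0.0.0/0":
                warnings.append(f"{name}: world-open rule outlives the stack; keep it inventoried")
    return kept, removed, warnings
```

Resources that survive a deletion are no longer tracked by CloudFormation, so the audit output doubles as the list of resources you must manage by hand afterwards.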

Upload your updated AWS CloudFormation template

  1. Open the AWS CloudFormation console.
  2. Choose Create Stack.
  3. For Choose a template, select Upload a template to Amazon S3, and then choose the AWS CloudFormation template that you modified to include deletion policies.
  4. Choose Next.
  5. For Stack name, enter a name for your stack, and then choose Next.
  6. On the Options page, choose the appropriate options for your stack, and then choose Next.
  7. Choose Create.

Test the DeletionPolicy attribute

  1. Delete the AWS CloudFormation stack.
  2. Confirm that the resources with the Retain policy are still available after the stack deletion is complete.

For the example template snippet in this resolution, you can verify the success of the Retain policy by following these steps after you've deleted the AWS CloudFormation stack.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, in the Network & Security section, choose Security Groups.
  3. Confirm that the security groups with the Retain policy are still available.