What should I do when my Amazon ECS cluster fails to delete as part of an AWS CloudFormation stack?

Last updated: 2019-08-22

My Amazon Elastic Container Service (Amazon ECS) cluster fails to delete. How can I delete my cluster?

Short Description

Your ECS cluster can fail to delete due to an issue with underlying resource dependencies. When an ECS cluster is created, AWS CloudFormation creates resources such as Auto Scaling groups, VPCs, or load balancers. These resources are associated with your cluster, and their presence can prevent the deletion of your ECS cluster. Other issues with AWS CloudFormation can also prevent the deletion of your cluster.

Note: If your cluster was created through the console first-run experience (after November 24, 2015) or the cluster creation wizard, then your cluster has an underlying AWS CloudFormation stack. During the cluster deletion process, your stack EC2ContainerService-yourClusterName can run into the following errors:

  • "The vpc 'vpc-1234567' has dependencies and cannot be deleted"
  • "The security group sg-123456 failed to delete due to the error 'resource sg-123456 has a dependent object'"

Cluster deletion fails, and the AWS CloudFormation stack moves to the DELETE_FAILED state.

If you can't delete your ECS cluster, complete the following steps.

Resolution

Delete the cluster by skipping the resources with dependencies

1.    Open the AWS CloudFormation console.

2.    To find the stack that failed, for Filter, choose Active, and then choose Failed.

3.    Select the failed stack that won't delete.

4.    Choose Actions, and then choose Delete Stack.

5.    Select the check boxes next to the resources that failed to delete.

6.    Choose Yes, Delete.

Important: If you can't delete a resource, but you still want to delete the stack, then choose to retain that resource. You can also retain resources by using the AWS Command Line Interface (AWS CLI) delete-stack command. Use the --retain-resources flag to specify the logical ID for the resource.

7.    Delete the ECS cluster.

Delete the retained resources

The following examples show you how to delete resources that are commonly associated with the underlying AWS CloudFormation stack.

Security group dependency example:

In this example, the ingress or egress rules of one security group refer to another security group or groups.

1.    To find security groups associated with the security group that you want to delete, run the following AWS CLI command:

aws ec2 describe-security-groups --filters "Name=ip-permission.group-id,Values=sg-xxxxxxxxx" --region us-east-1 | jq '.SecurityGroups[].GroupId'

Note: The ingress or egress rules of one security group commonly refer to another security group or groups. This dependency can prevent the deletion of your cluster. jq is a command-line JSON processor.

2.    Clear the dependencies for the security group that you want to delete.

3.    Delete the security group resource.
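
Step 2 does not say which rules to clear. The following added example (not part of the original article) reads the JSON that describe-security-groups returns without a filter, lists every rule in another group, inbound or outbound, that references the group you want to delete, and renders the matching revoke-security-group-ingress and revoke-security-group-egress commands for review. The sample JSON and the ID sg-target00 are constructed, and the rules are assumed to reference a group in the same account.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups` output (placeholder IDs).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-aaaa1111", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "UserIdGroupPairs": [{"GroupId": "sg-target00"}, {"GroupId": "sg-bbbb2222"}]}]},
  {"GroupId": "sg-bbbb2222", "IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-target00"}]}]},
  {"GroupId": "sg-target00", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [{"GroupId": "sg-aaaa1111"}, {"GroupId": "sg-target00"}]}]}
]}
""")

DIRECTIONS = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))

def find_references(described, target):
    """Return (owner_group, direction, minimal_rule) for rules in other groups that name target."""
    refs = []
    for group in described["SecurityGroups"]:
        if group["GroupId"] == target:
            continue  # the target's own rules are removed together with the group
        for direction, key in DIRECTIONS:
            for rule in group.get(key, []):
                pairs = rule.get("UserIdGroupPairs", [])
                if not any(p.get("GroupId") == target for p in pairs):
                    continue
                # Keep protocol/ports and only the pair naming the target, so other
                # sources or destinations in the same rule are left in place.
                minimal = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
                minimal["UserIdGroupPairs"] = [{"GroupId": target}]
                refs.append((group["GroupId"], direction, minimal))
    return refs

def revoke_commands(refs, region):
    """Render one AWS CLI revoke command per reference; review before running."""
    return [
        f"aws ec2 revoke-security-group-{direction} --group-id {owner} "
        f"--region {region} --ip-permissions '{json.dumps([rule])}'"
        for owner, direction, rule in refs
    ]

if __name__ == "__main__":
    for cmd in revoke_commands(find_references(SAMPLE, "sg-target00"), "us-east-1"):
        print(cmd)
```

The ip-permission.group-id filter in step 1 matches inbound rules only; the outbound equivalent is egress.ip-permission.group-id, which is why this example scans both rule lists.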

VPC dependency example:

Note: Common VPC dependencies include InternetGatewayId, SubnetId, or InstanceId.

1.    To identify the dependent resources of your VPC, run the following AWS CLI command:

aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-xxxxxxxx" --region us-east-1 | grep SubnetId

Note: To use this command, enter your VPC value and AWS Region. You can run similar describe-* commands for other dependencies.

2.    Clear the dependencies for the VPC that you want to delete.

3.    Delete the VPC.

