What should I do when my Amazon ECS cluster fails to delete as part of an AWS CloudFormation stack?
Last updated: 2019-08-22
My Amazon Elastic Container Service (Amazon ECS) cluster fails to delete. How can I delete my cluster?
Your ECS cluster can fail to delete due to an issue with underlying resource dependencies. When an ECS cluster is created, AWS CloudFormation creates resources such as Auto Scaling groups, VPCs, or load balancers. These resources are associated with your cluster, and their presence can prevent the deletion of your ECS cluster. Other issues with AWS CloudFormation can also prevent the deletion of your cluster.
Note: If your cluster was created through the console first-run experience (after November 24, 2015) or the cluster creation wizard, then your cluster has an underlying AWS CloudFormation stack. During the cluster deletion process, your stack EC2ContainerService-yourClusterName can run into the following errors:
- "The vpc 'vpc-1234567' has dependencies and cannot be deleted"
- "The security group sg-123456 failed to delete due to the error 'resource sg-123456 has a dependent object'"
Cluster deletion fails, and the AWS CloudFormation stack moves to the DELETE_FAILED state.
If you can't delete your ECS cluster, complete the following steps.
Delete the cluster by skipping the resources with dependencies
1. Open the AWS CloudFormation console.
2. To find the stack that failed, for Filter, choose Active, and then choose Failed.
3. Select the failed stack that won't delete.
4. Choose Actions, and then choose Delete Stack.
5. Select the check boxes next to the resources that failed to delete.
6. Choose Yes, Delete.
Important: If you can't delete a resource, but you still want to delete the stack, then choose to retain that resource. You can also retain resources by using the AWS Command Line Interface (AWS CLI) delete-stack command. Use the --retain-resources flag to specify the logical ID for the resource.
Delete the retained resources
The following examples show you how to delete resources that are commonly associated with the underlying AWS CloudFormation stack.
Security group dependency example:
In this example, the ingress or egress rules of one security group refer to another security group or groups.
1. To find security groups associated with the security group that you want to delete, run the following AWS CLI command:
aws ec2 describe-security-groups --filters "Name=ip-permission.group-id,Values=sg-xxxxxxxxx" --region us-east-1 | jq '.SecurityGroups[].GroupId'
Note: The ingress or egress rules of one security group commonly refer to another security group or groups. This dependency can prevent the deletion of your cluster. jq is a command-line JSON processor.
2. Clear the dependencies for the security group that you want to delete.
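One way to work out which rules to clear in step 2 is shown below. This is an added example, not part of the original article: it reads output shaped like `aws ec2 describe-security-groups`, finds every ingress and egress rule that names the target group, and renders a revoke command for each so that it can be reviewed before it is run. The group IDs and account ID are constructed sample values, the function names are hypothetical, and the code assumes that all groups belong to the same account.

```python
import json
import shlex

TARGET = "sg-0aaa"  # constructed ID of the group that will not delete

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0bbb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc",
     "IpPermissions": [],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111122223333"}]}]},
    {"GroupId": "sg-0ddd",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]}

def find_references(output, target):
    """Return (group_id, direction, permission) for each rule that names target."""
    refs = []
    for group in output.get("SecurityGroups", []):
        for key, direction in (("IpPermissions", "ingress"),
                               ("IpPermissionsEgress", "egress")):
            for perm in group.get(key, []):
                if not any(p.get("GroupId") == target
                           for p in perm.get("UserIdGroupPairs", [])):
                    continue
                # Keep only the reference to target; CIDR entries in the same rule stay.
                narrowed = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort")
                            if k in perm}
                narrowed["UserIdGroupPairs"] = [{"GroupId": target}]
                refs.append((group["GroupId"], direction, narrowed))
    return refs

def revoke_commands(refs):
    """Render one reviewable AWS CLI revoke command per referencing rule."""
    return [f"aws ec2 revoke-security-group-{direction} --group-id {gid} "
            f"--ip-permissions {shlex.quote(json.dumps([perm]))}"
            for gid, direction, perm in refs]

if __name__ == "__main__":
    print("\n".join(revoke_commands(find_references(SAMPLE, TARGET))))
```

Feed it the describe-security-groups output for all groups in the VPC rather than the filtered output from step 1, because the ip-permission.group-id filter matches ingress rules only.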
VPC dependency example:
1. To identify the dependent resources of your VPC, run the following AWS CLI command:
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-xxxxxxxx" --region us-east-1 | grep SubnetId
Note: To use this command, enter your VPC value and AWS Region. You can run similar describe-* commands for other dependencies.
2. Clear the dependencies for the VPC that you want to delete.
3. Delete the VPC.