How do I delete a stack instance from a CloudFormation stack set in a closed or suspended AWS account?


I want to delete a stack instance from an AWS CloudFormation stack set, but the deletion fails because the target AWS account is closed or suspended.

Short description

When an AWS account is closed or suspended, the CloudFormation StackSets administration role can no longer assume the StackSets execution role in that account. As a result, stack set operations can't run on the stack instances for that account. If you try to delete a stack instance in a closed or suspended account, the operation fails with an error message, and the stack instance status can then change to INOPERABLE.

To delete stack instances for closed or suspended accounts, run the DeleteStackInstances operation with the RetainStacks option set to true. This detaches the stack instance from the stack set without trying to delete the underlying stack in the target account.

The following resolution steps depend on the permissions model that the stack set uses: self-managed permissions or service-managed permissions with AWS Organizations.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Delete inoperable stack instances for stack sets with self-managed permissions

For stack sets that use self-managed permissions, you can delete the INOPERABLE stack instance with either the CloudFormation console or AWS CLI.

CloudFormation console:

1.    Open the CloudFormation console.

2.    From the navigation pane, choose StackSets.

3.    From the StackSet name column, select the stack set that contains the instance that you want to delete.

4.    Choose Actions, and then choose Delete stacks from StackSets.

5.    On the Set deployment options page, for Account numbers, enter the 12-digit account number of the AWS account that's closed or suspended.

6.    In the Specify regions section, choose the AWS Region of your stack instance.

7.    In the Deployment options section, turn on Retain stacks, and then choose Next.

8.    On the Review page, choose Submit.

AWS CLI:

In the AWS CLI, run the following command:

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --accounts YourStackInstanceAccount --regions YourStackInstanceRegion --retain-stacks

Note: Replace YourStackSetName with the name of your stack set. Replace YourStackInstanceAccount with the AWS account number of the closed or suspended account. Replace YourStackInstanceRegion with the Region where the stack instance is located.

Delete inoperable stack instances for stack sets with service-managed permissions

For stack sets that use service-managed permissions, operations from the CloudFormation console can target only entire organizational units (OUs). You must use the AWS CLI to delete a specific stack instance from a single account.

In the AWS CLI, run the following command:

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks

Note: Replace YourStackSetName with the name of your stack set. Replace YourStackInstanceAccount with the AWS account number of the closed or suspended account. Replace YourStackInstanceAccountOU with the ID of the organizational unit that contains that account. Replace YourStackInstanceRegion with the Region where the stack instance is located. Stack sets with the SERVICE_MANAGED permission model accept only organizational units as targets, so passing Accounts on its own returns a ValidationError; AccountFilterType=INTERSECTION narrows the OU down to the single account that you list.
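The following script is an added example and not part of the Knowledge Center article. It checks that the instance is INOPERABLE, then builds the delete-stack-instances command for either permission model (using the OU intersection filter for service-managed stack sets). The stack set name, account ID, Region and OU ID are assumed inputs, and DRY_RUN=1 prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not part of the article: detach a stack instance in a closed or
# suspended account with RetainStacks, choosing the target syntax from the stack
# set's permission model. Assumed inputs: stack set name, 12-digit account id,
# Region, and (service-managed only) the ID of the OU that contains the account.

# Build the delete-stack-instances command line for the given permission model.
# $1 SELF_MANAGED|SERVICE_MANAGED  $2 stack set  $3 account  $4 region  $5 OU id
build_delete_cmd() {
  model=$1 stack_set=$2 account=$3 region=$4 ou=$5
  base="aws cloudformation delete-stack-instances --stack-set-name $stack_set --regions $region --retain-stacks"
  case "$model" in
    SELF_MANAGED)
      printf '%s\n' "$base --accounts $account" ;;
    SERVICE_MANAGED)
      # Accounts on its own is rejected (ValidationError: only OrganizationalUnit
      # as target); narrow the account's OU to that one account with INTERSECTION.
      [ -n "$ou" ] || { echo "OU id required for SERVICE_MANAGED" >&2; return 1; }
      printf '%s\n' "$base --deployment-targets Accounts=$account,OrganizationalUnitIds=$ou,AccountFilterType=INTERSECTION" ;;
    *)
      echo "unknown permission model: $model" >&2; return 1 ;;
  esac
}

# Look up the permission model and the instance status, then run the command.
# Set DRY_RUN=1 to only print it (the CLI has no --dry-run for this operation).
detach_inoperable_instance() {
  stack_set=$1 account=$2 region=$3 ou=$4
  model=$(aws cloudformation describe-stack-set --stack-set-name "$stack_set" \
      --query 'StackSet.PermissionModel' --output text) || return 1
  status=$(aws cloudformation list-stack-instances --stack-set-name "$stack_set" \
      --stack-instance-account "$account" --stack-instance-region "$region" \
      --query 'Summaries[0].Status' --output text) || return 1
  # Only detach instances that the article's procedure is meant for.
  if [ "$status" != INOPERABLE ]; then
    echo "instance is $status, not INOPERABLE; not detaching" >&2; return 1
  fi
  cmd=$(build_delete_cmd "$model" "$stack_set" "$account" "$region" "$ou") || return 1
  if [ -n "$DRY_RUN" ]; then
    echo "$cmd"
  else
    $cmd   # unquoted on purpose: every value is an ID without whitespace
  fi
}
```

Call it as `DRY_RUN=1 detach_inoperable_instance YourStackSetName 111111111111 us-east-1 ou-xxxx-xxxxxxxx` to review the exact command before running it for real.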


Related information

Permission models for stack sets

Stack set and stack instance status codes

AWS OFFICIAL, updated 2 years ago

Comments

The command example for the service-managed stack sets is incomplete. The deployment-targets argument needs to include additional values; otherwise it will throw an error:

An error occurred (ValidationError) when calling the DeleteStackInstances operation: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

The solution for me to target an individual account or list of accounts was as follows. It was helpful to look closely at the CLI docs, especially around what AccountFilterType could be set to, to understand how to single out a single account here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/delete-stack-instances.html

$ aws cloudformation delete-stack-instances --stack-set-name YourStackSetName --deployment-targets Accounts=YourStackInstanceAccount,OrganizationalUnitIds=YourStackInstanceAccountOU,AccountFilterType=INTERSECTION --regions YourStackInstanceRegion --retain-stacks

Side note: it would be really great to have a --dry-run option for this operation since there isn't a great way to "test" the deployment-targets parameter to make sure it's actually hitting the right things.

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 2 months ago