DeletionPolicy in AWS CloudFormation

In AWS CloudFormation, the DeletionPolicy attribute is used to specify how AWS resources should be handled when the CloudFormation stack they belong to is deleted. It allows you to define the desired behavior for resource deletion, helping you manage the lifecycle of your infrastructure.

The DeletionPolicy attribute can be set for individual resources within a CloudFormation template, and it has three possible values:

  1. "Delete" (default): This value indicates that the resource should be deleted when the stack is deleted. This is the most common behavior and ensures that the resource is completely removed from your AWS account.

  2. "Retain": This value indicates that the resource should not be deleted when the stack is deleted. It will be left intact, and you will be responsible for manually deleting it later if needed. This can be useful for preserving important data or resources that should not be accidentally deleted.

  3. "Snapshot": This value is applicable only for AWS Elastic Block Store (EBS) volumes. It indicates that a snapshot of the EBS volume should be created before the resource is deleted. The snapshot can then be used to restore the data later if needed. This is commonly used to create backups before removing storage resources.

It's important to note that the DeletionPolicy attribute does not affect resource updates. It only defines the behavior during stack deletion. If a resource is updated within a stack, CloudFormation will handle the update based on the resource's update behavior, not the deletion policy.

By explicitly setting the DeletionPolicy for resources in your CloudFormation templates, you have more control over how resources are managed and can ensure that your infrastructure is cleaned up properly when necessary.

DeletionPolicy options

Delete

CloudFormation deletes the resource and all its content if applicable during stack deletion. You can add this deletion policy to any resource type. By default, if you don't specify a DeletionPolicy, CloudFormation deletes your resources. However, be aware of the following considerations:

  • For AWS::RDS::DBCluster resources, the default policy is Snapshot.

  • For AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property, the default policy is Snapshot.

  • For Amazon S3 buckets, you must delete all objects in the bucket for deletion to succeed.

Note:

For AWS::SecretsManager::Secret resources, the default behavior of CloudFormation is to delete the secret with the ForceDeleteWithoutRecovery flag, that is, immediately and without the usual recovery window.

Retain

CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type. When CloudFormation completes the stack deletion, the stack will be in the DELETE_COMPLETE state; however, resources that are retained continue to exist and continue to incur applicable charges until you delete those resources.

For update operations, the following considerations apply:

  • If a resource is removed from the template, a Retain DeletionPolicy keeps the physical resource but removes it from CloudFormation's scope, so the stack no longer manages it.

  • If a resource is updated such that a new physical resource is created to replace the old resource, then the old resource is completely deleted, including from CloudFormation's scope.

Snapshot

For resources that support snapshots, CloudFormation creates a snapshot for the resource before deleting it. When CloudFormation completes the stack deletion, the stack will be in the DELETE_COMPLETE state; however, the snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots.

Resources that support snapshots include AWS::EC2::Volume, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::Redshift::Cluster, AWS::ElastiCache::CacheCluster, AWS::ElastiCache::ReplicationGroup, AWS::Neptune::DBCluster and AWS::DocDB::DBCluster.

Specify the DeletionPolicy attributes in the AWS CloudFormation template

  1. In your CloudFormation template, set DeletionPolicy to Retain for the resources that you want to keep. In the following example YAML template, the Retain policy is specified for the two AWS::EC2::SecurityGroup resources, and the Snapshot policy is specified for the AWS::EC2::Volume resource.

     Description: AWS CloudFormation DeletionPolicy demo
     Resources:
       SGroup1:
         Type: 'AWS::EC2::SecurityGroup'
         DeletionPolicy: Retain
         Properties:
           GroupDescription: EC2 Instance access
       SGroup2:
         Type: 'AWS::EC2::SecurityGroup'
         DeletionPolicy: Retain
         Properties:
           GroupDescription: EC2 Instance access
       MyEBS:
         Type: AWS::EC2::Volume
         DeletionPolicy: Snapshot
         Properties:
           AvailabilityZone: us-east-1a
           Size: 1

  2. Save the template as stack.yaml and deploy your stack with the following command:

     aws cloudformation create-stack --stack-name MyStack --template-body file://stack.yaml

  3. Now test the DeletionPolicy attribute: delete the AWS CloudFormation stack.

  4. Confirm that the resources with the Retain option for DeletionPolicy are still available after the stack deletion is complete.

As you can see, DeletionPolicy skipped deletion of the security groups with the Retain option, while the EBS volume was deleted after a snapshot of it was created.
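To know what a template will actually do at stack deletion before deploying it, here is an added example (not code from the article or from AWS) that resolves the effective DeletionPolicy of every resource in a parsed template, applying the per-type defaults described above, and flags policies that are unsupported or that destroy data. It takes the template as a dict (as returned by json.load or any YAML loader); the sample template is constructed from the one above plus an RDS instance and an S3 bucket.

```python
# Added example (not from the article or AWS): resolve the DeletionPolicy that
# CloudFormation will actually apply to each resource of a parsed template.
SNAPSHOT_CAPABLE = {  # types the AWS docs list as supporting Snapshot
    "AWS::EC2::Volume", "AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
    "AWS::Redshift::Cluster", "AWS::ElastiCache::CacheCluster",
    "AWS::ElastiCache::ReplicationGroup", "AWS::Neptune::DBCluster",
    "AWS::DocDB::DBCluster",
}
# Types that hold data: a Delete policy on them destroys that data.
STATEFUL = SNAPSHOT_CAPABLE | {"AWS::S3::Bucket", "AWS::DynamoDB::Table",
                               "AWS::SecretsManager::Secret"}

def effective_policy(resource):
    """Explicit DeletionPolicy if set, else the per-type default: Snapshot for
    RDS clusters and RDS instances without DBClusterIdentifier, else Delete."""
    if "DeletionPolicy" in resource:
        return resource["DeletionPolicy"]
    rtype, props = resource["Type"], resource.get("Properties") or {}
    if rtype == "AWS::RDS::DBCluster":
        return "Snapshot"
    if rtype == "AWS::RDS::DBInstance" and "DBClusterIdentifier" not in props:
        return "Snapshot"
    return "Delete"

def audit(template):
    """Return [(logical_id, effective_policy, note)] for every resource; the
    note is empty unless the policy is unsupported or will destroy data."""
    report = []
    for logical_id, res in template["Resources"].items():
        rtype, policy, note = res["Type"], effective_policy(res), ""
        if policy == "Snapshot" and rtype not in SNAPSHOT_CAPABLE:
            note = f"Snapshot is not supported for {rtype}"
        elif policy == "Delete" and rtype == "AWS::SecretsManager::Secret":
            note = "secret is deleted with ForceDeleteWithoutRecovery"
        elif policy == "Delete" and rtype == "AWS::S3::Bucket":
            note = "bucket must be empty or stack deletion fails"
        elif policy == "Delete" and rtype in STATEFUL:
            note = "stored data is destroyed with the stack"
        report.append((logical_id, policy, note))
    return report

# Constructed sample: the article's template plus an RDS instance and a bucket.
SAMPLE_TEMPLATE = {"Resources": {
    "SGroup1": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain"},
    "MyEBS": {"Type": "AWS::EC2::Volume", "DeletionPolicy": "Snapshot",
              "Properties": {"AvailabilityZone": "us-east-1a", "Size": 1}},
    "MyDB": {"Type": "AWS::RDS::DBInstance"},  # no DBClusterIdentifier
    "Logs": {"Type": "AWS::S3::Bucket"},
}}
```

Calling audit(SAMPLE_TEMPLATE) reports MyDB as Snapshot even though the template never says so, and flags the bucket, which would block stack deletion until emptied.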
