CFN Teardown

CFN Teardown is a tool to delete CloudFormation stacks respecting the stack dependencies.

If you deploy all of your infrastructure using CloudFormation with a consistent naming convention for stacks, then you can use this tool to tear down the environment.

Tearing down a large number of stacks with this tool is considerably faster than brute-force deletion.

Example of consistent stack naming:

  • qa-bucket-users
  • qa-service-user-management
  • qa-service-user-search

You can supply the stack pattern qa- to this tool to delete these stacks.

Features

  • Matches the stack pattern and builds a dependency tree for an intelligent, faster teardown.

  • Stack dependencies are respected during deletion. No brute force strategy.

  • Multiple safety checks to prevent accidental deletion.

  • Generates a file, stack_teardown_details.json, listing stack dependencies; it can be watched live to follow what the script is doing. It contains useful details such as the time taken to delete each stack, delete attempts, failure reasons and more.

  • Supports Slack notifications via webhook.

Install

go get github.com/nirdosh17/cfn-teardown

OR download the binary from HERE

Using CFN Teardown

Required global flags for all commands: stackPattern, awsRegion, awsProfile

  1. Run cfn-teardown -h to see the available commands and their parameters.

  2. List stack dependencies: cfn-teardown listDependencies

    Writes the dependency tree to the stack_teardown_details.json file (also printed to the terminal).

  3. Tear down stacks: cfn-teardown deleteStacks

    Deletes the matching stacks and updates their status in the teardown details file.

Configuration

Configuration for this command can be set in three different ways, in the precedence order defined below:

  1. Environment variables (same names as the flags)

  2. Flags, e.g. cfn-teardown deleteStacks --stackPattern=qaenv-

  3. Supplied YAML config file (default: ~/.cfn-teardown.yaml)

    Minimal config file:

    awsRegion: us-east-1
    awsProfile: staging
    stackPattern: qa-

    All configs present:

    awsRegion: us-east-1
    awsProfile: staging
    awsAccountId: 121212121212
    stackPattern: qa-
    abortWaitTimeMinutes: 20
    stackWaitTimeSeconds: 30
    maxDeleteRetryCount: 5
    notificationWebhookURL: https://hooks.slack.com/services/dummy/dummy/long_hash
    roleARN: <arn>
    dryRun: false

See the available configurations via:

cfn-teardown --help
cfn-teardown listDependencies --help
cfn-teardown deleteStacks --help

How it works

  1. Scans all stacks in your account.

  2. Prepares a list of stacks with their dependencies.

    It looks something like this:
    {
      "staging-bucket-archived-items": {
        "StackName": "staging-bucket-archived-items",
        "Status": "CREATE_COMPLETE",
        "StackStatusReason": "",
        "DeleteStartedAt": "2021-02-07T03:35:43Z",
        "DeleteCompletedAt": "",
        "DeletionTimeInMinutes": "",
        "DeleteAttempt": 0,
        "Exports": [
          "staging:ItemsArchiveBucket",
          "staging:ItemsArchiveBucketArn"
        ],
        "ActiveImporterStacks": {
          "staging-products-service": {}
        },
        "CFNConsoleLink": "https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/stackinfo?stackId=staging-bucket-archived-items"
      },
      "staging-products-service": {
        "StackName": "staging-products-service",
        "Status": "CREATE_COMPLETE",
        "StackStatusReason": "",
        "DeleteStartedAt": "2021-02-07T03:30:54Z",
        "DeleteCompletedAt": "",
        "DeletionTimeInMinutes": "",
        "DeleteAttempt": 0,
        "Exports": [
          "staging:ProductsServiceEndpoint"
        ],
        "ActiveImporterStacks": {},
        "CFNConsoleLink": "https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/stackinfo?stackId=staging-products-service"
      }
    }
  3. Alerts the Slack channel (if a webhook is provided) and waits for the specified time (abortWaitTimeMinutes) before initiating deletion. If no wait time is provided, it starts deleting stacks immediately.

  4. Finds stacks that are eligible for deletion. The eligibility criterion is that none of the stack's exports are imported by any other stack. In simple terms, no other stack should depend on it.

  5. Initiates delete requests concurrently for the eligible stacks.

  6. Waits 30 seconds (configurable via stackWaitTimeSeconds) before scanning for eligible stacks again. Checks whether each stack has already been deleted and, if so, updates its status in the dependency tree.
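As an added illustration of steps 4 to 6 (this is example code, not code from the cfn-teardown project): a Go simulation of the eligibility check and dependency-tree update loop, run over a constructed tree built from the two stacks in the JSON above plus a hypothetical staging-network stack that both of them import.

```go
package main

import (
	"fmt"
	"sort"
)

// Tree maps each stack to the stacks still importing its exports (ActiveImporterStacks).
type Tree map[string]map[string]struct{}

// Eligible returns, sorted, the stacks nothing else imports from (step 4).
func Eligible(t Tree) []string {
	var out []string
	for name, importers := range t {
		if len(importers) == 0 {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// DeletionWaves simulates steps 4-6: each wave is deleted concurrently, then
// dropped from every importer set. Leftovers with no eligible stack are a cycle.
func DeletionWaves(t Tree) ([][]string, error) {
	var waves [][]string
	for len(t) > 0 {
		wave := Eligible(t)
		if len(wave) == 0 {
			return waves, fmt.Errorf("%d stack(s) import each other; manual intervention needed", len(t))
		}
		waves = append(waves, wave)
		for _, name := range wave { // step 6: update the dependency tree
			delete(t, name)
			for _, importers := range t {
				delete(importers, name)
			}
		}
	}
	return waves, nil
}

// SampleTree is constructed: the JSON's two stacks plus a hypothetical staging-network stack both import.
func SampleTree() Tree {
	return Tree{
		"staging-network":               {"staging-bucket-archived-items": {}, "staging-products-service": {}},
		"staging-bucket-archived-items": {"staging-products-service": {}},
		"staging-products-service":      {},
	}
}
```

For the sample tree the waves come out as staging-products-service, then staging-bucket-archived-items, then staging-network; a tree in which stacks import each other returns an error instead of looping forever.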

Assume Role

By default it uses the IAM role of the environment it is run in, e.g. CodeBuild or an EC2 instance. You can also supply a role ARN (roleARN) if you want the script to assume a different role.

Safety Checks for Accidental Deletion

  • The dryRun flag must be explicitly set to false to activate the delete functionality.

  • The abortWaitTimeMinutes flag lets you decide how long to wait before initiating the delete, so you can confirm the stacks that are about to be deleted.

  • The awsAccountId flag is compared with the AWS session's account ID at runtime to confirm that stacks are being deleted in the intended non-production account.

Edge Case

If a stack can't be deleted from the AWS Console itself due to some dependencies, then it won't be deleted by this tool either. In that case manual intervention is required, and the tool notifies you of it.

Caution ⚠️

With great power comes great responsibility

  • Use this tool with great caution. Don't ever run this in a production environment with the intention of deleting a subset of stacks.
  • First try it on a small number of test stacks in dry-run mode.
  • Use the redundant safety flags dryRun, awsAccountId and abortWaitTimeMinutes.