1

I am using a python script to fetch active resources from my AWS account. I am using the following method:

member_session = boto3.session.Session(
      aws_access_key_id=credentials["Credentials"]["AccessKeyId"],
      aws_secret_access_key=credentials["Credentials"]["SecretAccessKey"],
      aws_session_token=credentials["Credentials"]["SessionToken"],
  )
member_session.client('config').list_discovered_resources(resourceType="AWS::CloudFormation::Stack", includeDeletedResources=False)

This returns all resources including the deleted ones of a specific resource type. I validated from the aws console and they are under the deleted tab for cloudformation-stack.

Is there something I am missing? Is there a time period after which the deleted resources are not visible as response to this api? I couldn't find something related in the docs.

Boto3 docs for the API Call

Why is the call returning deleted resources even though flag includeDeletedResources is set to False?

Maurice
  • 11,482
  • 2
  • 25
  • 45
sparkstar
  • 593
  • 1
  • 7
  • 14

1 Answers1

2

That's most likely because CloudFormation only really deletes a stack after 90 days, see this question for reference. Before that, they're still returned by the API.

If I run this script against my account, the flag definitely shows a difference:

import boto3


def main():

    client = boto3.client("config")

    response_without_deleted = client.list_discovered_resources(
        resourceType="AWS::CloudFormation::Stack", includeDeletedResources=False
    )
    print(
        f"Found {len(response_without_deleted['resourceIdentifiers'])} resources that aren't deleted."
    )

    response_with_deleted = client.list_discovered_resources(
        resourceType="AWS::CloudFormation::Stack", includeDeletedResources=True
    )

    print(
        f"Found {len(response_with_deleted['resourceIdentifiers'])} resources including those that are deleted."
    )


if __name__ == "__main__":
    main()

Output

Found 22 resources that aren't deleted.
Found 93 resources including those that are deleted.

So my guess is that your deleted stack will be considered by the flag as deleted about 90 days after you originally deleted it because only then CloudFormation reports the resource as deleted to AWS Config.

Maurice
  • 11,482
  • 2
  • 25
  • 45
  • Is this true for other resources as well? I get the same response for Roles as well i.e. the deleted roles still come up. – sparkstar Jan 05 '23 at 09:41
  • I don't know, I haven't heard of roles being visible in IAM after they're deleted so that may have a different reason. Sounds like a new question ;-) – Maurice Jan 05 '23 at 12:53