Enable/Disable EC2 Termination Protection using CloudFormation
Dear reader, I hope you are doing great. In one of my previous tutorials, I explained how to enable EC2 termination protection using the AWS Management Console and the AWS CLI.
In this post, we will learn to Enable/Disable EC2 termination protection using CloudFormation.
Let’s start with a short overview of EC2 termination protection.
What say?
Well, let's go !!!
Overview of AWS EC2 Termination Protection
When you create an EC2 instance, by default you are allowed to terminate it once you are done with it.
However, sometimes you don't want your instance to be terminated by someone accidentally or deliberately. What do you do then?
Well, AWS provides a feature called instance termination protection. Once you enable termination protection, the instance can't be terminated from the console, the CLI or the API.
Having said that, if you need to change termination protection on an instance, you need to modify the instance attribute "DisableApiTermination".
EC2 Termination Protection in CloudFormation
As we have seen, we modify the DisableApiTermination attribute to enable or disable termination protection. The attribute takes two values:
- DisableApiTermination: false (default): termination protection disabled
- DisableApiTermination: true: termination protection enabled
Enable Termination Protection
DemoInstance:
  Type: 'AWS::EC2::Instance'
  Properties:
    ImageId: !Ref ImageId
    DisableApiTermination: true
Disable Termination Protection
DemoInstance:
  Type: 'AWS::EC2::Instance'
  Properties:
    ImageId: !Ref ImageId
    DisableApiTermination: false
You can set this attribute while launching the instance (creating the stack), or you can update an existing stack later to enable or disable termination protection as needed.
Steps to Enable/Disable EC2 Termination Protection using CloudFormation
- Provide proper permission to your user/role
- Prepare the template
- Create/Update your Stack using prepared template
- Validate the EC2 Termination Protection In console
- Clean up
Let's see the step-by-step instructions to Enable/Disable EC2 Termination Protection using CloudFormation.
Step 1: Provide proper permission to your user/role
- If you are not an admin user, you should at least grant these permissions to the user/role that will be creating the stack:
- ec2:ModifyInstanceAttribute
- ec2:RunInstances
- ec2:StartInstances
- ec2:StopInstances
- ec2:TerminateInstances
- Additionally, you will also need cloudformation:* to be able to create, update and delete CloudFormation stacks.
Note: If you are unable to figure out the correct permissions in the beginning, you can use ec2:*. However, please note that allowing every action is not safe. Use it only until you have found the correct set of permissions, then narrow the policy down.
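To make the note above concrete, here is a small offline check, added as an example (it is not code from the original post), that compares an IAM policy document against the actions Step 1 lists and flags whole-service wildcards such as ec2:*. The two sample policies are constructed for the example, and narrowing the post's cloudformation:* down to CreateStack/UpdateStack/DeleteStack/DescribeStacks is this example's assumption, not the post's list.

```python
"""Check an IAM policy document against the permissions listed in Step 1.

Added example, not code from the original post. REQUIRED_ACTIONS narrows the
post's cloudformation:* to the stack operations the walkthrough performs;
that narrowing is an assumption of this example.
"""
import fnmatch
import json

REQUIRED_ACTIONS = [
    "ec2:ModifyInstanceAttribute",
    "ec2:RunInstances",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
    "cloudformation:CreateStack",     # assumed subset of the post's cloudformation:*
    "cloudformation:UpdateStack",
    "cloudformation:DeleteStack",
    "cloudformation:DescribeStacks",
]

# Constructed sample policy: exactly the actions above, nothing more.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:ModifyInstanceAttribute", "ec2:RunInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                "cloudformation:DeleteStack", "cloudformation:DescribeStacks"],
     "Resource": "*"}
  ]
}""")

# Constructed sample policy: the shortcut the post's note warns about.
WILDCARD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": ["ec2:*", "cloudformation:*"], "Resource": "*"}
}""")


def allowed_actions(policy):
    """Flatten every Action granted by the Allow statements of a policy."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    grants = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        grants.extend([action] if isinstance(action, str) else action)
    return grants


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Report required actions no grant covers, and grants that are service-wide wildcards.

    IAM action names are case-insensitive and '*' matches any run of characters,
    so fnmatch on lower-cased strings reproduces the matching needed here.
    """
    grants = allowed_actions(policy)
    missing = [a for a in required
               if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in grants)]
    wildcards = [g for g in grants if g == "*" or g.endswith(":*")]
    return {"missing": missing, "wildcards": wildcards}


if __name__ == "__main__":
    print(check_policy(LEAST_PRIVILEGE_POLICY))  # {'missing': [], 'wildcards': []}
    print(check_policy(WILDCARD_POLICY))         # nothing missing, but two wildcard grants
```

Run it on the policy attached to your deployment role before creating the stack: an empty "missing" list means the walkthrough will not fail on permissions, and a non-empty "wildcards" list is the reminder to tighten the policy once it works.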
Step 2: Prepare the template
You can use YAML or JSON for your template. I prefer YAML for writing my templates. But don't worry, if you want it in JSON, I will provide the JSON template as well.
Template to Enable EC2 Termination Protection using CloudFormation: YAML
In this template, we are creating an EC2 instance with termination protection turned on by setting the attribute DisableApiTermination: true.
Please make sure to use your own ImageId, and KeyName depending on your environment.
AWSTemplateFormatVersion: '2010-09-09'
Description: Template to Create an EC2 instance with Termination Protection
Parameters:
  ImageId:
    Type: String
    Description: 'Linux 2 AMI for Ireland eu-west1 Region'
    Default: 'ami-0fc970315c2d38f01'
  InstanceType:
    Type: String
    Description: Choosing t2 micro because it is free
    Default: t2.micro
  KeyName:
    Description: SSH Keypair to login to the instance
    Type: AWS::EC2::KeyPair::KeyName
    Default: DemoKeyPair
Resources:
  DemoInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      DisableApiTermination: true
Outputs:
  DemoInstanceId:
    Description: Instance Id
    Value: !Ref DemoInstance
Template to Enable EC2 Termination Protection using CloudFormation: JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template to Create an EC2 instance with Termination Protection",
  "Parameters": {
    "ImageId": {
      "Type": "String",
      "Description": "Linux 2 AMI for Ireland eu-west1 Region",
      "Default": "ami-0fc970315c2d38f01"
    },
    "InstanceType": {
      "Type": "String",
      "Description": "Choosing t2 micro because it is free",
      "Default": "t2.micro"
    },
    "KeyName": {
      "Description": "SSH Keypair to login to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "Default": "DemoKeyPair"
    }
  },
  "Resources": {
    "DemoInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {
          "Ref": "ImageId"
        },
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "DisableApiTermination": true
      }
    }
  },
  "Outputs": {
    "DemoInstanceId": {
      "Description": "Instance Id",
      "Value": {
        "Ref": "DemoInstance"
      }
    }
  }
}
Template to Disable EC2 Termination Protection using CloudFormation: YAML
In this template, we are creating an EC2 instance with termination protection turned off by explicitly setting the attribute DisableApiTermination: false. Please note that you can simply omit this attribute and it will have the same effect, because the default value of this attribute is false.
AWSTemplateFormatVersion: '2010-09-09'
Description: Template to Create an EC2 instance with Termination Protection
Parameters:
  ImageId:
    Type: String
    Description: 'Linux 2 AMI for Ireland eu-west1 Region'
    Default: 'ami-0fc970315c2d38f01'
  InstanceType:
    Type: String
    Description: Choosing t2 micro because it is free
    Default: t2.micro
  KeyName:
    Description: SSH Keypair to login to the instance
    Type: AWS::EC2::KeyPair::KeyName
    Default: DemoKeyPair
Resources:
  DemoInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      DisableApiTermination: false
Outputs:
  DemoInstanceId:
    Description: Instance Id
    Value: !Ref DemoInstance
Template to Disable EC2 Termination Protection using CloudFormation: JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template to Create an EC2 instance with Termination Protection",
  "Parameters": {
    "ImageId": {
      "Type": "String",
      "Description": "Linux 2 AMI for Ireland eu-west1 Region",
      "Default": "ami-0fc970315c2d38f01"
    },
    "InstanceType": {
      "Type": "String",
      "Description": "Choosing t2 micro because it is free",
      "Default": "t2.micro"
    },
    "KeyName": {
      "Description": "SSH Keypair to login to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "Default": "DemoKeyPair"
    }
  },
  "Resources": {
    "DemoInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {
          "Ref": "ImageId"
        },
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "DisableApiTermination": false
      }
    }
  },
  "Outputs": {
    "DemoInstanceId": {
      "Description": "Instance Id",
      "Value": {
        "Ref": "DemoInstance"
      }
    }
  }
}
Step 3: Create the Stack using prepared template
Now that we know the basics and have the template, let's go and create the stack.
- Grab the YAML or JSON template from above as per your convenience.
- Change the parameters as per your requirement
- Save the template with .yml or .json as per the choice of template and follow below steps.
- Log in to the AWS Management Console, navigate to CloudFormation and click on Create stack
- Click on "Upload a template file", upload your saved .yml or .json file and click Next
- Enter the stack name and click on Next. In the configuration step, keep everything as default and click on Next.
- In the Events tab of the stack, you can view the status.
- Once the stack creation succeeds, you can check the EC2 instance in the console
Step 4: Validate the EC2 Termination Protection
Go to the EC2 console and click on your instance to open the instance details screen. You can see the termination protection status there.
In the screenshot below, I have underlined the termination protection status.
Congratulations !!!
You have successfully created an EC2 instance with termination protection turned on using CloudFormation.
Step 5: Clean Up
If you are enabling termination protection for learning purposes, don't forget to delete your CloudFormation stack, so that your instance is deleted and you don't bear any cost.
But wait: if you have enabled termination protection, you can't delete your stack, and the deletion will always fail. Because of the instance protection, CloudFormation won't be able to terminate the instance, and as a result the stack will not be deleted.
Also, once you try to delete the stack and the delete fails, your stack goes into the DELETE_FAILED state and you can no longer update that stack. You must then disable the termination protection using the console or CLI, delete the stack, and create a fresh stack.
Therefore, you must disable the termination protection by changing DisableApiTermination to false and updating your stack.
DisableApiTermination: false
Or simply you can remove this attribute altogether and it will default to false. However, for the sake of clarity, I like to keep it set to false.
Once you have updated your stack with the attribute set to false, you can go ahead and delete your stack happily 🙂
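The attribute semantics from the "EC2 Termination Protection in CloudFormation" section and the clean-up rule above (a protected instance makes delete-stack end in DELETE_FAILED) can be checked before touching AWS. The following is an added example, not code from the original post: it reads a template in the post's JSON structure, lists instances that are not protected (a missing attribute counts as unprotected, since the default is false), predicts whether a stack delete would fail, and produces the updated template with the attribute set explicitly, the way the post prefers. The function names and the delete prediction are this example's own; the embedded template is a trimmed copy of the post's JSON "enable" template with the Parameters section omitted.

```python
"""Guardrail and release helper for DisableApiTermination in a CloudFormation template.

Added example, not code from the original post. It works on the post's JSON
template structure; the function names and the stack-delete prediction are
this example's own, not a CloudFormation API.
"""
import copy
import json

# Trimmed copy of the post's JSON "enable" template (Parameters omitted).
PROTECTED_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DemoInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Ref": "ImageId"},
        "InstanceType": {"Ref": "InstanceType"},
        "KeyName": {"Ref": "KeyName"},
        "DisableApiTermination": true
      }
    }
  },
  "Outputs": {"DemoInstanceId": {"Description": "Instance Id", "Value": {"Ref": "DemoInstance"}}}
}""")


def _is_true(value):
    """CloudFormation accepts the boolean true or the string "true" for this property."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def ec2_instances(template):
    """Logical ID -> resource for every AWS::EC2::Instance in the template."""
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::Instance"}


def unprotected_instances(template):
    """Instances whose termination protection is off; a missing attribute counts (default false)."""
    return sorted(name for name, res in ec2_instances(template).items()
                  if not _is_true(res.get("Properties", {}).get("DisableApiTermination")))


def stack_delete_would_fail(template):
    """True if any instance is still protected: CloudFormation cannot terminate it,
    so the stack would end in DELETE_FAILED."""
    return len(unprotected_instances(template)) < len(ec2_instances(template))


def set_termination_protection(template, enabled):
    """Return a copy with DisableApiTermination set explicitly on every instance.

    The copy is what you would upload as the stack update; the input is untouched.
    """
    updated = copy.deepcopy(template)
    for res in ec2_instances(updated).values():
        res.setdefault("Properties", {})["DisableApiTermination"] = enabled
    return updated


if __name__ == "__main__":
    print("unprotected:", unprotected_instances(PROTECTED_TEMPLATE))     # []
    print("delete fails:", stack_delete_would_fail(PROTECTED_TEMPLATE))  # True
    released = set_termination_protection(PROTECTED_TEMPLATE, False)
    print(json.dumps(released["Resources"]["DemoInstance"]["Properties"], indent=2))
    print("delete fails after update:", stack_delete_would_fail(released))  # False
```

Running stack_delete_would_fail over the template you are about to delete is the cheap way to avoid the DELETE_FAILED dead end the post describes; if it returns True, apply set_termination_protection(template, False) as a stack update first and only then delete the stack.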
Happy Learning !!!
Conclusion:
In this post, we learnt how to Enable/Disable EC2 Termination Protection using CloudFormation. We learnt that:
- We can turn on EC2 termination protection by modifying the DisableApiTermination attribute of the instance.
- Once enabled, you cannot delete your stack.
- You must disable termination protection first and then delete your stack.
I hope you found this post helpful. If you have any question, please feel free to drop in comment.