[Feature Request] Make sam delete clean up all SAM managed resources including aws-sam-cli-managed-default stack #7782

Open
miketheman opened this issue Dec 8, 2024 · 6 comments
Labels
stage/needs-feedback Needs feedback from the community (are you also interested in/experiencing this?) type/feature Feature request

Comments

@miketheman

Description:

After running sam package, a CloudFormation stack aws-sam-cli-managed-default is created, with 2 resources - SamCliSourceBucket & SamCliSourceBucketBucketPolicy.

Running sam delete errors out, and does not remove the bucket, policy, or CFN stack.

Steps to reproduce:

sam init a hello_world or other template, do NOT deploy yet.

$ sam package
$ sam delete --debug

Observed result:

2024-12-08 17:53:32,249 | Config file location: demo-failure/samconfig.toml
2024-12-08 17:53:32,251 | Loading configuration values from [default.['deploy'].parameters] (env.command_name.section) in config file at
'/tmp/demo-failure/samconfig.toml'...
2024-12-08 17:53:32,253 | Configuration values successfully loaded.
2024-12-08 17:53:32,253 | Configuration values are: {'stack_name': 'demo-failure', 'capabilities': 'CAPABILITY_IAM', 'confirm_changeset': True, 'resolve_s3': True}
2024-12-08 17:53:32,284 | Using config file: samconfig.toml, config environment: default
2024-12-08 17:53:32,285 | Expand command line arguments to:
2024-12-08 17:53:32,286 | --stack_name=demo-failure
	Are you sure you want to delete the stack demo-failure in the region us-east-1 ? [y/N]: y
2024-12-08 17:53:35,409 | Stack with id demo-failure does not exist
2024-12-08 17:53:35,410 | Input stack does not exists on Cloudformation
Error: The input stack demo-failure does not exist on Cloudformation in the region us-east-1
2024-12-08 17:53:35,412 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2024-12-08 17:53:35,507 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2024-12-08 17:53:35,509 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': 'a5fb3278-b7a7-45ab-8b85-36f2983b16c2', 'installationId': '1b202f64-2248-4ee3-afb0-9d4958012182', 'sessionId':
'44efe86e-7b7b-497e-bdeb-2674fb6a8083', 'executionEnvironment': 'CLI', 'ci': False, 'pyversion': '3.13.0', 'samcliVersion': '1.131.0', 'awsProfileProvided': False, 'debugFlagProvided': True, 'region': '', 'commandName':
'sam delete', 'metricSpecificAttributes': {'projectType': 'CFN', 'gitOrigin': None, 'projectName': '9caac13c35207d92fbff4a22452366e12cee615e5da8098be2d48c907172a1de', 'initialCommit': None}, 'duration': 3128, 'exitReason':
'success', 'exitCode': 0}}]}
2024-12-08 17:53:35,509 | Unable to find Click Context for getting session_id.
2024-12-08 17:53:35,512 | Sending Telemetry: {'metrics': [{'events': {'requestId': '78924319-0757-4f07-9d22-88cdbf265d80', 'installationId': '1b202f64-2248-4ee3-afb0-9d4958012182', 'sessionId':
'44efe86e-7b7b-497e-bdeb-2674fb6a8083', 'executionEnvironment': 'CLI', 'ci': False, 'pyversion': '3.13.0', 'samcliVersion': '1.131.0', 'commandName': 'sam delete', 'metricSpecificAttributes': {'events': [{'event_name':
'SamConfigFileExtension', 'event_value': '.toml', 'thread_id': '8046f296c6db4b8d9aa416cab9dca9a4', 'time_stamp': '2024-12-08 22:53:32.248', 'exception_name': None}, {'event_name': 'SamConfigFileExtension', 'event_value':
'.toml', 'thread_id': '77d3177873fb41e78036ba2241a96b82', 'time_stamp': '2024-12-08 22:53:32.284', 'exception_name': None}]}}}]}
2024-12-08 17:53:35,770 | Telemetry response: 200
2024-12-08 17:53:35,772 | Telemetry response: 200

Expected result:

The bucket, artifacts, policy, and cloudformation stack are removed completely.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

{
  "version": "1.131.0",
  "system": {
    "python": "3.13.0",
    "os": "macOS-15.1.1-x86_64-i386-64bit-Mach-O"
  },
  "additional_dependencies": {
    "docker_engine": "27.3.1",
    "aws_cdk": "Not available",
    "terraform": "1.5.7"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}
@miketheman miketheman added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Dec 8, 2024
@miketheman

Looks like this is part of the "overall" sam setup, and not specific to an application.

After a sam delete of the final application, this bucket cannot be removed, as it has versioning enabled, and the objects removed have versions, which disallows CloudFormation from deleting the bucket with:

The bucket you tried to delete is not empty. You must delete all versions in the bucket. (Service: S3, Status Code: 409, Request ID: ...

@vicheey

vicheey commented Dec 11, 2024

@miketheman,

I have a few follow-up questions:

  1. After running sam init, when you ran sam package, which bucket did you specify for storing the artifact?
  2. Without deploying the application, when running sam delete, what stack name do you specify for stack name prompter?
Project 12 vichym$ sam delete
        Enter stack name you want to delete: 

After a sam delete of the final application, this bucket cannot be removed, as it has versioning enabled, ....

  1. Which bucket do you refer here? The SamCliSourceBucket of aws-sam-cli-managed-default or S3 bucket as part of your application stack?

@miketheman

1. After running sam init, when you ran sam package, which bucket did you specify for storing the artifact?

I was not prompted for one, sam generated one for me:

...
2024-12-13 17:51:35,502 | Managed S3 stack [aws-sam-cli-managed-default] not found. Creating a new one.
	Creating the required resources...
	Successfully created!

		Managed S3 bucket: aws-sam-cli-managed-default-samclisourcebucket-blvhapsmfbaz
		A different default S3 bucket can be set in samconfig.toml
		Or by specifying --s3-bucket explicitly.
...

2. Without deploying the application, when running sam delete, what stack name do you specify for stack name prompter?

I didn't specify a stack name, allowing sam to detect automatically. This command failed to delete anything, since it was never deployed:

...
Error: The input stack demo-python does not exist on Cloudformation in the region us-east-1

3. Which bucket do you refer here? The SamCliSourceBucket of aws-sam-cli-managed-default or S3 bucket as part of your application stack?

I'm referring to SamCliSourceBucket - aws-sam-cli-managed-default-samclisourcebucket-blvhapsmfbaz was autogenerated during sam package from the CloudFormation stack aws-sam-cli-managed-default.

There's no sam command I could find that runs a delete on that stack, so I tried via the CloudFormation console, and found out (the hard way) that CFN couldn't delete a non-empty bucket, and even when manually deleting the single object, I then found out that there's versions as well, which made it even harder to delete.

What I'd expect is some sort of sam command that empties the bucket from all objects and versions, and runs a CFN delete on aws-sam-cli-managed-default bucket to completely clean up after itself.

@vicheey

vicheey commented Dec 16, 2024

Question 1

  1. After running sam init, when you ran sam package, which bucket did you specify for storing the artifact?

I was not prompted for one, sam generated one for me

  • Did you check if there is any samconfig.toml file in your project folder?
  • What is your sam cli version?

I have attempted to reproduce the issue and see that I was prompted.
If your sam cli is not 1.132.0, please consider updating the tool and try again.

➜  Project 1  sam package
Usage: sam package [OPTIONS]
Try 'sam package -h' for help.

Error: Missing option '--s3-bucket'
➜  Project 1  

➜  Project 1  sam --version    
SAM CLI, version 1.132.0
➜  Project 1  

Question 2

The same as above, the issue does not seem to happen with sam cli version 1.132.0 as shown below:

➜  Project 1  sam delete
        Are you sure you want to delete the stack multi-project-1 in the region us-east-1 ? [y/N]: 

Please verify if the updated version solves the issue.

Question 3

I'm referring to SamCliSourceBucket - aws-sam-cli-managed-default-samclisourcebucket-blvhapsmfbaz was autogenerated during sam package from the CloudFormation stack aws-sam-cli-managed-default.

The aws-sam-cli-managed-default-samclisourcebucket-blvhapsmfbaz can be used by multiple sam application deployments to store multiple project artifacts. It may not be safe to delete this bucket if it is used for multiple projects.

The behavior you're experiencing is actually due to an underlying CloudFormation limitation. CloudFormation intentionally prevents the deletion of non-empty S3 buckets (including buckets with versioned objects) as a safety mechanism to prevent accidental data loss.

Since SAM CLI relies on CloudFormation for resource provisioning and management (including deletion), this CloudFormation limitation binds us.

To fully clean up these resources, you would need to manually remove all objects and their versions from the bucket before the CloudFormation stack (and bucket) can be deleted.
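
The manual cleanup described in the comment above, as an added example (not part of the issue thread and not SAM CLI code): a boto3 script that removes every object version and delete marker from the managed bucket, then deletes the stack. It assumes boto3 and default AWS credentials; the stack name and logical ID are the ones quoted in the issue, and the function names are hypothetical. It defaults to a dry run because the bucket may hold artifacts for other SAM applications.

```python
"""Empty the SAM CLI managed bucket (versions and delete markers), then delete its stack."""
import sys

STACK = "aws-sam-cli-managed-default"      # stack name quoted in the issue
BUCKET_LOGICAL_ID = "SamCliSourceBucket"   # logical ID quoted in the issue


def iter_versions(s3, bucket):
    """Yield {'Key', 'VersionId'} for every object version and delete marker."""
    paginator = s3.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket):
        for entry in page.get("Versions", []) + page.get("DeleteMarkers", []):
            yield {"Key": entry["Key"], "VersionId": entry["VersionId"]}


def empty_versioned_bucket(s3, bucket, dry_run=True):
    """Delete every version in `bucket`; return how many were (or would be) removed."""
    targets = list(iter_versions(s3, bucket))
    if dry_run:
        return len(targets)
    for i in range(0, len(targets), 1000):  # DeleteObjects accepts at most 1000 keys
        resp = s3.delete_objects(
            Bucket=bucket, Delete={"Objects": targets[i:i + 1000], "Quiet": True}
        )
        if resp.get("Errors"):
            raise RuntimeError(f"could not delete: {resp['Errors'][:3]}")
    return len(targets)


def remove_managed_stack(s3, cfn, stack=STACK, dry_run=True):
    """Resolve the bucket from the stack, empty it, then delete the stack."""
    detail = cfn.describe_stack_resource(
        StackName=stack, LogicalResourceId=BUCKET_LOGICAL_ID
    )["StackResourceDetail"]
    bucket = detail["PhysicalResourceId"]
    count = empty_versioned_bucket(s3, bucket, dry_run=dry_run)
    if not dry_run:
        cfn.delete_stack(StackName=stack)
        cfn.get_waiter("stack_delete_complete").wait(StackName=stack)
    return bucket, count


if __name__ == "__main__":
    import boto3  # imported here so the functions can be exercised with stub clients

    really = "--yes" in sys.argv  # dry run unless --yes is given
    s3, cfn = boto3.client("s3"), boto3.client("cloudformation")
    bucket, n = remove_managed_stack(s3, cfn, dry_run=not really)
    print(f"{'deleted' if really else 'would delete'} {n} versions/markers from {bucket}")
```

Run it without arguments first to see the count, and pass `--yes` only once no other SAM application in the account and region still deploys from this bucket.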

@miketheman

Hi @vicheey, thanks for following up.

Question 1
This is not the primary problem, so I don't think being prompted or not prompted matters in this case.

  • What is your sam cli version?

I had supplied that in my original report - per your template, under Additional environment details. See there for details.

If your sam cli is not 1.132.0, please consider updating the tool and try again.

This is an unsatisfying response. I understand "upgrade to latest and try again" - but it's not like I was far behind, and nothing in the release notes or diff between versions points to this issue being resolved. Is there any specific commit you can point to that resolves this? It's okay if not, since it's not the issue I'm worried about.

Question 2
Also not the primary issue - from my original console log I showed:

	Are you sure you want to delete the stack demo-failure in the region us-east-1 ? [y/N]: y

Which you are showing as well. But note - this is not the problem, the stack was never deployed, so there's nothing to remove, so it's a nonsensical question from the tool.

Question 3
This is the main issue - I'll restate it plainly again:

Using sam creates things in an AWS account that sam itself cannot delete. This is poor behavior, as a tool that can generate things should also be able to clean up after itself.

The aws-sam-cli-managed-default-samclisourcebucket-blvhapsmfbaz can be used by multiple sam application deployments to store multiple project artifacts. It may not be safe to delete this bucket if it is used for multiple projects.

That makes sense, but nowhere does sam explain that, nor offer a way to clean up after itself.

The behavior you're experiencing is actually due to an underlying CloudFormation limitation. CloudFormation intentionally prevents the deletion of non-empty S3 buckets (including buckets with versioned objects) as a safety mechanism to prevent accidental data loss.

Since SAM CLI relies on CloudFormation for resource provisioning and management (including deletion), this CloudFormation limitation binds us.

To fully clean up these resources, you would need to manually remove all objects and their versions from the bucket before the CloudFormation stack (and bucket) can be deleted.

That's a fine explanation of CloudFormation, but the entire point of using sam is to not have to concern oneself with the inner workings of CloudFormation, so not offering a method to clean up leaves a user in a state where the tool they used had unintended side effects that are not obvious on how to resolve.

I remain of the opinion that if sam can create a CloudFormation stack and create resources in that stack, it should also offer a way to remove those resources and stacks completely.

@vicheey

vicheey commented Dec 17, 2024

Thank you for clarifying the issue.

Since this is currently an expected behavior of sam, we will consider your suggestion as a feature request to improve sam.

We have a roadmap here, but we also try to take in popular feature requests based on 👍🏽 from the community. We will be adding this to our intake for prioritization.

Once again, thank you for your contribution.

@vicheey vicheey added type/feature Feature request stage/needs-feedback Needs feedback from the community (are you also interested in/experiencing this?) and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Dec 17, 2024
@vicheey vicheey changed the title Bug: sam package creates artifacts that cannot be removed with sam delete [Feature Request] Make sam delete clean up all SAM managed resources including aws-sam-cli-managed-default stack Dec 17, 2024