feat: Add force-delete-all option to CLI delete command with comprehensive resource cleanup

Author: Bob Strahan

CHANGELOG.md

@@ -5,12 +5,14 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
-### Fixed
-
-
+## [0.4.2]
 
+### Added
 
-## [0.4.2]
+- **IDP CLI Force Delete All Resources Option**
+  - Added `--force-delete-all` flag to `idp-cli delete` command for comprehensive stack cleanup
+  - **Post-CloudFormation Cleanup**: Analyzes resources after CloudFormation deletion completes to identify retained resources (DELETE_SKIPPED status)
+  - **Use Cases**: Complete test environment cleanup, CI/CD pipelines requiring full teardown, cost optimization by removing all retained resources
 
 ### Changed
 

VERSION

@@ -1 +1 @@
-0.4.2-wip
+0.4.2-wip2

docs/idp-cli.md

@@ -177,14 +177,33 @@ idp-cli delete [OPTIONS]
 - `--stack-name` (required): CloudFormation stack name
 - `--force`: Skip confirmation prompt
 - `--empty-buckets`: Empty S3 buckets before deletion (required if buckets contain data)
+- `--force-delete-all`: Force delete ALL remaining resources after CloudFormation deletion (S3 buckets, CloudWatch logs, DynamoDB tables)
 - `--wait / --no-wait`: Wait for deletion to complete (default: wait)
 - `--region`: AWS region (optional)
 
 **S3 Bucket Behavior:**
-- **LoggingBucket**: `DeletionPolicy: Retain` - Always kept
+- **LoggingBucket**: `DeletionPolicy: Retain` - Always kept (unless using `--force-delete-all`)
 - **All other buckets**: `DeletionPolicy: RetainExceptOnCreate` - Deleted if empty
 - CloudFormation can ONLY delete S3 buckets if they're empty
 - Use `--empty-buckets` to automatically empty buckets before deletion
+- Use `--force-delete-all` to delete ALL remaining resources after CloudFormation completes
+
+**Force Delete All Behavior:**
+
+The `--force-delete-all` flag performs a comprehensive cleanup AFTER CloudFormation deletion completes:
+
+1. **CloudFormation Deletion Phase**: Standard stack deletion
+2. **Analysis Phase**: Identifies resources with DELETE_SKIPPED or retained status
+3. **Cleanup Phase**: Deletes remaining resources in order:
+   - DynamoDB tables (disables PITR, then deletes)
+   - CloudWatch Log Groups (matching stack name pattern)
+   - S3 buckets (regular buckets first, LoggingBucket last)
+
+**Resources Deleted by --force-delete-all:**
+- All DynamoDB tables from stack
+- All CloudWatch Log Groups (including nested stack logs)
+- All S3 buckets including LoggingBucket
+- Handles nested stack resources automatically
 
 **Examples:**
 
@@ -198,11 +217,14 @@ idp-cli delete --stack-name test-stack --force
 # Delete with automatic bucket emptying
 idp-cli delete --stack-name test-stack --empty-buckets --force
 
+# Force delete ALL remaining resources (comprehensive cleanup)
+idp-cli delete --stack-name test-stack --force-delete-all --force
+
 # Delete without waiting
 idp-cli delete --stack-name test-stack --force --no-wait
 ```
 
-**What you'll see:**
+**What you'll see (standard deletion):**
 ```
 ⚠️  WARNING: Stack Deletion
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -220,15 +242,70 @@ This action cannot be undone.
 Are you sure you want to delete this stack? [y/N]: _
 ```
 
+**What you'll see (force-delete-all):**
+```
+⚠️  WARNING: FORCE DELETE ALL RESOURCES
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Stack: test-stack
+Region: us-east-1
+
+S3 Buckets:
+  • InputBucket: 20 objects (45.3 MB)
+  • OutputBucket: 20 objects (123.7 MB)
+  • LoggingBucket: 5000 objects (2.3 GB)
+
+⚠️  FORCE DELETE ALL will remove:
+  • All S3 buckets (including LoggingBucket)
+  • All CloudWatch Log Groups
+  • All DynamoDB Tables
+  • Any other retained resources
+
+This happens AFTER CloudFormation deletion completes
+
+This action cannot be undone.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Are you ABSOLUTELY sure you want to force delete ALL resources? [y/N]: y
+
+Deleting CloudFormation stack...
+✓ Stack deleted successfully!
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Starting force cleanup of retained resources...
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Analyzing retained resources...
+Found 4 retained resources:
+  • DynamoDB Tables: 0
+  • CloudWatch Logs: 0
+  • S3 Buckets: 3
+
+⠋ Deleting S3 buckets... 3/3
+
+✓ Cleanup phase complete!
+
+Resources deleted:
+  • S3 Buckets: 3
+    - test-stack-inputbucket-abc123
+    - test-stack-outputbucket-def456
+    - test-stack-loggingbucket-ghi789
+
+Stack 'test-stack' and all resources completely removed.
+```
+
 **Use Cases:**
 - Cleanup test/development environments to avoid charges
 - CI/CD pipelines that provision and teardown stacks
 - Automated testing with temporary stack creation
-
-**Note:** LoggingBucket is retained by design. To delete it manually:
-```bash
-aws s3 rb s3://<logging-bucket-name> --force
-```
+- Complete removal of failed stacks with retained resources
+- Cleanup of stacks with LoggingBucket and CloudWatch logs
+
+**Important Notes:**
+- `--force-delete-all` automatically includes `--empty-buckets` behavior
+- Cleanup phase runs even if CloudFormation deletion fails
+- Includes resources from nested stacks automatically
+- Safe to run - only deletes resources that weren't deleted by CloudFormation
+- Progress bars show real-time deletion status
 
 ---
 

idp_cli/idp_cli/cli.py

@@ -40,7 +40,7 @@
 
 
 @click.group()
-@click.version_option(version="1.0.0")
+@click.version_option(version="0.4.2")
 def cli():
     """
     IDP CLI - Batch document processing for IDP Accelerator
@@ -301,6 +301,11 @@ def deploy(
     is_flag=True,
     help="Empty S3 buckets before deletion (required if buckets contain data)",
 )
+@click.option(
+    "--force-delete-all",
+    is_flag=True,
+    help="Force delete ALL remaining resources after CloudFormation deletion (S3 buckets, CloudWatch logs, DynamoDB tables). This cannot be undone.",
+)
 @click.option(
     "--wait/--no-wait",
     default=True,
@@ -311,6 +316,7 @@ def delete(
     stack_name: str,
     force: bool,
     empty_buckets: bool,
+    force_delete_all: bool,
     wait: bool,
     region: Optional[str],
 ):
@@ -321,6 +327,7 @@ def delete(
 
     S3 buckets configured with RetainExceptOnCreate will be deleted if empty.
     Use --empty-buckets to automatically empty buckets before deletion.
+    Use --force-delete-all to delete ALL remaining resources after CloudFormation deletion.
 
     Examples:
 
@@ -333,6 +340,9 @@ def delete(
       # Delete with automatic bucket emptying
       idp-cli delete --stack-name test-stack --empty-buckets --force
 
+      # Force delete ALL remaining resources (S3, logs, DynamoDB)
+      idp-cli delete --stack-name test-stack --force-delete-all --force
+
       # Delete without waiting for completion
       idp-cli delete --stack-name test-stack --force --no-wait
     """
@@ -350,7 +360,10 @@ def delete(
 
         # Show warning with bucket details
         console.print()
-        console.print("[bold red]⚠️  WARNING: Stack Deletion[/bold red]")
+        if force_delete_all:
+            console.print("[bold red]⚠️  WARNING: FORCE DELETE ALL RESOURCES[/bold red]")
+        else:
+            console.print("[bold red]⚠️  WARNING: Stack Deletion[/bold red]")
         console.print("━" * 60)
         console.print(f"Stack: [cyan]{stack_name}[/cyan]")
         console.print(f"Region: {region or 'default'}")
@@ -372,12 +385,25 @@ def delete(
                 else:
                     console.print(f"  • {logical_id}: [green]empty[/green]")
 
-            if has_data and not empty_buckets:
+            if has_data and not empty_buckets and not force_delete_all:
                 console.print()
                 console.print("[bold red]⚠️  Buckets contain data![/bold red]")
                 console.print("Deletion will FAIL unless you:")
                 console.print("  1. Use --empty-buckets flag to auto-delete data, OR")
-                console.print("  2. Manually empty buckets first")
+                console.print("  2. Use --force-delete-all to delete everything, OR")
+                console.print("  3. Manually empty buckets first")
+
+        if force_delete_all:
+            console.print()
+            console.print("[bold red]⚠️  FORCE DELETE ALL will remove:[/bold red]")
+            console.print("  • All S3 buckets (including LoggingBucket)")
+            console.print("  • All CloudWatch Log Groups")
+            console.print("  • All DynamoDB Tables")
+            console.print("  • Any other retained resources")
+            console.print()
+            console.print(
+                "[bold yellow]This happens AFTER CloudFormation deletion completes[/bold yellow]"
+            )
 
         console.print()
         console.print("[bold red]This action cannot be undone.[/bold red]")
@@ -386,15 +412,22 @@ def delete(
 
         # Confirmation unless --force
         if not force:
-            response = click.confirm(
-                "Are you sure you want to delete this stack?", default=False
-            )
+            if force_delete_all:
+                response = click.confirm(
+                    "Are you ABSOLUTELY sure you want to force delete ALL resources?",
+                    default=False,
+                )
+            else:
+                response = click.confirm(
+                    "Are you sure you want to delete this stack?", default=False
+                )
+
             if not response:
                 console.print("[yellow]Deletion cancelled[/yellow]")
                 return
 
-            # Double confirmation if --empty-buckets
-            if empty_buckets:
+            # Double confirmation if --empty-buckets (and not force-delete-all)
+            if empty_buckets and not force_delete_all:
                 console.print()
                 console.print(
                     "[bold red]⚠️  You are about to permanently delete all bucket data![/bold red]"
@@ -416,20 +449,11 @@ def delete(
                 wait=wait,
             )
 
-        # Show results
+        # Show CloudFormation deletion results
         if result.get("success"):
             console.print("\n[green]✓ Stack deleted successfully![/green]")
             console.print(f"Stack: {stack_name}")
             console.print(f"Status: {result.get('status')}")
-
-            # Note about LoggingBucket
-            console.print()
-            console.print(
-                "[bold]Note:[/bold] LoggingBucket (if exists) is retained by design."
-            )
-            console.print("Delete it manually if no longer needed:")
-            console.print("  [cyan]aws s3 rb s3://<logging-bucket-name> --force[/cyan]")
-            console.print()
         else:
             console.print("\n[red]✗ Stack deletion failed![/red]")
             console.print(f"Status: {result.get('status')}")
@@ -438,10 +462,96 @@ def delete(
             if "bucket" in result.get("error", "").lower():
                 console.print()
                 console.print(
-                    "[yellow]Tip: Try again with --empty-buckets flag[/yellow]"
+                    "[yellow]Tip: Try again with --empty-buckets or --force-delete-all flag[/yellow]"
                 )
 
-            sys.exit(1)
+            if not force_delete_all:
+                sys.exit(1)
+            else:
+                console.print()
+                console.print(
+                    "[yellow]Stack deletion failed, but continuing with force cleanup...[/yellow]"
+                )
+
+        # Post-deletion cleanup if --force-delete-all
+        cleanup_result = None
+        if force_delete_all:
+            console.print()
+            console.print("[bold blue]━" * 60 + "[/bold blue]")
+            console.print(
+                "[bold blue]Starting force cleanup of retained resources...[/bold blue]"
+            )
+            console.print("[bold blue]━" * 60 + "[/bold blue]")
+
+            try:
+                # Use stack ID for deleted stacks (CloudFormation requires ID for deleted stacks)
+                stack_identifier = result.get("stack_id", stack_name)
+                cleanup_result = deployer.cleanup_retained_resources(stack_identifier)
+
+                # Show cleanup summary
+                console.print()
+                console.print("[bold green]✓ Cleanup phase complete![/bold green]")
+                console.print()
+
+                total_deleted = (
+                    len(cleanup_result.get("dynamodb_deleted", []))
+                    + len(cleanup_result.get("logs_deleted", []))
+                    + len(cleanup_result.get("buckets_deleted", []))
+                )
+
+                if total_deleted > 0:
+                    console.print("[bold]Resources deleted:[/bold]")
+
+                    if cleanup_result.get("dynamodb_deleted"):
+                        console.print(
+                            f"  • DynamoDB Tables: {len(cleanup_result['dynamodb_deleted'])}"
+                        )
+                        for table in cleanup_result["dynamodb_deleted"]:
+                            console.print(f"    - {table}")
+
+                    if cleanup_result.get("logs_deleted"):
+                        console.print(
+                            f"  • CloudWatch Log Groups: {len(cleanup_result['logs_deleted'])}"
+                        )
+                        for log_group in cleanup_result["logs_deleted"]:
+                            console.print(f"    - {log_group}")
+
+                    if cleanup_result.get("buckets_deleted"):
+                        console.print(
+                            f"  • S3 Buckets: {len(cleanup_result['buckets_deleted'])}"
+                        )
+                        for bucket in cleanup_result["buckets_deleted"]:
+                            console.print(f"    - {bucket}")
+
+                if cleanup_result.get("errors"):
+                    console.print()
+                    console.print(
+                        "[bold yellow]⚠️  Some resources could not be deleted:[/bold yellow]"
+                    )
+                    for error in cleanup_result["errors"]:
+                        console.print(f"  • {error['type']}: {error['resource']}")
+                        console.print(f"    Error: {error['error']}")
+
+                console.print()
+
+            except Exception as e:
+                logger.error(f"Error during cleanup: {e}", exc_info=True)
+                console.print(f"\n[red]✗ Cleanup phase error: {e}[/red]")
+                console.print(
+                    "[yellow]Some resources may remain - check AWS Console[/yellow]"
+                )
+        else:
+            # Standard deletion without force-delete-all
+            if result.get("success"):
+                console.print()
+                console.print(
+                    "[bold]Note:[/bold] LoggingBucket (if exists) is retained by design."
+                )
+                console.print("Delete it manually if no longer needed:")
+                console.print(
+                    "  [cyan]aws s3 rb s3://<logging-bucket-name> --force[/cyan]"
+                )
+                console.print()
 
     except Exception as e:
         logger.error(f"Error deleting stack: {e}", exc_info=True)