I am using a python script to fetch active resources from my AWS account. I am using the following method:

import boto3

# `credentials` holds the response of an STS assume-role style call made
# earlier in the script (not shown here); its "Credentials" block carries the
# temporary key pair and session token used to build the member session.
member_session = boto3.session.Session(
    aws_access_key_id=credentials["Credentials"]["AccessKeyId"],
    aws_secret_access_key=credentials["Credentials"]["SecretAccessKey"],
    aws_session_token=credentials["Credentials"]["SessionToken"],
)
member_session.client("config").list_discovered_resources(
    resourceType="AWS::CloudFormation::Stack", includeDeletedResources=False
)

This returns all resources including the deleted ones of a specific resource type. I validated from the aws console and they are under the deleted tab for cloudformation-stack.

Is there something I am missing? Is there a time period after which the deleted resources are not visible as response to this api? I couldn't find something related in the docs.

Boto3 docs for the API Call

Why is the call returning deleted resources even though the flag includeDeletedResources is set to False?

That's most likely because CloudFormation only really deletes a stack after 90 days; see this question for reference. Before that, they're still returned by the API.

If I run this script against my account, the flag definitely shows a difference:

import boto3


def main():
    client = boto3.client("config")

    # Each call returns a single page of identifiers (plus a nextToken when
    # more pages exist), so the counts below are for the first page only.
    response_without_deleted = client.list_discovered_resources(
        resourceType="AWS::CloudFormation::Stack", includeDeletedResources=False
    )
    print(
        f"Found {len(response_without_deleted['resourceIdentifiers'])} resources that aren't deleted."
    )

    response_with_deleted = client.list_discovered_resources(
        resourceType="AWS::CloudFormation::Stack", includeDeletedResources=True
    )
    print(
        f"Found {len(response_with_deleted['resourceIdentifiers'])} resources including those that are deleted."
    )


if __name__ == "__main__":
    main()

Output

Found 22 resources that aren't deleted.
Found 93 resources including those that are deleted.

So my guess is that your deleted stack will be considered by the flag as deleted about 90 days after you originally deleted it because only then CloudFormation reports the resource as deleted to AWS Config.
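The counts in the answer come from one page of results each. As an added example (not code from the question or the answer), the script below walks every page of list_discovered_resources via nextToken, once with and once without includeDeletedResources, and returns the identifiers that only appear when deleted resources are included, which is the set AWS Config itself considers deleted. So that it runs offline, the block drives the logic with a constructed FakeConfigClient that mimics the real response shape (resourceIdentifiers, resourceDeletionTime, nextToken); the stack ARNs and account number in it are made up. For a real run, pass boto3.client("config") instead; the only permission it needs is config:ListDiscoveredResources.

```python
"""Paginated comparison of AWS Config's list_discovered_resources with and
without includeDeletedResources. Added example, not from the original post.
"""

STACK_TYPE = "AWS::CloudFormation::Stack"


def collect_resource_ids(client, resource_type, include_deleted):
    """Return the set of resourceId values across all pages of results."""
    ids = set()
    kwargs = {"resourceType": resource_type,
              "includeDeletedResources": include_deleted}
    while True:
        resp = client.list_discovered_resources(**kwargs)
        for ident in resp.get("resourceIdentifiers", []):
            ids.add(ident["resourceId"])
        token = resp.get("nextToken")
        if not token:           # last page reached
            return ids
        kwargs["nextToken"] = token


def deleted_only_ids(client, resource_type=STACK_TYPE):
    """Identifiers Config returns only when includeDeletedResources=True,
    i.e. the resources Config has already marked as deleted."""
    live = collect_resource_ids(client, resource_type, False)
    everything = collect_resource_ids(client, resource_type, True)
    return everything - live


class FakeConfigClient:
    """Constructed stand-in for boto3.client("config"); sample data only."""

    def __init__(self, page_size=2):
        self.page_size = page_size
        # (resourceId, resourceDeletionTime or None) -- made-up inventory
        acct = "arn:aws:cloudformation:us-east-1:123456789012:stack/"
        self._stacks = [
            (acct + "app-prod/1111", None),
            (acct + "app-stage/2222", None),
            (acct + "old-test/3333", "2023-01-01T00:00:00Z"),
            (acct + "shared-vpc/4444", None),
            (acct + "retired-job/5555", "2023-02-15T00:00:00Z"),
        ]

    def list_discovered_resources(self, resourceType,
                                  includeDeletedResources=False,
                                  nextToken=None, limit=None):
        # Mirror the real API: deleted rows only appear when asked for,
        # and results are handed out one page at a time.
        rows = [s for s in self._stacks
                if includeDeletedResources or s[1] is None]
        start = int(nextToken) if nextToken else 0
        page = rows[start:start + self.page_size]
        identifiers = []
        for rid, deleted_at in page:
            entry = {"resourceType": resourceType,
                     "resourceId": rid,
                     "resourceName": rid.rsplit("/", 2)[1]}
            if deleted_at:
                entry["resourceDeletionTime"] = deleted_at
            identifiers.append(entry)
        resp = {"resourceIdentifiers": identifiers}
        if start + self.page_size < len(rows):
            resp["nextToken"] = str(start + self.page_size)
        return resp


if __name__ == "__main__":
    client = FakeConfigClient()   # swap for boto3.client("config") in practice
    print("live stacks:", len(collect_resource_ids(client, STACK_TYPE, False)))
    print("all stacks: ", len(collect_resource_ids(client, STACK_TYPE, True)))
    for rid in sorted(deleted_only_ids(client)):
        print("marked deleted by Config:", rid)
```

Comparing the two full sets is more reliable than comparing first-page counts: with enough stacks, both single-page calls can return the same number of identifiers even though the underlying sets differ, and a stack that Config has not yet marked as deleted will still be in the "live" set.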