I have a stack arn:aws:cloudformation:us-east-1:384426254369:stack/BraunStack/ac1302e0-6cde-11ed-8837-0a5c7a83545f that I am trying to delete but it's stuck in state UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS. I traced through the stack events and found out that the problem is this:
Certificate arn:aws:acm:us-east-1:384426254369:certificate/e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef in account 384426254369 is in use. (Service: AWSCertificateManager; Status Code: 400; Error Code: ResourceInUseException; Request ID: ba2370ae-8f61-46a4-a251-aea442d34311; Proxy: null)
so I went to try to manually delete that ACM certificate and it says I can't because it's in use. The problem is, it says it's in use by this:
arn:aws:cloudfront::745623467555:distribution/ENHGSRI0SJ739
The issue is that's not something I see as one of my CloudFront distributions. In fact, that's not even my account number. It's almost as if somebody else is using my certificate, which is impossible. I do have two separate organizations (with one account each) that I manage, but that's not the account number of either.
So it looks like CloudFormation can't delete the stack because it can't delete the certificate, and I can't manually delete the certificate because some distribution that I cannot find (possibly in another account) is using it:
Failed to delete certificates
Certificate arn:aws:acm:us-east-1:384426254369:certificate/e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef in account 384426254369 is in use. (Service: AWSCertificateManager; Status Code: 400; Error Code: ResourceInUseException; Request ID: 38c32079-f59e-45b8-b753-07b0ee58a4ae; Proxy: null)
Can somebody at Amazon tell me how to clean this up? I think step 1 is delete that certificate, but it won't let me. I can always regenerate the certificate and this site isn't in production yet.
Update: I signed up for paid Developer support so I could ask for help. Case 11538935921. It really looks like somehow some other account is using my certificate; I'm mystified how that could be.
Thanks, Matt. That was the problem. It turns out it was a custom domain on a Cognito pool, and that causes a CF distribution to be created on an Amazon account just like you said. What was confusing was that CF distribution was basically invisible to me. What would have helped is if the Cognito user pool said explicitly "Here's the CloudFront dist that is part of this" - it was just hard to track down having not encountered this before. Thanks for your help!
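An added example, not part of the thread or written by any of its participants: one way to track down the holder described above is to compare the account in each `InUseBy` ARN with the certificate owner's account, then look for Cognito user pool custom domains whose `CustomDomainConfig.CertificateArn` is the stuck certificate. The certificate and distribution ARNs are the ones quoted in the post; the user pool ids, domain names and CloudFront endpoints are constructed sample values, and `explain_cert_usage` and `collect_live` are hypothetical helper names.

```python
# Added example: explain an ACM "in use" error caused by a Cognito custom domain.
CERT_ARN = ("arn:aws:acm:us-east-1:384426254369:certificate/"
            "e015608b-e8a9-4dbc-bd7a-d4b299e1c0ef")  # from the post
# Constructed samples shaped like the API responses; pool ids, domains and
# CloudFront endpoints are made up.
SAMPLE_CERT = {"CertificateArn": CERT_ARN, "InUseBy": [
    "arn:aws:cloudfront::745623467555:distribution/ENHGSRI0SJ739"]}
SAMPLE_DOMAINS = [
    {"UserPoolId": "us-east-1_EXAMPLE01", "Domain": "auth.example.com",
     "CloudFrontDistribution": "d111111abcdef8.cloudfront.net",
     "CustomDomainConfig": {"CertificateArn": CERT_ARN}},
    {"UserPoolId": "us-east-1_EXAMPLE02", "Domain": "example-prefix",
     "CloudFrontDistribution": "d222222abcdef8.cloudfront.net"},
]

def arn_account(arn):
    """Account id field of an ARN, or None if it is not ARN-shaped."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 and parts[0] == "arn" else None

def explain_cert_usage(cert, domain_descriptions):
    """cert: 'Certificate' from acm describe-certificate;
    domain_descriptions: 'DomainDescription' dicts from cognito-idp."""
    arn, owner = cert["CertificateArn"], arn_account(cert["CertificateArn"])
    foreign = [a for a in cert.get("InUseBy", []) if arn_account(a) != owner]
    holders = [(d.get("UserPoolId"), d.get("Domain"))
               for d in domain_descriptions
               if (d.get("CustomDomainConfig") or {}).get("CertificateArn") == arn]
    return {"foreign_in_use_by": foreign, "cognito_custom_domains": holders}

def collect_live(cert_arn, pool_region):
    """Same report from a real account (needs boto3 and credentials)."""
    import boto3
    acm = boto3.client("acm", region_name=cert_arn.split(":")[3])
    idp = boto3.client("cognito-idp", region_name=pool_region)
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    domains, token = [], {}
    while True:
        page = idp.list_user_pools(MaxResults=60, **token)
        for pool in page["UserPools"]:
            detail = idp.describe_user_pool(UserPoolId=pool["Id"])["UserPool"]
            if detail.get("CustomDomain"):
                domains.append(idp.describe_user_pool_domain(
                    Domain=detail["CustomDomain"])["DomainDescription"])
        if "NextToken" not in page:
            break
        token = {"NextToken": page["NextToken"]}
    return explain_cert_usage(cert, domains)

if __name__ == "__main__":
    print(explain_cert_usage(SAMPLE_CERT, SAMPLE_DOMAINS))
```

An `InUseBy` entry in an account you do not own, together with a matching custom domain, points to the user pool that is holding the certificate. User pools are regional, so `collect_live` has to be run once per region where pools exist.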