AWS CloudFormation

CloudFormation circular dependency error

By Sai Kiran Pandrala · Last verified: 2026-05-31 · Source: community Q&A, AWS docs, AWS re:Post

At a glance
ServiceAWS CloudFormation
CloudAmazon Web Services (AWS)
Guide typeProcedure
Skill levelIntermediate to advanced
Time15 - 60 minutes depending on account size

Running into CloudFormation circular dependency error on AWS CloudFormation is one of the more searched issues on AWS re:Post and StackOverflow in the last 12 months. Here is what actually moves the needle when the AWS docs are too generic.

What cloudformation circular dependency error actually involves on AWS CloudFormation

Real-world context. Cost envelope: ~Rs 0 INR for the fix itself, support plan adds Rs 2,500 to Rs 1,00,000 INR per month (around $30 to $1,200 USD/month). Time at the keyboard: ~15 to 45 minutes. Time end-to-end including verification: ~1 to 4 hours including IAM review and post-fix validation. Have an admin IAM role, the AWS CLI v2, and a CloudTrail filter pointed at the affected resource staged before the first command so you do not stall on missing inputs.

This task on AWS CloudFormation is one of the more searched operational topics on AWS in the last 12 months. The procedure below is the path that works in a current AWS account with default IAM and standard VPC config.

The rest of this page is the structured fix path. Start with diagnose, then remediation, then the automation options so you do not have to do this by hand the next time it surfaces. Verify and safety sections at the end are the discipline that keeps the fix from regressing in production.

Signal review

Reproduce the failure with the AWS CLI in --debug mode. The full SigV4 request payload it emits, plus the exact endpoint URL it resolved to, is what AWS Support uses to verify policy, region, or parameter issues without you having to share IAM credentials. Save the debug output to a file with aws ... --debug 2> debug.log and you can search it for the failed aws.request entry.

Look at the CloudTrail event for the failed call, even if you are not enrolled in CloudTrail Lake. The basic 90-day event history works for most diagnostic purposes and lives in the console under CloudTrail > Event history. Filter by event name (the API action) and time range; the event JSON shows the exact user identity, source IP, request parameters, and error code.

Diff against last known good. The last config change you made is the cause about three quarters of the time, even when the change should not have mattered. Use AWS Config history (or your Terraform / CloudFormation drift report) to see the actual delta between the resource state when it worked and when it broke. The change you remember is often not the only change that happened.

Solution-focused remediation path

For IAM and STS issues, the timing matters. STS sessions can take up to 60 seconds to propagate after creation. The first call right after assume-role can fail with a permission error even when the policy is correct. Add a small retry with backoff before treating the first failure as definitive.

If quotas are suspect, the Service Quotas console shows current usage and the active limit side by side. Request increases through Service Quotas, not through Support tickets - quota dashboard requests usually approve faster (often within minutes for soft limits) and they are auditable in CloudTrail. Set up Service Quotas + CloudWatch alarms at 80 percent usage so you get notified before you hit the wall.

If you cannot reproduce the failure consistently, the cause is probably a race condition or a session-cache issue. Run the call with --profile set to a fresh STS session, in a different region you control, with a single concurrent request. If it works there but fails in your normal setup, the difference is the bug.

Automate this fix so you do not do it twice

Wire the fix into EventBridge for self-healing

If the failure mode is recurring, automate the remediation instead of the diagnosis. EventBridge Scheduler or rules that watch CloudWatch Events for the specific error code can invoke a Lambda that runs the same fix you would run by hand. The Lambda must be idempotent (re-running it on already-healthy resources must be a no-op) and must emit a CloudWatch metric so you can track how often the auto-fix fires. A spike in auto-fix invocations is itself a signal worth alerting on.

# EventBridge rule pattern (JSON)
{ "source": ["aws.cloudformation"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "errorCode": ["AccessDenied", "ThrottlingException"] }
}

Automate the fix with Python and boto3

For anything you do more than twice, write a small Python script. The boto3 pattern below uses paginators (so it does not blow up on accounts with thousands of resources), explicit region binding, and a dry-run flag that defaults to True. Keep the script under 100 lines; if it grows beyond that, you are building a tool and should put it behind a Lambda with proper logging.

import boto3, sys
DRY_RUN = '--apply' not in sys.argv
client = boto3.client('cloudformation', region_name='us-east-1')
paginator = client.get_paginator('describe_...')
for page in paginator.paginate(): for item in page.get('Items', []): if item.get('Status') == 'FAILED': if DRY_RUN: print(f'[dry-run] would fix {item["Id"]}') else: client.modify_...(ResourceId=item['Id']) print(f'fixed {item["Id"]}')

Codify the fix in Terraform or CloudFormation

When you reach for the console to fix the same issue twice, the third occurrence should be solved in IaC, not in the console. Terraform's terraform import and CloudFormation's resource importer let you adopt the existing resource into state without recreating it. Lock the corrected attribute behind a variable so the next operator does not have to rediscover the value. Add a moved {} block or CloudFormation resource refactor to keep the diff clean.

Things that bite

The most common pitfall when fixing this on AWS CloudFormation is treating it as a one-off rather than as a recurring class of incident. The same misconfiguration tends to happen again after a deployment, a role rotation, or a region migration unless the fix is codified. Add a CloudFormation hook, Service Control Policy condition, or AWS Config rule that prevents the same misconfig from being introduced again. Documentation alone does not survive turnover.

Another common trap: confirming the fix on a single resource and assuming the fleet is healthy. Loop your check across every account, region, and IAM principal that could exhibit the same symptom. If you cannot enumerate the affected scope without a script, you do not yet understand the scope.

Repair sequence

Safety, rollback, blast radius

FAQ

How long does cloudformation circular dependency error typically take on AWS?
For most AWS CloudFormation environments, 15 to 60 minutes including verification. Large multi-account setups, anything touching SCPs at the Organizations level, or cross-region replication can stretch to half a day because AWS has to wait for replication and IAM session caches.
Is there a rollback path?
Yes for most AWS CloudFormation changes. Export the existing config to JSON via aws cloudformation describe-... first, then commit it before you change anything. A few operations are one-way (KMS key deletion past the pending window, region migration, account closure). Check the AWS doc for the specific API before you commit.
Will this affect dependent AWS services?
Often yes. AWS CloudFormation resources are usually referenced by other workloads (Lambda, ECS tasks, IAM-bound apps, CloudFront origins, downstream pipelines). Use IAM Access Analyzer + CloudTrail to enumerate consumers before changing a shared resource.
What if my AWS Console layout does not match these steps?
AWS Console UI moves quarterly. The Console layout in this page is current as of 2026-05-31 but the underlying CLI / SDK calls do not change as fast. If the Console version differs, fall back to aws CLI or SDK calls - those almost always still work.
Where do I get AWS Support help if I am still stuck?
Open a case via the AWS Support Center with: the request ID + correlation ID, the exact error string, CloudTrail event, and your reproduction steps. AWS re:Post is the no-cost public alternative - search there first; 80% of common AWS CloudFormation issues already have an answer with an AWS-staff-verified flag.

References

Related guides worth a look while you sort this one out: