BatchComputeEnvironment IAM role is deleted before the environment

[wayneworkman]

I'm opening this issue based on findings from a colleague. I can retrieve additional information as is necessary. Below is from my colleague:

In every invocation of aws-nuke against an environment that contains at least one AWS Batch Compute resource, in all cases, the tool has removed the Batch Compute's IAM role before fully deleting the compute environment. When this happens, the Batch Compute resource cannot be deleted, as this activity is delegated to AWS Batch, and without an appropriate role, the delete activity fails.

The logs will present repeated messages like the following:
{"level":"info","msg":"waiting for removal","name":"NAME REMOVED","owner":"us-east-1","state":"waiting","state_code":5,"time":"2025-04-04T15:41:30-05:00","type":"BatchComputeEnvironment"}

[ekristen]

We've had this problem in the past with cloudformation, we added a special settings to re-create the role to allow the deletion. We could do something like this. I also have an open feature about introducing a dag deletion order which would help too.

[rob100]

Hi, I have the same issue and aws-nuke will wait forever to delete the BatchComputeEnvironment. It would be nice if the tool would at least stop waiting after a specific time (I stopped it manually after 4 hours waiting).
The automatic recreation of the role could be a good workaround until the DAG Deletion Order Feature is available.

[ekristen]

Odd, I would expect it to throw an error if the role does exist.