fix: Preserve ECR images during cleanup and increase deployment timeout

- Update pre-destroy-cleanup.sh to NOT delete ECR repositories
- Add prominent warning message with manual ECR deletion commands
- Add Secrets Manager cleanup to pre-destroy script
- Update README with "Destroying Resources" section and ECR cleanup docs
- Increase post-deployment max_attempts from 30 to 40 for slower deployments

Author: aarora79

terraform/aws-ecs/README.md

@@ -881,10 +881,110 @@ curl https://kc.us-east-1.YOUR.DOMAIN/health
 # ============================================================================
 # CLEANUP
 # ============================================================================
-# Destroy infrastructure (WARNING: Deletes everything)
+# See "Destroying Resources" section below for detailed instructions
+./scripts/pre-destroy-cleanup.sh  # Run first to clean up blocking resources
+terraform destroy                  # Then destroy infrastructure
+```
+
+## Destroying Resources
+
+Before running `terraform destroy`, you must run the pre-destroy cleanup script to remove resources that may block deletion:
+
+```bash
+cd terraform/aws-ecs
+
+# Step 1: Run pre-destroy cleanup
+./scripts/pre-destroy-cleanup.sh
+
+# Step 2: Destroy infrastructure
 terraform destroy
 ```
 
+### Why Pre-Destroy Cleanup is Required
+
+Terraform destroy may fail due to:
+- **ECS Services**: Services must be scaled to 0 and deleted before clusters can be removed
+- **Service Discovery Namespaces**: Must delete services within namespaces before deleting namespaces
+- **ECS Cluster Capacity Providers**: Clusters with active capacity providers cannot be deleted
+- **Secrets Manager Secrets**: Deleted secrets are scheduled for deletion (7-30 days) and block recreation with the same name
+
+**Note:** ECR repositories are intentionally NOT deleted by the pre-destroy cleanup script. Container images are preserved to avoid expensive rebuilds when redeploying. See the "ECR Repository Cleanup (Optional)" section below for manual deletion commands.
+
+### Manual Cleanup Commands
+
+If `terraform destroy` fails, you may need to run these commands manually:
+
+```bash
+export AWS_REGION=us-east-1
+
+# ============================================================================
+# ECS Services Cleanup
+# ============================================================================
+# Scale down and delete ECS services
+aws ecs update-service --cluster mcp-gateway-ecs-cluster --service mcp-gateway-v2-registry --desired-count 0 --region $AWS_REGION
+aws ecs delete-service --cluster mcp-gateway-ecs-cluster --service mcp-gateway-v2-registry --force --region $AWS_REGION
+
+aws ecs update-service --cluster mcp-gateway-ecs-cluster --service mcp-gateway-v2-auth --desired-count 0 --region $AWS_REGION
+aws ecs delete-service --cluster mcp-gateway-ecs-cluster --service mcp-gateway-v2-auth --force --region $AWS_REGION
+
+aws ecs update-service --cluster keycloak --service keycloak --desired-count 0 --region $AWS_REGION
+aws ecs delete-service --cluster keycloak --service keycloak --force --region $AWS_REGION
+
+# Wait for tasks to stop (check with)
+aws ecs list-tasks --cluster mcp-gateway-ecs-cluster --region $AWS_REGION
+aws ecs list-tasks --cluster keycloak --region $AWS_REGION
+
+# ============================================================================
+# Service Discovery Cleanup
+# ============================================================================
+# List namespaces
+aws servicediscovery list-namespaces --region $AWS_REGION
+
+# Delete services in namespace first
+aws servicediscovery list-services --filters Name=NAMESPACE_ID,Values=ns-xxxxx --region $AWS_REGION
+aws servicediscovery delete-service --id srv-xxxxx --region $AWS_REGION
+
+# Then delete namespace
+aws servicediscovery delete-namespace --id ns-xxxxx --region $AWS_REGION
+
+# ============================================================================
+# Secrets Manager Cleanup
+# ============================================================================
+# Force delete secrets that are scheduled for deletion (required before recreating)
+aws secretsmanager delete-secret --secret-id "keycloak/database" --force-delete-without-recovery --region $AWS_REGION
+aws secretsmanager delete-secret --secret-id "mcp-gateway-keycloak-client-secret" --force-delete-without-recovery --region $AWS_REGION
+aws secretsmanager delete-secret --secret-id "mcp-gateway-keycloak-m2m-client-secret" --force-delete-without-recovery --region $AWS_REGION
+
+# ============================================================================
+# Targeted Terraform Destroy
+# ============================================================================
+# If full destroy fails, try targeted destroy of remaining resources
+terraform state list  # List remaining resources
+
+terraform destroy \
+  -target=module.mcp_gateway.aws_service_discovery_private_dns_namespace.mcp \
+  -target=module.ecs_cluster.aws_ecs_cluster.this[0] \
+  -target=module.vpc.aws_vpc.this[0]
+```
+
+### ECR Repository Cleanup (Optional)
+
+ECR repositories are intentionally NOT deleted by the pre-destroy cleanup script to preserve container images and avoid expensive rebuilds when redeploying. If you want to completely remove all resources including ECR repositories, run these commands manually:
+
+```bash
+export AWS_REGION=us-east-1
+
+# Delete all ECR repositories (WARNING: This deletes all container images!)
+aws ecr delete-repository --repository-name keycloak --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-registry --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-auth-server --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-currenttime --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-mcpgw --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-realserverfaketools --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-flight-booking-agent --force --region $AWS_REGION
+aws ecr delete-repository --repository-name mcp-gateway-travel-assistant-agent --force --region $AWS_REGION
+```
+
 ### File Structure Reference
 
 ```
@@ -911,7 +1011,8 @@ terraform/aws-ecs/
     ├── user_mgmt.sh                   # Keycloak user management
     ├── service_mgmt.sh                # Service management utilities
     ├── rotate-keycloak-web-client-secret.sh  # Rotate OAuth2 secrets
-    └── save-terraform-outputs.sh      # Export terraform outputs as JSON
+    ├── save-terraform-outputs.sh      # Export terraform outputs as JSON
+    └── pre-destroy-cleanup.sh         # Run before terraform destroy
 ```
 
 ### Environment Variables Reference

terraform/aws-ecs/scripts/post-deployment-setup.sh

@@ -344,7 +344,7 @@ _verify_ecs_services() {
     local keycloak_cluster="keycloak"
     local keycloak_service="keycloak"
 
-    local max_attempts=30
+    local max_attempts=40
     local wait_interval=20
 
     log_info "Checking ECS services are running..."
@@ -530,7 +530,7 @@ _restart_services() {
 
     log_info "Waiting for services to stabilize..."
 
-    local max_attempts=30
+    local max_attempts=40
     local wait_interval=10
 
     for attempt in $(seq 1 $max_attempts); do

terraform/aws-ecs/scripts/pre-destroy-cleanup.sh

@@ -126,33 +126,57 @@ else
 fi
 
 
-# Step 4: Force delete ECR repositories
+# Step 4: ECR Repositories - PRESERVED (not deleted)
 echo ""
-echo "Step 4: Cleaning up ECR Repositories"
-echo "-------------------------------------"
-
-ECR_REPOS=(
-    "mcp-gateway-registry"
-    "mcp-gateway-auth-server"
-    "mcp-gateway-currenttime"
-    "mcp-gateway-mcpgw"
-    "mcp-gateway-realserverfaketools"
-    "mcp-gateway-flight-booking-agent"
-    "mcp-gateway-travel-assistant-agent"
-    "keycloak"
+echo "Step 4: ECR Repositories"
+echo "------------------------"
+echo ""
+log_warn "============================================================"
+log_warn "ECR REPOSITORIES ARE NOT DELETED BY THIS SCRIPT"
+log_warn "============================================================"
+log_warn ""
+log_warn "Container images are preserved to avoid expensive rebuilds."
+log_warn "Images can be reused after terraform apply without rebuilding."
+log_warn ""
+log_warn "If you want to delete ECR repositories manually, run:"
+log_warn ""
+log_warn "  aws ecr delete-repository --repository-name keycloak --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-registry --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-auth-server --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-currenttime --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-mcpgw --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-realserverfaketools --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-flight-booking-agent --force --region $AWS_REGION"
+log_warn "  aws ecr delete-repository --repository-name mcp-gateway-travel-assistant-agent --force --region $AWS_REGION"
+log_warn ""
+log_warn "============================================================"
+echo ""
+
+
+# Step 5: Force delete Secrets Manager secrets
+echo ""
+echo "Step 5: Cleaning up Secrets Manager Secrets"
+echo "--------------------------------------------"
+
+SECRETS=(
+    "keycloak/database"
+    "mcp-gateway-keycloak-client-secret"
+    "mcp-gateway-keycloak-m2m-client-secret"
 )
 
-for repo in "${ECR_REPOS[@]}"; do
-    if aws ecr describe-repositories --repository-names "$repo" --region "$AWS_REGION" &>/dev/null; then
-        log_info "Force deleting ECR repository: $repo"
-        aws ecr delete-repository --repository-name "$repo" --force --region "$AWS_REGION" 2>/dev/null || log_warn "Failed to delete $repo"
+for secret in "${SECRETS[@]}"; do
+    if aws secretsmanager describe-secret --secret-id "$secret" --region "$AWS_REGION" &>/dev/null; then
+        log_info "Force deleting secret: $secret"
+        aws secretsmanager delete-secret --secret-id "$secret" --force-delete-without-recovery --region "$AWS_REGION" 2>/dev/null || log_warn "Failed to delete $secret"
+    else
+        log_info "Secret not found (already deleted): $secret"
     fi
 done
 
 
-# Step 5: Clean up any orphaned load balancers
+# Step 6: Clean up any orphaned load balancers
 echo ""
-echo "Step 5: Checking for orphaned resources"
+echo "Step 6: Checking for orphaned resources"
 echo "----------------------------------------"
 
 # Check for target groups that might block ALB deletion