cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

ELB Target Group deletion fails #3559

Open ghost opened 5 years ago

ghost commented 5 years ago

Whenever I try to delete an ELB and a target group is attached, deletion of the target group fails. Below is a sample for an ALB.

The following is the relevant part of the policy

- name: untagged-alb-delete
  resource: app-elb
  filters:
    - "tag:NoCustodian": absent
  actions:
    - type: delete
      force: true
- name: untagged-alb-target-group-delete
  resource: app-elb-target-group
  filters:
    - "tag:NoCustodian": absent
  actions:
    - delete

Error output is the following

2019-02-21 15:06:58,549: custodian.policy:INFO policy: untagged-alb-target-group-delete resource:app-elb-target-group region:eu-west-1 count:1 time:0.48
2019-02-21 15:06:58,711: custodian.output:ERROR Error while executing policy
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/c7n/policy.py", line 264, in run
    results = a.process(resources)
  File "/usr/local/lib/python3.7/site-packages/c7n/resources/appelb.py", line 1013, in process
    self.process_target_group(client, tg)
  File "/usr/local/lib/python3.7/site-packages/c7n/resources/appelb.py", line 1018, in process_target_group
    TargetGroupArn=target_group['TargetGroupArn'])
  File "/usr/local/lib/python3.7/site-packages/c7n/utils.py", line 374, in _retry
    return func(*args, **kw)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.ResourceInUseException: An error occurred (ResourceInUse) when calling the DeleteTargetGroup operation: Target group 'arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/NukerTest/80e577bc233ae165' is currently in use by a listener or a rule

Is there any way of forcing deletion of target groups?

kapilt commented 5 years ago

Noted. Is the target group here referenced from multiple load balancers? Just trying to understand if it's a delay in the association due to the deleting ALB or if it's multi-parented across several ALBs. A force configuration is going to need a code/change pull request, contributions welcome.

ghost commented 5 years ago

Hi @kapilt, thanks for the quick reply! Nope, the test was done with a single LB.

kapilt commented 5 years ago

Okay, so it's likely some degree of delay for the ALB deletion itself. If you run the policy again, I assume it then converges/works?

ghost commented 5 years ago

Correct, when I reran the policy the target group was deleted.
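
The behaviour described in this thread (DeleteTargetGroup raising ResourceInUse until the ALB deletion has finished, then succeeding on a rerun) can be handled by retrying only that error code with a backoff. This is an added example, not code from Cloud Custodian or from the commenters; `delete_target_group_when_free`, the fake client and the ARN are constructed for illustration, and the function assumes a boto3 `elbv2`-style client whose errors carry `response["Error"]["Code"]`.

```python
import time


def error_code(exc):
    """Return the AWS error code carried by a ClientError-like exception, else None."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def delete_target_group_when_free(client, target_group_arn, attempts=5,
                                  base_delay=2.0, sleep=time.sleep):
    """Delete a target group, retrying while a listener or rule still holds it.

    Returns the number of attempts used. Any error other than ResourceInUse
    (access denied, bad ARN) is re-raised at once so the retry loop does not
    hide it; ResourceInUse is re-raised after the final attempt.
    """
    for attempt in range(1, attempts + 1):
        try:
            client.delete_target_group(TargetGroupArn=target_group_arn)
            return attempt
        except Exception as exc:
            if error_code(exc) != "ResourceInUse" or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))  # 2s, 4s, 8s, ...


class FakeClientError(Exception):
    """Constructed stand-in shaped like botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeElbv2:
    """Constructed client: fails with `code` for the first `busy_calls` calls."""
    def __init__(self, busy_calls, code="ResourceInUse"):
        self.busy_calls, self.code, self.calls = busy_calls, code, 0

    def delete_target_group(self, TargetGroupArn):
        self.calls += 1
        if self.calls <= self.busy_calls:
            raise FakeClientError(self.code)
        return {}


if __name__ == "__main__":
    delays = []  # record requested sleeps instead of waiting
    used = delete_target_group_when_free(
        FakeElbv2(busy_calls=2), "arn:example:targetgroup/placeholder",
        sleep=delays.append)
    print(f"deleted after {used} attempts, waits: {delays}")
```
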