hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

resource/aws_iot_topic_rule_destination : Not Deleting ENIs #26567

Open MickSheppardWB opened 2 years ago

MickSheppardWB commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.2.6 registry.terraform.io/hashicorp/aws 4.28.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "main" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_iam_role" "iot_core_rule_destination" {
  name = "rule-destination-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Service = "iot.amazonaws.com"
        },
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "iot_core_rule_destination" {
  name = "rule-destination-policy"
  role = aws_iam_role.iot_core_rule_destination.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "ec2:CreateNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:CreateNetworkInterfacePermission",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeSubnets",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeSecurityGroups"
        ],
        Resource = "*"
      }
    ]
  })
}

resource "aws_iot_topic_rule_destination" "iot_rule_destination" {
  vpc_configuration {
    role_arn   = aws_iam_role.iot_core_rule_destination.arn
    vpc_id     = aws_vpc.main.id
    subnet_ids = [aws_subnet.main.id]
  }
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

To be consistent with the AWS CLI and AWS Console, when destroying the IoT Rule Destination it should delete the ENIs that are created during the apply.

Actual Behavior

On running terraform destroy, the ENIs are detached but not deleted.

Steps to Reproduce

  1. terraform apply
  2. terraform destroy

Important Factoids

References

MickSheppardWB commented 1 year ago

An additional note on the behaviour on destroy.

Because the ENIs are not deleted, the destruction of the subnets and VPC fails.

mbbush commented 1 year ago

Would https://github.com/hashicorp/terraform-provider-aws/issues/26568 make this easier to fix?

mbbush commented 1 year ago

When I use the AWS CLI to delete an IoT topic rule destination, it also deletes the created ENIs.

When I use terraform, it does not.

What I haven't tried is using the Go SDK to delete the IoT topic rule destination.

mbbush commented 1 year ago

I think this bug is happening because the role that has permission to delete ENIs gets deleted before the topic rule destination is finished cleaning up. There's an acceptance test for the terraform provider which deletes everything except the IAM role, and that seems to clean up properly.
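A workaround that follows from the diagnosis in the comment above, as an added example rather than code from the issue or from the provider: an explicit depends_on so that Terraform destroys the destination before the inline policy that grants ec2:DeleteNetworkInterface. It assumes the aws_vpc, aws_subnet and aws_iam_role resources from the issue's configuration are present unchanged, and that the ordering hypothesis is correct; if the provider returns from the destination's delete before IoT Core has finished removing the ENIs, this ordering alone may still not be enough.

```hcl
# Added example: the issue's policy and destination, with one change.
# Terraform destroys a resource before anything it depends on. The
# destination already references the role ARN, so the role outlives the
# destination, but the inline policy (the thing that actually grants
# ec2:DeleteNetworkInterface) is not in the destination's dependency chain
# and can be deleted while ENI cleanup is still running. The depends_on
# below adds that missing edge.

resource "aws_iam_role_policy" "iot_core_rule_destination" {
  name = "rule-destination-policy"
  role = aws_iam_role.iot_core_rule_destination.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Action = [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups"
      ],
      Resource = "*"
    }]
  })
}

resource "aws_iot_topic_rule_destination" "iot_rule_destination" {
  vpc_configuration {
    role_arn   = aws_iam_role.iot_core_rule_destination.arn
    vpc_id     = aws_vpc.main.id
    subnet_ids = [aws_subnet.main.id]
  }

  # Destroy ordering: this resource is now torn down before the policy
  # above, so the role still holds ec2:DeleteNetworkInterface while IoT
  # Core removes the ENIs it created. (Assumes aws_vpc.main, aws_subnet.main
  # and aws_iam_role.iot_core_rule_destination from the issue's config.)
  depends_on = [aws_iam_role_policy.iot_core_rule_destination]
}
```

After terraform destroy, any ENI still listed for the subnet (for example via DescribeNetworkInterfaces, which the role above is already allowed to call) indicates the cleanup did not complete and the subnet and VPC deletion will fail as reported.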