Open kralicky opened 2 years ago
Hi @kralicky - thank you for reporting. We'll take a look as soon as we can!
@kralicky How did you create the security group that was attached to the VPC? If you created it outside of Pulumi, then this is the expected behavior because Pulumi does not delete or modify resources that it did not create.
If you created the security group in Pulumi, please provide a minimal program that reproduces the error.
I think it's the security group created by an EKS cluster. This is how I create it: https://github.com/rancher/opni/blob/main/infra/pkg/aws/aws.go#L30
Hi, I'm facing a similar issue where I cannot destroy my stack because a security group is not deletable, since it's used by an ENI attached to the EC2 instance (worker node) of my EKS Cluster.
The whole cluster (with the security group) was created using:
```typescript
import * as eks from "@pulumi/eks";

const eksCluster = new eks.Cluster("eks-cluster", {
    // Put the cluster in the new VPC created earlier
    vpcId: eksVpc.id,
    // Public subnets will be used for load balancers
    publicSubnetIds: eksVpc.publicSubnetIds,
    // Private subnets will be used for cluster nodes
    privateSubnetIds: eksVpc.privateSubnetIds,
    // Change configuration values to change any of the following settings
    instanceType: eksNodeInstanceType,
    desiredCapacity: desiredClusterSize,
    minSize: minClusterSize,
    maxSize: maxClusterSize,
    // Worker nodes get public IP addresses (set to false to keep them private)
    nodeAssociatePublicIpAddress: true,
    // Uncomment the next two lines for a private cluster (VPN access required)
    // endpointPrivateAccess: true,
    // endpointPublicAccess: true
    userMappings: aws_auth_configMap
});
```
This is caused by the aws-node daemonset (vpc-cni) AWS installs on clusters. It assigns and manages the IP addresses and ENIs of the worker nodes. When shutting down it may not be able to gracefully detach & delete ENIs, leaving some of them dangling and blocking the deletion of the security groups attached to them. In turn this will block the deletion of subnets and VPCs.
A possible option for us to remediate this is deleting the aws-node daemonset before shutting down the node group.
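A pre-destroy check for the situation described above, as an added example that is not part of this thread or of Pulumi: given the JSON that `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id>` returns (the sample below is constructed, with placeholder IDs), it separates the ENIs that merely dangle (status `available`, no attachment, the typical vpc-cni leftover) from those still attached to a node or a managed service, so an operator knows what is safe to clean up before `pulumi destroy` and what still owns the security group.

```python
import json
from typing import Dict, List

# Constructed sample shaped like the describe-network-interfaces output; all IDs are placeholders.
SAMPLE_ENIS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa000000000001", "Description": "aws-K8S-i-0bbb000000000001",
   "Status": "available", "VpcId": "vpc-0ccc000000000001",
   "Groups": [{"GroupId": "sg-0ddd000000000001", "GroupName": "eks-cluster-nodeSecurityGroup"}]},
  {"NetworkInterfaceId": "eni-0aaa000000000002", "Description": "aws-K8S-i-0bbb000000000002",
   "Status": "in-use", "VpcId": "vpc-0ccc000000000001",
   "Attachment": {"AttachmentId": "eni-attach-0eee000000000002", "InstanceId": "i-0bbb000000000002",
                  "Status": "attached", "DeleteOnTermination": true},
   "Groups": [{"GroupId": "sg-0ddd000000000001", "GroupName": "eks-cluster-nodeSecurityGroup"}]},
  {"NetworkInterfaceId": "eni-0aaa000000000003", "Description": "ELB app/ingress/placeholder",
   "Status": "in-use", "VpcId": "vpc-0ccc000000000001",
   "Attachment": {"AttachmentId": "ela-attach-0fff000000000003", "Status": "attached"},
   "Groups": [{"GroupId": "sg-0ddd000000000002", "GroupName": "elb-sg"}]}
]}
""")


def classify_enis(describe_output: dict, sg_id: str) -> Dict[str, List[str]]:
    """Split the ENIs referencing sg_id into the two kinds that block its deletion.

    'dangling': status 'available' and no Attachment block; nothing owns it any
                more, so it is a leftover (vpc-cni style) that can be deleted
                after review.
    'in_use':   still attached to an instance or a managed service (e.g. ELB);
                the owning resource has to go away first.
    """
    result: Dict[str, List[str]] = {"dangling": [], "in_use": []}
    for eni in describe_output.get("NetworkInterfaces", []):
        if not any(g.get("GroupId") == sg_id for g in eni.get("Groups", [])):
            continue  # this ENI does not hold the security group we care about
        dangling = eni.get("Status") == "available" and "Attachment" not in eni
        result["dangling" if dangling else "in_use"].append(eni["NetworkInterfaceId"])
    return result


def cleanup_commands(classified: Dict[str, List[str]]) -> List[str]:
    """AWS CLI commands an operator would review and run for the dangling ENIs (not executed here)."""
    return [f"aws ec2 delete-network-interface --network-interface-id {eni}"
            for eni in classified["dangling"]]


if __name__ == "__main__":
    found = classify_enis(SAMPLE_ENIS, "sg-0ddd000000000001")
    print(json.dumps(found, indent=2))
    print("\n".join(cleanup_commands(found)))
```

Anything listed under `in_use` whose attachment has no `InstanceId` (the ELB case above) belongs to a managed service, so deleting that service, not the ENI, is the fix.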
What happened?
Deleting a stack containing a VPC times out, and the stack cannot be deleted. The following error is given:
This is ostensibly caused by the security group attached to the VPC. If I try to delete the VPC in the AWS console, it notes that the security group will also be deleted.
Upon manually deleting the security group, pulumi is able to delete the VPC successfully.
Steps to reproduce
See here for the relevant code
Expected Behavior
Pulumi should delete the associated security group before deleting the VPC
Actual Behavior
Pulumi cannot delete the VPC, and times out.
Output of pulumi about
Additional context
It appears the security group was created from an EKS ELB.