saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0
14.17k stars 5.48k forks source link

[BUG] boto_vpc.absent fails because of dependencies #60140

Open dfidler opened 3 years ago

dfidler commented 3 years ago

Description

Can't delete the vpc because an Internet Gateway and default Routing Table is created when creating a VPC, and so the VPC depends on those resources.

Setup

Script to create /srv/salt/issue-setup.sls and /srv/salt/issue-decomm.sls ``` cat < /srv/salt/issue-setup.sls {% set profile = salt['pillar.get']('aws') %} {% set prefix = salt['pillar.get']('aws:resource_prefix', 'sedemo_') %} {% set region = 'eu-west-1' %} {{prefix}}vpc: boto_vpc.present: - name: {{ prefix }}vpc - region: {{ region }} - cidr_block: 172.16.0.0/16 - instance_tenancy: default - dns_hostnames: False - tags: App: SaltStack Name: {{ prefix }}vpc {{prefix}}ig: boto_vpc.internet_gateway_present: - name: {{ prefix }}ig - vpc_name: {{ prefix }}vpc - region: {{ region }} - tags: Name: {{ prefix }}ig - require: - {{prefix}}vpc {% for net in ['128', '129', '130', '131'] %} {{prefix}}net_{{net}}: boto_vpc.subnet_present: - name: {{ prefix }}net_{{ net }} - region: {{ region }} - cidr_block: 172.16.{{net}}.0/24 - vpc_name: {{prefix}}vpc - availability_zone: eu-west-1b - tags: Name: {{ prefix }}net_{{ net }} #- route_table_name: {{ prefix }}rt - require: - {{prefix}}vpc # - {{prefix}}rt - require_in: - {{prefix}}rt {% endfor %} {{prefix}}rt: boto_vpc.route_table_present: - name: {{ prefix }}rt - region: {{ region }} - vpc_name: {{ prefix }}vpc - routes: - destination_cidr_block: 0.0.0.0/0 internet_gateway_name: {{ prefix }}ig - tags: Name: {{ prefix }}rt - subnet_names: {% for net in ['128', '129', '130', '131'] %} - {{ prefix }}net_{{ net }} {% endfor %} - require: - {{prefix}}vpc - {{prefix}}ig EOF cat < /srv/salt/issue-decomm.sls {% set profile = salt['pillar.get']('aws') %} {% set prefix = salt['pillar.get']('aws:resource_prefix', 'sedemo_') %} {% set region = 'eu-west-1' %} {% for net in ['128', '129', '130', '131'] %} {{prefix}}net_{{net}}: boto_vpc.subnet_absent: - name: {{ prefix }}net_{{ net }} - region: {{ region }} {% endfor %} {{prefix}}rt: boto_vpc.route_table_absent: - name: {{ prefix }}rt - region: {{ region }} {{prefix}}ig: boto_vpc.internet_gateway_absent: - name: {{ prefix }}ig - region: {{ region }} {{prefix}}vpc: boto_vpc.absent: - name: {{ prefix }}vpc - region: {{ region }} EOF ```

Steps to Reproduce the behavior

Results from issue-setup.sls ``` # salt saltmaster state.apply issue-setup local: ---------- ID: dkf_vpc Function: boto_vpc.present Result: True Comment: VPC dkf_vpc created. Started: 17:19:34.007185 Duration: 2451.457 ms Changes: ---------- new: ---------- vpc: ---------- cidr_block: 172.16.0.0/16 dhcp_options_id: dopt-9644d6f0 id: vpc-0e341452a6125ec60 instance_tenancy: default is_default: False region: eu-west-1 state: available tags: ---------- App: SaltStack Name: dkf_vpc old: ---------- vpc: None ---------- ID: dkf_ig Function: boto_vpc.internet_gateway_present Result: True Comment: Internet gateway dkf_ig created. Started: 17:19:36.459212 Duration: 1568.699 ms Changes: ---------- new: ---------- internet_gateway: igw-016aa38059d9af36a old: ---------- internet_gateway: None ---------- ID: dkf_net_128 Function: boto_vpc.subnet_present Result: True Comment: Subnet dkf_net_128 created. Started: 17:19:38.028167 Duration: 2057.704 ms Changes: ---------- new: ---------- subnet: ---------- availability_zone: eu-west-1b cidr_block: 172.16.128.0/24 id: subnet-032313dca107fdf76 tags: ---------- Name: dkf_net_128 vpc_id: vpc-0e341452a6125ec60 old: ---------- subnet: None ---------- ID: dkf_net_129 Function: boto_vpc.subnet_present Result: True Comment: Subnet dkf_net_129 created. Started: 17:19:40.086122 Duration: 1884.538 ms Changes: ---------- new: ---------- subnet: ---------- availability_zone: eu-west-1b cidr_block: 172.16.129.0/24 id: subnet-06725e30bfbbed551 tags: ---------- Name: dkf_net_129 vpc_id: vpc-0e341452a6125ec60 old: ---------- subnet: None ---------- ID: dkf_net_130 Function: boto_vpc.subnet_present Result: True Comment: Subnet dkf_net_130 created. Started: 17:19:41.970922 Duration: 1969.717 ms Changes: ---------- new: ---------- subnet: ---------- availability_zone: eu-west-1b cidr_block: 172.16.130.0/24 id: subnet-06a2df1924cd1c1ca tags: ---------- Name: dkf_net_130 vpc_id: vpc-0e341452a6125ec60 old: ---------- subnet: None ---------- ID: dkf_net_131 Function: boto_vpc.subnet_present Result: True Comment: Subnet dkf_net_131 created. Started: 17:19:43.940901 Duration: 1899.423 ms Changes: ---------- new: ---------- subnet: ---------- availability_zone: eu-west-1b cidr_block: 172.16.131.0/24 id: subnet-09a3f61456922b312 tags: ---------- Name: dkf_net_131 vpc_id: vpc-0e341452a6125ec60 old: ---------- subnet: None ---------- ID: dkf_rt Function: boto_vpc.route_table_present Result: True Comment: Route table dkf_rt created. Created route 0.0.0.0/0 in route table dkf_rt. Started: 17:19:45.841267 Duration: 5746.775 ms Changes: ---------- new: - subnet-06725e30bfbbed551 - subnet-032313dca107fdf76 - subnet-09a3f61456922b312 - subnet-06a2df1924cd1c1ca old: Summary for local ------------ Succeeded: 7 (changed=7) Failed: 0 ------------ Total states run: 7 Total run time: 17.578 s ```
Results from issue-decomm.sls (with errors) ``` # salt-call state.apply issue-decomm [ERROR ] Failed to delete route table: Bad Request: The routeTable 'rtb-0faff2a3b28fcdf39' has dependencies and cannot be deleted. [ERROR ] Failed to delete internet gateway: Bad Request: The internetGateway 'igw-016aa38059d9af36a' has dependencies and cannot be deleted.. [ERROR ] Failed to delete VPC: Bad Request: The vpc 'vpc-0e341452a6125ec60' has dependencies and cannot be deleted.. local: ---------- ID: dkf_net_128 Function: boto_vpc.subnet_absent Result: True Comment: Subnet dkf_net_128 deleted. Started: 17:20:31.162044 Duration: 884.874 ms Changes: ---------- new: ---------- subnet: None old: ---------- subnet: subnet-032313dca107fdf76 ---------- ID: dkf_net_129 Function: boto_vpc.subnet_absent Result: True Comment: Subnet dkf_net_129 deleted. Started: 17:20:32.047100 Duration: 630.03 ms Changes: ---------- new: ---------- subnet: None old: ---------- subnet: subnet-06725e30bfbbed551 ---------- ID: dkf_net_130 Function: boto_vpc.subnet_absent Result: True Comment: Subnet dkf_net_130 deleted. Started: 17:20:32.677330 Duration: 744.753 ms Changes: ---------- new: ---------- subnet: None old: ---------- subnet: subnet-06a2df1924cd1c1ca ---------- ID: dkf_net_131 Function: boto_vpc.subnet_absent Result: True Comment: Subnet dkf_net_131 deleted. Started: 17:20:33.422248 Duration: 681.369 ms Changes: ---------- new: ---------- subnet: None old: ---------- subnet: subnet-09a3f61456922b312 ---------- ID: dkf_rt Function: boto_vpc.route_table_absent Result: True Comment: Route table dkf_rt deleted. Started: 17:20:34.103782 Duration: 404.936 ms Changes: ---------- new: ---------- route_table: None old: ---------- route_table: rtb-017d23057cb8538fe ---------- ID: dkf_vpc-default-table Function: boto_vpc.route_table_absent Result: False Comment: Failed to delete route table: Bad Request: The routeTable 'rtb-0faff2a3b28fcdf39' has dependencies and cannot be deleted. Started: 17:20:34.508885 Duration: 366.934 ms Changes: ---------- ID: dkf_ig Function: boto_vpc.internet_gateway_absent Result: False Comment: Failed to delete internet gateway: Bad Request: The internetGateway 'igw-016aa38059d9af36a' has dependencies and cannot be deleted.. Started: 17:20:34.876064 Duration: 760.022 ms Changes: ---------- ID: dkf_vpc Function: boto_vpc.absent Result: False Comment: Failed to delete VPC: Bad Request: The vpc 'vpc-0e341452a6125ec60' has dependencies and cannot be deleted.. Started: 17:20:35.636286 Duration: 989.269 ms Changes: Summary for local ------------ Succeeded: 5 (changed=5) Failed: 3 ------------ Total states run: 8 Total run time: 5.462 s ```

Expected behavior

Delete the vpc. The problems are the following:

  1. You can't delete the internet gateway because the vpc depends on it
  2. A default routing table named (in my case) dkf_rt-default-table; you can't delete a default route table because it has dependencies
  3. You can't delete the vpc because it depends on both the internet gateway and the default routing table that was created by present.

When you delete a vpc from the UI, it tells you that it will delete both the vpc and the internet gateway and that you need to type "delete" to confirm deletion of both.

My guess is that the delete operation must include both the VPC and IG in the same call.

Screenshots gah

Versions Report

NOTE: I have applied https://github.com/saltstack/salt/commit/32ed7d05f0af1f07a0144cf5594370a5d65e70b3 to be able to create the routing tables in my sample script.

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.) ``` Salt Version: Salt: 3002.5 Dependency Versions: cffi: 1.14.5 cherrypy: unknown dateutil: 2.8.1 docker-py: Not Installed gitdb: 0.6.4 gitpython: 1.0.1 Jinja2: 2.11.1 libgit2: Not Installed M2Crypto: 0.35.2 Mako: Not Installed msgpack: 0.6.2 msgpack-pure: Not Installed mysql-python: Not Installed pycparser: 2.20 pycrypto: Not Installed pycryptodome: 3.10.1 pygit2: Not Installed Python: 3.6.8 (default, Nov 16 2020, 16:55:22) python-gnupg: Not Installed PyYAML: 3.13 PyZMQ: 17.0.0 smmap: 0.9.0 timelib: Not Installed Tornado: 4.5.3 ZMQ: 4.1.4 System Versions: dist: centos 7 Core locale: UTF-8 machine: x86_64 release: 3.10.0-957.1.3.el7.x86_64 system: Linux version: CentOS Linux 7 Core ```

Additional context Add any other context about the problem here.

sagetherage commented 3 years ago

@dfidler Salt v3002.5 is vulnerable, please upgrade to v3002.6