isovalent / aws-delete-vpc Goto Github PK

Nice tool isovalent. Saved me a bunch of effort. 🍻 It would be awesome if there was a way to provide the region via the CLI, like ---region [[NON_DEFAULT_REGION_VALUE]]. I was able to edit my ~/.aws/config for each region and everything worked nicely. CLI argument is just a bonus awesome extra feature.

Cheers.

I've failed to use the tool to properly clean up a setup where EC2 LBs were attached to the network interfaces, thus preventing them from being deleted, and blocking the tear down of the VPC.

It looks like we're leaving Virtual Private Gateways in our wake after running terraform. Can we please add that are managed by this tool?

There are no instructions on how to build this tool. I ran go build . just fine, but it'd be nice to have that information presented to the user.

#4 releases Elastic IPs, but I've encountered the following problem with the AWS API if permissions are not set correctly which leads to the Elastic IP not being released.

From the logs of a run:

$ aws-delete-vpc --cluster-name=twp-nwm3-2698053183
...
4:31PM INF DescribeAddresses AllocationIds=["eipalloc-07e568711c415fc49"]
4:31PM ERR ReleaseAddress error="operation error EC2: ReleaseAddress, https response error StatusCode: 400, RequestID: 70003f2b-351d-4f3b-b03a-06e3b41fa8f4, api error AuthFailure: You do not have permission to access the specified resource." AllocationId=eipalloc-07e568711c415fc49 PublicIp=34.251.241.48
4:31PM ERR DetachNetworkInterface error="operation error EC2: DetachNetworkInterface, https response error StatusCode: 400, RequestID: 25996d94-8ea1-453a-b50b-69bfcc01d29c, api error OperationNotPermitted: You are not allowed to manage 'ela-attach' attachments." AttachmentId=ela-attach-0fc5a7182c0fdd756
...
4:32PM ERR DeleteVpc error="operation error EC2: DeleteVpc, https response error StatusCode: 400, RequestID: b48e276b-a4c1-49e1-84cc-0b19c88d9bb8, api error InvalidVpcID.NotFound: The vpc ID 'vpc-07499152ed45c6325' does not exist" vpcId=vpc-07499152ed45c6325
4:32PM INF tryDeleteVpc deleted=true vpcId=vpc-07499152ed45c6325
4:32PM INF DeleteCluster Name=twp-nwm3-2698053183

What happens here is:

1. aws-delete-vpc finds the Elastic IP through its attachment to a Network Interface used by the VPC.
2. It then tries to release the Elastic IP, but the AWS API returns that the user does not have permission to do this.
3. Deletion of the rest of the VPC proceeds and eventually succeeds, unassociating the Elastic IP from its Network Interface.
4. At the end of this operation, the Elastic IP is not released, but as the VPC has been deleted, there is no way to identify that the Elastic IP was associated with the VPC, so the Elastic IP remains.

The net result is that the Elastic IP is not released.

I'm not sure if there's a way to fix this apart from using the correct permissions for the AWS profile used.

Some CREs will have Elastic IP addresses attached to them. These should be released when the VPC is deleted.