terraform-aws-eks

EKS created security group is (sometimes) orphaned when `terraform destroy` is interrupted

Open · oponomarov-tu opened this issue 1 year ago · 1 comment

Description

Destroying an EKS cluster might sometimes leave the EKS-created security group in an orphaned state, which in consequence blocks VPC destruction when terraform destroy has been interrupted. Might be related:

  • https://github.com/hashicorp/terraform-provider-aws/issues/11473

I am raising this issue here instead of the upstream provider repository because I believe that the module's consumers are more likely to provide practical workarounds.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v20.13.1
  • Terraform version: v1.8.4
  • Provider version(s):
Terraform v1.8.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.53.0
...

Reproduction Code [Required]

Steps to reproduce the behavior:

Pretty basic setup: run apply, run destroy, interrupt the process, run destroy again. Not 100% reproducible, though.

eks.tf

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.13.0"

  create = local.create_eks_cluster

  cluster_name                   = local.eks_cluster_name
  cluster_version                = var.eks_cluster_version
  cluster_endpoint_public_access = true

  vpc_id     = local.vpc_id
  subnet_ids = local.private_subnet_ids

  # Fargate profiles use the cluster primary security group so these are not utilized.
  create_cluster_security_group = false
  create_node_security_group    = false

  enable_cluster_creator_admin_permissions = true

  fargate_profiles = {
    karpenter = {
      selectors = [
        { namespace = "karpenter" }
      ]
    }
    kube_system = {
      name = "kube-system"
      selectors = [
        { namespace = "kube-system" }
      ]
    }
    argocd = {
      name = "argocd"
      selectors = [
        { namespace = "argocd" }
      ]
    }
  }

  tags = merge(
    local.tags,
    {
      "karpenter.sh/discovery" = local.eks_cluster_name
    }
  )
}

Expected behavior

All resources managed by EKS module are destroyed.

Actual behavior

All resources managed by the EKS module are destroyed except the EKS-created security group -- the one with the description:

  • "EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads."

oponomarov-tu · Jun 17 '24 12:06
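A practical cleanup for the situation described in the issue, as an added example that is not part of the terraform-aws-eks module or of the reporter's post: locate the EKS-created cluster security group left in the VPC after an interrupted `terraform destroy`, refuse to touch it while any ENI still references it (a live cluster or Fargate pod ENI), and delete it only on request so the VPC can be destroyed. It uses boto3's EC2 call shapes rather than the AWS CLI so the selection logic can be exercised offline against a constructed stub; the tag key `aws:eks:cluster-name` used as a filter is an assumption about how EKS tags the group (the description string is the one quoted in the issue), and the `sample_ec2()` data is constructed for illustration.

```python
"""Find and optionally delete the EKS-created cluster security group that an
interrupted `terraform destroy` can leave orphaned in a VPC.

Added example, not code from terraform-aws-eks. `ec2` may be a real
boto3.client("ec2") or any object exposing the same three calls.
"""

# Description EKS assigns to the cluster security group (quoted in the issue).
EKS_SG_DESCRIPTION = (
    "EKS created security group applied to ENI that is attached to EKS "
    "Control Plane master nodes, as well as any managed workloads."
)
# Assumption: EKS tags the cluster security group with this key.
EKS_CLUSTER_TAG = "aws:eks:cluster-name"


def find_eks_created_sgs(ec2, vpc_id, cluster_name):
    """Return IDs of security groups in vpc_id that EKS created for cluster_name."""
    resp = ec2.describe_security_groups(
        Filters=[
            {"Name": "vpc-id", "Values": [vpc_id]},
            {"Name": f"tag:{EKS_CLUSTER_TAG}", "Values": [cluster_name]},
        ]
    )
    # Require the exact EKS description too, so a user-tagged SG is never picked up.
    return [sg["GroupId"] for sg in resp["SecurityGroups"]
            if sg.get("Description") == EKS_SG_DESCRIPTION]


def attached_enis(ec2, group_id):
    """Return ENI IDs that still reference group_id; deletion fails while any exist."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "group-id", "Values": [group_id]}]
    )
    return [eni["NetworkInterfaceId"] for eni in resp["NetworkInterfaces"]]


def cleanup_orphaned_eks_sgs(ec2, vpc_id, cluster_name, dry_run=True):
    """Report candidate groups; delete the unreferenced ones unless dry_run.

    A group still referenced by another group's rules will raise DependencyViolation
    from delete_security_group; that is left to the caller on purpose.
    """
    report = {"candidates": [], "in_use": {}, "deleted": []}
    for gid in find_eks_created_sgs(ec2, vpc_id, cluster_name):
        report["candidates"].append(gid)
        enis = attached_enis(ec2, gid)
        if enis:
            report["in_use"][gid] = enis  # cluster or Fargate ENIs still attached
            continue
        if not dry_run:
            ec2.delete_security_group(GroupId=gid)
            report["deleted"].append(gid)
    return report


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client (same call shapes, in memory)."""

    def __init__(self, groups, enis):
        self.groups, self.enis, self.deleted = list(groups), list(enis), []

    def describe_security_groups(self, Filters):
        f = {x["Name"]: set(x["Values"]) for x in Filters}
        out = []
        for sg in self.groups:
            tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
            if "vpc-id" in f and sg["VpcId"] not in f["vpc-id"]:
                continue
            tag_filter = f"tag:{EKS_CLUSTER_TAG}"
            if tag_filter in f and tags.get(EKS_CLUSTER_TAG) not in f[tag_filter]:
                continue
            out.append(sg)
        return {"SecurityGroups": out}

    def describe_network_interfaces(self, Filters):
        wanted = {v for x in Filters if x["Name"] == "group-id" for v in x["Values"]}
        hits = [e for e in self.enis if wanted & {g["GroupId"] for g in e["Groups"]}]
        return {"NetworkInterfaces": hits}

    def delete_security_group(self, GroupId):
        self.deleted.append(GroupId)
        self.groups = [g for g in self.groups if g["GroupId"] != GroupId]


def sample_ec2():
    """Constructed VPC: one orphaned EKS SG ('demo'), one live one ('live'), one unrelated."""
    sgs = [
        {"GroupId": "sg-0eks", "VpcId": "vpc-0abc", "Description": EKS_SG_DESCRIPTION,
         "Tags": [{"Key": EKS_CLUSTER_TAG, "Value": "demo"}]},
        {"GroupId": "sg-0default", "VpcId": "vpc-0abc",
         "Description": "default VPC security group", "Tags": []},
        {"GroupId": "sg-0live", "VpcId": "vpc-0abc", "Description": EKS_SG_DESCRIPTION,
         "Tags": [{"Key": EKS_CLUSTER_TAG, "Value": "live"}]},
    ]
    enis = [{"NetworkInterfaceId": "eni-0live", "Groups": [{"GroupId": "sg-0live"}]}]
    return FakeEC2(sgs, enis)


if __name__ == "__main__":
    # Against a real account: cleanup_orphaned_eks_sgs(boto3.client("ec2"), vpc, name, dry_run=False)
    print(cleanup_orphaned_eks_sgs(sample_ec2(), "vpc-0abc", "demo", dry_run=False))
```

Run it with `dry_run=True` first and read the report: anything under `in_use` means the group is not orphaned at all (the cluster or its Fargate pods are still there), and the fix is to let the cluster deletion finish rather than to force the group away. Only after the report shows the group with no ENIs is deleting it, then re-running `terraform destroy`, the right move.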