
Commit 55630a3

committed
pkg/destroy/aws: Delete security groups by VPC
Sometimes CI leaks untagged security groups. Because we are allowed to remove all resources from within a cluster-owned VPC, add a ByVPC walker to remove these indirectly-owned groups. The default name skip avoids errors like: time="2019-08-22T12:39:23-07:00" level=debug msg="deleting EC2 security group sg-07c2e6d7b620fb39c: CannotDelete: the specified group: \"sg-07c2e6d7b620fb39c\" name: \"default\" cannot be deleted by a user\n\tstatus code: 400, request id: c88fd74c-77c3-41fe-badb-c53e8022226d" arn="arn:aws:ec2:us-west-2:269733383066:vpc/vpc-0c9097bf5797f611b" Without the name guard, hitting the error would cause an early exit from deleteEC2SecurityGroupsByVPC, meaning we would never progress further in deleteEC2VPC, leading to a hung cluster teardown.
1 parent 37a7f49 commit 55630a3


1 file changed

+70
-20
lines changed


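--- a/pkg/destroy/aws/aws.go
+++ b/pkg/destroy/aws/aws.go
@@ -880,31 +880,45 @@ func deleteEC2SecurityGroup(client *ec2.EC2, id string, logger logrus.FieldLogge
 }
 
 for _, group := range response.SecurityGroups {
-if len(group.IpPermissions) > 0 {
-_, err := client.RevokeSecurityGroupIngress(&ec2.RevokeSecurityGroupIngressInput{
-GroupId: group.GroupId,
-IpPermissions: group.IpPermissions,
-})
-if err != nil {
-return errors.Wrap(err, "revoking ingress permissions")
-}
-logger.Debug("Revoked ingress permissions")
+err = deleteEC2SecurityGroupObject(client, group, logger)
+if err != nil {
+return err
 }
+}
 
-if len(group.IpPermissionsEgress) > 0 {
-_, err := client.RevokeSecurityGroupEgress(&ec2.RevokeSecurityGroupEgressInput{
-GroupId: group.GroupId,
-IpPermissions: group.IpPermissionsEgress,
-})
-if err != nil {
-return errors.Wrap(err, "revoking egress permissions")
-}
-logger.Debug("Revoked egress permissions")
+return nil
+}
+
+func deleteEC2SecurityGroupObject(client *ec2.EC2, group *ec2.SecurityGroup, logger logrus.FieldLogger) error {
+if group.GroupName != nil && *group.GroupName == "default" {
+logger.Debug("Skipping default security group")
+return nil
+}
+
+if len(group.IpPermissions) > 0 {
+_, err := client.RevokeSecurityGroupIngress(&ec2.RevokeSecurityGroupIngressInput{
+GroupId: group.GroupId,
+IpPermissions: group.IpPermissions,
+})
+if err != nil {
+return errors.Wrap(err, "revoking ingress permissions")
+}
+logger.Debug("Revoked ingress permissions")
+}
+
+if len(group.IpPermissionsEgress) > 0 {
+_, err := client.RevokeSecurityGroupEgress(&ec2.RevokeSecurityGroupEgressInput{
+GroupId: group.GroupId,
+IpPermissions: group.IpPermissionsEgress,
+})
+if err != nil {
+return errors.Wrap(err, "revoking egress permissions")
 }
+logger.Debug("Revoked egress permissions")
 }
 
-_, err = client.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{
-GroupId: aws.String(id),
+_, err := client.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{
+GroupId: group.GroupId,
 })
 if err != nil {
 if err.(awserr.Error).Code() == "InvalidGroup.NotFound" {
@@ -917,6 +931,41 @@ func deleteEC2SecurityGroup(client *ec2.EC2, id string, logger logrus.FieldLogge
 return nil
 }
 
+func deleteEC2SecurityGroupsByVPC(client *ec2.EC2, vpc string, failFast bool, logger logrus.FieldLogger) error {
+var lastError error
+err := client.DescribeSecurityGroupsPages(
+&ec2.DescribeSecurityGroupsInput{
+Filters: []*ec2.Filter{
+{
+Name: aws.String("vpc-id"),
+Values: []*string{&vpc},
+},
+},
+},
+func(results *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool {
+for _, group := range results.SecurityGroups {
+err := deleteEC2SecurityGroupObject(client, group, logger.WithField("security group", *group.GroupId))
+if err != nil {
+if lastError != nil {
+logger.Debug(err)
+}
+lastError = errors.Wrapf(err, "deleting EC2 security group %s", *group.GroupId)
+if failFast {
+return false
+}
+}
+}
+
+return !lastPage
+},
+)
+
+if lastError != nil {
+return lastError
+}
+return err
+}
+
 func deleteEC2Snapshot(client *ec2.EC2, id string, logger logrus.FieldLogger) error {
 _, err := client.DeleteSnapshot(&ec2.DeleteSnapshotInput{
 SnapshotId: &id,
@@ -1058,6 +1107,7 @@ func deleteEC2VPC(ec2Client *ec2.EC2, elbClient *elb.ELB, elbv2Client *elbv2.ELB
 deleteEC2NATGatewaysByVPC, // not always tagged
 deleteEC2NetworkInterfaceByVPC, // not always tagged
 deleteEC2RouteTablesByVPC, // not always tagged
+deleteEC2SecurityGroupsByVPC, // not always tagged
 deleteEC2SubnetsByVPC, // not always tagged
 deleteEC2VPCEndpointsByVPC, // not taggable
 } {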
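Review bot: In deleteEC2SecurityGroupsByVPC the `if lastError != nil { logger.Debug(err) }` branch logs the new error and then overwrites lastError with that same error, so the earlier failure is dropped without ever being logged; logging the value being replaced instead, `logger.Debug(lastError)`, keeps every failure visible while still returning the most recent one. The function also deserves a doc comment, because the only ownership check is the `vpc-id` filter: every non-default group in the VPC is deleted regardless of tags, which is what the commit message intends for cluster-owned VPCs but is something the function itself cannot verify, so the caller contract should be explicit. Suggested comment: `// deleteEC2SecurityGroupsByVPC deletes every security group in vpc except the VPC's "default" group, ignoring tags; callers must only pass VPCs the cluster owns.` The `*group.GroupId` dereferences assume DescribeSecurityGroups always populates GroupId, which appears to be the case for the SDK, but a nil guard before the WithField call would be cheap insurance against a panic aborting the whole teardown.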
