EKS Control Plane Security Group not getting cleaned up

[chandankashyap19]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

TF: v0.13.7
hashicorp/aws v3.58.0

Affected Resource(s)

EKS Cluster with Fargate Type and Ec2 NodeGroup

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_eks_cluster" "main" {
  name     = join("-",[local.name_prefix,"eks-cluster"])
  role_arn = aws_iam_role.eks_cluster_role.arn
  version  = local.eks_cluster_version

  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  vpc_config {
    subnet_ids = concat(local.private_subnet_ids, local.public_subnet_ids)
  }

  depends_on = [
    aws_cloudwatch_log_group.eks_cluster,
    aws_iam_role_policy_attachment.eks_cluster_policy,
    aws_iam_role_policy_attachment.eks_service_policy,
    aws_iam_role_policy_attachment.eks_cluster_nlb_policy,
    aws_iam_role_policy_attachment.eks_controller_policy
  ]
}

Debug Output

Error deleting VPC: DependencyViolation: The vpc 'vpc-025bfcbeeeeeeddddf22' has dependencies and cannot be deleted

Panic Output

Error deleting VPC: DependencyViolation: The vpc 'vpc-025bfcbeeeeeeddddf22' has dependencies and cannot be deleted

Expected Behavior

TF should delete SG associated with EKS

Actual Behavior

SG is not getting deleted

Steps to Reproduce

We are using Terraform to provision EKS Cluster. Creation of cluster is going smooth but deletion of it SG is not happening.

Below policies are being used in EKS Cluster and I can confirm that these policy attachments are only getting deleted post cluster deletion so here there is no case of policy deletion happening first and then cluster.

AmazonEKSClusterPolicy
AmazonEKSServicePolicy
AmazonEKSVPCResourceController and

Custom Policy: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"elasticloadbalancing:",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:Describe"
],
"Resource": "*",
"Effect": "Allow"
}
]
}

All the above policies are being used in eks cluster role_arn. While performing terraform delete operations all the resources are getting destroyed successfully but SG ( EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads.) is not getting deleted.

PS: Consulted AWS Support team for the same and they conclude that SG deletion call was received but at that time SG was attached with ENI of the master plane so call was not successful. TF didn't even send 2nd call to check its existence.

Also seen EKS Cluster destroy is happening in 30s-1m and then this error is coming.

[qxmips]

stumbled into the same issue. is there any workaround?

[github-actions]

This functionality has been released in v4.29.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.