Terraform-provider-aws: Terraform is trying to destroy resources that are not involved with the application

Created on 22 Jan 2018 · 10 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @vincentdasari as hashicorp/terraform#17143. It was migrated here as a result of the provider split. The original body of the issue is below._


Trying to destroy a security group and terraform is complaining about not able to delete a lambda ENI. The IAM role associated with this seems to be good, because I was able to delete the security group using the console, but just not through terraform.

Terraform Version

Terraform v0.10.2

Resources involved

aws_security_group

Output

Error applying plan_destroy:

1 error(s) occurred:

  • aws_security_group.security_group (destroy): 1 error(s) occurred:

  • aws_security_group.security_group: Failed to delete Lambda ENIs: UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 34a87a79-a44e-49dd-8774-65038b01fc6f

Expected Behavior

Destroy the security group successfully

Actual Behavior

Throws an error with the aforementioned output

Steps to Reproduce

  1. Create a security group using Terraform
  2. Create an IAM role with the privs to delete the security group (assert that the role has the right privs by using it to create/delete a security group using the console).
  3. Run a plan_destroy on the security group

References

- #8033
This issue talks about security groups attached to a lambda. But like I said above, lambda functions aren't being created in the terraform app.

Labels: bug, service/ec2

All 10 comments

@vincentdasari this does seem strange. Are you using the provider assume_role configuration to perform this? Are you able to provide the relevant snippet of Terraform configuration that reproduces this problem? Otherwise we might need to see your debug logs to further troubleshoot. Thanks!

Closing due to lack of response.

Please reopen this issue. The issue still persists with
Terraform v0.11.8

  • provider.aws v1.37.0

Not using assume_role. The same user is able to delete the security group from the console

Can we re-open this please?

Using terraform 0.11.8 and

provider.aws: version = "~> 1.41"

I get this error trying to delete an aws_security_group used by an aws_elasticache_replication_group. No Lambdas involved.

Happy to supply whatever information you think is useful.

Also getting this.

Terraform v0.11.10
provider.aws: version = "~> 1.41"

Resource:

resource "aws_security_group" "my-resource" {
  name        = "<redacted>-${var.environment}"
  description = "<redacted>"
  vpc_id      = "${var.vpc_id}"
}

Error:

Failed to delete Lambda ENIs: UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403

I am assuming into a role which performs the terraform changes.

Here is a full example with terraform v0.11.10:

provider "aws" {
  version = "~> 1.41"
  region  = "eu-west-1"

  assume_role {
    role_arn = "arn:aws:iam::xxxxxxxxxxxx:role/my-terraform-role"
  }
}

resource "aws_security_group" "my-resource" {
  name        = "test"
  description = "test"
  vpc_id      = "vpc-xxxxxxxxxxx"
}

Giving:

$ terraform init

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (1.43.2)...

Terraform has been successfully initialized!
...
$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_security_group.my-resource
      id:                     <computed>
      arn:                    <computed>
      description:            "test"
      egress.#:               <computed>
      ingress.#:              <computed>
      name:                   "test"
      owner_id:               <computed>
      revoke_rules_on_delete: "false"
      vpc_id:                 "vpc-xxxxxxxxxxx"


Plan: 1 to add, 0 to change, 0 to destroy.
...
$ terraform destroy
aws_security_group.my-resource: Refreshing state... (ID: sg-xxxxxxxxxxxxxxxxx)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - aws_security_group.my-resource


Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_security_group.my-resource: Destroying... (ID: sg-xxxxxxxxxxxxxxxxx)

Error: Error applying plan:

1 error(s) occurred:

* aws_security_group.my-resource (destroy): 1 error(s) occurred:

* aws_security_group.my-resource: Failed to delete Lambda ENIs: UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Update. The fix was to add ec2:DescribeNetworkInterfaces IAM permissions to my terraform role.

The relevant code where this lookup exists can be found here:

https://github.com/hashicorp/terraform/commit/8e90dd4dc8dddef86f547f8adce71b3fc6d94c53

Would be interested in a better explanation as to why this needs to happen though.

There is an issue around providing extra docs about this feature: https://github.com/terraform-providers/terraform-provider-aws/issues/5083.

I had this same problem on 0.11.14 even with ec2:DescribeNetworkInterfaces

(aws provider: 2.14.0)

It successfully removed everything but the security group, which is still tied to an ENI, that for some reason did not get cleaned up when the lambda was removed.

 Failed to delete Lambda ENIs: UnauthorizedOperation: You are not authorized to perform this operation.

Edit:

The error message wasn't entirely clear, but the solution was still simple. I also needed ec2:DeleteNetworkInterface :)

tl;dr: Solution: Add ec2:DeleteNetworkInterface & ec2:DescribeNetworkInterfaces to your policy
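The two comments above (the DescribeNetworkInterfaces fix and the later DeleteNetworkInterface addition) describe the missing permissions but not how to grant them narrowly. The following is an added example, not code from the issue or from the provider, showing one way to attach both actions to the role Terraform assumes with the delete right scoped to a single VPC. It reuses the region, account and VPC placeholders already shown in the thread; the policy and role names are assumptions.

```hcl
# Least-privilege grant for the two EC2 actions identified in this thread.
# Written in the 0.11 interpolation style used elsewhere on this page.
data "aws_iam_policy_document" "terraform_sg_destroy" {
  # DescribeNetworkInterfaces does not support resource-level permissions,
  # so it has to be granted on "*". It is read-only.
  statement {
    sid       = "ListEnisForSecurityGroupCleanup"
    actions   = ["ec2:DescribeNetworkInterfaces"]
    resources = ["*"]
  }

  # DeleteNetworkInterface does support resource-level permissions and the
  # ec2:Vpc condition key, so restrict it to ENIs in the VPC this workspace
  # manages rather than every ENI in the account.
  statement {
    sid       = "DeleteLambdaEnisInManagedVpc"
    actions   = ["ec2:DeleteNetworkInterface"]
    resources = ["arn:aws:ec2:eu-west-1:xxxxxxxxxxxx:network-interface/*"]

    condition {
      test     = "ArnEquals"
      variable = "ec2:Vpc"
      values   = ["arn:aws:ec2:eu-west-1:xxxxxxxxxxxx:vpc/vpc-xxxxxxxxxxx"]
    }
  }
}

# Inline policy on the role named in the assume_role block earlier in the thread
# (assumed name; adjust to the role your provider configuration assumes).
resource "aws_iam_role_policy" "terraform_sg_destroy" {
  name   = "terraform-sg-destroy"
  role   = "my-terraform-role"
  policy = "${data.aws_iam_policy_document.terraform_sg_destroy.json}"
}
```

If the destroy still fails after this, the ENI is usually still in use by another resource (an ElastiCache or Lambda deployment that has not finished tearing down), and CloudTrail's DeleteNetworkInterface and DescribeNetworkInterfaces events for the assumed role show which call was denied.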

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
