Terraform: Terraform is trying to destroy resources that are not involved with the application

Created on 18 Jan 2018 · 4 Comments · Source: hashicorp/terraform

Trying to destroy a security group, and terraform is complaining about not being able to delete a lambda ENI. The IAM role associated with this seems to be good, because I was able to delete the security group using the console, just not through terraform.

Terraform Version

Terraform v0.10.2

Resources involved

aws_security_group

Output

Error applying plan_destroy:

1 error(s) occurred:

  • aws_security_group.security_group (destroy): 1 error(s) occurred:

  • aws_security_group.security_group: Failed to delete Lambda ENIs: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: 34a87a79-a44e-49dd-8774-65038b01fc6f

Expected Behavior

Destroy the security group successfully

Actual Behavior

Throws an error with the aforementioned output

Steps to Reproduce

  1. Create a security group using Terraform
  2. Create an IAM role with the privs to delete the security group (assert that the role has the right privs by using it to create/delete a security group using the console).
  3. Run a plan_destroy on the security group

References

- #8033
This issue talks about security groups attached to a lambda. But like I said above, lambda functions aren't being created in the terraform app.

Labels: bug, provider/aws

All 4 comments

It turns out "ec2:DescribeNetworkInterfaces" is missing in the IAM role, and once that has been added in, I was able to delete the security group successfully. Based on this, it looks like Terraform requires this additional priv to be able to delete the security group because I was able to delete the security group through the console without this priv.
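The comment above pins the failure on one missing action: the console deletes a security group with a single DeleteSecurityGroup call, while the provider first lists the network interfaces attached to the group (the DescribeNetworkInterfaces call that returned the 403) before it will delete it. The following is an added example, not code from this thread or from the Terraform AWS provider: a small Allow-only IAM action matcher that checks a constructed version of the restricted role against the two deletion paths and reports which action is missing. The policy documents and the action lists are assumptions built for the example; it ignores Deny statements, Resource ARNs and Conditions, so it is a quick local sanity check, not a replacement for IAM's policy simulator. If Lambda ENIs really are attached to the group, the provider's cleanup would also need to detach and delete them (ec2:DetachNetworkInterface and ec2:DeleteNetworkInterface), which is an assumption beyond what this thread shows and is included only as an optional list.

```python
import fnmatch
import json

# Constructed sample policy (not from the thread): a restricted role that can
# create and delete security groups but cannot describe network interfaces.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}
""")

# The same role with the action the comment above identified as missing.
CORRECTED_POLICY = json.loads(json.dumps(RESTRICTED_POLICY))
CORRECTED_POLICY["Statement"][0]["Action"].append("ec2:DescribeNetworkInterfaces")

# What each deletion path calls (assumed for the example).
CONSOLE_DELETE_ACTIONS = ["ec2:DeleteSecurityGroup"]
TERRAFORM_DELETE_ACTIONS = ["ec2:DescribeNetworkInterfaces", "ec2:DeleteSecurityGroup"]
# Assumed extra actions needed only when Lambda ENIs are actually attached.
LAMBDA_ENI_CLEANUP_ACTIONS = ["ec2:DetachNetworkInterface", "ec2:DeleteNetworkInterface"]


def _as_list(value):
    """IAM allows a string or a list in Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action):
    """Return True if any Allow statement's Action pattern matches the action.

    IAM action names are matched case-insensitively and '*' / '?' are wildcards,
    so "ec2:Describe*" covers ec2:DescribeNetworkInterfaces.  Deny statements,
    NotAction, Resource and Condition are deliberately out of scope here.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def missing_actions(policy, required):
    """Actions from `required` that no Allow statement in `policy` grants."""
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    for name, policy in (("restricted", RESTRICTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name}: console delete missing {missing_actions(policy, CONSOLE_DELETE_ACTIONS)}")
        print(f"{name}: terraform delete missing {missing_actions(policy, TERRAFORM_DELETE_ACTIONS)}")
        print(f"{name}: lambda ENI cleanup missing {missing_actions(policy, LAMBDA_ENI_CLEANUP_ACTIONS)}")
```

Run against the restricted policy, the console path reports nothing missing while the Terraform path reports ec2:DescribeNetworkInterfaces, which matches what the issue reporter saw: the role is sufficient for the console and insufficient for the provider. Adding the single Describe action clears the Terraform path; the detach/delete pair only matters if the group really has Lambda ENIs attached.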

Hi @vincentdasari,

This doesn't appear to be a core issue, so I'm going to move this over to the aws provider to see if there's anything that needs to be changed to operate with the restricted role provided.

This issue has been automatically migrated to terraform-providers/terraform-provider-aws#3099 because it looks like an issue with that provider. If you believe this is _not_ an issue with the provider, please reply to this issue and let us know.

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
