Commit 87df570

Delete orphaned subnets in eksctl_delete_cluster_cf_stack (#749)
*Issue #, if available:* Cluster deletion fails with `DependencyViolation` when CloudFormation tries to delete the VPC. This happens when a previous stack creation partially failed and rolled back, leaving orphaned subnets behind that CloudFormation no longer tracks but that still block VPC deletion.

*Description of changes:* In `eksctl_delete_cluster_cf_stack`, before initiating the `CloudFormation` stack deletion, we now query and delete any subnets tagged with the stack name. These are subnets that were created by CloudFormation during a failed/rolled-back stack creation and were not cleaned up, causing subsequent VPC deletion to fail.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Signed-off-by: Renan Magagnin <renanmag@amazon.co.uk>
1 parent 0c91582 commit 87df570
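The cleanup the commit describes (find subnets tagged `aws:cloudformation:stack-name=<stack>`, delete them, then run `delete-stack`) can be made more defensive than a bare `delete-subnet || true`. The script below is an added example, not code from this repository or the commit: it goes beyond the commit's version by checking each subnet for attached network interfaces first (the usual cause of `DependencyViolation`), retrying the delete, and reporting the subnet IDs it could not remove so the caller can decide whether running `delete-stack` is still worthwhile. The `AWS_CLI` and `MAX_ATTEMPTS` variables, the ENI pre-check and the function names are assumptions for illustration; the `aws ec2` subcommands and flags used are standard AWS CLI ones.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): defensive cleanup of subnets that
# CloudFormation tagged with a stack name but may no longer track.
# AWS_CLI, MAX_ATTEMPTS and the ENI pre-check are assumptions for illustration.
set -u

AWS_CLI="${AWS_CLI:-aws}"          # overridable so a stub can stand in for the CLI
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"  # delete-subnet retries before giving up

# Print the IDs (tab-separated, one line) of subnets carrying the stack-name tag.
find_stack_subnets() {
  region="$1"; stack="$2"
  "$AWS_CLI" ec2 describe-subnets --region "$region" \
    --filters "Name=tag:aws:cloudformation:stack-name,Values=$stack" \
    --query 'Subnets[*].SubnetId' --output text
}

# Number of ENIs still present in a subnet; anything above 0 makes
# delete-subnet fail with DependencyViolation.
subnet_eni_count() {
  region="$1"; subnet="$2"
  "$AWS_CLI" ec2 describe-network-interfaces --region "$region" \
    --filters "Name=subnet-id,Values=$subnet" \
    --query 'length(NetworkInterfaces)' --output text
}

# Delete one subnet with a few retries; non-zero exit if it never succeeds.
delete_subnet_with_retry() {
  region="$1"; subnet="$2"; attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if "$AWS_CLI" ec2 delete-subnet --region "$region" --subnet-id "$subnet"; then
      return 0
    fi
    echo "delete-subnet $subnet failed (attempt $attempt/$MAX_ATTEMPTS)" >&2
    attempt=$((attempt + 1))
    sleep 1
  done
  return 1
}

# Delete every subnet tagged with the stack. Subnets that still hold ENIs are
# skipped (deleting them would fail anyway). Prints the IDs that remain and
# returns 1 if there are any, 0 if the VPC is now free of stack subnets.
cleanup_orphaned_subnets() {
  region="$1"; stack="$2"; failed=""
  for subnet in $(find_stack_subnets "$region" "$stack"); do
    enis=$(subnet_eni_count "$region" "$subnet")
    if [ "$enis" != "0" ]; then
      echo "subnet $subnet still has ${enis:-?} ENI(s); skipping" >&2
      failed="$failed $subnet"
      continue
    fi
    delete_subnet_with_retry "$region" "$subnet" || failed="$failed $subnet"
  done
  if [ -n "$failed" ]; then
    echo "${failed# }"
    return 1
  fi
  return 0
}

# Typical call from a delete-cluster routine (region and stack from the caller):
#   if ! leftover=$(cleanup_orphaned_subnets "$REGION" "$STACK_NAME"); then
#     echo "subnets still blocking VPC deletion: $leftover" >&2
#   fi
#   aws cloudformation delete-stack --region "$REGION" --stack-name "$STACK_NAME"
```

The return value matters more than the log lines: a caller that ignores it is back to the silent `|| true` behaviour, where `delete-stack` later fails on the VPC with no indication that a subnet was the cause.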

1 file changed

Lines changed: 15 additions & 0 deletions

tests/e2e-kubernetes/scripts/eksctl.sh

@@ -209,6 +209,21 @@ function eksctl_delete_cluster_cf_stack() {
209209
return 0
210210
fi
211211

212+
# Delete any subnets orphaned by a CloudFormation SDK retry during stack creation.
213+
# CreateSubnet is not idempotent: if the first API call succeeds but the response times out
214+
# (a transient issue), the SDK retries and gets a CIDR conflict error. CFN sees only the
215+
# failure, records no PhysicalResourceId, and cannot clean up the subnet during rollback.
216+
# These orphaned subnets are still tagged with the stack name but are unknown to CFN,
217+
# and will block VPC deletion.
218+
SUBNETS=$(aws ec2 describe-subnets --region ${REGION} \
219+
--filters "Name=tag:aws:cloudformation:stack-name,Values=${STACK_NAME}" \
220+
--query 'Subnets[*].SubnetId' --output text)
221+
if [ -n "$SUBNETS" ]; then
222+
for SUBNET_ID in $SUBNETS; do
223+
aws ec2 delete-subnet --region ${REGION} --subnet-id ${SUBNET_ID} || true
224+
done
225+
fi
226+
212227
aws cloudformation delete-stack --region ${REGION} --stack-name ${STACK_NAME}
213228

214229
# GuardDury creates resources (namely an endpoint and a security group), which are not handled by eks cfn stack and prevents it from being deleted
