
Commit 9a32769

committed
ROSAENG-0000 | test: Cleanup VPC
1 parent f7dc1c3 commit 9a32769

8 files changed

Lines changed: 86 additions & 7 deletions


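--- a/examples/rosa-hcp-private-shared-vpc/main.tf
+++ b/examples/rosa-hcp-private-shared-vpc/main.tf
@@ -106,8 +106,9 @@ module "vpc" {
 aws = aws.network-owner
 }
 
-name_prefix = local.shared_resources_name_prefix
-availability_zones_count = 1
+name_prefix = local.shared_resources_name_prefix
+availability_zones_count = 1
+cleanup_rosa_vpce_security_groups = true
 }
 
 ############################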

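--- a/examples/rosa-hcp-private-with-additional-control-plane-security-groups/main.tf
+++ b/examples/rosa-hcp-private-with-additional-control-plane-security-groups/main.tf
@@ -91,8 +91,9 @@ resource "random_password" "password" {
 module "vpc" {
 source = "../../modules/vpc"
 
-name_prefix = var.cluster_name
-availability_zones_count = 1
+name_prefix = var.cluster_name
+availability_zones_count = 1
+cleanup_rosa_vpce_security_groups = true
 }
 
 ############################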

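--- a/examples/rosa-hcp-private/main.tf
+++ b/examples/rosa-hcp-private/main.tf
@@ -46,8 +46,9 @@ resource "random_password" "password" {
 module "vpc" {
 source = "../../modules/vpc"
 
-name_prefix = var.cluster_name
-availability_zones_count = 1
+name_prefix = var.cluster_name
+availability_zones_count = 1
+cleanup_rosa_vpce_security_groups = true
 }
 
 ############################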

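--- a/modules/vpc/README.md
+++ b/modules/vpc/README.md
@@ -22,13 +22,15 @@ module "vpc" {
 | ---- | ------- |
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.38.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.4 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 
 ## Providers
 
 | Name | Version |
 | ---- | ------- |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.38.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.4 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.9 |
 
 ## Modules
@@ -54,6 +56,7 @@ No modules.
 | [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
 | [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource |
+| [null_resource.vpc_destroy_cleanup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.vpc_resources_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -64,6 +67,7 @@ No modules.
 | ---- | ----------- | ---- | ------- | :------: |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | A list of availability zones names in the region. This value should not be updated, please create a new resource instead | `list(string)` | `null` | no |
 | <a name="input_availability_zones_count"></a> [availability\_zones\_count](#input\_availability\_zones\_count) | The count of availability zones to use within the specified AWS Region, where pairs of public and private subnets will be generated. Valid only when availability\_zones variable is not provided. This value should not be updated, please create a new resource instead | `number` | `null` | no |
+| <a name="input_cleanup_rosa_vpce_security_groups"></a> [cleanup\_rosa\_vpce\_security\_groups](#input\_cleanup\_rosa\_vpce\_security\_groups) | On destroy, remove orphaned ROSA HCP PrivateLink security groups (name suffix -vpce-private-router) left in this VPC after cluster deletion. Enable for private ROSA HCP clusters using this module; requires AWS CLI and EC2 permissions at destroy time. | `bool` | `false` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | User-defined prefix for all generated AWS resources of this VPC. This value should not be updated, please create a new resource instead | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS tags to be applied to generated AWS resources of this VPC. | `map(string)` | `null` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | Cidr block of the desired VPC. This value should not be updated, please create a new resource instead | `string` | `"10.0.0.0/16"` | no |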

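--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -204,9 +204,26 @@ resource "aws_route_table_association" "private_route_table_association" {
 
 # This resource is used in order to add dependencies on all resources
 # Any resource uses this VPC ID, must wait to all resources creation completion
+# Optional destroy hook: after time_sleep.vpc_resources_wait completes its destroy wait,
+# remove orphaned ROSA HCP VPCE security groups that block VPC deletion (DependencyViolation).
+resource "null_resource" "vpc_destroy_cleanup" {
+count = var.cleanup_rosa_vpce_security_groups ? 1 : 0
+
+triggers = {
+vpc_id = aws_vpc.vpc.id
+}
+
+provisioner "local-exec" {
+when = destroy
+command = "bash ${path.module}/../../scripts/vpc-destroy-cleanup.sh '${self.triggers.vpc_id}'"
+}
+}
+
 resource "time_sleep" "vpc_resources_wait" {
+depends_on = [null_resource.vpc_destroy_cleanup]
+
 create_duration = "20s"
-destroy_duration = "20s"
+destroy_duration = "5m"
 triggers = {
 vpc_id = aws_vpc.vpc.id
 cidr_block = aws_vpc.vpc.cidr_block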
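Review bot: The `destroy_duration = "5m"` change on time_sleep.vpc_resources_wait applies to every consumer of the module, including those that keep `cleanup_rosa_vpce_security_groups` at its default of false and therefore get no cleanup resource at all (count = 0), so the default configuration pays a fifteen-fold longer destroy wait for nothing. Tie the wait to the feature it serves, e.g. `destroy_duration = var.cleanup_rosa_vpce_security_groups ? "5m" : "20s"`. The local-exec command also reaches outside the module via `${path.module}/../../scripts/vpc-destroy-cleanup.sh`, which presumably resolves only when the module is consumed from this repository layout rather than a packaged or registry source; a comment on the resource stating that assumption would save the next consumer a confusing destroy failure. The destroy-time provisioner runs with the shell's ambient AWS credentials and region rather than the provider's configuration, so if the provider region is set in HCL an `environment` block on the provisioner is the place to pass it through. The time_sleep.vpc_resources_wait block continues past the end of the hunk.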

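--- a/modules/vpc/variables.tf
+++ b/modules/vpc/variables.tf
@@ -29,3 +29,9 @@ variable "tags" {
 default = null
 description = "AWS tags to be applied to generated AWS resources of this VPC."
 }
+
+variable "cleanup_rosa_vpce_security_groups" {
+type = bool
+default = false
+description = "On destroy, remove orphaned ROSA HCP PrivateLink security groups (name suffix -vpce-private-router) left in this VPC after cluster deletion. Enable for private ROSA HCP clusters using this module; requires AWS CLI and EC2 permissions at destroy time."
+}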

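--- a/modules/vpc/versions.tf
+++ b/modules/vpc/versions.tf
@@ -13,5 +13,9 @@ terraform {
 source = "hashicorp/time"
 version = ">= 0.9"
 }
+null = {
+source = "hashicorp/null"
+version = ">= 3.2.4"
+}
 }
 }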

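--- /dev/null
+++ b/scripts/vpc-destroy-cleanup.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright Red Hat
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+VPC_ID="${1:-}"
+
+if [[ -z "$VPC_ID" ]]; then
+echo "usage: $0 <vpc-id>" >&2
+exit 1
+fi
+
+while IFS=$'\t' read -r sg_id sg_name _sg_desc; do
+[[ -z "$sg_id" || "$sg_id" == "None" ]] && continue
+
+attached_enis="$(aws ec2 describe-network-interfaces \
+--filters "Name=group-id,Values=${sg_id}" \
+--query 'length(NetworkInterfaces)' \
+--output text 2>/dev/null || echo 0)"
+
+if [[ "$attached_enis" != "0" ]]; then
+continue
+fi
+
+if [[ "$sg_name" == *"-vpce-private-router" ]]; then
+aws ec2 delete-security-group --group-id "$sg_id" >/dev/null 2>&1 || true
+fi
+done < <(aws ec2 describe-security-groups \
+--filters "Name=vpc-id,Values=${VPC_ID}" \
+--query 'SecurityGroups[?GroupName!=`default`].[GroupId,GroupName,Description]' \
+--output text 2>/dev/null || true)
+
+remaining_count="$(aws ec2 describe-security-groups \
+--filters "Name=vpc-id,Values=${VPC_ID}" \
+--query 'length(SecurityGroups[?GroupName!=`default`])' \
+--output text 2>/dev/null || echo 0)"
+
+if [[ "$remaining_count" != "0" ]]; then
+echo "VPC ${VPC_ID} still has ${remaining_count} non-default security group(s) after cleanup." >&2
+aws ec2 describe-security-groups \
+--filters "Name=vpc-id,Values=${VPC_ID}" \
+--query 'SecurityGroups[?GroupName!=`default`].[GroupId,GroupName,Description]' \
+--output table >&2
+fi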
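Review bot: The ENI attachment check (the `describe-network-interfaces` substitution feeding `attached_enis`) fails open: if the describe call errors for any reason — missing permission, wrong region, throttling — the `|| echo 0` fallback makes the group look unattached and the script goes on to `delete-security-group` for a group whose attachment state was never confirmed. Make the error path skip instead, e.g. `--output text 2>/dev/null || echo unknown)"`, so the `!= "0"` test below treats an unanswered query as "leave it alone"; the `|| true` on the delete already hides the result, so nothing else would surface the mistake. Since the VPC id reaches this script through a Terraform interpolation into a shell command line, a shape check before use is a cheap guard: `[[ "$VPC_ID" =~ ^vpc-[0-9a-f]+$ ]] || { echo "invalid vpc id: $VPC_ID" >&2; exit 1; }`. The script also depends on the CLI's ambient region and credentials; if the provider region is configured in HCL rather than the environment, every query here may silently run against a different region and report nothing to delete, which the final `remaining_count` check would not distinguish from success.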
