2

(disclaimer: new to AWS, a developer trying to pivot into DevOps)

During one interview/screening, I took a take-home challenge, which asked me to provision a complex piece of infrastructure, using their own script, which relied on Terraform, and created a little cosmos of intertwined AWS resources. Unfortunately, I manually (yuck!) deleted the S3 bucket used by Terraform to keep track of the state of things - so destroying them automatically is no longer possible, so I need to clean it all up manually.

Most of the things are cleared now. But there's a Security Group that's left over. Deleting it fails due to it being connected to something called Network Interface. Looking at that Network Interface I found out that "Delete" button is greyed out, but "Detach" is active - alas, it said I can't "Detach" it, because I "lack permissions". Given the fact that I'm logged into console as a root of my AWS account, I don't buy it.

Does anyone know what these beasts are, and what are the possible problems killing them? I suppose it's kinda like a connection between A and B, and if either end of a connection is plugged in, you can't "kill" it - but what should I look for?

alexakarpov
  • OK, so this is getting interesting: there's a field called "Attachment Owner", and that sure ain't me: 395204662587 – alexakarpov Jun 27 '18 at 16:57
  • Did you try a force detachment? Also Security groups attach to Network interfaces; I would remove the rule in the sec group, then delete both, sec group then network interface. – strongjz Jun 27 '18 at 19:42
  • 1
    This question has similar recommendations https://stackoverflow.com/questions/37232965/issue-in-deleting-vpc-and-network-interface – strongjz Jun 27 '18 at 19:48
  • Of course I tried the 'force'; told me I have no permissions. Can't force through that ) – alexakarpov Jun 27 '18 at 23:14

1 Answer

2

Got the bugger!

As I was clearing out the Roles created by Terraform, I discovered a Service-owned role; it had "RDS" in its name. Surprised (I thought I killed those among the first), I went to check, and indeed there was an instance lurking. After killing that, removing NI and VPC (and the role) was unblocked.

It's interesting to me now - how come the error didn't mention the RDS as a blocker? All it could tell me was the NI is blocking it; now I guess I know who was the owner of the Attachment - that RDS instance. But why the heck was it a "permission" issue for me? 'Force' should have dealt with it!

alexakarpov
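A triage sketch for the situation in this thread, added here as an example and not code from the question or the answer: it reads `describe-network-interfaces` output for one security group and reports which interfaces are service-owned, so the owning resource (the RDS instance, in this case) is found before any detach attempt. The sample response, all IDs and account numbers, the `blocking_enis` helper and the `SERVICE_HINTS` prefix list are assumptions made for the example.

```python
import json

# Constructed sample in the shape returned by
#   aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id>
# Every ID and account number here is made up for the example.
SAMPLE = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0aaa", "Description": "RDSNetworkInterface",
  "OwnerId": "111122223333", "RequesterManaged": true, "Status": "in-use",
  "Groups": [{"GroupId": "sg-0123"}],
  "Attachment": {"InstanceOwnerId": "444455556666", "Status": "attached"}},
 {"NetworkInterfaceId": "eni-0bbb", "Description": "", "OwnerId": "111122223333",
  "RequesterManaged": false, "Status": "available",
  "Groups": [{"GroupId": "sg-0123"}]},
 {"NetworkInterfaceId": "eni-0ccc", "Description": "", "OwnerId": "111122223333",
  "RequesterManaged": false, "Status": "available",
  "Groups": [{"GroupId": "sg-9999"}]}]}""")

# Description prefixes commonly seen on service-created interfaces (assumed list,
# not exhaustive); the RDS entry is the case from this thread.
SERVICE_HINTS = {"RDSNetworkInterface": "RDS", "ELB ": "Elastic Load Balancing",
                 "AWS Lambda VPC ENI": "Lambda",
                 "Interface for NAT Gateway": "NAT gateway"}

def blocking_enis(response, group_id, my_account):
    """List interfaces that keep group_id in use and say what to remove first."""
    findings = []
    for eni in response["NetworkInterfaces"]:
        if group_id not in {g["GroupId"] for g in eni.get("Groups", [])}:
            continue
        attachment = eni.get("Attachment") or {}
        owner = attachment.get("InstanceOwnerId")
        # Service-owned: flagged requester-managed, or attached by another principal.
        managed = bool(eni.get("RequesterManaged")) or owner not in (None, my_account)
        desc = eni.get("Description", "")
        service = next((s for p, s in SERVICE_HINTS.items() if desc.startswith(p)), None)
        if managed:
            action = f"delete the owning {service or 'service'} resource first"
        elif attachment:
            action = "detach, then delete the interface"
        else:
            action = "delete the interface"
        findings.append({"eni": eni["NetworkInterfaceId"], "attachment_owner": owner,
                         "managed": managed, "service": service, "action": action})
    return findings

if __name__ == "__main__":
    for f in blocking_enis(SAMPLE, "sg-0123", "111122223333"):
        print(f)
```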