
Commit a8d838e

committed
feat: error-destroy.sh: more robust script
1 parent 7f5f268 commit a8d838e


1 file changed

+128
-28
lines changed

1 file changed

+128
-28
lines changed

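--- a/aws-eks/error-destroy.sh
+++ b/aws-eks/error-destroy.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+# script that runs if tf fails: attempts to delete any and all trailing resources
+
 set -u
 set -o pipefail
 
@@ -15,65 +17,163 @@ echo
 echo "ensuring AWS is setup"
 aws sts get-caller-identity > /dev/null
 
+#
+# Nat Gateways
+#
+
 echo "looking for NAT Gateways"
-NAT_GATEWAYS=$(aws ec2 describe-nat-gateways --filter Name=tag:Name,Values=$NUON_INSTALL_ID*)
+NAT_GATEWAYS=$(aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-nat-gateways --filter Name=tag:Name,Values=$NUON_INSTALL_ID*)
 echo $NAT_GATEWAYS | jq -r '.NatGateways[].NatGatewayId' | while read -r nat_gateway_id; do
 echo "deleting NAT Gateway "$nat_gateway_id
-aws ec2 delete-nat-gateway --nat-gateway-id $nat_gateway_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-nat-gateway --nat-gateway-id $nat_gateway_id
+done
+
+#
+# VPC Cleanup: Resources
+#
+
+function delete_vpc_subnets() {
+SNS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-subnets --filters 'Name=vpc-id,Values='$vpc_id | jq -r '.Subnets'`
+echo $SNS | jq -r '.[].SubnetId' | while read sn_id; do
+echo " - deleting subnet "$sn_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-subnet --subnet-id $sn_id
+done
+}
+
+function delete_vpc_security_groups() {
+SGS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-security-groups --filters 'Name=vpc-id,Values='$vpc_id | jq -r '.SecurityGroups'`
+echo $SGS | jq -r '.[].GroupId' | while read sg_id; do
+echo " - deleting sg "$sg_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-security-group --group-id $sg_id
+done
+}
+
+function disassociate_vpc_security_groups() {
+# useful for SGs that reference each other
+# in the context of this script, it should only be run near then end right before we delete the sg then vpc.
+# it exists only because there are a small number of SGs that cannot be deletd otherwise.
+SGS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-security-groups --filters 'Name=vpc-id,Values='$vpc_id | jq -r '.SecurityGroups'`
+echo $SGS | jq -c '.[]' | while read sg; do
+sg_name=`echo "$sg" | jq -r '.Name'`
+if [[ "$sg_name" == "default" ]]; then
+echo "politely refusing to delete default vpc security group"
+else
+sg_id=`echo "$sg" | jq -r '.GroupId'`
+group_ids=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-security-group-rules --filters 'Name=group-id,Values='$sg_id | jq -r '.SecurityGroupRules.[].SecurityGroupRuleId'`
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 revoke-security-group-ingress --group-id $sg_id --security-group-rule-ids $group_ids
+fi
+done
+}
+
+function delete_vpc_resources() {
+# deletes all of the resources tagged with a specific VPC.
+# this is intended to be run multiple times.
+vpc_id=$1
+echo "["$vpc_id"] Looking for resources"
+
+delete_vpc_security_groups $vpc_id
+
+IGWS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-internet-gateways --filters 'Name=attachment.vpc-id,Values='$vpc_id | jq -r '.InternetGateways'`
+echo $IGWS | jq -r '.[].InternetGatewayId' | while read ig_id; do
+echo " - detaching internet gateway "$ig_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 detach-internet-gateway --internet-gateway-id $ig_id --vpc-id $vpc_id
+echo " - deleting internet gateway "$ig_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-internet-gateway --internet-gateway-id $ig_id
+done
+
+delete_vpc_subnets $vpc_id
+
+NACLS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-network-acls --filters 'Name=vpc-id,Values='$vpc_id | jq -r '.NetworkAcls'`
+echo $NACLS | jq -r '.[].NetworkAclId' | while read na_id; do
+echo "- deleting network acl "$na_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-network-acl --network-acl-id $na_id
+done
+
+RTTBLS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-route-tables --filters 'Name=vpc-id,Values='$vpc_id | jq -r '.RouteTables'`
+echo $RTTBLS | jq -r '.[].RouteTableId' | while read rt_id; do
+echo " - deleting route table "$rt_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-route-table --route-table-id $rt_id
+done
+
+NGWS=`aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-nat-gateways --filter 'Name=vpc-id,Values='$vpc_id | jq -r '.NatGateways'`
+echo $NGWS | jq -r '.[].NatGatewayId' | while read ngw_id; do
+echo "- deleting nat gateway "$ngw_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-nat-gateway --nat-gateway-id $ngw_id
+done
+}
+
+echo "looking for vpc..."
+VPCS=$(aws --profile $AWS_PROFILE --region $AWS_REGION ec2 \
+describe-vpcs \
+--filters Name=tag:Name,Values=$NUON_INSTALL_ID)
+
+echo $VPCS | jq -r '.Vpcs[].VpcId' | while read -r vpc_id ; do
+delete_vpc_resources $vpc_id
 done
 
+#
+# Load Balancers
+#
 echo "looking for Load Balancers"
-NLBS=$(aws elbv2 describe-load-balancers | jq '.LoadBalancers')
+NLBS=$(aws --profile $AWS_PROFILE --region $AWS_REGION elbv2 describe-load-balancers | jq '.LoadBalancers')
 echo $NLBS | jq -r '.[].LoadBalancerArn' | while read -r lb_arn; do
-echo $lb_arn
-tag_values=$(aws elbv2 describe-tags --resource-arn $lb_arn | jq -r '.TagDescriptions[].Tags.[].Value')
+tag_values=$(aws --profile $AWS_PROFILE --region $AWS_REGION elbv2 describe-tags --resource-arn $lb_arn | jq -r '.TagDescriptions[].Tags.[].Value')
 if [[ $tag_values == *"$NUON_INSTALL_ID"* ]]; then
 echo "deleting load balancer "$lb_arn
-aws elbv2 delete-load-balancer --load-balancer-arn $lb_arn
+aws --profile $AWS_PROFILE --region $AWS_REGION elbv2 delete-load-balancer --load-balancer-arn $lb_arn
 fi
 done
 
+echo "looking for loadbalancer security groups..."
+SGS=$(aws --profile $AWS_PROFILE --region $AWS_REGION ec2 \
+describe-security-groups \
+--filters Name=tag:elbv2.k8s.aws/cluster,Values=$NUON_INSTALL_ID)
+
+echo $SGS | jq -r '.SecurityGroups[].GroupId' | while read -r sg_id ; do
+echo "deleting security group $sg_id"
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-security-group --group-id=$sg_id
+done
+
+#
+# ENIs
+#
+
 echo "looking for ENIs which were orphaned by vpc-cni plugin"
-ENIS=$(aws ec2 \
+ENIS=$(aws --profile $AWS_PROFILE --region $AWS_REGION ec2 \
 describe-network-interfaces \
 --filters Name=tag:cluster.k8s.amazonaws.com/name,Values=$NUON_INSTALL_ID)
 
 echo $ENIS | jq -r '.NetworkInterfaces[].NetworkInterfaceId' | while read -r eni_id ; do
 echo "deleting ENI $eni_id"
-aws ec2 delete-network-interface --network-interface-id=$eni_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-network-interface --network-interface-id=$eni_id
 done
 
-echo "looking loadbalancer security groups..."
-SGS=$(aws ec2 \
-describe-security-groups \
---filters Name=tag:elbv2.k8s.aws/cluster,Values=$NUON_INSTALL_ID)
-
-echo $SGS | jq -r '.SecurityGroups[].GroupId' | while read -r sg_id ; do
-echo "deleting security group $sg_id"
-aws ec2 delete-security-group --group-id=$sg_id
-done
+#
+# Security Groups: Clean up remaining security groups
+#
 
 echo "looking for nuon security groups..."
-SGS=$(aws ec2 \
+SGS=$(aws --profile $AWS_PROFILE --region $AWS_REGION ec2 \
 describe-security-groups \
 --filters Name=tag:nuon_id,Values=$NUON_INSTALL_ID)
 
 echo $SGS | jq -r '.SecurityGroups[].GroupId' | while read -r sg_id ; do
 echo "deleting security group $sg_id"
-aws ec2 delete-security-group --group-id=$sg_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-security-group --group-id=$sg_id
 done
 
-echo $SGS | jq -r '.SecurityGroups[].GroupId' | while read -r sg_id ; do
-echo "deleting security group $sg_id"
-aws ec2 delete-security-group --group-id=$sg_id
-done
+#
+# VPC Cleanup: VPC
+#
 
-echo "looking for vpc..."
-VPCS=$(aws ec2 \
-describe-vpcs \
---filters Name=tag:nuon_id,Values=$NUON_INSTALL_ID)
+# clean up any resources we couldn't get to before
+echo $VPCS | jq -r '.Vpcs[].VpcId' | while read -r vpc_id ; do
+disassociate_vpc_security_groups $vpc_id
+delete_vpc_resources $vpc_id
+done
 
+echo $VPCS | jq -r '.Vpcs[].VpcId'
 echo $VPCS | jq -r '.Vpcs[].VpcId' | while read -r vpc_id ; do
 echo "deleting vpc $vpc_id"
-aws ec2 delete-vpc --vpc-id=$vpc_id
+aws --profile $AWS_PROFILE --region $AWS_REGION ec2 delete-vpc --vpc-id=$vpc_id
 done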
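Review bot: The default-security-group guard in disassociate_vpc_security_groups (new line 57-58) never fires, because describe-security-groups exposes the name as `GroupName`, so `jq -r '.Name'` yields `null` and every group, including the default one, falls into the revoke branch; it should read `sg_name=$(echo "$sg" | jq -r '.GroupName')`. On new line 62 the rule-id list comes from describe-security-group-rules without filtering on direction, so egress rule ids are handed to revoke-security-group-ingress, which rejects them; restrict the selection to `jq -r '.SecurityGroupRules[] | select(.IsEgress == false) | .SecurityGroupRuleId'` and skip the revoke call when the result is empty. The preflight on line 18 still runs `aws sts get-caller-identity` with the default profile and region while every destructive call now uses `--profile $AWS_PROFILE --region $AWS_REGION`, so the identity being confirmed is not necessarily the one doing the deletions; make it `aws --profile $AWS_PROFILE --region $AWS_REGION sts get-caller-identity > /dev/null`. The hunk also introduces `function` declarations and a `[[ ]]` test under the `#!/bin/sh` shebang, which a POSIX sh such as dash will reject; either switch the shebang to bash or drop the bashisms.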
