#chiroito ’s blog

About hobby technology, mainly Java

Deleting an IPI-built OpenShift cluster on AWS got stuck

I am a complete beginner with both AWS and OpenShift, and I broke my OpenShift cluster. To rebuild it with IPI, I was deleting it with openshift-install destroy cluster when the process got stuck. Re-running it with openshift-install --log-level debug destroy cluster produced the log below. Apparently an AWS security group had a dependency, so it could not be deleted.

DEBUG search for and delete matching resources by tag in us-east-2 matching aws.Filter{"kubernetes.io/cluster/cluster-9373-dlhk2":"owned"}
DEBUG DependencyViolation: The dhcpOptions 'dopt-085c2dada1f343ae4' has dependencies and cannot be deleted.
        status code: 400, request id: 45d53455-d1d7-41ce-ad6f-66934e8eca4b  arn="arn:aws:ec2:us-east-2:434612646751:dhcp-options/dopt-085c2dada1f343ae4"
DEBUG DependencyViolation: resource sg-0a444d2ee4b09f1a1 has a dependent object
        status code: 400, request id: b7665590-49ae-4179-98f8-1ffc1f268c5e  arn="arn:aws:ec2:us-east-2:434612646751:security-group/sg-0a444d2ee4b09f1a1"
DEBUG Skipping default security group               arn="arn:aws:ec2:us-east-2:434612646751:vpc/vpc-004bba1a4101c1ff0" id=vpc-004bba1a4101c1ff0 security group=sg-009a1a514280a6428
DEBUG deleting EC2 security group sg-0a444d2ee4b09f1a1: DependencyViolation: resource sg-0a444d2ee4b09f1a1 has a dependent object
        status code: 400, request id: e09c5452-30cc-40a5-a250-68206a0c0500  arn="arn:aws:ec2:us-east-2:434612646751:vpc/vpc-004bba1a4101c1ff0"
DEBUG search for and delete matching resources by tag in us-east-2 matching aws.Filter{"openshiftClusterID":"2ec853c4-fdb5-4048-b121-4b2cdb884949"}
DEBUG search for and delete matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/cluster-9373-dlhk2":"owned"}
DEBUG NoSuchHostedZone: No hosted zone found with ID: Z05082143QIXIT5Y0HD82
        status code: 404, request id: 775594c5-092d-41a4-bac6-d610faad2aa1  arn="arn:aws:route53:::hostedzone/Z05082143QIXIT5Y0HD82"
DEBUG search for and delete matching resources by tag in us-east-1 matching aws.Filter{"openshiftClusterID":"2ec853c4-fdb5-4048-b121-4b2cdb884949"}

Since I cannot access the web console, I will handle this with the AWS CLI. The security group that cannot be deleted is sg-0a444d2ee4b09f1a1. Looking for it, it appears to have been added to the default security group, sg-009a1a514280a6428.

$ aws ec2 describe-security-groups
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-009a1a514280a6428",
                            "UserId": "434612646751"
                        },
                        {
                            "GroupId": "sg-0a444d2ee4b09f1a1",
                            "UserId": "434612646751"
                        }
                    ]
                }
            ],
(omitted)

Removing a security group's ingress rules is apparently done with aws ec2 revoke-security-group-ingress. Remove the rule as follows.

aws ec2 revoke-security-group-ingress --group-id sg-009a1a514280a6428 --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"sg-0a444d2ee4b09f1a1","UserId":"434612646751"}]}]'
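The revoke command above has to name exactly the rule that references the stuck group. The following added example (not from the original post) builds that --ip-permissions payload from describe-security-groups output: it walks every other group's ingress and egress rules, keeps only the UserIdGroupPairs entries that point at the target group, and emits one revoke command per group so the commands can be reviewed before running. The sample JSON, group IDs and account number are constructed placeholders; it also generalizes past the post's all-traffic case by carrying FromPort/ToPort for port-scoped rules.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# group IDs and the account number are placeholders, not a real account's.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-default0000000001", "GroupName": "default",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
      "UserIdGroupPairs": [
        {"GroupId": "sg-default0000000001", "UserId": "111111111111"},
        {"GroupId": "sg-cluster0000000001", "UserId": "111111111111"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-other00000000001", "GroupName": "other",
   "IpPermissions": [],
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
      "Ipv6Ranges": [], "PrefixListIds": [],
      "UserIdGroupPairs": [{"GroupId": "sg-cluster0000000001", "UserId": "111111111111"}]}]}
]}
""")

def find_references(describe_output, target_sg):
    """Return (group_id, direction, ip_permissions) for every rule in another
    group that references target_sg; ip_permissions revokes only those pairs."""
    found = []
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupId"] == target_sg:
            continue  # only references from *other* groups block deletion
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            perms = []
            for rule in sg.get(direction, []):
                pairs = [p for p in rule.get("UserIdGroupPairs", []) if p["GroupId"] == target_sg]
                if not pairs:
                    continue
                perm = {"IpProtocol": rule["IpProtocol"], "UserIdGroupPairs": pairs}
                for key in ("FromPort", "ToPort"):  # absent on "-1" (all traffic) rules
                    if key in rule:
                        perm[key] = rule[key]
                perms.append(perm)
            if perms:
                found.append((sg["GroupId"], direction, perms))
    return found

def revoke_commands(describe_output, target_sg):
    """Build the aws CLI revoke commands that drop every reference to target_sg."""
    cmds = []
    for group_id, direction, perms in find_references(describe_output, target_sg):
        verb = "revoke-security-group-egress" if direction.endswith("Egress") else "revoke-security-group-ingress"
        cmds.append("aws ec2 %s --group-id %s --ip-permissions '%s'"
                    % (verb, group_id, json.dumps(perms, separators=(",", ":"))))
    return cmds
```

Feed it real output with `json.load(open("sgs.json"))` after `aws ec2 describe-security-groups > sgs.json`, then run the printed commands only after checking them.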

Let's check.

$ aws ec2 describe-security-groups
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-021e9474e3577bea9",
                            "UserId": "434612646751"
                        }
                    ]
                }
            ],

It's gone! Now the cluster can be deleted with openshift-install destroy cluster.