commitdev / zero-aws-eks-stack

zero module for a basic AWS kubernetes stack on EKS

"make teardown-secrets" doesn't seem to run to conclusion

GrooveStomp opened this issue · comments

↳ make teardown-secrets
Deleting secrets is not reversible, are you sure you want to delete the secrets? [y/N]:
y
{
    "ARN": "arn:aws:secretsmanager:us-west-2:514226198018:secret:ci-user-aws-keysd7db59ec-kS3uv6",
    "Name": "ci-user-aws-keysd7db59ec",
    "DeletionDate": "2020-10-16T16:22:44.857000+00:00"
}
{
    "ARN": "arn:aws:secretsmanager:us-west-2:514226198018:secret:terminus-k-stage-rds-d7db59ec-vfASuh",
    "Name": "terminus-k-stage-rds-d7db59ec",
    "DeletionDate": "2020-10-16T16:22:48.114000+00:00"
}

An error occurred (ResourceNotFoundException) when calling the DeleteSecret operation: Secrets Manager can't find the specified secret.
make: *** [Makefile:53: teardown-secrets] Error 123

There's an attempt to remove a secret that apparently doesn't exist.

This is happening because the sendgrid secret is only conditionally added, but there's no condition when it's removed. For each of these secret removal lines we can just add a || echo "Secret already removed" or something. To do that we'll need to change the fact that they are all chained together with && \, which I don't like anyway.
And to remove that I think we'll need to define the region and pager at the top; I think the only reason they are chained is for those vars:

export AWS_DEFAULT_REGION := <% index .Params `region` %>
export AWS_PAGER := ''

This would be nice too because then we can just use this region var in any place in the makefile where we were previously using the templated value, which is in quite a few places.
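One way to realise the suggestion above as a stand-alone script (an added example, not the project's Makefile or any of its scripts): the region and pager are set once at the top instead of being threaded through an && \ chain, each secret is handled on its own, and, going one step further than a bare || echo, only a ResourceNotFoundException counts as "already removed" while any other failure still fails the teardown. AWS_CLI and the secret names are assumptions so the script can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not from the zero-aws-eks-stack project): idempotent teardown
# of Secrets Manager secrets. AWS_CLI and the default region are assumptions.
set -eu

AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-west-2}"
AWS_PAGER=''
export AWS_DEFAULT_REGION AWS_PAGER
AWS_CLI="${AWS_CLI:-aws}"

# Delete one secret. Returns 0 if it was deleted or was already gone,
# non-zero for any other error (permissions, throttling, wrong account...).
delete_secret_if_present() {
    secret_id="$1"
    # --region is passed explicitly as well, since a later comment in this
    # issue reports that some commands do not honor AWS_DEFAULT_REGION.
    if err=$("$AWS_CLI" secretsmanager delete-secret --region "$AWS_DEFAULT_REGION" \
            --secret-id "$secret_id" 2>&1); then
        echo "deleted $secret_id"
        return 0
    fi
    case "$err" in
        *ResourceNotFoundException*)
            echo "secret $secret_id already removed"
            return 0 ;;
        *)
            echo "failed to delete $secret_id: $err" >&2
            return 1 ;;
    esac
}

# Delete every secret named on the command line. A missing secret does not
# stop the loop, but a real error makes the whole run report failure.
teardown_secrets() {
    rc=0
    for id in "$@"; do
        delete_secret_if_present "$id" || rc=1
    done
    return $rc
}

# Usage: ./teardown-secrets.sh <project>-ci-user-aws-keys <project>-stage-rds <project>-sendgrid
# (secret names are placeholders; the real ones come from the Makefile).
if [ "$#" -ge 1 ]; then
    printf 'Deleting secrets is not reversible, are you sure you want to delete the secrets? [y/N]: '
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted"; exit 1; }
    teardown_secrets "$@"
fi
```

Matching on the error text is deliberate: a plain || echo would also hide a permission or credential problem, which is exactly what you do not want to miss when tearing down an environment.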

Things not destroyed properly for me:

    • aws secret - piggycloud2-me_cf_keypair
    • aws secret - piggycloud2-me-stage-vpn-wg-privatekey-E4979216
    • aws role - piggycloud2-me-eks-cluster-creator

Solution:
#1 - need a separate script together with the scripts/import* one
#2 - need to put a fix into Makefile
#3 - error as below

$ aws iam delete-role --role-name $PROJECT-eks-cluster-creator
An error occurred (DeleteConflict) when calling the DeleteRole operation: Cannot delete entity, must detach all policies first.

Tested steps for deleting my role (in order):

  1. aws iam list-role-policies --role-name piggycloud2-me-eks-cluster-creator
  2. aws iam delete-role-policy --role-name piggycloud2-me-eks-cluster-creator --policy-name manage_eks
  3. aws iam list-attached-role-policies --role-name piggycloud2-me-eks-cluster-creator
  4. aws iam detach-role-policy --role-name piggycloud2-me-eks-cluster-creator --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  5. aws iam delete-role --role-name piggycloud2-me-eks-cluster-creator
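The five steps above, generalised into a script that works for any number of inline and attached policies (an added example, not code from the project or the commenter): inline policies are listed and deleted, managed policies are listed and detached, and only then is the role deleted. The --query/--output flags are standard AWS CLI options; AWS_CLI is an assumption so the script can be run against a stub.

```shell
#!/bin/sh
# Added example (not from the zero-aws-eks-stack project): delete an IAM role
# in the order tested in the comment above. AWS_CLI is an assumption.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Inline policy names on the role, one per line (nothing when there are none).
list_inline_policies() {
    names=$("$AWS_CLI" iam list-role-policies --role-name "$1" \
        --query 'PolicyNames[]' --output text)
    printf '%s\n' "$names" | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# ARNs of managed policies attached to the role, one per line.
list_attached_policies() {
    arns=$("$AWS_CLI" iam list-attached-role-policies --role-name "$1" \
        --query 'AttachedPolicies[].PolicyArn' --output text)
    printf '%s\n' "$arns" | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Remove everything that blocks deletion, then delete the role.
# Any failing aws call aborts the script (set -e) so nothing is left half done.
delete_role() {
    role="$1"
    for name in $(list_inline_policies "$role"); do
        echo "deleting inline policy $name from $role"
        "$AWS_CLI" iam delete-role-policy --role-name "$role" --policy-name "$name"
    done
    for arn in $(list_attached_policies "$role"); do
        echo "detaching $arn from $role"
        "$AWS_CLI" iam detach-role-policy --role-name "$role" --policy-arn "$arn"
    done
    "$AWS_CLI" iam delete-role --role-name "$role"
    echo "deleted role $role"
}

# Usage: ./delete-role.sh <project>-eks-cluster-creator
if [ "$#" -ge 1 ]; then
    delete_role "$1"
fi
```

Word-splitting the list output is safe here because IAM policy names and ARNs cannot contain whitespace.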

AWS_DEFAULT_REGION doesn't actually work on some resources.
Some commands require an explicit --region; they somehow just don't honor the default region.