How do I terminate or rebuild my Elastic Beanstalk environment when the AWSEBSecurityGroup fails to delete?
When I terminate or rebuild my AWS Elastic Beanstalk environment, I receive the following error: "Stack deletion failed: The following resource(s) failed to delete: [AWSEBSecurityGroup]."
Short description
AWSEBSecurityGroup is an Amazon Elastic Compute Cloud (Amazon EC2) security group that the underlying AWS CloudFormation stack creates through Elastic Beanstalk. When an elastic network interface or security group that's created outside your Elastic Beanstalk environment uses AWSEBSecurityGroup, the environment fails when you terminate or rebuild it.
Note: To manage the resources that Elastic Beanstalk creates, it's a best practice to use one of the following: the Elastic Beanstalk console, Elastic Beanstalk Command Line Interface (EB CLI), or the AWS Command Line Interface (AWS CLI). If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Resolution
To resolve this issue, complete one of the following tasks:
- Use either the AWS CloudFormation console or AWS CLI to delete the CloudFormation stack that the Elastic Beanstalk environment created. Then, terminate or rebuild the Elastic Beanstalk environment.
- Remove the dependent objects from your Elastic Beanstalk security group. Then, terminate or rebuild the Elastic Beanstalk environment.
Note: In the following AWS CLI commands, enter the values for your stack name, environment name, AWS Region, and other environment-specific variables.
Delete the stack from the CloudFormation console
Important: If your Elastic Beanstalk environment has an integrated Amazon Relational Database Service (Amazon RDS) database, then first decouple the Amazon RDS DB instance.
You can use either the CloudFormation console or the AWS CLI to delete the stack.
CloudFormation console
- Open the CloudFormation console.
- On the Stacks page, choose the stack that failed to delete.
Note: The Status column of your stack shows DELETE_FAILED. - Choose Delete.
- In the Delete Stack pop-up window, choose AWSEBSecurityGroup, and then choose Delete.
Important: Be sure to delete the security group. The AWSEBSecurityGroup isn't automatically deleted when you delete the stack. If the environment termination fails because of another dependent resource, first choose the appropriate resource in the DELETE_FAILED state from the Delete Stack pop-up window. Then, choose Delete. - Terminate or rebuild the Elastic Beanstalk environment.
AWS CLI
-
To delete the CloudFormation stack, run the describe-network-interface-attribute command:
aws cloudformation delete-stack --stack-name awseb-e-ztrauxujck-stack --retain-resources "AWSEBSecurityGroup" --region us-east-1
-
To terminate the Elastic Beanstalk environment, run the terminate-environment command:
aws elasticbeanstalk terminate-environment --environment-name my-env --region us-east-1
-
To rebuild the Elastic Beanstalk environment, run the rebuild-environment command:
aws elasticbeanstalk rebuild-environment --environment-name my-env --region us-east-1
Find and remove the dependent objects for the Elastic Beanstalk security group
To find the dependent network interface or a dependent security group that doesn't allow you to delete the AWSEBSecurityGroup, complete the following steps. You can use either the Amazon EC2 console or the AWS CLI.
Amazon EC2 console
- Get the security group ID of AWSEBSecurityGroup from the error message in the Elastic Beanstalk event stream.
- Open the Amazon EC2 console.
- In the navigation pane, choose Security Groups. Then, choose the AWSEBSecurityGroup ID.
- Choose Actions, and then choose Delete Security Group to find the dependencies on AWSEBSecurityGroup.
- On the Delete Security Groups pop-up window, complete the following steps:
Choose View your associated instance.
Choose Actions, and then choose Networking.
Choose Change Security Group.
Clear the AWSEBSecurityGroup ID and Assign Security Groups check boxes. - On the Delete Security Groups pop-up window, choose View your referencing security groups.
- To remove the association of the AWSEBSecurityGroup ID, choose Actions, and then choose Edit inbound rules or Edit outbound rules.
- Terminate or rebuild the Elastic Beanstalk environment.
AWS CLI
-
Get the security group ID of AWSEBSecurityGroup from the error message in the Elastic Beanstalk event stream.
-
In the .ebextensions folder, create a configuration file based on the following example:
#!/bin/bash SecurityGroupID=$1 Region=$2 DependentENI=$(aws ec2 describe-network-interfaces --filters Name=group-id,Values=[$SecurityGroupID] --region $Region | jq '.NetworkInterfaces[].NetworkInterfaceId') DependentSGingress=$(aws ec2 describe-security-groups --filters Name=ip-permission.group-id,Values=[$SecurityGroupID] --region $Region | jq '.SecurityGroups[] .GroupId') DependentSGegress=$(aws ec2 describe-security-groups --filters Name=egress.ip-permission.group-id,Values=[$SecurityGroupID] --region $Region | jq '.SecurityGroups[] .GroupId') echo "The dependent ENI is $DependentENI" echo "The security group id with a dependency in ingress rule : $DependentSGingress" echo "The security group id with a dependency in egress rule : $DependentSGegress"
-
Save the bash script as sg_dependency.sh.
-
Install the jq utility from the jq website.
-
To get your network interface ID and security group ID, run the following command:
./sg_dependency.sh sg-111aaa22 us-east-1
Note: Replace sg-111aaa22 with your AWSEBSecurityGroup ID. Replace us-east-1 with your AWS Region.
-
To find the security groups that are attached to the network interface ID, run the describe-network-interface-attribute command:
aws ec2 describe-network-interface-attribute --network-interface-id eni-1099d901 --attribute groupSet
-
To detach the AWSEBSecurityGroup ID, run the modify-network-interface-attribute command:
aws ec2 modify-network-interface-attribute --network-interface-id eni-1099d901 --groups sg-030644d6c95b6470a sg-d34a33a8 sg-059c081ab30c3e38e sg-0e4eabc747368e6c9
Important: In the preceding command, don't include the AWSEBSecurityGroup ID. Include other security group IDs to remain attached to the network interface. If you include AWSEBSecurityGroup ID in the AWS service that created the network interface, then the command output returns the following error: "An error occurred (AuthFailure) when calling the ModifyNetworkInterfaceAttribute operation: You don't have permission to access the specified resource".
-
Run the describe-security-groups command to list all the ingress and egress rules of the dependent security group.
-
Run the revoke-security-group-ingress or revoke-security-group-egress command based on the output from step 7.
Example: If the AWSEBSecurityGroup ID is sg-111aaa22 and the output from step 8 has that security group ID in ingress rules, then run the following command:aws ec2 revoke-security-group-ingress --group-id sg-0018a2fbdcd5797ea --ip-permissions '\[{"PrefixListIds":\[\],"FromPort":0,"IpRanges":\[\],"ToPort":65535,"IpProtocol":"tcp","UserIdGroupPairs":\[{"UserId":"123456789102","GroupId":"sg-111aaa22"}\],"Ipv6Ranges":\[\]}\]'
Note: The UserId is the AWS account ID.
-
To terminate the Elastic Beanstalk environment, run the terminate-environment command:
aws elasticbeanstalk terminate-environment --environment-name my-env --region us-east-1
-
To rebuild the Elastic Beanstalk environment, run the rebuild-environment command:
aws elasticbeanstalk rebuild-environment --environment-name my-env --region us-east-1
Related information
Vídeos relacionados
Conteúdo relevante
- AWS OFICIALAtualizada há 7 meses
- AWS OFICIALAtualizada há 2 anos
- AWS OFICIALAtualizada há 6 meses
- AWS OFICIALAtualizada há 4 anos