In the AWS Console I can edit the name attribute for varying resources (e.g. EC2 instances, VPC resources, etc), but can this name attribute be modified via the CLI/SDK?
Yes, it's just a tag. Make sure you are using Name (capitalized)
Example
aws ec2 create-tags --resources "vpc-xxxxxxxxx" --tags Key=Name,Value=something-other-than-default
I did the AWS misfits tutorial and I thought the cleanup would be as simple as deleting the Cloud Formation stack. However, items failed to delete so I am trying to clean them up manually to assist the Cloud Formation stack deletion.
I keep getting an error when trying to Detach the network interfaces (I am logged into the root account):
Error detaching network interfaces:
eni-0047gfhfgh8ab0e: You are not allowed to manage 'ela-attach' attachments.
eni-0f4a46hgfha757e: You are not allowed to manage 'ela-attach' attachments.
I am unable to delete my VPC without these being deleted.
The stack as a whole is failing to delete because of the following:
The following resource(s) failed to delete: [InternetGateway,
PublicSubnetTwo, VPC, GatewayAttachement, PublicSubnetOne].
I had the same issue, which gave me the following message:
This could be because there is a service in use which still uses the network interface. You could try some of the following things:
Remove unused VPC links from API gateway
Remove unused VPC Endpoint services
Remove unused NAT gateways
Remove unused ECS/EKS clusters
Remove unused load balancers
Remove unused EFS mounts
If that doesn't help, there is something wrong/stuck on the underlying OS, you should wait for it to resolve by itself or report it. I had an ENI deployed by a Lambda function after deleting the lambda function, the ENI got stuck. After some time I was able to detach the ENI.
Update: for the people using the aws cli, AWS support posted a bash script and documentation to easily identify ENIs that are still hanging around somewhere (source).
AWS offers this bash script as help to find out the dependencies:
#!/bin/bash
vpc="vpc-xxxxxxxxxxxxx"
region="yy-yyyy-y"
aws ec2 describe-internet-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep InternetGatewayId
aws ec2 describe-subnets --region $region --filters 'Name=vpc-id,Values='$vpc | grep SubnetId
aws ec2 describe-route-tables --region $region --filters 'Name=vpc-id,Values='$vpc | grep RouteTableId
aws ec2 describe-network-acls --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkAclId
aws ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId
aws ec2 describe-vpc-endpoints --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpcEndpointId
aws ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws ec2 describe-security-groups --region $region --filters 'Name=vpc-id,Values='$vpc | grep GroupId
aws ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws ec2 describe-vpn-connections --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpnConnectionId
aws ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws ec2 describe-network-interfaces --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkInterfaceId
aws ec2 describe-carrier-gateways --region $region --filters Name=vpc-id,Values=$vpc | grep CarrierGatewayId
aws ec2 describe-local-gateway-route-table-vpc-associations --region $region --filters Name=vpc-id,Values=$vpc | grep LocalGatewayRouteTableVpcAssociationId
My issue was a Transit Gateway Attachment and I could figure it out at some point.
Source: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-dependency-error-delete-vpc/
If you're working with Lambda Functions in VPC.
This is caused by old Lambda version is still referring to the ENI.
Try below to see if it's this case:
aws lambda list-versions-by-function --function-name FUNCTIONNAME | jq -r '.Versions | .[] | [.LastModified, .Version, .VpcConfig.VpcId] | #tsv' | sort
I had this same issue. For me, I had to delete an Endpoint Service associated with my ELB first, then I could start to get rid of the network interfaces that were set up.
Try to verify if you have a EFS mount target asociated at the ENI and delete it, after try to delete the network interface that's work for me.
Modify the VPC Endpoint Service to reject VPC Endpoint (deselect
Require acceptance for endpoint) https://docs.aws.amazon.com/vpc/latest/userguide/modify-endpoint-service.html
Delete the VPC Endpoint Service
Continue deleting other resources or try again the stack deletion task in
Cloudformation.
The VPC Endpoint Service deletion is restricted by the no longer existing VPC Endpoint.
In my case I had an EFS mount that was preventing my subnets from being deleted. My solution was to visit the AWS Management Console, search for EFS, and delete the corresponding mount. After that I was able to delete the subnets and VPC.
I had the same issue. The root problem is that it won't let you delete anything because everything has something else dependent on it. The solution was to scroll down below the list of each type of resource and find the right tab to edit/delete the connections to other resources. Once those are gone, you will be able to delete the resource at the top of the page. I'm not sure which break ultimately enabled the cloudformation to delete successfully, but just going through the VPC dashboard and hitting each of these should fix the problem.
The problem for me was that my load balancer was created with "Deletion protection"
enabled. I logged on to AWS console, found my load balancer and edited its attributes setting "Deletion protection" to false. This allowed me to delete the load balancer and everything else.
if error occurs on network interface deletion , wait until NAT gateway and internet gateway entry removes on the respective page. Otherwise remove public or static IP associate with service in the vpc
In my case I had a DataSync instance - when I removed that I could delete these resources
Check whether any lambda function/db instance/ec2 instance still there in the VPC-> any of the subnet.
Delete that particular instance first and then the network interface will get deleted automatically.
For identifying the instance you can follow the following steps :
1.Search for the network interface in the AWS Network interface console.
2.Click on that open the detailed view and then check for interface type and delete the mentioned resource from there.
Error:
Failed to detach the network interface. API error: "You do not have
permission to access the specified resource."
Solution: In order to find the resources that are still using the Elastic Network Interface, pull up the ENI details by clicking on the Network Interface ID, and use these two fields:
Description: should indicate which service is using the ENI (ie ECS, ELB, Lambda, etc), but you might have to use some clues in the attachment ARN.
Security groups: should help you associate the specific cluster that's associated with it.
Once I deleted the ECS cluster that was associated with the ENI, the ENI resources went away automatically.
Also delete any Global Accelerator instances associated with the VPC.
I'd like to add to this conversation.
I had a similar issue and had to clear out some roles and 2x cloud9 environments, that I had ignored.
Worked the charm as my network interface was no longer associated with my cloud9 environments.
I have cloud formation template which creates auto-scaling group with desired state 2. I need instances to be attached to existing eips when they get launched. How can I do this?
You need to write a custom user data script that assigns the elastic IP to the instance. You can not do this using CloudFormation templates yet. The AWS CLI to be used is: aws ec2 associate-address. For this, the best practice would be to assign and IAM role with ec2:AssociateAddress permission.
The command will look like this: aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id $ALLOCATION_ID --allow-reassociation
While the allocation id will need to be hardcoded in the template, you can get the instance id within the instance using the command: curl -s http://169.254.169.254/latest/meta-data/instance-id. Refer this thread
for more details.
I am trying to find out which security groups a specific aws ec2 instance is in. I know I can do aws ec2 describe-instances
and then filter this result and do various things to it by piping the result to grep, but what has frustrated me is that I cannot use aws ec2 describe-instance-attribute --instance-id [instance-id] --attribute securityGroups or aws ec2 describe-instance-attribute --instance-id [instance-id] --attribute Groups , despite the documentation at: describe-instance-attribute suggesting that you can. Any ideas how to do this?
There is no such attribute called Groups. Refer: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-attribute.html
from above link:
Same is mentioned in EC2 API Reference Guide: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstanceAttribute.html
From Above link:
Probably groupSet attribute is what you are looking for:
e,g:
aws ec2 describe-instance-attribute --instance-id [instance-id] --attribute groupSet
Is there any way to find out status of AWS EC2 instances, which are running on various different regions, from one EC2 instance which is present in any one of region by using EC2 API tool ?
How this is possible ?
I got the answer :-
ec2-describe-instances instance-ID --region region
Example :-
ec2-describe-instances i-f82d5ca0 --region eu-west-1
Where instance ID is EC2 instance ID which is located in region eu-west-1
Thats all .
Or in the new unified AWS CLI, this is slightly different:
aws ec2 describe-instances --instance-id i-f82d5ca0
You can also change the --output into json, text, or a table