JPERF-1208: Clean up security groups before stacks

Network stacks contain VPCs, and VPCs depend on security groups. Some security groups are provisioned outside of the stack, so deleting such a stack will fail due to the dependency.
atlassian-labs · Jan 3, 2024 · 594bb81 · 594bb81
1 parent 335c74e
commit 594bb81
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,9 +29,11 @@ Dropping a requirement of a major version of a dependency is a new contract.
 ### Fixed
 - Add missing `iam:GetRole` permission. You have to update the policy manually. Fix [JPERF-1407].
 - Reduce pressure on CloudFormation when cleaning long lists of expired stacks. Help [JPERF-1332].
+- Clean up EC2 security groups before CloudFormation stacks. Fix [JPERF-1208].
 
 [JPERF-1407]: https://ecosystem.atlassian.net/browse/JPERF-1407
 [JPERF-1332]: https://ecosystem.atlassian.net/browse/JPERF-1332
+[JPERF-1208]: https://ecosystem.atlassian.net/browse/JPERF-1208
 
 ## [1.13.0] - 2023-08-14
 [1.13.0]: https://github.com/atlassian-labs/aws-resources/compare/release-1.12.2...release-1.13.0

diff --git a/...ain/kotlin/com/atlassian/performance/tools/aws/api/housekeeping/ConcurrentHousekeeping.kt b/...ain/kotlin/com/atlassian/performance/tools/aws/api/housekeeping/ConcurrentHousekeeping.kt
@@ -18,6 +18,11 @@ class ConcurrentHousekeeping(
     private val logger = LogManager.getLogger(this::class.java)
 
     override fun cleanLeftovers(aws: Aws) {
+        val securityGroups = aws.ec2.describeSecurityGroups().securityGroups.map { securityGroup ->
+            Ec2SecurityGroup(securityGroup, aws.ec2)
+        }.filter { it.isExpired() }
+        waitUntilReleased(securityGroups)
+
         Cloudformation(aws, aws.cloudformation).consumeExpiredStacks(Consumer { stacks ->
             waitUntilReleased(stacks, stackTimeout)
         })
@@ -31,13 +36,7 @@ class ConcurrentHousekeeping(
         val keys = aws.ec2.describeKeyPairs().keyPairs.map { key ->
             RemoteSshKey(SshKeyName(key.keyName), aws.ec2)
         }.filter { it.isExpired() }
-
-        val securityGroups = aws.ec2.describeSecurityGroups().securityGroups.map { securityGroup ->
-            Ec2SecurityGroup(securityGroup, aws.ec2)
-        }.filter { it.isExpired() }
-
         waitUntilReleased(keys)
-        waitUntilReleased(securityGroups)
     }
 
     private fun waitUntilReleased(