Turbot unable to delete default VPC

When a new AWS account is created, AWS provisions a default VPC in each region along with other default resources. Companies often have VPC requirements that include removing these default VPCs. The policy AWS > VPC > Default VPCs automates the deletion when its value is set to Enforce: Delete default VPC in each region. However, this policy will sometimes fail to delete the default VPC in one or more regions.

In certain circumstances, a company will have automation in place that creates resources within the default VPC. Resources such as custom security groups or network interfaces prevent Turbot from taking the required action, because AWS refuses to delete a VPC that still contains dependent resources.

  1. To verify, navigate to the account in the Turbot UI and click on the Controls tab.
  2. Search for default VPC to find the control in alarm.
  3. Click on the control, then click on the Apply button. The control will run and display the result. If the default VPC contains a custom resource (in this case, a custom network interface), a message will be displayed detailing the resource within the VPC.

In the above scenario, the custom resource must be deleted in order to move the control into an OK state. Once the resource is removed, the control can be re-applied via the Turbot UI and the default VPC will be deleted. Alternatively, the VPC can be removed via the VPC dashboard in the AWS console which, given sufficient permissions, attempts to delete the dependent resources along with the VPC. Note that deleting a NAT gateway is asynchronous and is known to take a minute or two, so the delete VPC operation will sometimes time out while the gateway is still being removed; wait for the gateway to disappear and retry.

Once the custom resources are confirmed to be deleted, the default VPC can finally be removed. If the error message in the control is unrelated to a custom resource, or if the VPC still cannot be removed after the custom resources are gone, contact Turbot support at help@turbot.com.
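The same check can be done from the command line before re-applying the control. The script below is an added example and is not Turbot's code or part of the original article: it finds the default VPC in each region and lists the custom network interfaces and non-default security groups that block deletion, reporting NAT gateway interfaces separately because they only disappear once the gateway itself has been deleted. It assumes boto3 is installed and AWS credentials are configured for the live scan; without boto3 it runs against the constructed SAMPLE_* data embedded in the file.

```python
"""Find what keeps a default VPC from being deleted.

Added example, not Turbot's code. Field names (IsDefault, VpcId, InterfaceType,
GroupName, Attachment.InstanceId) are the EC2 describe-* response fields; the
SAMPLE_* data below is constructed for illustration.
"""

# EC2 reports NAT gateway interfaces with this InterfaceType. They vanish only
# when the NAT gateway itself is deleted, which takes a minute or two, so a
# delete-VPC call issued right after deleting the gateway may still time out.
NAT_GATEWAY_INTERFACE_TYPE = "natGateway"


def default_vpc(vpcs):
    """Return the default VPC from a describe-vpcs result, or None."""
    return next((vpc for vpc in vpcs if vpc.get("IsDefault")), None)


def classify_blockers(vpc_id, network_interfaces, security_groups):
    """Split the custom resources inside vpc_id into two lists.

    blockers:     must be removed by hand before the VPC can be deleted
                  (customer network interfaces, non-default security groups).
    slow_deletes: NAT gateway interfaces; delete the gateway and wait for the
                  interface to disappear before retrying the VPC deletion.
    """
    blockers, slow_deletes = [], []
    for eni in network_interfaces:
        if eni.get("VpcId") != vpc_id:
            continue
        eni_id = eni["NetworkInterfaceId"]
        description = eni.get("Description") or "no description"
        if eni.get("InterfaceType") == NAT_GATEWAY_INTERFACE_TYPE:
            slow_deletes.append(f"NAT gateway interface {eni_id} ({description})")
            continue
        # Name the owner: the attached instance if there is one, else the description.
        owner = (eni.get("Attachment") or {}).get("InstanceId") or description
        blockers.append(f"network interface {eni_id} ({owner})")
    for sg in security_groups:
        if sg.get("VpcId") != vpc_id or sg.get("GroupName") == "default":
            continue  # the default group is deleted together with the VPC
        blockers.append(f"security group {sg['GroupId']} ({sg['GroupName']})")
    return blockers, slow_deletes


# Constructed sample: a default VPC holding one custom interface, one NAT
# gateway interface and one custom security group, plus an unrelated VPC.
SAMPLE_VPCS = [{"VpcId": "vpc-0default0", "IsDefault": True},
               {"VpcId": "vpc-0custom00", "IsDefault": False}]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-0default0",
     "InterfaceType": "interface", "Description": "ci-runner monitor"},
    {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-0default0",
     "InterfaceType": "natGateway", "Description": "Interface for NAT Gateway nat-0123"},
    {"NetworkInterfaceId": "eni-0ccc", "VpcId": "vpc-0custom00",
     "InterfaceType": "interface", "Attachment": {"InstanceId": "i-0123"}},
]
SAMPLE_SGS = [{"GroupId": "sg-0def", "GroupName": "default", "VpcId": "vpc-0default0"},
              {"GroupId": "sg-0ci", "GroupName": "ci-runners", "VpcId": "vpc-0default0"}]


def report(region, vpc, network_interfaces, security_groups):
    """Print one region's verdict; return True when nothing blocks deletion."""
    if vpc is None:
        print(f"{region}: no default VPC")
        return True
    blockers, slow_deletes = classify_blockers(vpc["VpcId"], network_interfaces, security_groups)
    clear = not blockers and not slow_deletes
    print(f"{region}: {vpc['VpcId']} {'can be deleted' if clear else 'is blocked'}")
    for line in blockers + slow_deletes:
        print(f"  - {line}")
    return clear


if __name__ == "__main__":
    try:
        import boto3  # assumption: boto3 installed and AWS credentials configured
    except ImportError:
        boto3 = None
    if boto3 is None:  # offline: exercise the constructed sample
        report("sample-region", default_vpc(SAMPLE_VPCS), SAMPLE_ENIS, SAMPLE_SGS)
    else:
        regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
        for region in (r["RegionName"] for r in regions):
            ec2 = boto3.client("ec2", region_name=region)
            vpc = default_vpc(ec2.describe_vpcs()["Vpcs"])
            if vpc is None:
                report(region, None, [], [])
                continue
            by_vpc = [{"Name": "vpc-id", "Values": [vpc["VpcId"]]}]
            report(region, vpc,
                   ec2.describe_network_interfaces(Filters=by_vpc)["NetworkInterfaces"],
                   ec2.describe_security_groups(Filters=by_vpc)["SecurityGroups"])
```

Run it with the same credentials Turbot uses and a region listed as "is blocked" shows exactly what must be removed before the control can be re-applied; the default security group is deliberately skipped, since AWS removes it together with the VPC and it cannot be deleted on its own.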
