[Enhancement]: Can't delete resources associated with ENIs

[Folling]

Description

Deleting subnets and security groups often fails because ENIs are created outside of terraform for various resources.

It would be nice to be able to create the ENIs within terraform, which would allow deleting the resources properly. Alternatively, perhaps terraform could delete the associated ENIs first before attempting to destroy the resources.

Affected Resource(s) and/or Data Source(s)

aws_vpc_endpoint (type "Interface")
aws_eks_cluster

Potential Terraform Configuration

resource "aws_vpc" "example" {
  instance_tenancy     = "default"
  enable_dns_support   = true
  enable_dns_hostnames = true

  cidr_block = "10.0.0.0/16"
}

data "aws_availability_zone" "example" {
  zone_id = "euc1-az1"
}

resource "aws_subnet" "example" {
  for_each = toset(var.network_config.availability_zones)

  vpc_id               = aws_vpc.example.ud
  availability_zone_id = data.aws_availability_zone.example.id
  cidr_block           = "10.1.0.0/24"
}

data "aws_vpc_endpoint_service" "ecr_api" {
  service      = "ecr.api"
  service_type = "Interface"
}

resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = aws_vpc.example.id
  service_name        = data.aws_vpc_endpoint_service.ecr_api.service_name
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids          = [aws_subnet.example.id]
}

References

hashicorp/terraform#10272

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @Folling 👋 Thank you for taking the time to raise this! Similar conversations have popped up a few times that I think may be worth reviewing. Can you read over these and see if they help to resolve the issues you've run into?

• [Enhancement]: Cleanup dangling ENIs on EKS Cluster Deletion #38887
• Terraform EKS Cluster security group deletion fails says it associated to ENI  #30640
• [Bug]: DependencyViolation with ENIs associated with security group of lambda #37046 (maybe not quite as relevant, but I figured it was worth linking)

[aakash-acquia]

hey @justinretzolk

I'm facing a dependency deadlock issue between aws_vpc_endpoint (of type Interface) and subnets in the same Terraform state.

In my configuration, the VPC endpoint references the subnet IDs, which creates a Terraform dependency from the endpoint to the subnets.
However, when AWS creates the interface endpoint, it automatically provisions ENIs inside those subnets, which introduces an implicit AWS-level dependency from the subnets back to the endpoint.

As a result, during updates or deletions (for example, when I try to delete or replace a subnet), Terraform attempts to delete the subnet first — but AWS blocks the deletion because the ENIs from the VPC endpoint are still attached.
This causes a circular dependency:

Terraform won’t delete the VPC endpoint first, because it depends on the subnet.

AWS won’t delete the subnet first, because it depends on the VPC endpoint’s ENIs.

Is there a recommended way to handle or break this deadlock between Terraform’s dependency graph and AWS’s internal resource dependencies for interface VPC endpoints?