Cluster Troubleshoot

Within this section you will find the common errors you might encounter when deploying or running your clusters with Qovery

How do I delete a cluster with dependency violation errors?

When attempting to delete a Qovery cluster, you may encounter dependency violation errors (DependencyViolation) indicating that certain items cannot be deleted due to existing dependencies. This typically happens when there are resources using the items (here: subnets) that were not deployed or managed by Qovery. Example:

DeleteError - Unknown error while performing Terraform command (`terraform destroy -lock=false -no-color -auto-approve`), here is the error:
Error: deleting EC2 Subnet (subnet-xxx): operation error EC2: DeleteSubnet, https response error StatusCode: 400, RequestID: xxx, api error DependencyViolation: The subnet 'subnet-xxx' has dependencies and cannot be deleted.

To resolve subnet deletion errors and successfully delete your cluster, follow these steps:

  1. Log in to your cloud provider console
  2. Navigate to the VPC section (or the section where deletion items are in failure)
  3. Attempt to delete the items (here: subnet) that is failing. This will trigger a notification showing the blocking elements

AWS VPC subnet

  1. Review the items (here: Network interfaces) that are blocking the deletion:
  • Check the Interface Type and Description for each blocking resource
  • Verify that these resources are safe to delete and not being used by any critical services.

AWS network interfaces

  1. Delete the identified blocking network interfaces if they are no longer needed
  2. Return to Qovery and retry the cluster deletion process

I don't have Qovery access anymore, how could I delete Qovery deployed resources on my AWS account?

From the AWS console

Unfortunately, there is no automatic way to do it with Qovery once we don't have access. However, AWS provides an easy way to retrieve those resources, so you can manually perform the delete. To do so, go on the AWS web console, and search for "Resource Groups & Tag Editor" service, then:

Resource groups search by tag

  1. Click on "Create Resource Group".
  2. In Tags, enter: "ClusterLongId".
  3. In the "Optional Tag value", enter the Qovery cluster ID. If you don't have it, let AWS suggest it for you. If you have Qovery deployed elements remainings, it will propose the Cluster long ID automatically.
  4. Click on "Add".
  5. You should see the filter with the information you just entered.
  6. Click on "Preview groups resources".
  7. You'll have all elements deployed by Qovery and you can delete what you want.

From the CLI

If you want to be able to delete the resources deployed by Qovery, you can use the AWS CLI to list and delete the resources. Here is an example of how to list all the resources deployed by Qovery:

#!/bin/bash
VPC_ID=$1
echo "Resources in VPC: $VPC_ID"
echo "Subnets:"
aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID"
echo "Route Tables:"
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$VPC_ID"
echo "Security Groups:"
aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$VPC_ID"
echo "NATs Gateway:"
aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=$VPC_ID"
echo "Internet Gateway:"
aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$VPC_ID"
echo "Instances:"
aws ec2 describe-instances --filters "Name=vpc-id,Values=$VPC_ID"
echo "Network Interfaces:"
aws ec2 describe-network-interfaces --filters "Name=vpc-id,Values=$VPC_ID"
echo "EC2 Instances:"
aws ec2 describe-instances --filters "Name=vpc-id,Values=$VPC_ID"
echo "S3 VPC Endpoints:"
aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values=$VPC_ID"
echo "Load Balancers:"
aws elbv2 describe-load-balancers --query "LoadBalancers[?VpcId=='$VPC_ID']"
echo "Load Balancers:"
aws elb describe-load-balancers --query "LoadBalancers[?VpcId=='$VPC_ID']"

My cloud account has been blockVed, what should I do?

If you encounter this kind of error during an infrastructure deployment (including managed DBs):

This account is currently blocked by your cloud provider, please contact them directly.

Or

This AWS account is currently blocked and not recognized as a valid account.
Please contact aws-verification@amazon.com directly to get more details.
Maybe you are not allowed to use your free tier in this region?
Maybe you need to provide billing info?

This error is likely due to a billing issue or blocked free-tier usage in the given region.

Unfortunately, there is nothing Qovery can do. You need to reach out directly to your cloud provider to get more details and get your account unblocked.

Permissions Issue When Installing an AWS Cluster

When creating an AWS cluster with Karpenter, we verify that the provided credentials include the necessary SQS permissions.

If you encounter the following error:

"Permissions issue. Check your AWS permissions to ensure you have the necessary authorizations for this action."

Follow these steps to troubleshoot the issue:

1. Verify Your IAM Policy

Ensure your IAM policy matches the content of the file provided here.

2. Check AWS Organization SCP Restrictions

If the issue persists, it may be due to Service Control Policies (SCPs) in your AWS Organization blocking the required permissions.

Steps to Verify SCP Restrictions

  1. Go to AWS Policy Simulator.
  2. Select your user from the left panel.
  3. Choose SQS as the service and select all available actions.
  4. Open the first result, replace the queue value (*) with: arn:aws:sqs:::qovery*

Then, run the simulation.

Interpreting the Results

  • If permissions are allowed while AWS Organizations SCPs is enabled, AWS permissions are correctly set, and you should contact Qovery Support.

AWS SQS permissions allowed

  • If permissions are denied when AWS Organizations SCPs is enabled but allowed when disabled, an SCP in your organization is blocking access. You must contact your AWS administrator.

AWS SQS permissions denied

More

You are looking to troubleshoot your application with Qovery? Read this very short guide