Adopting VPC fails because of no default subnet specified

[mateocolina]

Describe the bug
We would like to adopt a VPC into our stack so that we can then reference it in other resources such as RDS or SecurityGroup. The VPC gets created by a central management account that is provisioning our accounts and we have no control over it, so we need to use it as-is.

For now we can instead of using vpcRef.from.name just specify vpcID.

apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPC
metadata:
  name: shared-vpc
  namespace: ack-system
  annotations:
    services.k8s.aws/adoption-policy: adopt
    services.k8s.aws/adoption-fields: |
      {"vpcID": "vpc-xxxx"}

But the resource returns following state and is thus not referable in any other resource.

kubectl describe vpc shared-vpc

Name:         shared-vpc
Namespace:    ack-system
Labels:       <none>
Annotations:  services.k8s.aws/adoption-fields: {"vpcID": "vpc-xxxx"}
              services.k8s.aws/adoption-policy: adopt
API Version:  ec2.services.k8s.aws/v1alpha1
Kind:         VPC
Metadata:
  Creation Timestamp:  2025-10-23T22:12:42Z
  Generation:          1
  Resource Version:    5594166
  UID:                 00000000-cbd5-442b-99a3-9d8c0c129c8a
Status:
  Ack Resource Metadata:
    Owner Account ID:  xxxxxx
    Region:            eu-central-2
  Conditions:
    Message:               default security group not found
    Status:                True
    Type:                  ACK.Recoverable
    Last Transition Time:  2025-10-23T22:34:37Z
    Message:               Unable to determine if desired resource state matches latest observed state
    Reason:                default security group not found
    Status:                Unknown
    Type:                  ACK.ResourceSynced
  Vpc ID:                  vpc-xxxx
Events:                    <none>

(fields such as Account ID and VPC ID have been redacted)

Steps to reproduce

1. Install ACK controller for EC2 using helm
2. Deploy K8s manifest with adoption

Expected outcome
I would expect that the VPC at least is reconciled/adopted and can be used as a reference in other resources.

Environment

• Kubernetes version -> 1.33
• Using EKS (yes/no), if so version? -> yes, eks.16
• AWS service targeted (S3, RDS, etc.) -> EC2

[github-actions]

Hello @mateocolina 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[cheeseandcereal]

Hi! Thanks for the report. Can you confirm if this adopted VPC has a default security group or not? We're trying to determine if this is ACK failing to find a default security group that exists, or if this is a VPC without a default security group entirely.

[mateocolina]

Hi @cheeseandcereal the VPC has no default subnet.

[michaelhtm]

Hello @mateocolina

the VPC has no default subnet.

Can you ensure you don't have the default SecurityGroup either?

In ACK we've had the assumption that the default security group cannot be removed from a VPC
https://github.com/aws-controllers-k8s/ec2-controller/blob/56e81eb0470108b5cc4bb3b669e93aeaa97d781d/pkg/resource/vpc/hooks.go#L540-L564

It looks like the controller is trying to look for the default SecurityGroup of your VPC, and it is not able to find it.

[mateocolina]

Hi, sorry for the typo, I meant security group, not subnet.

The VPC has no default security group.

[michaelhtm]

Maybe we can change the controller logic to be less opinionated.
If it can't find the default security group it does nothing.

I'd be happy to provide guidance if you'd like to contribute :)