Description
/kind bug
What steps did you take and what happened:
When deprovisioning an IPv6 for EKS cluster, CAPA is supposed to delete the eigw attached to the cluster-owned VPC. However, we observed that CAPA deleted all eigw in the region regardless of whether the eigw is attached to cluster-owned VPC or not.
This is very catastrophic as it can break other workloads in other VPCs.
What did you expect to happen:
CAPA should only clean up eigw that it manages.
Anything else you would like to add:
The API for DescribeEgressOnlyInternetGateways does not support the attachment.vpc-id filter. See the API Reference and the code below from the AWS SDK reference:

```go
type DescribeEgressOnlyInternetGatewaysInput struct {
	// The filters.
	//
	//    * tag:<key> - The key/value combination of a tag assigned to the resource.
	//    Use the tag key in the filter name and the tag value as the filter value.
	//    For example, to find all resources that have a tag with the key Owner
	//    and the value TeamA, specify tag:Owner for the filter name and TeamA for
	//    the filter value.
	//
	//    * tag-key - The key of a tag assigned to the resource. Use this filter
	//    to find all resources assigned a tag with a specific key, regardless of
	//    the tag value.
	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
	// (excerpt; remaining fields omitted)
}
```

This means the AWS API will return all eigws. That being said, during provisioning steps, if there are more than 1 eigw available, CAPA might select the wrong eigw, instead of creating one for the cluster-owned VPC.
Environment:
- Cluster-api-provider-aws version: Latest main
- Kubernetes version: (use kubectl version): N/A
- OS (e.g. from /etc/os-release): N/A
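Because the filter is unavailable server-side, the scoping has to happen on the client before any delete or reuse decision. The following is an added example, not CAPA's code: `Attachment`, `EgressOnlyIGW` and `FilterByVPC` are hypothetical stand-ins for the SDK's gateway records, and the sample IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment and EgressOnlyIGW are simplified stand-ins (assumed here) for the
// records returned by DescribeEgressOnlyInternetGateways.
type Attachment struct {
	VpcID string
}

type EgressOnlyIGW struct {
	ID          string
	Attachments []Attachment
}

// FilterByVPC keeps only the gateways attached to vpcID. The API offers no
// attachment.vpc-id filter, so the region-wide result is narrowed here.
func FilterByVPC(all []EgressOnlyIGW, vpcID string) ([]EgressOnlyIGW, error) {
	if vpcID == "" {
		// An empty ID must never be treated as "match everything".
		return nil, errors.New("refusing to select gateways without a VPC ID")
	}
	var owned []EgressOnlyIGW
	for _, gw := range all {
		for _, att := range gw.Attachments {
			if att.VpcID == vpcID {
				owned = append(owned, gw)
				break
			}
		}
	}
	return owned, nil
}

func main() {
	// Constructed sample: a region-wide response spanning several VPCs.
	region := []EgressOnlyIGW{
		{ID: "eigw-cluster", Attachments: []Attachment{{VpcID: "vpc-cluster"}}},
		{ID: "eigw-other", Attachments: []Attachment{{VpcID: "vpc-other"}}},
		{ID: "eigw-detached"}, // no attachments: never selected
	}
	owned, err := FilterByVPC(region, "vpc-cluster")
	fmt.Println(owned, err)
}
```

Only the gateways this function returns should be candidates for deletion during deprovisioning or for reuse during provisioning.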