
Optionally replace Lambda function ENI security groups on destroy #29289

Merged

Conversation

jar-b
Member

@jar-b jar-b commented Feb 7, 2023

Description

Adds optional replace_security_groups_on_destroy and replacement_security_group_ids attributes to speed up lambda security group destruction under certain conditions. This implementation largely follows the design of the local-exec provisioner described in this comment.

resource "aws_lambda_function" "example" {
  # ... other configuration ...

  # by itself, this attribute will replace all security groups defined in vpc_config.security_group_ids
  # with the default security group after the function is destroyed
  replace_security_groups_on_destroy = true

  # if this attribute is configured, these groups are used instead of the default security group
  replacement_security_group_ids = ["sg-1234"]

  vpc_config {
    subnet_ids         = [aws_subnet.example.id]
    security_group_ids = [aws_security_group.example.id]
  }
}

Some caveats to this feature:

  • This will only replace the security groups on network interfaces belonging to the destroyed function. If the configured VPC security group(s) are used elsewhere, those dependencies could still prevent the security group from being destroyed promptly.
  • This will not improve aws_subnet destroy times. Subnets containing ENIs from deleted lambda functions will still depend on AWS's internal cleanup process. Be sure to preserve the appropriate IAM permissions on the lambda execution role to allow the Lambda service to clean these up.

resource "aws_iam_role_policy_attachment" "example" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  role       = aws_iam_role.example.id
}

resource "aws_subnet" "example" {
  # ... other configuration ...

  # keep the VPC access policy attached until the subnet is gone, so Lambda can
  # still detach and delete its ENIs during destroy
  depends_on = [aws_iam_role_policy_attachment.example]
}

Relations

Relates #10329

Output from Acceptance Testing

$ make testacc PKG=lambda TESTS=TestAccLambdaFunction_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/lambda/... -v -count 1 -parallel 20 -run='TestAccLambdaFunction_'  -timeout 180m
go: downloading github.com/hashicorp/terraform-plugin-log v0.8.0
=== RUN   TestAccLambdaFunction_basic
=== PAUSE TestAccLambdaFunction_basic
=== RUN   TestAccLambdaFunction_disappears
=== PAUSE TestAccLambdaFunction_disappears
=== RUN   TestAccLambdaFunction_tags
=== PAUSE TestAccLambdaFunction_tags
=== RUN   TestAccLambdaFunction_unpublishedCodeUpdate
=== PAUSE TestAccLambdaFunction_unpublishedCodeUpdate
=== RUN   TestAccLambdaFunction_codeSigning
=== PAUSE TestAccLambdaFunction_codeSigning
=== RUN   TestAccLambdaFunction_concurrency
=== PAUSE TestAccLambdaFunction_concurrency
=== RUN   TestAccLambdaFunction_concurrencyCycle
=== PAUSE TestAccLambdaFunction_concurrencyCycle
=== RUN   TestAccLambdaFunction_expectFilenameAndS3Attributes
=== PAUSE TestAccLambdaFunction_expectFilenameAndS3Attributes
=== RUN   TestAccLambdaFunction_envVariables
=== PAUSE TestAccLambdaFunction_envVariables
=== RUN   TestAccLambdaFunction_EnvironmentVariables_noValue
=== PAUSE TestAccLambdaFunction_EnvironmentVariables_noValue
=== RUN   TestAccLambdaFunction_encryptedEnvVariables
=== PAUSE TestAccLambdaFunction_encryptedEnvVariables
=== RUN   TestAccLambdaFunction_nameValidation
=== PAUSE TestAccLambdaFunction_nameValidation
=== RUN   TestAccLambdaFunction_versioned
=== PAUSE TestAccLambdaFunction_versioned
=== RUN   TestAccLambdaFunction_versionedUpdate
=== PAUSE TestAccLambdaFunction_versionedUpdate
=== RUN   TestAccLambdaFunction_enablePublish
=== PAUSE TestAccLambdaFunction_enablePublish
=== RUN   TestAccLambdaFunction_disablePublish
=== PAUSE TestAccLambdaFunction_disablePublish
=== RUN   TestAccLambdaFunction_deadLetter
=== PAUSE TestAccLambdaFunction_deadLetter
=== RUN   TestAccLambdaFunction_deadLetterUpdated
=== PAUSE TestAccLambdaFunction_deadLetterUpdated
=== RUN   TestAccLambdaFunction_nilDeadLetter
=== PAUSE TestAccLambdaFunction_nilDeadLetter
=== RUN   TestAccLambdaFunction_fileSystem
=== PAUSE TestAccLambdaFunction_fileSystem
=== RUN   TestAccLambdaFunction_image
    function_test.go:923: Environment variable AWS_LAMBDA_IMAGE_LATEST_ID is not set
--- SKIP: TestAccLambdaFunction_image (0.00s)
=== RUN   TestAccLambdaFunction_architectures
=== PAUSE TestAccLambdaFunction_architectures
=== RUN   TestAccLambdaFunction_architecturesUpdate
=== PAUSE TestAccLambdaFunction_architecturesUpdate
=== RUN   TestAccLambdaFunction_architecturesWithLayer
=== PAUSE TestAccLambdaFunction_architecturesWithLayer
=== RUN   TestAccLambdaFunction_ephemeralStorage
=== PAUSE TestAccLambdaFunction_ephemeralStorage
=== RUN   TestAccLambdaFunction_tracing
=== PAUSE TestAccLambdaFunction_tracing
=== RUN   TestAccLambdaFunction_KMSKeyARN_noEnvironmentVariables
=== PAUSE TestAccLambdaFunction_KMSKeyARN_noEnvironmentVariables
=== RUN   TestAccLambdaFunction_layers
=== PAUSE TestAccLambdaFunction_layers
=== RUN   TestAccLambdaFunction_layersUpdate
=== PAUSE TestAccLambdaFunction_layersUpdate
=== RUN   TestAccLambdaFunction_vpc
=== PAUSE TestAccLambdaFunction_vpc
=== RUN   TestAccLambdaFunction_vpcRemoval
=== PAUSE TestAccLambdaFunction_vpcRemoval
=== RUN   TestAccLambdaFunction_vpcUpdate
=== PAUSE TestAccLambdaFunction_vpcUpdate
=== RUN   TestAccLambdaFunction_VPC_withInvocation
=== PAUSE TestAccLambdaFunction_VPC_withInvocation
=== RUN   TestAccLambdaFunction_VPCPublishNo_changes
=== PAUSE TestAccLambdaFunction_VPCPublishNo_changes
=== RUN   TestAccLambdaFunction_VPCPublishHas_changes
=== PAUSE TestAccLambdaFunction_VPCPublishHas_changes
=== RUN   TestAccLambdaFunction_VPC_properIAMDependencies
=== PAUSE TestAccLambdaFunction_VPC_properIAMDependencies
=== RUN   TestAccLambdaFunction_VPC_replaceSGWithDefault
=== PAUSE TestAccLambdaFunction_VPC_replaceSGWithDefault
=== RUN   TestAccLambdaFunction_VPC_replaceSGWithCustom
=== PAUSE TestAccLambdaFunction_VPC_replaceSGWithCustom
=== RUN   TestAccLambdaFunction_emptyVPC
=== PAUSE TestAccLambdaFunction_emptyVPC
=== RUN   TestAccLambdaFunction_s3
=== PAUSE TestAccLambdaFunction_s3
=== RUN   TestAccLambdaFunction_localUpdate
=== PAUSE TestAccLambdaFunction_localUpdate
=== RUN   TestAccLambdaFunction_LocalUpdate_nameOnly
=== PAUSE TestAccLambdaFunction_LocalUpdate_nameOnly
=== RUN   TestAccLambdaFunction_S3Update_basic
=== PAUSE TestAccLambdaFunction_S3Update_basic
=== RUN   TestAccLambdaFunction_S3Update_unversioned
=== PAUSE TestAccLambdaFunction_S3Update_unversioned
=== RUN   TestAccLambdaFunction_snapStart
=== PAUSE TestAccLambdaFunction_snapStart
=== RUN   TestAccLambdaFunction_runtimes
=== PAUSE TestAccLambdaFunction_runtimes
=== RUN   TestAccLambdaFunction_Zip_validation
=== PAUSE TestAccLambdaFunction_Zip_validation
=== CONT  TestAccLambdaFunction_basic
=== CONT  TestAccLambdaFunction_ephemeralStorage
=== CONT  TestAccLambdaFunction_VPC_replaceSGWithDefault
=== CONT  TestAccLambdaFunction_versioned
=== CONT  TestAccLambdaFunction_concurrencyCycle
=== CONT  TestAccLambdaFunction_S3Update_basic
=== CONT  TestAccLambdaFunction_unpublishedCodeUpdate
=== CONT  TestAccLambdaFunction_concurrency
=== CONT  TestAccLambdaFunction_codeSigning
=== CONT  TestAccLambdaFunction_tags
=== CONT  TestAccLambdaFunction_architecturesWithLayer
=== CONT  TestAccLambdaFunction_disappears
=== CONT  TestAccLambdaFunction_LocalUpdate_nameOnly
=== CONT  TestAccLambdaFunction_localUpdate
=== CONT  TestAccLambdaFunction_runtimes
=== CONT  TestAccLambdaFunction_s3
=== CONT  TestAccLambdaFunction_Zip_validation
=== CONT  TestAccLambdaFunction_vpcRemoval
=== CONT  TestAccLambdaFunction_vpc
=== CONT  TestAccLambdaFunction_VPC_properIAMDependencies
--- PASS: TestAccLambdaFunction_Zip_validation (8.27s)
=== CONT  TestAccLambdaFunction_VPCPublishNo_changes
--- PASS: TestAccLambdaFunction_s3 (39.82s)
=== CONT  TestAccLambdaFunction_layersUpdate
--- PASS: TestAccLambdaFunction_disappears (61.06s)
=== CONT  TestAccLambdaFunction_VPCPublishHas_changes
--- PASS: TestAccLambdaFunction_S3Update_basic (62.57s)
=== CONT  TestAccLambdaFunction_layers
--- PASS: TestAccLambdaFunction_basic (75.36s)
=== CONT  TestAccLambdaFunction_snapStart
--- PASS: TestAccLambdaFunction_codeSigning (77.75s)
=== CONT  TestAccLambdaFunction_KMSKeyARN_noEnvironmentVariables
--- PASS: TestAccLambdaFunction_concurrency (82.90s)
=== CONT  TestAccLambdaFunction_S3Update_unversioned
--- PASS: TestAccLambdaFunction_versioned (93.67s)
=== CONT  TestAccLambdaFunction_deadLetterUpdated
--- PASS: TestAccLambdaFunction_tags (107.91s)
=== CONT  TestAccLambdaFunction_envVariables
--- PASS: TestAccLambdaFunction_ephemeralStorage (124.30s)
=== CONT  TestAccLambdaFunction_architecturesUpdate
--- PASS: TestAccLambdaFunction_concurrencyCycle (125.78s)
=== CONT  TestAccLambdaFunction_architectures
--- PASS: TestAccLambdaFunction_S3Update_unversioned (52.26s)
=== CONT  TestAccLambdaFunction_fileSystem
--- PASS: TestAccLambdaFunction_VPC_properIAMDependencies (332.82s)
=== CONT  TestAccLambdaFunction_nilDeadLetter
--- PASS: TestAccLambdaFunction_runtimes (381.58s)
=== CONT  TestAccLambdaFunction_emptyVPC
--- PASS: TestAccLambdaFunction_VPC_replaceSGWithDefault (515.56s)
=== CONT  TestAccLambdaFunction_nameValidation
--- PASS: TestAccLambdaFunction_nameValidation (0.95s)
=== CONT  TestAccLambdaFunction_disablePublish
--- PASS: TestAccLambdaFunction_vpcRemoval (720.49s)
=== CONT  TestAccLambdaFunction_deadLetter
--- PASS: TestAccLambdaFunction_vpc (1055.10s)
=== CONT  TestAccLambdaFunction_VPC_replaceSGWithCustom
--- PASS: TestAccLambdaFunction_localUpdate (1063.74s)
=== CONT  TestAccLambdaFunction_enablePublish
--- PASS: TestAccLambdaFunction_LocalUpdate_nameOnly (1069.73s)
=== CONT  TestAccLambdaFunction_versionedUpdate
--- PASS: TestAccLambdaFunction_layersUpdate (1067.50s)
=== CONT  TestAccLambdaFunction_encryptedEnvVariables
--- PASS: TestAccLambdaFunction_layers (1225.77s)
=== CONT  TestAccLambdaFunction_vpcUpdate
--- PASS: TestAccLambdaFunction_unpublishedCodeUpdate (1300.38s)
=== CONT  TestAccLambdaFunction_VPC_withInvocation
--- PASS: TestAccLambdaFunction_KMSKeyARN_noEnvironmentVariables (1229.09s)
=== CONT  TestAccLambdaFunction_EnvironmentVariables_noValue
--- PASS: TestAccLambdaFunction_snapStart (1236.89s)
=== CONT  TestAccLambdaFunction_tracing
--- PASS: TestAccLambdaFunction_deadLetterUpdated (1237.26s)
=== CONT  TestAccLambdaFunction_expectFilenameAndS3Attributes
--- PASS: TestAccLambdaFunction_expectFilenameAndS3Attributes (0.90s)
--- PASS: TestAccLambdaFunction_architectures (1216.15s)
--- PASS: TestAccLambdaFunction_envVariables (1265.23s)
--- PASS: TestAccLambdaFunction_nilDeadLetter (1170.64s)
--- PASS: TestAccLambdaFunction_emptyVPC (1137.18s)
--- PASS: TestAccLambdaFunction_VPCPublishHas_changes (1463.66s)
--- PASS: TestAccLambdaFunction_architecturesWithLayer (1526.67s)
--- PASS: TestAccLambdaFunction_disablePublish (1031.93s)
--- PASS: TestAccLambdaFunction_deadLetter (839.45s)
--- PASS: TestAccLambdaFunction_enablePublish (700.30s)
--- PASS: TestAccLambdaFunction_VPC_replaceSGWithCustom (718.39s)
--- PASS: TestAccLambdaFunction_encryptedEnvVariables (682.67s)
--- PASS: TestAccLambdaFunction_fileSystem (1918.63s)
--- PASS: TestAccLambdaFunction_EnvironmentVariables_noValue (825.65s)
--- PASS: TestAccLambdaFunction_architecturesUpdate (2017.86s)
--- PASS: TestAccLambdaFunction_tracing (843.85s)
--- PASS: TestAccLambdaFunction_versionedUpdate (1099.19s)
--- PASS: TestAccLambdaFunction_VPC_withInvocation (1023.00s)
--- PASS: TestAccLambdaFunction_VPCPublishNo_changes (2339.35s)
--- PASS: TestAccLambdaFunction_vpcUpdate (2215.16s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/lambda     3507.200s
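The destroy-time behaviour described above, modelled as an added example (this is not the provider's own code): find the ENIs that belong to the destroyed function, decide whether an explicit `replacement_security_group_ids` list or the VPC's default group should be applied, and rewrite the groups on only those interfaces. The EC2 client is reduced to a three-method interface with an in-memory fake so it runs offline; the ENI description format `AWS Lambda VPC ENI-<function-name>-<uuid>`, the type shapes, and all IDs (`vpc-0abc`, `sg-custom`, `eni-0a1`, ...) are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal models of the EC2 objects involved (an assumption for this example).
type NetworkInterface struct {
	ID, Description, VPCID string
	SecurityGroups         []string
}

type SecurityGroup struct{ ID, Name, VPCID string }

// EC2API is the slice of the EC2 API the destroy-time logic needs; the fake below stands in for a real client.
type EC2API interface {
	DescribeNetworkInterfaces() ([]NetworkInterface, error)
	DescribeSecurityGroups() ([]SecurityGroup, error)
	ModifyNetworkInterfaceGroups(eniID string, groups []string) error
}

// resolveReplacementGroups applies the attribute semantics: an explicit
// replacement_security_group_ids list wins, otherwise the VPC's default group.
func resolveReplacementGroups(api EC2API, vpcID string, replacement []string) ([]string, error) {
	if len(replacement) > 0 {
		return replacement, nil
	}
	groups, err := api.DescribeSecurityGroups()
	if err != nil {
		return nil, err
	}
	for _, sg := range groups {
		if sg.VPCID == vpcID && sg.Name == "default" {
			return []string{sg.ID}, nil
		}
	}
	return nil, fmt.Errorf("no default security group in %s", vpcID)
}

// ReplaceSecurityGroupsOnDestroy swaps the groups on every ENI still attached to
// the destroyed function so its own groups have no remaining dependents.
// It returns the modified ENI IDs; an empty result means Lambda already released them.
func ReplaceSecurityGroupsOnDestroy(api EC2API, functionName, vpcID string, replacement []string) ([]string, error) {
	all, err := api.DescribeNetworkInterfaces()
	if err != nil {
		return nil, err
	}
	// Lambda-managed ENIs are assumed to be described as
	// "AWS Lambda VPC ENI-<function-name>-<uuid>"; matching that prefix keeps the
	// change scoped to the destroyed function's interfaces (the PR's first caveat).
	prefix := "AWS Lambda VPC ENI-" + functionName + "-"
	var groups, modified []string
	for _, eni := range all {
		if !strings.HasPrefix(eni.Description, prefix) {
			continue
		}
		if groups == nil { // resolved lazily: no lookup when nothing is left to modify
			if groups, err = resolveReplacementGroups(api, vpcID, replacement); err != nil {
				return nil, err
			}
		}
		if err := api.ModifyNetworkInterfaceGroups(eni.ID, groups); err != nil {
			return modified, fmt.Errorf("eni %s: %w", eni.ID, err)
		}
		modified = append(modified, eni.ID)
	}
	return modified, nil
}

// fakeEC2 is an in-memory stand-in for the EC2 client.
type fakeEC2 struct {
	enis   []NetworkInterface
	groups []SecurityGroup
}

func (f *fakeEC2) DescribeNetworkInterfaces() ([]NetworkInterface, error) { return f.enis, nil }
func (f *fakeEC2) DescribeSecurityGroups() ([]SecurityGroup, error)      { return f.groups, nil }

func (f *fakeEC2) ModifyNetworkInterfaceGroups(eniID string, groups []string) error {
	for i := range f.enis {
		if f.enis[i].ID == eniID {
			f.enis[i].SecurityGroups = append([]string(nil), groups...)
			return nil
		}
	}
	return fmt.Errorf("InvalidNetworkInterfaceID.NotFound: %s", eniID)
}

// NewSampleEC2 returns constructed sample data: two ENIs of function "example"
// and one of an unrelated function, all in vpc-0abc and all using sg-custom.
func NewSampleEC2() *fakeEC2 {
	eni := func(id, fn, uuid string) NetworkInterface {
		return NetworkInterface{ID: id, Description: "AWS Lambda VPC ENI-" + fn + "-" + uuid, VPCID: "vpc-0abc", SecurityGroups: []string{"sg-custom"}}
	}
	return &fakeEC2{
		enis:   []NetworkInterface{eni("eni-0a1", "example", "1111"), eni("eni-0b2", "other", "2222"), eni("eni-0c3", "example", "3333")},
		groups: []SecurityGroup{{ID: "sg-default", Name: "default", VPCID: "vpc-0abc"}, {ID: "sg-custom", Name: "example", VPCID: "vpc-0abc"}},
	}
}
```

Calling `ReplaceSecurityGroupsOnDestroy(NewSampleEC2(), "example", "vpc-0abc", nil)` moves `eni-0a1` and `eni-0c3` to `sg-default` and leaves the other function's `eni-0b2` on `sg-custom`, which is what frees `sg-custom` for deletion without touching anything else. Falling back to the VPC default group means the lingering ENIs inherit whatever that group allows; where the default group has been given rules, an explicit `replacement_security_group_ids` pointing at a dedicated group with no rules keeps the interfaces isolated until Lambda removes them.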

@github-actions

github-actions bot commented Feb 7, 2023

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. service/lambda Issues and PRs that pertain to the lambda service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/XL Managed by automation to categorize the size of a PR. labels Feb 7, 2023
@jar-b jar-b force-pushed the td-aws_lambda_function-remove_security_groups_on_destroy branch 3 times, most recently from 767ba70 to b336899 February 8, 2023 17:58
@jar-b jar-b marked this pull request as ready for review February 8, 2023 18:35
@jar-b jar-b force-pushed the td-aws_lambda_function-remove_security_groups_on_destroy branch from b336899 to 4fadf46 February 9, 2023 18:58
@jar-b jar-b merged commit 7ee651b into main Feb 9, 2023
@jar-b jar-b deleted the td-aws_lambda_function-remove_security_groups_on_destroy branch February 9, 2023 20:20
@github-actions github-actions bot added this to the v4.54.0 milestone Feb 9, 2023
github-actions bot pushed a commit that referenced this pull request Feb 9, 2023
@github-actions

github-actions bot commented Feb 9, 2023

This functionality has been released in v4.54.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 12, 2023