aws_lambda_function - destroy still not removing ENI's consistently. #829

Closed
hashibot opened this issue Jun 13, 2017 · 4 comments
Labels
bug Addresses a defect in current functionality. service/lambda Issues and PRs that pertain to the lambda service.
Milestone

Comments

@hashibot

This issue was originally opened by @stevegroner as hashicorp/terraform#15105. It was migrated here as part of the provider split. The original body of the issue is below.


There is still an issue when deleting a Lambda with vpc_config. I have (2) Lambda functions with vpc_configs; one fails and one doesn't. I am not sure why, but it seems to continue to be an issue.

Terraform Version

0.9.5

Affected Resource(s)

aws_lambda_function (with vpc_config)

Terraform Configuration Files

First Lambda Function

# Create the Lambda Function
resource "aws_lambda_function" "rds_db_mgmt" {
  description      = "${var.IC_PREFIX} Remote RDS Mgmt"
  filename         = "${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"
  function_name    = "${var.IC_PREFIX}-remote-rds-db-mgmt"
  timeout          = "300"
  role             = "${alks_iamrole.iam_rds_db_mgmt_service_role.arn}"
  handler          = "RdsDBManagement::RdsDBManagement.Functions::Get"
  runtime          = "dotnetcore1.0"
  source_code_hash = "${base64sha256(file("${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"))}"
  memory_size      = 512

  vpc_config {
    subnet_ids = ["${data.terraform_remote_state.sharedstate.intsubnets.0}","${data.terraform_remote_state.sharedstate.intsubnets.1}","${data.terraform_remote_state.sharedstate.intsubnets.2}"]
    security_group_ids = ["${data.terraform_remote_state.stacksecurity.EBSecurityGroupID}"]
  }

  environment {
    variables = {
      DatabaseConnection        = "Data Source={0},1433;Initial Catalog={1};User id=mydbadmin;password={removed for security}"
    }
  }
}

2nd Lambda Function

# Create the Lambda Function
resource "aws_lambda_function" "rds_sql_metric" {
  description      = "${var.IC_PREFIX} Custom RDS SQL Metric"
  filename         = "${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"
  function_name    = "${var.IC_PREFIX}-rds-sql-metric"
  timeout          = "300"
  role             = "${alks_iamrole.iam_rds_sql_metric_service_role.arn}"
  handler          = "RdsHeartbeatCloudWatchMetric::RdsHeartbeatCloudWatchMetric.Function::FunctionHandler"
  runtime          = "dotnetcore1.0"
  source_code_hash = "${base64sha256(file("${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"))}"
  memory_size      = 512

  vpc_config {
    subnet_ids = ["${data.terraform_remote_state.sharedstate.intsubnets.0}","${data.terraform_remote_state.sharedstate.intsubnets.1}","${data.terraform_remote_state.sharedstate.intsubnets.2}"]
    security_group_ids = ["${data.terraform_remote_state.stacksecurity.EBSecurityGroupID}"]
  }

  environment {
    variables = {
      DatabaseList = "SQLDB1|SQLDB2|SQLDB3|SQLDB4|SQLDB5"
      RdsInstances = "${data.terraform_remote_state.rds_state.rds-instance-1}"
      DatabaseConnection = "Data Source={0},1433;Initial Catalog={1};User id={service account};password={removed for security}"
      Prefix = "${var.IC_PREFIX}"
    }
  }
}

Debug Output

Not Available

Panic Output

Not Available

Expected Behavior

When removing Lambda functions with vpc_config, the Lambda and any linked ENIs should be removed.

Actual Behavior

Inconsistent ENI removal. When the (2) lambdas above are removed 1 of the ENI's appears to be removed while the other doesn't.

Steps to Reproduce

  1. terraform apply
  2. execute lambda
  3. terraform destroy

Important Factoids

When I started typing this, the ENI appeared as IN USE even though both Lambdas no longer existed. By the time I completed writing this, the ENI showed as available. Perhaps this is an issue with timing between removal of the Lambda and removal of the ENI.

The security group that is used in these ENIs comes from Elastic Beanstalk creation. In the vpc_config for these I add the EB security group created when aws_elastic_beanstalk_env is used. So if the functionality to clean these up was added to aws_security_group delete, that will not work for my scenario.

References

There was another issue reported as being fixed back in November but I do not think this issue is completely resolved.

@shahim

shahim commented Jan 24, 2018

The Lambda function execution role must have permissions to create, describe and delete ENIs. AWS Lambda provides a permissions policy, AWSLambdaVPCAccessExecutionRole, with permissions for the necessary EC2 actions (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface) that you can use when creating a role. You can review the policy in the IAM console. Do not delete this role immediately after your Lambda function execution. There is a delay between the time your Lambda function executes and ENI deletion. If you do delete the role immediately after function execution, you are responsible for deleting the ENIs.

So the best option is to move the lambda execution role provisioning into another terraform script to make sure it won't be deleted before ENI deletion. You can retrieve the role arn via aws_iam_role data source in the script which provisions the lambda function.

For more information visit here
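The role split shahim recommends, written out as an added example (not from the issue, and not the provider's own code): the execution role lives in its own root module with its own state, and the module that provisions the function only reads it through the aws_iam_role data source. Resource, role and output names are hypothetical; the module is written in the 0.11-era interpolation syntax the issue itself uses, and it reuses the variables and remote-state outputs from the reporter's first function. This split only addresses the permission-lifetime problem shahim describes (the role must still exist while Lambda deletes its ENIs); the ENI deletion itself is what the provider fix bflad references below addresses.

```hcl
# --- iam/main.tf: long-lived root module that owns the execution role ---
# Added example, not from the issue. Names are hypothetical.
# Because the role is in its own state, `terraform destroy` of the Lambda
# stack cannot remove it before Lambda has finished deleting the ENIs.

resource "aws_iam_role" "lambda_rds_mgmt" {
  name = "lambda-rds-mgmt-exec"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# AWS-managed policy carrying the ENI actions shahim lists
# (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces,
# ec2:DeleteNetworkInterface).
resource "aws_iam_role_policy_attachment" "lambda_rds_mgmt_vpc_access" {
  role       = "${aws_iam_role.lambda_rds_mgmt.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

output "lambda_rds_mgmt_role_name" {
  value = "${aws_iam_role.lambda_rds_mgmt.name}"
}

# --- lambda/main.tf: separate root module that provisions the function ---
# Looks the role up by name instead of creating it, so destroying this
# stack removes the function while the role (and its ENI permissions)
# stays in place.

data "aws_iam_role" "lambda_rds_mgmt" {
  name = "lambda-rds-mgmt-exec"
}

resource "aws_lambda_function" "rds_db_mgmt" {
  description      = "${var.IC_PREFIX} Remote RDS Mgmt"
  filename         = "${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"
  function_name    = "${var.IC_PREFIX}-remote-rds-db-mgmt"
  timeout          = 300
  handler          = "RdsDBManagement::RdsDBManagement.Functions::Get"
  runtime          = "dotnetcore1.0"
  source_code_hash = "${base64sha256(file("${var.IC_PACKAGE_PATH}\\${var.IC_PACKAGE_NAME}"))}"
  memory_size      = 512

  # ARN comes from the data source, not from a resource in this state.
  role = "${data.aws_iam_role.lambda_rds_mgmt.arn}"

  vpc_config {
    subnet_ids = [
      "${data.terraform_remote_state.sharedstate.intsubnets.0}",
      "${data.terraform_remote_state.sharedstate.intsubnets.1}",
      "${data.terraform_remote_state.sharedstate.intsubnets.2}",
    ]
    security_group_ids = ["${data.terraform_remote_state.stacksecurity.EBSecurityGroupID}"]
  }
}
```

Apply the iam module first and keep it applied; run `terraform destroy` only in the lambda module. If the role ever does have to go, destroy the lambda module, confirm in the EC2 console (or with ec2:DescribeNetworkInterfaces) that no ENI still references the function's security group, and only then destroy the iam module.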

@bflad
Contributor

bflad commented Sep 26, 2018

The fix for this was merged in as part of #4884 and will release with version 1.38.0 of the AWS provider, likely later today.

@bflad bflad closed this as completed Sep 26, 2018
@bflad
Contributor

bflad commented Sep 26, 2018

This has been released in version 1.38.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020