Terraform cant delete security group for lambda ENI

Question

I have a terraform script that creates a lambda function in a VPC. Because the lambda is deployed to a VPC it creates an ENI and associates it with my security group. However, when I go to change that security group (destroy) it fails due to a timeout of the ENI being in use.

What I assume is happening is that Terraform is recognising that the ENI is dependent on the security group but isn't recognising that the lambda function is dependent on the ENI and therefore is not trying to delete the lambda function before trying to delete the ENI.

The desired outcome would be the ability to change the security group's name and description without having to manually delete the lambda function and ENIs.

I have tried creating various 'depends_on' and also settings a lifecycle for the lambda function to be destroyed on changes to the security group but neither has worked. I am using version 1.3.3 of Terraform and version 4.37.0 of the AWS provider.

Error: deleting ENIs using Security Group (sg-01ba40a4b03c5ddd2): 2 errors occurred:

waiting for Lambda ENI (eni-02cd7771540d50f8e) to become available for detachment: timeout while waiting for state to become 'available' (last state: 'in-use', timeout: 45m0s)

waiting for Lambda ENI (eni-030c34234a51be116) to become available for detachment: timeout while waiting for state to become 'available' (last state: 'in-use', timeout: 45m0s)

# ----------------------------------------------------------------------
# Security group
# ----------------------------------------------------------------------
resource "aws_security_group" "public" {
  name        = "test-sg"
  vpc_id      = var.vpc_id
  description = "Security group for the lambda functions." # I cant modify this
}


# ----------------------------------------------------------------------
# Lambda Function
# ----------------------------------------------------------------------
resource "aws_lambda_function" "lambda_function" {
  function_name    = var.name
  handler          = var.handler
  description      = var.description
  runtime          = var.runtime
  package_type     = "Zip"
  filename         = var.file_path
  source_code_hash = filebase64sha256(var.file_path)
  role             = aws_iam_role.lambda_execution_role.arn
  timeout          = 30
  memory_size      = var.memory_size
  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.public.id]
  }
}

Thanks.

Answer 1

i've run across this as well. it is, as you know, quite frustrating.

my workaround (not ideal by any means) is to edit each eni using the aws console to change the security group assigned (add any random security group and delete the offending security group). when the next terraform apply is executed, the security group can be replaced, the eni/nic will be updated and everything is reset.