Destroying Network Resources in Configurations with Lambda Functions

In recent weeks, AWS announced improved VPC networking for Lambda functions. These improvements represent a significant change in how elastic network interfaces (ENIs) are configured to connect to your VPCs. AWS Lambda now uses Hyperplane ENIs, which, unlike regular ENIs, cannot be force-detached. These changes cause issues when destroying network resources in configurations containing Lambda functions in regions where the improvements have been rolled out. If affected, you may be unable to delete specific VPC resources, such as subnets and security groups, and will see a DependencyViolation error instead.

In this post we’ll be discussing updates made to the aws_security_group and aws_subnet resources in response to the changes in VPC networking for Lambda functions.

In version 2.31.0 of the AWS provider we will be patching the two affected resources to support the improved VPC networking changes for Lambda functions. The change increases the default deletion timeouts in the aws_subnet and aws_security_group resources to account for the longer Lambda function ENI cleanup process. On average, the cleanup takes anywhere from 18 to 33 minutes, but can extend up to 40 minutes.

If you are unable to upgrade to 2.31.0 and are affected by this issue, please use the following workaround:

Add or update the timeouts configuration for the affected aws_security_group and aws_subnet resources, as shown in the example below, so that Terraform keeps waiting while AWS cleans up the Lambda ENIs.


resource "aws_subnet" "example" {
  # ... other configuration ...

  # Raise the delete timeout to cover the longest observed ENI cleanup.
  timeouts {
    delete = "40m"
  }

  # Keep the Lambda role's VPC permissions in place until the subnet is gone,
  # so Lambda can still delete its ENIs during destroy.
  depends_on = [aws_iam_role_policy_attachment.example]
}
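For readers who want to see the whole picture, the following is an added example (not code from the original post or from the provider's own documentation) that wires a VPC-attached Lambda function together with both affected resources carrying the 40m delete timeout. The resource names, CIDR ranges, function settings and the lambda.zip artifact are assumptions for illustration; the depends_on edges point at the IAM policy attachment that grants Lambda its ENI permissions, which is what keeps the cleanup possible while terraform destroy is tearing the network resources down.

```hcl
# Added example: Lambda in a VPC with destroy-safe timeouts on the subnet and
# security group. All names, CIDRs and the lambda.zip file are assumptions.

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "example" {
  vpc_id     = aws_vpc.example.id
  cidr_block = "10.0.1.0/24"

  # Wait up to 40 minutes for Lambda's Hyperplane ENIs to be released.
  timeouts {
    delete = "40m"
  }

  # Destroy the subnet before the role loses its ENI permissions.
  depends_on = [aws_iam_role_policy_attachment.lambda_vpc]
}

resource "aws_security_group" "lambda" {
  name   = "lambda-vpc-example"
  vpc_id = aws_vpc.example.id

  # Add only the egress rules the function actually needs.

  timeouts {
    delete = "40m"
  }

  depends_on = [aws_iam_role_policy_attachment.lambda_vpc]
}

resource "aws_iam_role" "lambda" {
  name = "lambda-vpc-example"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

# Managed policy that grants the ENI create/describe/delete permissions
# Lambda requires for VPC access.
resource "aws_iam_role_policy_attachment" "lambda_vpc" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "example" {
  function_name = "vpc-example"
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "python3.7"
  filename      = "lambda.zip" # assumed to exist next to this configuration

  vpc_config {
    subnet_ids         = [aws_subnet.example.id]
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

Without the depends_on edges, Terraform may detach the policy from the role before the subnet and security group are deleted; the function is gone by then, but its ENIs are not, and the cleanup that the longer timeout is waiting for cannot complete. With the edges in place, a destroy of this configuration removes the function first, then waits out the ENI cleanup on the subnet and security group, and only then detaches the policy and removes the role.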

We recognize that this may cause a significant delay when running terraform destroy, and we are working with AWS to continue addressing the issue. For more details from HashiCorp, refer to the pinned issue on the Terraform AWS Provider. For additional context from AWS, please refer to their blog post on the networking improvements.

We recognize that improvements can sometimes have unexpected side effects. It’s our goal to work closely with our partners to ensure that any updates or resolutions happen in a timely fashion. We are thankful to our customers and community for making us aware of this issue’s impact. If you run into further difficulty with these resources unrelated to the ENI changes, please create a new issue on the AWS provider.