Sometimes AWS fails to release an allocated IP address when tearing down the associated resources. This lambda will release/delete all network interfaces that are in Status: Available as they are not associated with a current AWS resource but can't be used by a new AWS resource.
An exception is made for ENIs attached to DataSync tasks since DataSync only establishes ENIs at task creation time.
This includes a 24 hour cloudwatch alarm to trigger the lambda regularly in an effort to keep the account clean and make the resources available for another consumer.
| Name | Version |
|---|---|
| terraform | >= 0.14 |
| archive | ~> 2.2 |
| aws | > 4.0 |
| random | >= 3.1.0 |
| Name | Version |
|---|---|
| archive | ~> 2.2 |
| aws | > 4.0 |
| Name | Source | Version |
|---|---|---|
| iam | ./iam | n/a |
| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.ip_address_release_lambda_interval | resource |
| aws_cloudwatch_event_target.ip_address_release_lambda_attach | resource |
| aws_lambda_function.ip_address_release_lambda | resource |
| aws_lambda_permission.event_permission | resource |
| archive_file.lambda_source | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_name | The account name for use in alarm description. | string |
n/a | yes |
| iam_role_arn | The ARN of the IAM Role to use (creates a new one if set to null) |
string |
null |
no |
| internet_egress_security_group_id | security group id that allows internet outbound calls to port 443 | string |
n/a | yes |
| kms_key_arn | ARN of the key to give to Lambda for access | string |
n/a | yes |
| lambda_runtime | Python runtime to use for this lambda | string |
"python3.9" |
no |
| permissions_boundary_arn | The ARN of the policy that is used to set the permissions boundary for the IAM roles. | string |
null |
no |
| prefix | prefix name, can be a team or product name. E.g., 'SRE' | string |
n/a | yes |
| subnet_ids | Subnets that Lambda will be created with in the VPC | list(string) |
n/a | yes |
| timeout | Timeout value for the lambda | number |
300 |
no |
| vpc_id | VPC ID to attach the IP Address Release lambda to. | string |
n/a | yes |
| Name | Description |
|---|---|
| iam_role_arn | The IAM Role created, or the one passed in. |
The IAM role created for the initial region can be reused for the second region by referencing the outputs from the first region.
* assumes a non-aliased provider is setup elsewhere
module "ip-address-release-primary" {
source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
providers = {
aws = aws
}
prefix = "SRE"
account_name = var.account_name
permissions_boundary_arn = local.permissions_boundary
internet_egress_security_group_id = data.aws_security_group.https-internet-egress_primary.id
vpc_id = data.aws_vpc.internal_primary.id
subnet_ids = data.aws_subnets.private_subnets_primary.ids
kms_key_arn = data.aws_kms_key.master_primary.arn
}
* assumes an aliased (secondary) provider is setup elsewhere
module "ip-address-release-secondary" {
source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
providers = {
aws = aws.secondary
}
prefix = "SRE"
account_name = var.account_name
permissions_boundary_arn = local.permissions_boundary
internet_egress_security_group_id = data.aws_security_group.https-internet-egress_secondary.id
iam_role_arn = module.ip-address-release-primary.iam_role_arn # reference the IAM Role created earlier
vpc_id = data.aws_vpc.internal_secondary.id
subnet_ids = data.aws_subnets.private_subnets_secondary.ids
kms_key_arn = data.aws_kms_key.master_secondary.arn
}- Why can't I detach or delete an elastic network interface that Lambda created?
- Requester Managed Network Interfaces
- findassociations script in AWS-support-tools can help track down why an ENI is stuck