r/aws_lambda_function: Remove replace_security_groups_on_destroy attribute #31911
Comments
Rather than removing these two attributes, Almost a year on, the underlying problem still exists in AWS, and so there is still value to be gained. Furthermore, we can confirm that the above approach does still successfully solve the problem too - making a huge difference. In other words, rather than the now deprecated (read: now non-functional) approach whereby the provider looks up all related ENIs and modifies each individual ENI's security groups (which AWS no longer allows, for understandable reasons), instead the provider should simply modify the Lambda function's nominated security groups (and let Lambda deal with re-creating the new ENIs, which it can actually do very quickly in practice). The overall objective (i.e. ending up with ENIs in a different security group, one way or another) and the overall goal (i.e. speeding up the Lambda function destroy) is still the same as before. So, the naming of these two attributes, If anyone is curious: we are adopting this approach in all our If the

Hey @theipster 👋 - Thanks for the detailed request, and especially for the context on how you're implementing this within Terraform test suites! For some reason my previous understanding was that modifying the lambda security groups prior to deletion did not yield significant reductions in destroy times of the associated security groups. However, given you (and the commenter linked above) have evidence of significant time reductions, it seems my test configuration was too limited (and therefore missed the observed advantages), or AWS has made some internal changes which now make this more viable. Either way, this feels like a feature worth revisiting given the potential benefits. I'm going to assign myself to this to investigate.
First pass at this has yielded some definitive improvements on run time of acceptance tests (previously on the order of

```
% make testacc PKG=lambda TESTS="TestAccLambdaFunction_VPC_replaceSGWithDefault|TestAccLambdaFunction_VPC_replaceSGWithCustom"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.22.2 test ./internal/service/lambda/... -v -count 1 -parallel 20 -run='TestAccLambdaFunction_VPC_replaceSGWithDefault|TestAccLambdaFunction_VPC_replaceSGWithCustom' -timeout 360m
--- PASS: TestAccLambdaFunction_VPC_replaceSGWithDefault (424.23s)
--- PASS: TestAccLambdaFunction_VPC_replaceSGWithCustom (615.75s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/lambda 620.855s
```

I also discovered my mistake with the previous attempt at this alternative - I missed waiting for the VPC configuration update to take effect prior to calling the delete operation. This effectively left the security groups intended to be "removed" still assigned to the lambda function during deletion, and therefore resulted in the same long-running destroy operations observed when this argument is not configured at all. Thanks again for bringing this proposal up, @theipster! I'm planning to get the full test suite run and a PR up shortly.
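The ordering jar-b describes above (update the function's security groups, wait for the VPC configuration update to finish, and only then delete) as an added example; this is not provider code and none of these names come from the project. The `LambdaAPI` interface and `FakeLambda` are assumptions standing in for the real SDK calls (UpdateFunctionConfiguration, the `LastUpdateStatus` field of GetFunctionConfiguration, and DeleteFunction) so the program runs offline; the fake keeps the update `InProgress` for a couple of polls, which is enough to reproduce the timing mistake from the comment: `DeleteWithoutWaiting` records the old groups still attached at delete time, `ReplaceSGsThenDelete` records the replacement groups.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// LambdaAPI is an assumed, minimal stand-in for the three Lambda calls the
// provider would make: update the VPC config, read LastUpdateStatus, delete.
type LambdaAPI interface {
	UpdateSecurityGroups(ctx context.Context, fn string, sgIDs []string) error
	LastUpdateStatus(ctx context.Context, fn string) (string, error)
	DeleteFunction(ctx context.Context, fn string) error
}

// ReplaceSGsThenDelete is the corrected order: swap the groups, wait until the
// asynchronous VPC config update reports Successful, then issue the delete.
func ReplaceSGsThenDelete(ctx context.Context, api LambdaAPI, fn string, replacement []string, poll time.Duration) error {
	if err := api.UpdateSecurityGroups(ctx, fn, replacement); err != nil {
		return fmt.Errorf("update security groups: %w", err)
	}
	if err := waitForUpdate(ctx, api, fn, poll); err != nil {
		return fmt.Errorf("wait for vpc config update: %w", err)
	}
	return api.DeleteFunction(ctx, fn)
}

// DeleteWithoutWaiting reproduces the mistake from the thread: the delete is
// issued while the update is still InProgress, so the old groups are still
// attached when the function (and its ENIs) are torn down.
func DeleteWithoutWaiting(ctx context.Context, api LambdaAPI, fn string, replacement []string) error {
	if err := api.UpdateSecurityGroups(ctx, fn, replacement); err != nil {
		return err
	}
	return api.DeleteFunction(ctx, fn)
}

// waitForUpdate polls LastUpdateStatus until Successful or Failed, honouring
// the context deadline between polls.
func waitForUpdate(ctx context.Context, api LambdaAPI, fn string, poll time.Duration) error {
	for {
		status, err := api.LastUpdateStatus(ctx, fn)
		if err != nil {
			return err
		}
		switch status {
		case "Successful":
			return nil
		case "Failed":
			return errors.New("update reported Failed")
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(poll):
		}
	}
}

// FakeLambda models the eventual consistency of a VPC config update: after an
// update the status stays InProgress for pollsUntilDone checks, and only then
// are the new groups applied. It records the groups attached at delete time.
type FakeLambda struct {
	sgs, pending              []string
	remaining, pollsUntilDone int
	SGsAtDelete               []string
}

func NewFakeLambda(initial []string, pollsUntilDone int) *FakeLambda {
	return &FakeLambda{sgs: append([]string(nil), initial...), pollsUntilDone: pollsUntilDone}
}

func (f *FakeLambda) UpdateSecurityGroups(_ context.Context, _ string, sgIDs []string) error {
	f.pending = append([]string(nil), sgIDs...)
	f.remaining = f.pollsUntilDone
	return nil
}

func (f *FakeLambda) LastUpdateStatus(_ context.Context, _ string) (string, error) {
	if f.pending == nil {
		return "Successful", nil
	}
	if f.remaining > 0 {
		f.remaining--
		return "InProgress", nil
	}
	f.sgs, f.pending = f.pending, nil
	return "Successful", nil
}

func (f *FakeLambda) DeleteFunction(_ context.Context, _ string) error {
	f.SGsAtDelete = append([]string(nil), f.sgs...)
	return nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// Constructed placeholder IDs, not real security groups.
	custom, def := []string{"sg-custom-placeholder"}, []string{"sg-default-placeholder"}
	good := NewFakeLambda(custom, 2)
	_ = ReplaceSGsThenDelete(ctx, good, "fn", def, time.Millisecond)
	fmt.Println("waited, groups at delete:", good.SGsAtDelete)
	bad := NewFakeLambda(custom, 2)
	_ = DeleteWithoutWaiting(ctx, bad, "fn", def)
	fmt.Println("no wait, groups at delete:", bad.SGsAtDelete)
}
```

Against the real API the same shape applies: the update call returns before the new ENIs exist, so the delete must be gated on `LastUpdateStatus` rather than on the update call returning.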
Thanks @jar-b for looking at this so promptly - much appreciated! Yes, it seems to hinge on the timing of when the Lambda function gets deleted... or potentially (just a thought) more specifically when the Lambda function's IAM execution role gets deleted, given that execution roles for VPC-enabled Lambdas require those additional Let me know if there's anything I can help with; otherwise, I look forward to the improvement! 👍
This functionality has been released in v5.51.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description

The replace_security_groups_on_destroy and replacement_security_group_ids attributes were deprecated in #31904. These should be removed, along with acceptance tests referencing these attributes.

References

Relates #31904
Relates #31520

Would you like to implement a fix?

None