diff --git a/.changelog/31904.txt b/.changelog/31904.txt
new file mode 100644
index 00000000000..296bac2db9f
--- /dev/null
+++ b/.changelog/31904.txt
@@ -0,0 +1,3 @@
+```release-note:note
+resource/aws_lambda_function: The `replace_security_groups_on_destroy` and `replacement_security_group_ids` attributes are being deprecated as AWS no longer supports this operation. These attributes now have no effect, and will be removed in a future major version.
+```
diff --git a/internal/service/ec2/find.go b/internal/service/ec2/find.go
index ce3b71a98c3..3a8797e852a 100644
--- a/internal/service/ec2/find.go
+++ b/internal/service/ec2/find.go
@@ -1645,24 +1645,6 @@ func FindNetworkInterfaceByID(ctx context.Context, conn *ec2.EC2, id string) (*e
 return output, nil
 }

-func FindLambdaNetworkInterfacesBySecurityGroupIDsAndFunctionName(ctx context.Context, conn *ec2.EC2, securityGroupIDs []string, functionName string) ([]*ec2.NetworkInterface, error) {
- // lambdaENIDescriptionPrefix is the common prefix used in the description for Lambda function
- // elastic network interfaces (ENI). This can be used with a function name to filter to only
- // ENIs associated with a single function.
- lambdaENIDescriptionPrefix := "AWS Lambda VPC ENI-"
- description := fmt.Sprintf("%s%s-*", lambdaENIDescriptionPrefix, functionName)
-
- input := &ec2.DescribeNetworkInterfacesInput{
- Filters: BuildAttributeFilterList(map[string]string{
- "interface-type": ec2.NetworkInterfaceTypeLambda,
- "description": description,
- }),
- }
- input.Filters = append(input.Filters, NewFilter("group-id", securityGroupIDs))
-
- return FindNetworkInterfaces(ctx, conn, input)
- }
-
 func FindNetworkInterfacesByAttachmentInstanceOwnerIDAndDescription(ctx context.Context, conn *ec2.EC2, attachmentInstanceOwnerID, description string) ([]*ec2.NetworkInterface, error) {
 input := &ec2.DescribeNetworkInterfacesInput{
 Filters: BuildAttributeFilterList(map[string]string{
diff --git a/internal/service/lambda/function.go b/internal/service/lambda/function.go
index d5ecb0abc34..c8cdb0dcf86 100644
--- a/internal/service/lambda/function.go
+++ b/internal/service/lambda/function.go
@@ -15,7 +15,6 @@ import (
 "github.com/aws/aws-sdk-go-v2/service/lambda"
 "github.com/aws/aws-sdk-go-v2/service/lambda/types"
 "github.com/aws/aws-sdk-go/aws/endpoints"
- "github.com/aws/aws-sdk-go/service/ec2"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
@@ -26,7 +25,6 @@ import (
 "github.com/hashicorp/terraform-provider-aws/internal/errs"
 "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 "github.com/hashicorp/terraform-provider-aws/internal/flex"
- tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2"
 tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 "github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 "github.com/hashicorp/terraform-provider-aws/internal/verify"
@@ -258,10 +256,14 @@ func ResourceFunction() *schema.Resource {
 Computed: true,
 },
 "replace_security_groups_on_destroy": {
+ Deprecated: "AWS no longer supports this operation. This attribute now has " +
+ "no effect and will be removed in a future major version.",
 Type: schema.TypeBool,
 Optional: true,
 },
 "replacement_security_group_ids": {
+ Deprecated: "AWS no longer supports this operation. This attribute now has " +
+ "no effect and will be removed in a future major version.",
 Type: schema.TypeSet,
 Optional: true,
 Elem: &schema.Schema{Type: schema.TypeString},
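Review bot: The two `Deprecated` strings on `replace_security_groups_on_destroy` and `replacement_security_group_ids` are identical literals that will drift apart the first time one is edited; hoist them into a single package-level constant, e.g. `const deprecatedReplaceSecurityGroupsMsg = "AWS no longer supports this operation. This attribute now has no effect and will be removed in a future major version."`, and reference it from both fields. The message would also serve operators better if it said what to expect now: with the orphaned-ENI security-group swap gone, an `aws_security_group` in the same configuration only becomes deletable once AWS's own ENI cleanup finishes, which is the dependency the removed feature existed to avoid. Both attributes remain `Optional` and are still accepted into state, so a user who set them gets only a plan-time deprecation warning and no run-time signal — worth stating in the message as well. `ResourceFunction` starts before this hunk and continues after it.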
@@ -1013,12 +1015,6 @@ func resourceFunctionDelete(ctx context.Context, d *schema.ResourceData, meta in
 return sdkdiag.AppendErrorf(diags, "deleting Lambda Function (%s): %s", d.Id(), err)
 }

- if _, ok := d.GetOk("replace_security_groups_on_destroy"); ok {
- if err := replaceSecurityGroups(ctx, d, meta); err != nil {
- return sdkdiag.AppendFromErr(diags, err)
- }
- }
-
 return diags
 }
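Review bot: Dropping the `replaceSecurityGroups` call here silently changes what a destroy leaves behind: a VPC-attached function's orphaned ENIs now keep their original security groups until AWS's asynchronous cleanup runs, so a same-run `aws_security_group` destroy can stall or fail on a dependency violation where it previously went through. Nothing at the removal site records why the step is gone, and a future maintainer reading the delete path has no hint; a short comment such as `// Orphaned Lambda ENIs keep their security groups after delete; per the changelog AWS no longer allows replacing them, so SG deletion waits on AWS's own ENI cleanup.` would prevent it being re-added. From a least-privilege angle the removal is also a small win: the old fallback moved the ENIs onto the VPC `default` security group, which is often broader than the function's purpose-built groups, and that implicit widening no longer happens. If `replace_security_groups_on_destroy` is true in state, this path emits no run-time notice beyond the schema deprecation warning; consider whether a one-line warning diagnostic is wanted for users who relied on it. `resourceFunctionDelete` begins before this hunk.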
@@ -1077,56 +1073,6 @@ func findLatestFunctionVersionByName(ctx context.Context, conn *lambda.Client, n
 return output, nil
 }

-// replaceSecurityGroups will replace the security groups on orphaned lambda ENI's
-//
-// If the replacement_security_group_ids attribute is set, those values will be used as
-// replacements. Otherwise, the default security group is used.
-func replaceSecurityGroups(ctx context.Context, d *schema.ResourceData, meta interface{}) error {
- ec2Conn := meta.(*conns.AWSClient).EC2Conn(ctx)
-
- var sgIDs []string
- var vpcID string
- if v, ok := d.GetOk("vpc_config"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
- tfMap := v.([]interface{})[0].(map[string]interface{})
- sgIDs = flex.ExpandStringValueSet(tfMap["security_group_ids"].(*schema.Set))
- vpcID = tfMap["vpc_id"].(string)
- } else { // empty VPC config, nothing to do
- return nil
- }
-
- if len(sgIDs) == 0 { // no security groups, nothing to do
- return nil
- }
-
- var replacmentSGIDs []*string
- if v, ok := d.GetOk("replacement_security_group_ids"); ok {
- replacmentSGIDs = flex.ExpandStringSet(v.(*schema.Set))
- } else {
- defaultSG, err := tfec2.FindSecurityGroupByNameAndVPCID(ctx, ec2Conn, "default", vpcID)
- if err != nil || defaultSG == nil {
- return fmt.Errorf("finding VPC (%s) default security group: %s", vpcID, err)
- }
- replacmentSGIDs = []*string{defaultSG.GroupId}
- }
-
- networkInterfaces, err := tfec2.FindLambdaNetworkInterfacesBySecurityGroupIDsAndFunctionName(ctx, ec2Conn, sgIDs, d.Id())
- if err != nil {
- return fmt.Errorf("finding Lambda Function (%s) network interfaces: %s", d.Id(), err)
- }
-
- for _, ni := range networkInterfaces {
- _, err := ec2Conn.ModifyNetworkInterfaceAttributeWithContext(ctx, &ec2.ModifyNetworkInterfaceAttributeInput{
- NetworkInterfaceId: ni.NetworkInterfaceId,
- Groups: replacmentSGIDs,
- })
- if err != nil {
- return fmt.Errorf("modifying Lambda Function (%s) network interfaces: %s", d.Id(), err)
- }
- }
-
- return nil
-}
-
 func statusFunctionLastUpdateStatus(ctx context.Context, conn *lambda.Client, name string) retry.StateRefreshFunc {
 return func() (interface{}, string, error) {
 output, err := FindFunctionByName(ctx, conn, name)
diff --git a/website/docs/r/lambda_function.html.markdown b/website/docs/r/lambda_function.html.markdown
index 56c842bdf57..1b853923ba9 100644
--- a/website/docs/r/lambda_function.html.markdown
+++ b/website/docs/r/lambda_function.html.markdown
@@ -274,8 +274,8 @@ The following arguments are optional:
 * `package_type` - (Optional) Lambda deployment package type. Valid values are `Zip` and `Image`. Defaults to `Zip`.
 * `publish` - (Optional) Whether to publish creation/change as new Lambda Function Version. Defaults to `false`.
 * `reserved_concurrent_executions` - (Optional) Amount of reserved concurrent executions for this lambda function. A value of `0` disables lambda from being triggered and `-1` removes any concurrency limitations. Defaults to Unreserved Concurrency Limits `-1`. See [Managing Concurrency][9]
-* `replace_security_groups_on_destroy` - (Optional) Whether to replace the security groups on associated lambda network interfaces upon destruction. Removing these security groups from orphaned network interfaces can speed up security group deletion times by avoiding a dependency on AWS's internal cleanup operations. By default, the ENI security groups will be replaced with the `default` security group in the function's VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement.
-* `replacement_security_group_ids` - (Optional) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute.
+* `replace_security_groups_on_destroy` - (Optional, **Deprecated**) **AWS no longer supports this operation. This attribute now has no effect and will be removed in a future major version.** Whether to replace the security groups on associated lambda network interfaces upon destruction. Removing these security groups from orphaned network interfaces can speed up security group deletion times by avoiding a dependency on AWS's internal cleanup operations. By default, the ENI security groups will be replaced with the `default` security group in the function's VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement.
+* `replacement_security_group_ids` - (Optional, **Deprecated**) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute.
 * `runtime` - (Optional) Identifier of the function's runtime. See [Runtimes][6] for valid values.
 * `s3_bucket` - (Optional) S3 bucket location containing the function's deployment package. This bucket must reside in the same AWS region where you are creating the Lambda function. Exactly one of `filename`, `image_uri`, or `s3_bucket` must be specified. When `s3_bucket` is set, `s3_key` is required.
 * `s3_key` - (Optional) S3 key of an object containing the function's deployment package. When `s3_bucket` is set, `s3_key` is required.