r/aws_lambda_function: deprecate replace_security_groups_on_destroy attribute #31904

Merged
merged 2 commits into from
Jun 12, 2023
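--- a/.changelog/31904.txt
+++ b/.changelog/31904.txt
@@ -0,0 +1,3 @@
+```release-note:note
+resource/aws_lambda_function: The `replace_security_groups_on_destroy` and `replacement_security_group_ids` attributes are being deprecated as AWS no longer supports this operation. These attributes now have no effect, and will be removed in a future major version.
+```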
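--- a/internal/service/ec2/find.go
+++ b/internal/service/ec2/find.go
@@ -1645,24 +1645,6 @@ func FindNetworkInterfaceByID(ctx context.Context, conn *ec2.EC2, id string) (*e
 return output, nil
 }
 
-func FindLambdaNetworkInterfacesBySecurityGroupIDsAndFunctionName(ctx context.Context, conn *ec2.EC2, securityGroupIDs []string, functionName string) ([]*ec2.NetworkInterface, error) {
-// lambdaENIDescriptionPrefix is the common prefix used in the description for Lambda function
-// elastic network interfaces (ENI). This can be used with a function name to filter to only
-// ENIs associated with a single function.
-lambdaENIDescriptionPrefix := "AWS Lambda VPC ENI-"
-description := fmt.Sprintf("%s%s-*", lambdaENIDescriptionPrefix, functionName)
-
-input := &ec2.DescribeNetworkInterfacesInput{
-Filters: BuildAttributeFilterList(map[string]string{
-"interface-type": ec2.NetworkInterfaceTypeLambda,
-"description": description,
-}),
-}
-input.Filters = append(input.Filters, NewFilter("group-id", securityGroupIDs))
-
-return FindNetworkInterfaces(ctx, conn, input)
-}
-
 func FindNetworkInterfacesByAttachmentInstanceOwnerIDAndDescription(ctx context.Context, conn *ec2.EC2, attachmentInstanceOwnerID, description string) ([]*ec2.NetworkInterface, error) {
 input := &ec2.DescribeNetworkInterfacesInput{
 Filters: BuildAttributeFilterList(map[string]string{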
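--- a/internal/service/lambda/function.go
+++ b/internal/service/lambda/function.go
@@ -15,7 +15,6 @@ import (
 "github.com/aws/aws-sdk-go-v2/service/lambda"
 "github.com/aws/aws-sdk-go-v2/service/lambda/types"
 "github.com/aws/aws-sdk-go/aws/endpoints"
-"github.com/aws/aws-sdk-go/service/ec2"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
@@ -26,7 +25,6 @@ import (
 "github.com/hashicorp/terraform-provider-aws/internal/errs"
 "github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 "github.com/hashicorp/terraform-provider-aws/internal/flex"
-tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2"
 tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 "github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 "github.com/hashicorp/terraform-provider-aws/internal/verify"
@@ -258,10 +256,14 @@ func ResourceFunction() *schema.Resource {
 Computed: true,
 },
 "replace_security_groups_on_destroy": {
+Deprecated: "AWS no longer supports this operation. This attribute now has " +
+"no effect and will be removed in a future major version.",
 Type: schema.TypeBool,
 Optional: true,
 },
 "replacement_security_group_ids": {
+Deprecated: "AWS no longer supports this operation. This attribute now has " +
+"no effect and will be removed in a future major version.",
 Type: schema.TypeSet,
 Optional: true,
 Elem: &schema.Schema{Type: schema.TypeString},
@@ -1013,12 +1015,6 @@ func resourceFunctionDelete(ctx context.Context, d *schema.ResourceData, meta in
 return sdkdiag.AppendErrorf(diags, "deleting Lambda Function (%s): %s", d.Id(), err)
 }
 
-if _, ok := d.GetOk("replace_security_groups_on_destroy"); ok {
-if err := replaceSecurityGroups(ctx, d, meta); err != nil {
-return sdkdiag.AppendFromErr(diags, err)
-}
-}
-
 return diags
 }
 
@@ -1077,56 +1073,6 @@ func findLatestFunctionVersionByName(ctx context.Context, conn *lambda.Client, n
 return output, nil
 }
 
-// replaceSecurityGroups will replace the security groups on orphaned lambda ENI's
-//
-// If the replacement_security_group_ids attribute is set, those values will be used as
-// replacements. Otherwise, the default security group is used.
-func replaceSecurityGroups(ctx context.Context, d *schema.ResourceData, meta interface{}) error {
-ec2Conn := meta.(*conns.AWSClient).EC2Conn(ctx)
-
-var sgIDs []string
-var vpcID string
-if v, ok := d.GetOk("vpc_config"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
-tfMap := v.([]interface{})[0].(map[string]interface{})
-sgIDs = flex.ExpandStringValueSet(tfMap["security_group_ids"].(*schema.Set))
-vpcID = tfMap["vpc_id"].(string)
-} else { // empty VPC config, nothing to do
-return nil
-}
-
-if len(sgIDs) == 0 { // no security groups, nothing to do
-return nil
-}
-
-var replacmentSGIDs []*string
-if v, ok := d.GetOk("replacement_security_group_ids"); ok {
-replacmentSGIDs = flex.ExpandStringSet(v.(*schema.Set))
-} else {
-defaultSG, err := tfec2.FindSecurityGroupByNameAndVPCID(ctx, ec2Conn, "default", vpcID)
-if err != nil || defaultSG == nil {
-return fmt.Errorf("finding VPC (%s) default security group: %s", vpcID, err)
-}
-replacmentSGIDs = []*string{defaultSG.GroupId}
-}
-
-networkInterfaces, err := tfec2.FindLambdaNetworkInterfacesBySecurityGroupIDsAndFunctionName(ctx, ec2Conn, sgIDs, d.Id())
-if err != nil {
-return fmt.Errorf("finding Lambda Function (%s) network interfaces: %s", d.Id(), err)
-}
-
-for _, ni := range networkInterfaces {
-_, err := ec2Conn.ModifyNetworkInterfaceAttributeWithContext(ctx, &ec2.ModifyNetworkInterfaceAttributeInput{
-NetworkInterfaceId: ni.NetworkInterfaceId,
-Groups: replacmentSGIDs,
-})
-if err != nil {
-return fmt.Errorf("modifying Lambda Function (%s) network interfaces: %s", d.Id(), err)
-}
-}
-
-return nil
-}
-
 func statusFunctionLastUpdateStatus(ctx context.Context, conn *lambda.Client, name string) retry.StateRefreshFunc {
 return func() (interface{}, string, error) {
 output, err := FindFunctionByName(ctx, conn, name)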
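Review bot: The two `Deprecated` strings added under `replace_security_groups_on_destroy` and `replacement_security_group_ids` are identical word-for-word, so they will drift apart on the next edit; hoisting them to one constant, e.g. `const replaceSecurityGroupsDeprecation = "AWS no longer supports this operation. This attribute now has no effect and will be removed in a future major version."`, keeps the plan-time warning consistent. The message also tells users only that the attribute is inert, not what they lose: the removed `replaceSecurityGroups` helper re-homed the function's orphaned Lambda ENIs to the VPC default (or a chosen) security group on destroy, and after this change those ENIs presumably keep the function's `security_group_ids` until AWS's own cleanup, so a subsequent `aws_security_group` destroy may block longer than before. A sentence to that effect in the deprecation text, or in the changelog note, would let operators who relied on this to unblock security-group deletion plan around it. `ResourceFunction` starts and ends outside the hunk.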
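--- a/website/docs/r/lambda_function.html.markdown
+++ b/website/docs/r/lambda_function.html.markdown
@@ -274,8 +274,8 @@ The following arguments are optional:
 * `package_type` - (Optional) Lambda deployment package type. Valid values are `Zip` and `Image`. Defaults to `Zip`.
 * `publish` - (Optional) Whether to publish creation/change as new Lambda Function Version. Defaults to `false`.
 * `reserved_concurrent_executions` - (Optional) Amount of reserved concurrent executions for this lambda function. A value of `0` disables lambda from being triggered and `-1` removes any concurrency limitations. Defaults to Unreserved Concurrency Limits `-1`. See [Managing Concurrency][9]
-* `replace_security_groups_on_destroy` - (Optional) Whether to replace the security groups on associated lambda network interfaces upon destruction. Removing these security groups from orphaned network interfaces can speed up security group deletion times by avoiding a dependency on AWS's internal cleanup operations. By default, the ENI security groups will be replaced with the `default` security group in the function's VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement.
-* `replacement_security_group_ids` - (Optional) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute.
+* `replace_security_groups_on_destroy` - (Optional, **Deprecated**) **AWS no longer supports this operation. This attribute now has no effect and will be removed in a future major version.** Whether to replace the security groups on associated lambda network interfaces upon destruction. Removing these security groups from orphaned network interfaces can speed up security group deletion times by avoiding a dependency on AWS's internal cleanup operations. By default, the ENI security groups will be replaced with the `default` security group in the function's VPC. Set the `replacement_security_group_ids` attribute to use a custom list of security groups for replacement.
+* `replacement_security_group_ids` - (Optional, **Deprecated**) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. `replace_security_groups_on_destroy` must be set to `true` to use this attribute.
 * `runtime` - (Optional) Identifier of the function's runtime. See [Runtimes][6] for valid values.
 * `s3_bucket` - (Optional) S3 bucket location containing the function's deployment package. This bucket must reside in the same AWS region where you are creating the Lambda function. Exactly one of `filename`, `image_uri`, or `s3_bucket` must be specified. When `s3_bucket` is set, `s3_key` is required.
 * `s3_key` - (Optional) S3 key of an object containing the function's deployment package. When `s3_bucket` is set, `s3_key` is required.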