pulumi-aws
Pulumi destroy not working due to ENI attachment of deleted lambda
What happened?
Hi, I have two pulumi programs, one which creates a lambda function and one for invoking the lambda in AWS. During pulumi up it creates all resources without issue (vpc, subnet, security group, lambda function). Also, invoking the lambda with pulumi in the other program does not lead to errors. While destroying my resources (first I delete the stack of the invoked lambda function) I get stuck while deleting the security group for the lambda. The lambda gets deleted first, but the security group has the ENI (automatically generated by lambda) attached. Deleting the ENI manually also does not work, as the AWS console complains that the ENI is used by the lambda function although the lambda function is already deleted. Due to this issue it is not possible for me to automate (create and delete my lambda resources) with Pulumi.
Is this the intended behaviour, or can it be seen as a bug? Any clever way to get my problem solved? Thanks a lot.
I am using python3 with pulumi-aws 6.34.1
Example
import pulumi_aws as aws
from pulumi import ResourceOptions

# Security group for the Lambda. Lambda attaches this group to the ENIs it
# creates for the VPC configuration below; those ENIs are what later block
# deletion of the group.
lambda_security_group = aws.ec2.SecurityGroup(f"db-setup-lambda-sg-{setup_input.rds_instance_id}",
    vpc_id=setup_input.vpc_id,
    tags={"Name": f"db-setup-lambda-sg-{setup_input.rds_instance_id}"})

# Define egress rules for the security group
egress_rule_https = aws.ec2.SecurityGroupRule(f"egress-https-{setup_input.rds_instance_id}",
    type="egress",
    security_group_id=lambda_security_group.id,
    protocol="tcp",
    from_port=443,
    to_port=443,
    cidr_blocks=["0.0.0.0/0"],
    opts=ResourceOptions(parent=lambda_security_group))

# For an egress rule, source_security_group_id is the destination group
# (here the RDS security group), not a source.
egress_rule_db = aws.ec2.SecurityGroupRule(f"egress-db-{setup_input.rds_instance_id}",
    type="egress",
    security_group_id=lambda_security_group.id,
    protocol="tcp",
    from_port=5432,
    to_port=5432,
    source_security_group_id=setup_input.sg_rds,
    opts=ResourceOptions(parent=lambda_security_group))
. . . . .
# Container-image Lambda placed in the RDS subnets with the group above.
lambda_func = aws.lambda_.Function(f"lambda-fnc-db-setup-{setup_input.rds_instance_id}",
    role=iam_for_lambda.arn,
    package_type="Image",
    image_uri=f"{SETUP_DB_CONTAINER_REGISTRY_URL}:{setup_input.lambda_version}",
    vpc_config=aws.lambda_.FunctionVpcConfigArgs(
        subnet_ids=setup_input.rds_subnets,
        security_group_ids=[lambda_security_group.id],
    ),
    timeout=60,
    environment=aws.lambda_.FunctionEnvironmentArgs(
        variables={"rds_host": f"{setup_input.rds_endpoint}",
                   "rds_secret_key": f"{setup_input.secret_id}"}
    ),
    opts=ResourceOptions(
        depends_on=[lambda_security_group, egress_rule_https, egress_rule_db,
                    iam_for_lambda]),
    tags={"Name": f"lambda-fnc-db-setup-{setup_input.rds_instance_id}"})
Output of pulumi about
CLI
Version      3.106.0
Go Version   go1.22.0
Go Compiler  gc
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Would it be possible to get a minimal program demonstrating the issue (pulumi up && pulumi destroy)? And also the output of pulumi about. Much appreciated.
Yes, I will post a small example with the output in the next few days. I guess the issue is related to the following issue: https://github.com/pulumi/pulumi-aws/issues/2642
E.g. it helps to cancel the pulumi destroy command after the lambda is deleted and the program is stuck, and then rerun it. But for that I will provide a small example.
I'm also seeing this issue, where lambdas are creating and associating ENIs, but upon an update to replace the VPC, those ENIs cannot be detached or removed, causing deployments to never resolve. This requires manual effort to find the hanging ENIs, associate them with another resource that exists, then remove them before rerunning the pulumi program.
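The manual step described in the comments above (find the ENIs that Lambda left attached to the security group, wait until Lambda releases them, then delete them so the group can go) can be scripted. The following is an added example, not code from this issue or from pulumi-aws. It assumes that Lambda-managed ENIs can be recognised by the description prefix "AWS Lambda VPC ENI", that a release can take several minutes (a 15-minute default timeout is assumed), and that a real run has boto3 and AWS credentials; the FakeEc2 class is a constructed stand-in so the logic runs offline.

```python
"""Wait for Lambda-managed ENIs on a security group to be released, then delete them.

Added example (not from the issue or from pulumi-aws). Assumptions:
- Lambda-managed ENIs are identified by the description prefix "AWS Lambda VPC ENI".
- A real run uses boto3 (credentials required); FakeEc2 is a constructed stand-in.
"""
import sys
import time

LAMBDA_ENI_PREFIX = "AWS Lambda VPC ENI"  # assumption: Lambda's ENI description convention


def classify_lambda_enis(describe_response, sg_id):
    """Split the Lambda ENIs in a describe_network_interfaces response that carry
    sg_id into 'in_use' (Lambda has not released them yet; deleting fails with the
    'in use by the function' error from the report) and 'available' (safe to delete).
    Non-Lambda ENIs are ignored so the script never touches other resources."""
    in_use, available = [], []
    for eni in describe_response.get("NetworkInterfaces", []):
        if not eni.get("Description", "").startswith(LAMBDA_ENI_PREFIX):
            continue
        if not any(g.get("GroupId") == sg_id for g in eni.get("Groups", [])):
            continue
        bucket = in_use if eni.get("Status") == "in-use" else available
        bucket.append(eni["NetworkInterfaceId"])
    return {"in_use": in_use, "available": available}


def wait_for_lambda_enis(ec2, sg_id, timeout_s=900, poll_s=15, sleep=time.sleep):
    """Poll until no Lambda ENI on sg_id is 'in-use'. Returns the released ENI IDs,
    or raises TimeoutError naming the ENIs that are still held."""
    deadline = time.monotonic() + timeout_s
    while True:
        resp = ec2.describe_network_interfaces(
            Filters=[{"Name": "group-id", "Values": [sg_id]}])
        state = classify_lambda_enis(resp, sg_id)
        if not state["in_use"]:
            return state["available"]
        if time.monotonic() >= deadline:
            raise TimeoutError(f"Lambda ENIs still in use on {sg_id}: {state['in_use']}")
        sleep(poll_s)


def delete_available_lambda_enis(ec2, eni_ids):
    """Delete released ENIs so the security group can be deleted; returns the IDs deleted."""
    deleted = []
    for eni_id in eni_ids:
        ec2.delete_network_interface(NetworkInterfaceId=eni_id)
        deleted.append(eni_id)
    return deleted


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client: the Lambda ENI reports 'in-use'
    for the first `releases_after` describe calls, then 'available'. A second,
    non-Lambda ENI on the same group shows that the prefix filter leaves it alone."""

    def __init__(self, sg_id, releases_after):
        self.sg_id, self.releases_after = sg_id, releases_after
        self.calls, self.deleted = 0, []

    def describe_network_interfaces(self, Filters):
        self.calls += 1
        status = "in-use" if self.calls <= self.releases_after else "available"
        return {"NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-0lambda", "Status": status,
             "Description": "AWS Lambda VPC ENI-lambda-fnc-db-setup-constructed",
             "Groups": [{"GroupId": self.sg_id}]},
            {"NetworkInterfaceId": "eni-0other", "Status": "in-use",
             "Description": "Primary network interface",
             "Groups": [{"GroupId": self.sg_id}]},
        ]}

    def delete_network_interface(self, NetworkInterfaceId):
        self.deleted.append(NetworkInterfaceId)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python script.py sg-xxxxxxxx (needs boto3 + credentials)
        import boto3
        client, sg = boto3.client("ec2"), sys.argv[1]
    else:  # offline demo against the constructed fake
        client, sg = FakeEc2("sg-0123456789abcdef0", releases_after=2), "sg-0123456789abcdef0"
    released = wait_for_lambda_enis(client, sg, poll_s=0 if isinstance(client, FakeEc2) else 15)
    print("deleted:", delete_available_lambda_enis(client, released))
```

Run it against the real security group between the failed destroy and the rerun; when it times out, the message lists the ENIs Lambda still holds, which is the state the report describes (the function is gone but the ENI is still reported as in use), and the only option is to keep waiting rather than force-detach.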
@mjeffryes why was this closed as completed?
Was it not reproducible?