Feature request: when deleting lambdas in a VPC, detach security group first, then delete
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
When deleting a lambda attached to a VPC, it can take up to 20 minutes for the ENIs to detach, and those ENIs are configured with the Lambda's security group association. This causes extremely long delete times on security groups when deleting a lambda and its security group.
The lambda itself takes very little time to delete, and AWS will clean up the ENIs in the background, which may take up to 20 minutes.
However, the attached SG, if it is also being deleted, must wait for the ENIs to detach.
I observed this empirically with two security groups each taking 1105s to delete.
This may be a more appropriate feature request for aws-native.
Affected area/feature
aws.lambda.Function, and associated wrappers.
Thanks for reporting this potential performance improvement. It makes sense not to wait for ENIs to detach when also deleting an attached SG by detaching first!
Any way to mitigate this issue? This is really annoying. In my case I create a security group and then a lambda and attach the security group to the lambda. When I do a pulumi destroy, it deletes the lambda but it's not able to delete the security group as it is attached to it. Sometimes it works after like 10 minutes but in most cases it cannot delete the security group because it has an attached ENI. Any way to prevent this behaviour as at the moment I am not able to delete the security group of a lambda.
Running into the same issue. Takes 20 minutes to delete a lambda in a VPC.
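The ordering this request asks for (detach the security group first, then delete), as an added example that is not part of the original thread and not Pulumi's code. It assumes a boto3 Lambda client and a caller-supplied placeholder security group to swap in; `delete_vpc_lambda` and its parameters are hypothetical names, and the thread does not show how much the swap shortens ENI cleanup.

```python
"""Added sketch: detach a Lambda's security groups before deleting it."""


def delete_vpc_lambda(client, function_name, replacement_sg_ids):
    """Swap the function's security groups, wait for the update, then delete.

    `client` is a boto3 Lambda client (or any object with the same methods).
    `replacement_sg_ids` is a placeholder group that is NOT being deleted,
    ideally one with no ingress or egress rules.
    Returns the security group IDs that were attached before the swap.
    """
    if not replacement_sg_ids:
        raise ValueError("need at least one replacement security group")

    cfg = client.get_function_configuration(FunctionName=function_name)
    vpc = cfg.get("VpcConfig") or {}
    old_sgs = list(vpc.get("SecurityGroupIds") or [])
    subnets = list(vpc.get("SubnetIds") or [])

    # Only a VPC-attached function has security groups to detach.
    if subnets and set(old_sgs) != set(replacement_sg_ids):
        client.update_function_configuration(
            FunctionName=function_name,
            VpcConfig={
                "SubnetIds": subnets,
                "SecurityGroupIds": list(replacement_sg_ids),
            },
        )
        # The configuration update is asynchronous; wait for it to finish
        # so the old group is no longer referenced when the delete starts.
        client.get_waiter("function_updated_v2").wait(FunctionName=function_name)

    client.delete_function(FunctionName=function_name)
    return old_sgs


if __name__ == "__main__":
    import sys

    import boto3  # imported here so the function above has no hard dependency

    name, *sgs = sys.argv[1:]  # usage: script.py FUNCTION_NAME sg-placeholder...
    print("detached:", delete_vpc_lambda(boto3.client("lambda"), name, sgs))
```

The returned IDs are the groups that can then be deleted by whatever tool owns them.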