AWS changes in eu-west-1 region impacting aws_lambda_function proper deletion #10044
Comments
obourdon
added
the
question
github-actions
bot
added
the
needs-triage
|
@obourdon This could be related to the recently announced improved VPC networking for AWS Lambda functions. Lambdas now share a pool of ENIs (where appropriate) so the idea that the lambda effectively owns the associated ENI is invalid. From that blog post:
but no mention of deleted lambdas. |
|
Same issue here |
|
+1 same issue for me |
|
|
|
@ohuez @luthor2016ad Which AWS region(s) are you working in? |
|
@ewbankkit many thanks for this info. I managed to get deeper into Terraform traces and also used CloudTrail to try to figure out what is wrong. What I was able to diagnose properly so far right now is that I have an ELBV2 resource (Application Load Balancer) that gets removed and I see: on the 3 interfaces attached to it (eni-attach-xxxx) within the CloudTrail entries. Again, code, permissions, roles, ... nothing changed on our side since this happened (I triple made sure of this also today) so this is either on AWS side or Terraform provider for AWS. I also took some AWS cli JSON output before deletion for network interfaces, elbs, asgs, ... so that I can sync what I see in CloudTrail output, Terraform TRACE logs and others. As for the other errors due to lambdas, I am still analyzing further before adding more comments. |
|
BTW, forgot to mention that we are running the latest available version of Terraform AWS provider (2.27.0) and 0.11.14 for Terraform itself and again this was working even using former versions some time back (2.11.0 and 0.11.1 back in late may 2019) |
|
@ewbankkit We are working in eu-west-1. |
|
I get the same error when running the lambda VPC acceptance tests in $ AWS_DEFAULT_REGION=eu-west-1 make testacc TEST=./aws TESTARGS='-run=TestAccAWSLambdaFunction_VPC'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -parallel 20 -run=TestAccAWSLambdaFunction_VPC -timeout 120m
=== RUN TestAccAWSLambdaFunction_VPC
=== PAUSE TestAccAWSLambdaFunction_VPC
=== RUN TestAccAWSLambdaFunction_VPCRemoval
=== PAUSE TestAccAWSLambdaFunction_VPCRemoval
=== RUN TestAccAWSLambdaFunction_VPCUpdate
=== PAUSE TestAccAWSLambdaFunction_VPCUpdate
=== RUN TestAccAWSLambdaFunction_VPC_withInvocation
=== PAUSE TestAccAWSLambdaFunction_VPC_withInvocation
=== CONT TestAccAWSLambdaFunction_VPC
=== CONT TestAccAWSLambdaFunction_VPCUpdate
=== CONT TestAccAWSLambdaFunction_VPC_withInvocation
=== CONT TestAccAWSLambdaFunction_VPCRemoval
--- FAIL: TestAccAWSLambdaFunction_VPC (1257.19s)
testing.go:630: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: 2 problems:
- Error deleting subnet: timeout while waiting for state to become 'destroyed' (last state: 'pending', timeout: 20m0s)
- Error deleting security group: DependencyViolation: resource sg-0fc6365b91ab5362f has a dependent object
status code: 400, request id: 0225bc3a-d43d-4a99-bee0-e2e0065f06dd
FAIL
FAIL github.com/terraform-providers/terraform-provider-aws/aws 1295.431s
make: *** [testacc] Error 1The same tests runs fine in the default acceptance test region ( $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSLambdaFunction_VPC'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -parallel 20 -run=TestAccAWSLambdaFunction_VPC -timeout 120m
=== RUN TestAccAWSLambdaFunction_VPC
=== PAUSE TestAccAWSLambdaFunction_VPC
=== RUN TestAccAWSLambdaFunction_VPCRemoval
=== PAUSE TestAccAWSLambdaFunction_VPCRemoval
=== RUN TestAccAWSLambdaFunction_VPCUpdate
=== PAUSE TestAccAWSLambdaFunction_VPCUpdate
=== RUN TestAccAWSLambdaFunction_VPC_withInvocation
=== PAUSE TestAccAWSLambdaFunction_VPC_withInvocation
=== CONT TestAccAWSLambdaFunction_VPC
=== CONT TestAccAWSLambdaFunction_VPC_withInvocation
=== CONT TestAccAWSLambdaFunction_VPCUpdate
=== CONT TestAccAWSLambdaFunction_VPCRemoval
--- PASS: TestAccAWSLambdaFunction_VPC (54.10s)
--- PASS: TestAccAWSLambdaFunction_VPCRemoval (75.89s)
--- PASS: TestAccAWSLambdaFunction_VPCUpdate (79.97s)
--- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (87.53s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 87.608sThe ENI attachments in the first case are owned by
whereas in the second case they are owned by
I can't manually delete the security groups and subnets created during the acceptance tests as they are in use by those same ENIs:
|
|
@ewbankkit thanks a lot for reproducing this. In the meantime I may have found the cause of the issue and I am currently testing a trial fix in my environment. Should have the result pretty soon so please stay tuned |
obourdon
changed the title
|
Part of the issue is contained in this line of code in the AWS provider The descriptions of the attached network interfaces are:
which obviously do not match the pattern
Fixing this and using
in my test AWS provider does allow to go a bit further as I now see traces of deletion tentative on the interfaces. However, this is not sufficient because the interfaces were created using the role (and 'fake' user) attached to the lambda whereas the deletion in this part of the code is done via my own terraform user therefore the error messages: As far as my current provider knowledge is concerned, I have no clue on how to get further on this. |
|
I created an AWS developer forum post: https://forums.aws.amazon.com/thread.jspa?messageID=915634󟢲. |
|
@obourdon Can you open an AWS Technical Support case for this? |
|
@ewbankkit will try to. |
|
How can I remove the question label on this github issue entry and replace it with a bug/issue one instead ? |
|
@ewbankkit I have updated my AWS Tech Support case with latest information from this issue |
bflad
added
service/ec2
|
@bflad thanks for retagging this |
|
We are experiencing the same issue since monday september 9th |
|
@plum117 @luthor2016ad could you please click the thumbs up (+1) at the bottom of the top comment. Many thanks in advance |
|
@ewbankkit how do you cleanup the AWS provider acceptance test resilient AWS resources after failure ? Seems like I can not delete anything remaining in the AWS UI |
|
Here is AWS answer to the support case: "to answer your concern, the issue that you're seeing might be a result of the new improved in the case of provider acceptance case items, I am affraid we have to fall into the following: "To fix this issue we'll have to reach out to our internal team with the specific resources that you're seeing this issue with and then release the resources so that you can delete them manually. That being said, if you're still having issues while deleting any ENIs then please provide us the IDs so that we can open an internal request with our teams to look into them further. " :-( |
|
@obourdon The standard way to clean up after acceptance testing failures is via test sweepers but be aware that they are very indiscriminate about destroying resources so please only run in an AWS account that is dedicated to testing. $ go test ./aws -v -sweep=eu-west-1 -sweep-run= aws_lambda_function,aws_security_groupBut in this particular case I don't think there's anything that can be done except wait for AWS to reclaim the ENIs after the indeterminate time period and then cleanup manually. |
|
Hi Folks - apologizes for the delayed response here. I've been following the thread and looking into getting out a fix for the upstream changes. @obourdon you mentioned a fix in the works if you want to open a PR with what you have we might be able to collaborate on it. I'm currently looking into confirming the timeout issues mentioned above. I will update this thread shortly with more details. Thanks to everyone for your help in triaging this issue and working towards a fix. |
|
@nywilken many thanks for looking into this. On my side I have posted my current changes in a branch of my own but so far I still have some issues that I am trying to solve. I have also tried the WIP PR provider by @ewbankkit but again there are some (other) remaining issues. Will post progress also on my side as soon as possible |
|
@obourdon Please feel free to cherry pick my commit in the WIP PR and adapt, if it helps. |
|
@ewbankkit this is what I have done already, currently trying to mix both for the final solution |
|
@nywilken @ewbankkit one issue I am still having seems to be due to a strange "timing" in one of the acceptance tests. In fact, I have noticed that there is a destroy phase which is called while one of the underlying ENI was about to move from available to in-use. I am currently trying to figure out which test is involved and if this can occur in the other regions where lambda mechanism has not been changed |
|
@obourdon @ewbankkit thanks again for the help with this issue. After testing and looking at the changes on @obourdon branch I see three issues two of which pertain to the inability to detach AWS managed ENIs. Please note that not all solutions listed below have been tested (mainly solution for issue 3). I am sharing so that we can level set on what we are seeing the issues being and possible ways forward. Feel free to call out any gaps in my representation of the issues or gaps in my thinking. Issue 1: Describe Network Interface Filters requires a slight change to the filter value in order to identify the attached ENIs. Failure to do so results in an error to delete the security and subnets due to dependency errors. Solution: Issue 2: Unable to detach AWS managed ENIs. After updating the filter description value the identified ENIs throw an error when calling DeteachNetworkInterface. AWS will automatically detach the ENI after a set time interval which appears to be over the 20 minute mark. Possible solutions:
Open question: in the case where one lambda function is associated to multiple security groups/subnets will all ENIs become available at same time? Issue 3: Shared ENIs will not become available. More specifically if there is a case where two lambda functions are using the same security group/subnet combination then the attached ENI may not become available if the two lambda functions are being manged by sepearate configurations. Possible Solution:
|
|
@nywilken many thanks for this very detailed information. Please note also that as stated by @ewbankkit in the following comment and associated issue modifying delete timeouts does not work. However I am experiencing some other weird cases like I mentioned here. Any insights on this ? Furthermore, I ran another test yesterday evening (~6PM CEST) (aws provider acceptance test suite for lambdas) with a lot of traces added in the provider code and seems like one of the created interface is still in use with no lambda associated to it. BTW where does the 20+ minutes timeout come from and is there a way to modify this at lambda creation time ? Does it make sense to wait that long for a resource to be lingering after resources using it being destroyed ? Just for being more specific, most of these issues are happening in the eu-west-1 zone and do not seem to be 'consistent' across failing zones. eu-central-1 does not exhibit the same behaviour for instance even if it is also part of the failing zones where AWS lambda mechanism seems to have been upgraded. @ewbankkit is it possible (and how) to run acceptance tests with terraform 0.11.x and not 0.12.x ? |
|
@obourdon There were no AWS API changes made for the improved VPC networking, so no way to change that 20 minutes which is an Amazon-decided value. |
|
Please note that integration of PR#10165 might also have an impact on final results (@ewbankkit) |
|
@obourdon Good catch, thanks. I don't think that missing |
|
@ewbankkit fully agree |
|
Seems like I finally got very very close to a working fix for this issue: see my updated branch. Note that there are currently a lot of additional and personal traces which helped me figure out what could be wrong. I have combined it with the missing return PR, a workaround for the delete timeout It passed the acceptance tests in:
I also checked that there were no resources remaining on AWS after acceptance tests passed (network interfaces, security groups, VPCs, ...) I am currently checking the collected logs to see what could be next ... |
Reference: #10044 Reference: #10114 Reference: #10329 The introduction of [improved VPC networking for Lambda]() brought some welcome enhancements to Lambda functionality, but initially has some unintentional consequences when working with Terraform due to the underlying infrastructure changes. The main issue is that these new Hyperplane ENIs associated with Lambda take additional time currently to detach/delete and that the Lambda service itself is the owner of these ENIs, which prevents early detachment. In working with the AWS Lambda service team, we have received some confirmation on expected detachment/deletion timeframes for Lambda Hyperplane ENIs. Using this information, we set the Lambda ENI timeout to be at a minimum the expected deletion time to match the service expectations without adjusting the overall default `aws_security_group` or `aws_subnet` resource deletion timeouts. This is to ensure legitimate `DependencyViolation` errors return to operators in a fairly timely manner (left as 10 minutes and 20 minutes respectfully). Output from AWS Commerical (us-east-2 - Hyperplane enabled) ``` --- PASS: TestAccAWSLambdaFunction_basic (23.37s) --- PASS: TestAccAWSLambdaFunction_concurrency (30.76s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (43.12s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (42.40s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (41.70s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (22.99s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (51.21s) --- PASS: TestAccAWSLambdaFunction_envVariables (45.14s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (10.90s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (31.12s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (1422.82s) --- PASS: TestAccAWSLambdaFunction_importS3 (22.66s) --- PASS: TestAccAWSLambdaFunction_Layers (34.75s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (54.60s) --- PASS: TestAccAWSLambdaFunction_localUpdate (31.40s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (24.21s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (12.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (23.05s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (26.99s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (26.53s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (0.72s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (18.66s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (27.62s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (22.87s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (27.09s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (27.87s) --- PASS: TestAccAWSLambdaFunction_s3 (22.59s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (32.58s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (31.07s) --- PASS: TestAccAWSLambdaFunction_tags (42.41s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (39.12s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (29.16s) --- PASS: TestAccAWSLambdaFunction_versioned (28.09s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (47.13s) --- PASS: TestAccAWSLambdaFunction_VPC (1331.55s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (1376.24s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (1327.69s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (1490.19s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (1685.40s) ``` Output from AWS Commercial (us-west-2 - Hyperplane not deployed) ``` --- PASS: TestAccAWSLambdaFunction_basic (40.50s) --- PASS: TestAccAWSLambdaFunction_concurrency (47.79s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (62.65s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (55.95s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (50.23s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (37.47s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (73.66s) --- PASS: TestAccAWSLambdaFunction_envVariables (80.88s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (22.59s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (42.78s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (39.40s) --- PASS: TestAccAWSLambdaFunction_importS3 (36.62s) --- PASS: TestAccAWSLambdaFunction_Layers (53.78s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (89.78s) --- PASS: TestAccAWSLambdaFunction_localUpdate (54.31s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (56.10s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (26.12s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (46.49s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (52.25s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (43.59s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (2.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (43.88s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (47.91s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (45.95s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (41.40s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (50.32s) --- PASS: TestAccAWSLambdaFunction_s3 (35.28s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (57.89s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (58.81s) --- PASS: TestAccAWSLambdaFunction_tags (75.77s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (55.61s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (57.19s) --- PASS: TestAccAWSLambdaFunction_versioned (33.52s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (58.25s) --- PASS: TestAccAWSLambdaFunction_VPC (56.81s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (86.81s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (42.99s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (80.28s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (81.84s) --- PASS: TestAccAWSSecurityGroup_basic (10.14s) --- PASS: TestAccAWSSecurityGroup_Change (19.36s) --- PASS: TestAccAWSSecurityGroup_CIDRandGroups (31.78s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (6.53s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (25.29s) --- PASS: TestAccAWSSecurityGroup_drift (7.55s) --- PASS: TestAccAWSSecurityGroup_drift_complex (31.62s) --- PASS: TestAccAWSSecurityGroup_Egress_ConfigMode (23.76s) --- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (24.51s) --- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (12.13s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_false (1228.05s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_true (1242.70s) --- PASS: TestAccAWSSecurityGroup_generatedName (25.26s) --- PASS: TestAccAWSSecurityGroup_importBasic (12.91s) --- PASS: TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules (14.68s) --- PASS: TestAccAWSSecurityGroup_importIPRangesWithSameRules (12.19s) --- PASS: TestAccAWSSecurityGroup_importIpv6 (30.08s) --- PASS: TestAccAWSSecurityGroup_importPrefixList (25.01s) --- PASS: TestAccAWSSecurityGroup_importSelf (31.64s) --- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (30.19s) --- PASS: TestAccAWSSecurityGroup_Ingress_ConfigMode (23.47s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (31.60s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (9.86s) --- PASS: TestAccAWSSecurityGroup_ingressWithPrefixList (44.12s) --- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (1.28s) --- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (11.90s) --- PASS: TestAccAWSSecurityGroup_ipv6 (12.77s) --- PASS: TestAccAWSSecurityGroup_MultiIngress (12.33s) --- PASS: TestAccAWSSecurityGroup_namePrefix (6.47s) --- PASS: TestAccAWSSecurityGroup_RuleDescription (26.52s) --- PASS: TestAccAWSSecurityGroup_ruleGathering (24.55s) --- PASS: TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend (48.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAllNew (53.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAppend (50.48s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededPrepend (54.09s) --- PASS: TestAccAWSSecurityGroup_rulesDropOnError (22.40s) --- PASS: TestAccAWSSecurityGroup_self (11.93s) --- PASS: TestAccAWSSecurityGroup_tags (40.86s) --- PASS: TestAccAWSSecurityGroup_vpc (10.39s) --- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (10.55s) --- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (11.84s) --- PASS: TestAccAWSSubnet_availabilityZoneId (26.56s) --- PASS: TestAccAWSSubnet_basic (26.69s) --- PASS: TestAccAWSSubnet_enableIpv6 (42.97s) --- PASS: TestAccAWSSubnet_ipv6 (69.30s) ```
Reference: #10044 Reference: #10114 Reference: #10329 The introduction of [improved VPC networking for Lambda]() brought some welcome enhancements to Lambda functionality, but initially has some unintentional consequences when working with Terraform due to the underlying infrastructure changes. The main issue is that these new Hyperplane ENIs associated with Lambda take additional time currently to detach/delete and that the Lambda service itself is the owner of these ENIs, which prevents early detachment. In working with the AWS Lambda service team, we have received some confirmation on expected detachment/deletion timeframes for Lambda Hyperplane ENIs. Using this information, we set the Lambda ENI timeout to be at a minimum the expected deletion time to match the service expectations without adjusting the overall default `aws_security_group` or `aws_subnet` resource deletion timeouts. This is to ensure legitimate `DependencyViolation` errors return to operators in a fairly timely manner (left as 10 minutes and 20 minutes respectfully). Output from AWS Commerical (us-east-2 - Hyperplane enabled) ``` --- PASS: TestAccAWSLambdaFunction_basic (23.37s) --- PASS: TestAccAWSLambdaFunction_concurrency (30.76s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (43.12s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (42.40s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (41.70s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (22.99s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (51.21s) --- PASS: TestAccAWSLambdaFunction_envVariables (45.14s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (10.90s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (31.12s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (1422.82s) --- PASS: TestAccAWSLambdaFunction_importS3 (22.66s) --- PASS: TestAccAWSLambdaFunction_Layers (34.75s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (54.60s) --- PASS: TestAccAWSLambdaFunction_localUpdate (31.40s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (24.21s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (12.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (23.05s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (26.99s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (26.53s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (0.72s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (18.66s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (27.62s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (22.87s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (27.09s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (27.87s) --- PASS: TestAccAWSLambdaFunction_s3 (22.59s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (32.58s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (31.07s) --- PASS: TestAccAWSLambdaFunction_tags (42.41s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (39.12s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (29.16s) --- PASS: TestAccAWSLambdaFunction_versioned (28.09s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (47.13s) --- PASS: TestAccAWSLambdaFunction_VPC (1331.55s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (1376.24s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (1327.69s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (1490.19s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (1685.40s) ``` Output from AWS Commercial (us-west-2 - Hyperplane not deployed) ``` --- PASS: TestAccAWSLambdaFunction_basic (40.50s) --- PASS: TestAccAWSLambdaFunction_concurrency (47.79s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (62.65s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (55.95s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (50.23s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (37.47s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (73.66s) --- PASS: TestAccAWSLambdaFunction_envVariables (80.88s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (22.59s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (42.78s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (39.40s) --- PASS: TestAccAWSLambdaFunction_importS3 (36.62s) --- PASS: TestAccAWSLambdaFunction_Layers (53.78s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (89.78s) --- PASS: TestAccAWSLambdaFunction_localUpdate (54.31s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (56.10s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (26.12s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (46.49s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (52.25s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (43.59s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (2.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (43.88s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (47.91s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (45.95s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (41.40s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (50.32s) --- PASS: TestAccAWSLambdaFunction_s3 (35.28s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (57.89s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (58.81s) --- PASS: TestAccAWSLambdaFunction_tags (75.77s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (55.61s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (57.19s) --- PASS: TestAccAWSLambdaFunction_versioned (33.52s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (58.25s) --- PASS: TestAccAWSLambdaFunction_VPC (56.81s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (86.81s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (42.99s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (80.28s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (81.84s) --- PASS: TestAccAWSSecurityGroup_basic (10.14s) --- PASS: TestAccAWSSecurityGroup_Change (19.36s) --- PASS: TestAccAWSSecurityGroup_CIDRandGroups (31.78s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (6.53s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (25.29s) --- PASS: TestAccAWSSecurityGroup_drift (7.55s) --- PASS: TestAccAWSSecurityGroup_drift_complex (31.62s) --- PASS: TestAccAWSSecurityGroup_Egress_ConfigMode (23.76s) --- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (24.51s) --- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (12.13s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_false (1228.05s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_true (1242.70s) --- PASS: TestAccAWSSecurityGroup_generatedName (25.26s) --- PASS: TestAccAWSSecurityGroup_importBasic (12.91s) --- PASS: TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules (14.68s) --- PASS: TestAccAWSSecurityGroup_importIPRangesWithSameRules (12.19s) --- PASS: TestAccAWSSecurityGroup_importIpv6 (30.08s) --- PASS: TestAccAWSSecurityGroup_importPrefixList (25.01s) --- PASS: TestAccAWSSecurityGroup_importSelf (31.64s) --- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (30.19s) --- PASS: TestAccAWSSecurityGroup_Ingress_ConfigMode (23.47s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (31.60s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (9.86s) --- PASS: TestAccAWSSecurityGroup_ingressWithPrefixList (44.12s) --- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (1.28s) --- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (11.90s) --- PASS: TestAccAWSSecurityGroup_ipv6 (12.77s) --- PASS: TestAccAWSSecurityGroup_MultiIngress (12.33s) --- PASS: TestAccAWSSecurityGroup_namePrefix (6.47s) --- PASS: TestAccAWSSecurityGroup_RuleDescription (26.52s) --- PASS: TestAccAWSSecurityGroup_ruleGathering (24.55s) --- PASS: TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend (48.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAllNew (53.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAppend (50.48s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededPrepend (54.09s) --- PASS: TestAccAWSSecurityGroup_rulesDropOnError (22.40s) --- PASS: TestAccAWSSecurityGroup_self (11.93s) --- PASS: TestAccAWSSecurityGroup_tags (40.86s) --- PASS: TestAccAWSSecurityGroup_vpc (10.39s) --- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (10.55s) --- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (11.84s) --- PASS: TestAccAWSSubnet_availabilityZoneId (26.56s) --- PASS: TestAccAWSSubnet_basic (26.69s) --- PASS: TestAccAWSSubnet_enableIpv6 (42.97s) --- PASS: TestAccAWSSubnet_ipv6 (69.30s) ```
Reference: #10044 Reference: #10114 Reference: #10329 The introduction of [improved VPC networking for Lambda]() brought some welcome enhancements to Lambda functionality, but initially has some unintentional consequences when working with Terraform due to the underlying infrastructure changes. The main issue is that these new Hyperplane ENIs associated with Lambda take additional time currently to detach/delete and that the Lambda service itself is the owner of these ENIs, which prevents early detachment. In working with the AWS Lambda service team, we have received some confirmation on expected detachment/deletion timeframes for Lambda Hyperplane ENIs. Using this information, we set the Lambda ENI timeout to be at a minimum the expected deletion time to match the service expectations without adjusting the overall default `aws_security_group` or `aws_subnet` resource deletion timeouts. This is to ensure legitimate `DependencyViolation` errors return to operators in a fairly timely manner (left as 10 minutes and 20 minutes respectfully). Output from AWS Commerical (us-east-2 - Hyperplane enabled) ``` --- PASS: TestAccAWSLambdaFunction_basic (23.37s) --- PASS: TestAccAWSLambdaFunction_concurrency (30.76s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (43.12s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (42.40s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (41.70s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (22.99s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (51.21s) --- PASS: TestAccAWSLambdaFunction_envVariables (45.14s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (10.90s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (31.12s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (1422.82s) --- PASS: TestAccAWSLambdaFunction_importS3 (22.66s) --- PASS: TestAccAWSLambdaFunction_Layers (34.75s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (54.60s) --- PASS: TestAccAWSLambdaFunction_localUpdate (31.40s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (24.21s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (12.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (23.05s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (26.99s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (26.53s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (0.72s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (18.66s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (27.62s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (22.87s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (27.09s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (27.87s) --- PASS: TestAccAWSLambdaFunction_s3 (22.59s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (32.58s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (31.07s) --- PASS: TestAccAWSLambdaFunction_tags (42.41s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (39.12s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (29.16s) --- PASS: TestAccAWSLambdaFunction_versioned (28.09s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (47.13s) --- PASS: TestAccAWSLambdaFunction_VPC (1331.55s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (1376.24s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (1327.69s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (1490.19s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (1685.40s) ``` Output from AWS Commercial (us-west-2 - Hyperplane not deployed) ``` --- PASS: TestAccAWSLambdaFunction_basic (40.50s) --- PASS: TestAccAWSLambdaFunction_concurrency (47.79s) --- PASS: TestAccAWSLambdaFunction_concurrencyCycle (62.65s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (55.95s) --- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (50.23s) --- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (37.47s) --- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (73.66s) --- PASS: TestAccAWSLambdaFunction_envVariables (80.88s) --- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (22.59s) --- PASS: TestAccAWSLambdaFunction_importLocalFile (42.78s) --- PASS: TestAccAWSLambdaFunction_importLocalFile_VPC (39.40s) --- PASS: TestAccAWSLambdaFunction_importS3 (36.62s) --- PASS: TestAccAWSLambdaFunction_Layers (53.78s) --- PASS: TestAccAWSLambdaFunction_LayersUpdate (89.78s) --- PASS: TestAccAWSLambdaFunction_localUpdate (54.31s) --- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (56.10s) --- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (26.12s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (46.49s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (52.25s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs810 (43.59s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (2.71s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (43.88s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (47.91s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (45.95s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (41.40s) --- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (50.32s) --- PASS: TestAccAWSLambdaFunction_s3 (35.28s) --- PASS: TestAccAWSLambdaFunction_s3Update_basic (57.89s) --- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (58.81s) --- PASS: TestAccAWSLambdaFunction_tags (75.77s) --- PASS: TestAccAWSLambdaFunction_tracingConfig (55.61s) --- PASS: TestAccAWSLambdaFunction_updateRuntime (57.19s) --- PASS: TestAccAWSLambdaFunction_versioned (33.52s) --- PASS: TestAccAWSLambdaFunction_versionedUpdate (58.25s) --- PASS: TestAccAWSLambdaFunction_VPC (56.81s) --- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (86.81s) --- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (42.99s) --- PASS: TestAccAWSLambdaFunction_VPCRemoval (80.28s) --- PASS: TestAccAWSLambdaFunction_VPCUpdate (81.84s) --- PASS: TestAccAWSSecurityGroup_basic (10.14s) --- PASS: TestAccAWSSecurityGroup_Change (19.36s) --- PASS: TestAccAWSSecurityGroup_CIDRandGroups (31.78s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (6.53s) --- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (25.29s) --- PASS: TestAccAWSSecurityGroup_drift (7.55s) --- PASS: TestAccAWSSecurityGroup_drift_complex (31.62s) --- PASS: TestAccAWSSecurityGroup_Egress_ConfigMode (23.76s) --- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (24.51s) --- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (12.13s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_false (1228.05s) --- PASS: TestAccAWSSecurityGroup_forceRevokeRules_true (1242.70s) --- PASS: TestAccAWSSecurityGroup_generatedName (25.26s) --- PASS: TestAccAWSSecurityGroup_importBasic (12.91s) --- PASS: TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules (14.68s) --- PASS: TestAccAWSSecurityGroup_importIPRangesWithSameRules (12.19s) --- PASS: TestAccAWSSecurityGroup_importIpv6 (30.08s) --- PASS: TestAccAWSSecurityGroup_importPrefixList (25.01s) --- PASS: TestAccAWSSecurityGroup_importSelf (31.64s) --- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (30.19s) --- PASS: TestAccAWSSecurityGroup_Ingress_ConfigMode (23.47s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (31.60s) --- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (9.86s) --- PASS: TestAccAWSSecurityGroup_ingressWithPrefixList (44.12s) --- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (1.28s) --- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (11.90s) --- PASS: TestAccAWSSecurityGroup_ipv6 (12.77s) --- PASS: TestAccAWSSecurityGroup_MultiIngress (12.33s) --- PASS: TestAccAWSSecurityGroup_namePrefix (6.47s) --- PASS: TestAccAWSSecurityGroup_RuleDescription (26.52s) --- PASS: TestAccAWSSecurityGroup_ruleGathering (24.55s) --- PASS: TestAccAWSSecurityGroup_ruleLimitCidrBlockExceededAppend (48.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAllNew (53.89s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededAppend (50.48s) --- PASS: TestAccAWSSecurityGroup_ruleLimitExceededPrepend (54.09s) --- PASS: TestAccAWSSecurityGroup_rulesDropOnError (22.40s) --- PASS: TestAccAWSSecurityGroup_self (11.93s) --- PASS: TestAccAWSSecurityGroup_tags (40.86s) --- PASS: TestAccAWSSecurityGroup_vpc (10.39s) --- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (10.55s) --- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (11.84s) --- PASS: TestAccAWSSubnet_availabilityZoneId (26.56s) --- PASS: TestAccAWSSubnet_basic (26.69s) --- PASS: TestAccAWSSubnet_enableIpv6 (42.97s) --- PASS: TestAccAWSSubnet_ipv6 (69.30s) ```
|
Hi folks 👋 We have merged in #10347 which was based off of #10114 and the excellent work done by @ewbankkit and @obourdon. This will release in version 2.31.0 of the Terraform AWS Provider, tomorrow. We mitigate this issue by fixing the ENI description lookup and updating the Lambda ENI deletion logic to always wait a 45 minute grace period (based on Lambda service team analytics) for background processes in the Lambda infrastructure to detach Lambda Hyperplane ENIs. All Terraform AWS Providers environments using Lambda functions with VPC configurations should strongly consider updating to version 2.31.0 or higher as the Lambda service changes are planned to continue rolling out to all AWS regions and accounts in the coming weeks. For environments that cannot upgrade yet, there is now a followup issue, #10329, which highlights some Terraform configuration changes that can help mitigate the issue in older Terraform AWS Provider versions. That issue can also be followed for future updates about deletion time reductions for the new Lambda networking. |
|
This has been released in version 2.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
Just a small comment to confirm that 2.31.0 completely fix the issue |
|
Many thanks to all who have worked for solving this |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Up until end of last week (aka until Sep 6th), our code(s) worked like a charm for creating and deleting aws_lambda_function(s) all based in eu-west-1 region with 3 zones (a,b,c) VPC and associated security group.
Starting today, the deletion is failing due to timeout on deleting security group with DependencyViolation and we can see that the 3 network interfaces created to be used by the lambda in the 3 zones are not deleted still in 'in-use' therefore preventing the proper deletion of the security group. After a while (~15mn) they go into in 'available' state,
at which time we can manually delete them which also allow to re-run terraform destroy successfully.
Looking at the logs in debug mode does not exhibit anything worth mentioning here to help with this...
This is reproductible 100% of the time and our code base did not change for several weeks now.
Any one else having the same kind of issue, advice, ... ?
The text was updated successfully, but these errors were encountered: