Feature request: when deleting lambdas in a VPC, detach security group first, then delete #2642

Open
AaronFriel opened this issue Jul 25, 2023 · 4 comments
Labels
impact/performance Something is slower than expected kind/enhancement Improvements or new features service/lambda Lambda issues

Comments

@AaronFriel
Contributor

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When deleting a lambda attached to a VPC, it can take up to 20 minutes for the ENIs to detach, and those ENIs are configured with the Lambda's security group association. This causes extremely long delete times on security groups when deleting a lambda and its security group.

The lambda itself takes very little time to delete, and AWS will clean up the ENIs in the background, which may take up to 20 minutes.

However, the attached SG, if it is also being deleted, must wait for the ENIs to detach.

I observed this empirically with two security groups taking 1105s to delete, each.

This may be a more appropriate feature request for aws-native.

Affected area/feature

aws.lambda.Function, and associated wrappers.

@AaronFriel AaronFriel added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Jul 25, 2023
@rquitales
Member

Thanks for reporting this potential performance improvement. It makes sense not to wait for ENIs to detach when also deleting an attached SG by detaching first!

@rquitales rquitales added impact/performance Something is slower than expected and removed needs-triage Needs attention from the triage team labels Jul 26, 2023
@t0yv0 t0yv0 added the service/lambda Lambda issues label Apr 11, 2024
@vizero1

vizero1 commented May 11, 2024

Any way to mitigate this issue?
This is really annoying. In my case I create a security group and then a lambda and attach the security group to the lambda. When I do a pulumi destroy, it deletes the lambda but it's not able to delete the security group as it is attached to it. Sometimes it works after like 10 minutes but in most cases it cannot delete the security group because it has an attached ENI.
Any way to prevent this behaviour as at the moment I am not able to delete the security group of a lambda.

@vtk9

vtk9 commented Jul 25, 2024

Running into the same issue. Takes 20 minutes to delete a lambda in a VPC

@flostadler
Contributor

FYI, this is possible today.

AWS Lambda does not allow removing the Security Groups of a function, but the resource has a built-in feature for replacing it on destroy.
You can use the `replaceSecurityGroupsOnDestroy` input property to enable this and `replacementSecurityGroupIds` to control which security group is used for the replacement. If you do not specify `replacementSecurityGroupIds`, it will use the default security group of the VPC.
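
The two properties named in the comment above, shown in a Pulumi YAML program. This is an added example, not part of the thread or the provider's own documentation. Assumptions: the resource names, the `./app` code directory and the `vpc-`/`subnet-`/`sg-PLACEHOLDER` IDs are constructed, and the replacement group is a pre-existing, rule-less security group managed outside this stack, so that `pulumi destroy` never has to delete a group the lingering ENIs still reference.

```yaml
name: lambda-vpc-teardown
runtime: yaml
resources:
  fnRole:
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::toJSON:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: sts:AssumeRole
              Principal:
                Service: lambda.amazonaws.com
  # Lets the function create and remove its ENIs in the VPC.
  vpcAccess:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${fnRole.name}
      policyArn: arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  # The group that is created and destroyed together with the function.
  fnSg:
    type: aws:ec2:SecurityGroup
    properties:
      vpcId: vpc-PLACEHOLDER
      description: Lambda function security group
      egress:
        - protocol: tcp
          fromPort: 443
          toPort: 443
          cidrBlocks: ["0.0.0.0/0"]
  fn:
    type: aws:lambda:Function
    properties:
      role: ${fnRole.arn}
      runtime: python3.12
      handler: index.handler
      code:
        fn::fileArchive: ./app
      vpcConfig:
        subnetIds: [subnet-PLACEHOLDER]
        securityGroupIds: ["${fnSg.id}"]
      # On destroy, swap fnSg out of the function's VPC config before deleting it.
      replaceSecurityGroupsOnDestroy: true
      # Omit this list to fall back to the VPC's default security group.
      replacementSecurityGroupIds: [sg-PLACEHOLDER]
    options:
      dependsOn: ["${vpcAccess}"]
```

An unmodified default security group allows all outbound traffic and inbound traffic from its own members, so naming a rule-less replacement group keeps the ENIs from picking up that access while AWS cleans them up.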

6 participants