
Terraform can't delete security group for Lambda ENI

Reposted. Author: bug小助手. Updated: 2023-10-24 22:59:50



I have a terraform script that creates a lambda function in a VPC. Because the lambda is deployed to a VPC it creates an ENI and associates it with my security group. However, when I go to change that security group (destroy) it fails due to a timeout of the ENI being in use.



What I assume is happening is that Terraform is recognising that the ENI is dependent on the security group but isn't recognising that the lambda function is dependent on the ENI and therefore is not trying to delete the lambda function before trying to delete the ENI.



The desired outcome would be the ability to change the security group's name and description without having to manually delete the lambda function and ENIs.



I have tried creating various 'depends_on' and also setting a lifecycle for the lambda function to be destroyed on changes to the security group, but neither has worked. I am using version 1.3.3 of Terraform and version 4.37.0 of the AWS provider.




Error: deleting ENIs using Security Group (sg-01ba40a4b03c5ddd2): 2 errors occurred:
    * waiting for Lambda ENI (eni-02cd7771540d50f8e) to become available for
      detachment: timeout while waiting for state to become 'available'
      (last state: 'in-use', timeout: 45m0s)
    * waiting for Lambda ENI (eni-030c34234a51be116) to become available for
      detachment: timeout while waiting for state to become 'available'
      (last state: 'in-use', timeout: 45m0s)



# ----------------------------------------------------------------------
# Security group
# ----------------------------------------------------------------------
resource "aws_security_group" "public" {
  name        = "test-sg"
  vpc_id      = var.vpc_id
  description = "Security group for the lambda functions." # I can't modify this
}


# ----------------------------------------------------------------------
# Lambda Function
# ----------------------------------------------------------------------
resource "aws_lambda_function" "lambda_function" {
  function_name    = var.name
  handler          = var.handler
  description      = var.description
  runtime          = var.runtime
  package_type     = "Zip"
  filename         = var.file_path
  source_code_hash = filebase64sha256(var.file_path)
  role             = aws_iam_role.lambda_execution_role.arn
  timeout          = 30
  memory_size      = var.memory_size

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.public.id]
  }
}

Thanks.



More replies

Take a look here: github.com/hashicorp/terraform-provider-aws/issues/10329.


Hi, I've had a look at that resource but in their discussions, they're talking about the ENIs not deleting after the lambda delete call. However, in my example, the lambda function delete call never happens. This is further backed up by the fact I can destroy the whole infrastructure perfectly well, but I am failing to update the individual resource.


Terraform has lots of long-standing issues with attempting to delete security groups before everything using that security group is deleted. It's a known problem with several issues being tracked, like the one linked above. I've just resigned myself to deleting security groups manually when needed.


The problem isn't with deleting the security per se, it recognises that the ENI is dependent on it and must be destroyed first. However, it's failing to recognise that the lambda function must be deleted before the ENI can be deleted thus allowing the security group to be destroyed.


Does the SG get deleted then?


Recommended answers

One discovery that helped our org after we encountered a similar issue was that older Lambda versions might hold a reference to the security group (and corresponding ENI) that you wish to delete.



To solve the issue, we had to delete any Lambda version that referenced the security group value before we could delete the security group.

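An added helper (not from the answerer or from any project) that checks the point made in this answer: every published Lambda version keeps its own VpcConfig, so a version Terraform no longer manages can still pin the security group and keep its ENI in use. It walks a response shaped like the Lambda ListVersionsByFunction API; the function name and the second group id are constructed, the security group id is the one from the question's error, and the boto3 fetcher is only there for live use.

```python
# Constructed sample shaped like the output of
# `aws lambda list-versions-by-function --function-name example-function`.
# "example-function" and sg-0fffffffffffffff0 are placeholders; SG_ID is the
# group from the question's error message.
SG_ID = "sg-01ba40a4b03c5ddd2"
SAMPLE_RESPONSE = {
    "Versions": [
        {"FunctionName": "example-function", "Version": "$LATEST",
         "VpcConfig": {"SubnetIds": ["subnet-aaaa1111"],
                       "SecurityGroupIds": [SG_ID]}},
        {"FunctionName": "example-function", "Version": "1",
         "VpcConfig": {"SubnetIds": ["subnet-aaaa1111"],
                       "SecurityGroupIds": [SG_ID]}},
        {"FunctionName": "example-function", "Version": "2",
         "VpcConfig": {"SubnetIds": ["subnet-aaaa1111"],
                       "SecurityGroupIds": ["sg-0fffffffffffffff0"]}},
        {"FunctionName": "example-function", "Version": "3"},  # no VPC config
    ]
}


def versions_referencing_sg(response, sg_id):
    """Return [(function_name, version)] for every version whose VpcConfig
    lists sg_id. Versions with no (or an empty) VpcConfig cannot hold an ENI
    on the group and are skipped."""
    hits = []
    for v in response.get("Versions", []):
        groups = (v.get("VpcConfig") or {}).get("SecurityGroupIds") or []
        if sg_id in groups:
            hits.append((v["FunctionName"], v["Version"]))
    return hits


def blocking_versions(response, sg_id):
    """Published versions (everything except $LATEST) still pinned to sg_id.
    aws_lambda_function manages $LATEST; older published versions are the
    ones Terraform does not touch and that keep the ENI 'in-use'."""
    return [(name, ver) for name, ver in versions_referencing_sg(response, sg_id)
            if ver != "$LATEST"]


def fetch_versions(function_name):
    """Live equivalent of SAMPLE_RESPONSE via boto3 (not exercised offline)."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    paginator = boto3.client("lambda").get_paginator("list_versions_by_function")
    versions = []
    for page in paginator.paginate(FunctionName=function_name):
        versions.extend(page["Versions"])
    return {"Versions": versions}


if __name__ == "__main__":
    for name, ver in blocking_versions(SAMPLE_RESPONSE, SG_ID):
        print(f"{name}:{ver} still references {SG_ID}; delete it before the SG")
```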



I've run across this as well. It is, as you know, quite frustrating.



My workaround (not ideal by any means) is to edit each ENI using the AWS console to change the security group assigned (add any random security group and delete the offending security group). When the next terraform apply is executed, the security group can be replaced, the ENI/NIC will be updated and everything is reset.


