feat: Added configuration options to replace security groups on destroy of Lambda function (#422)

Author: ricoli

README.md

@@ -659,7 +659,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.44 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.54 |
 | <a name="requirement_external"></a> [external](#requirement\_external) | >= 1.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
@@ -668,7 +668,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.44 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.54 |
 | <a name="provider_external"></a> [external](#provider\_external) | >= 1.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 1.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
@@ -816,6 +816,8 @@ No modules.
 | <a name="input_publish"></a> [publish](#input\_publish) | Whether to publish creation/change as new Lambda Function Version. | `bool` | `false` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
 | <a name="input_recreate_missing_package"></a> [recreate\_missing\_package](#input\_recreate\_missing\_package) | Whether to recreate missing Lambda package if it is missing locally or not | `bool` | `true` | no |
+| <a name="input_replace_security_groups_on_destroy"></a> [replace\_security\_groups\_on\_destroy](#input\_replace\_security\_groups\_on\_destroy) | (Optional) When true, all security groups defined in vpc\_security\_group\_ids will be replaced with the default security group after the function is destroyed. Set the replacement\_security\_group\_ids variable to use a custom list of security groups for replacement instead. | `bool` | `null` | no |
+| <a name="input_replacement_security_group_ids"></a> [replacement\_security\_group\_ids](#input\_replacement\_security\_group\_ids) | (Optional) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. replace\_security\_groups\_on\_destroy must be set to true to use this attribute. | `list(string)` | `[]` | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. | `number` | `-1` | no |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Description of IAM role to use for Lambda Function | `string` | `null` | no |
 | <a name="input_role_force_detach_policies"></a> [role\_force\_detach\_policies](#input\_role\_force\_detach\_policies) | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no |

examples/with-vpc/main.tf

@@ -23,9 +23,11 @@ module "lambda_function_in_vpc" {
 
   source_path = "${path.module}/../fixtures/python3.8-app1"
 
-  vpc_subnet_ids         = module.vpc.intra_subnets
-  vpc_security_group_ids = [module.vpc.default_security_group_id]
-  attach_network_policy  = true
+  vpc_subnet_ids                     = module.vpc.intra_subnets
+  vpc_security_group_ids             = [module.vpc.default_security_group_id]
+  attach_network_policy              = true
+  replace_security_groups_on_destroy = true
+  replacement_security_group_ids     = [module.vpc.default_security_group_id]
 }
 
 module "vpc" {

main.tf

@@ -24,21 +24,23 @@ locals {
 resource "aws_lambda_function" "this" {
   count = local.create && var.create_function && !var.create_layer ? 1 : 0
 
-  function_name                  = var.function_name
-  description                    = var.description
-  role                           = var.create_role ? aws_iam_role.lambda[0].arn : var.lambda_role
-  handler                        = var.package_type != "Zip" ? null : var.handler
-  memory_size                    = var.memory_size
-  reserved_concurrent_executions = var.reserved_concurrent_executions
-  runtime                        = var.package_type != "Zip" ? null : var.runtime
-  layers                         = var.layers
-  timeout                        = var.lambda_at_edge ? min(var.timeout, 30) : var.timeout
-  publish                        = (var.lambda_at_edge || var.snap_start) ? true : var.publish
-  kms_key_arn                    = var.kms_key_arn
-  image_uri                      = var.image_uri
-  package_type                   = var.package_type
-  architectures                  = var.architectures
-  code_signing_config_arn        = var.code_signing_config_arn
+  function_name                      = var.function_name
+  description                        = var.description
+  role                               = var.create_role ? aws_iam_role.lambda[0].arn : var.lambda_role
+  handler                            = var.package_type != "Zip" ? null : var.handler
+  memory_size                        = var.memory_size
+  reserved_concurrent_executions     = var.reserved_concurrent_executions
+  runtime                            = var.package_type != "Zip" ? null : var.runtime
+  layers                             = var.layers
+  timeout                            = var.lambda_at_edge ? min(var.timeout, 30) : var.timeout
+  publish                            = (var.lambda_at_edge || var.snap_start) ? true : var.publish
+  kms_key_arn                        = var.kms_key_arn
+  image_uri                          = var.image_uri
+  package_type                       = var.package_type
+  architectures                      = var.architectures
+  code_signing_config_arn            = var.code_signing_config_arn
+  replace_security_groups_on_destroy = var.replace_security_groups_on_destroy
+  replacement_security_group_ids     = var.replacement_security_group_ids
 
   /* ephemeral_storage is not supported in gov-cloud region, so it should be set to `null` */
   dynamic "ephemeral_storage" {

variables.tf

@@ -223,6 +223,18 @@ variable "snap_start" {
   default     = false
 }
 
+variable "replace_security_groups_on_destroy" {
+  description = "(Optional) When true, all security groups defined in vpc_security_group_ids will be replaced with the default security group after the function is destroyed. Set the replacement_security_group_ids variable to use a custom list of security groups for replacement instead."
+  type        = bool
+  default     = null
+}
+
+variable "replacement_security_group_ids" {
+  description = "(Optional) List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. replace_security_groups_on_destroy must be set to true to use this attribute."
+  type        = list(string)
+  default     = []
+}
+
 ###############
 # Function URL
 ###############

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.44"
+      version = ">= 4.54"
     }
     external = {
       source  = "hashicorp/external"