AWS sometimes fails to release an elastic network interface (ENI), and the private IP address it holds, when the resource that created it is torn down. This Lambda function deletes every network interface in the account and region whose Status is `available`: such an ENI is no longer attached to any current AWS resource, yet it still reserves an IP address in its subnet that no new resource can use.

An exception is made for ENIs that belong to DataSync tasks. DataSync creates its ENIs only once, at task creation time, so deleting them would leave the task without network interfaces it cannot recreate.

The module also creates an EventBridge (CloudWatch Events) schedule rule that invokes the Lambda every 24 hours, so the account is cleaned regularly and the addresses are returned to the subnet for other consumers.
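The selection rule described above (delete ENIs in status `available`, skip DataSync ones) is shown below as an added Python example. It is not the module's own Lambda source; the module's handler is not reproduced on this page. Selection is separated from the AWS calls so it can be exercised offline on the constructed sample data. Recognising DataSync ENIs by their `Description` text is an assumption, which is why the check is passed in as a predicate and can be swapped for whatever marker your account actually shows (for example `RequesterManaged`, which also covers the Lambda-owned ENIs that `DeleteNetworkInterface` refuses to remove).

```python
"""Release orphaned ENIs: select 'available' interfaces, protect DataSync ones.

Added example for this README, not the module's own Lambda code. The
describe_network_interfaces field names are real; the DataSync description
marker and the sample data are assumptions/constructed.
"""
from __future__ import annotations

import logging
from typing import Callable, Iterable

try:  # botocore is present in the Lambda runtime; fall back so the module imports offline
    from botocore.exceptions import ClientError
except ImportError:  # pragma: no cover
    ClientError = Exception  # type: ignore[misc,assignment]

logger = logging.getLogger(__name__)

# Assumption: ENIs created by DataSync carry "DataSync" in their Description.
DATASYNC_DESCRIPTION_MARKER = "datasync"


def is_datasync_eni(eni: dict) -> bool:
    """Heuristic protection rule: keep any ENI whose Description mentions DataSync."""
    return DATASYNC_DESCRIPTION_MARKER in eni.get("Description", "").lower()


def select_releasable(enis: Iterable[dict],
                      protect: Callable[[dict], bool] = is_datasync_eni) -> list[str]:
    """Return the IDs of ENIs that are 'available' and not protected.

    'available' means nothing is attached, so the private IP the ENI holds is
    reserved but unusable until the ENI is deleted.
    """
    ids: list[str] = []
    for eni in enis:
        if eni.get("Status") != "available":
            continue  # in-use / attaching / detaching: belongs to a live resource
        if protect(eni):
            logger.info("skipping protected ENI %s", eni["NetworkInterfaceId"])
            continue
        ids.append(eni["NetworkInterfaceId"])
    return ids


def list_available_enis(ec2) -> list[dict]:
    """Page through DescribeNetworkInterfaces, filtering on status server-side."""
    found: list[dict] = []
    paginator = ec2.get_paginator("describe_network_interfaces")
    for page in paginator.paginate(Filters=[{"Name": "status", "Values": ["available"]}]):
        found.extend(page["NetworkInterfaces"])
    return found


def release(ec2, eni_ids: list[str], dry_run: bool = False) -> dict[str, str]:
    """Delete each ENI, recording a per-ENI outcome rather than aborting on the first error.

    Requester-managed ENIs (Lambda, NAT gateway, etc.) cannot be deleted by the
    account owner; EC2 returns an error, which is logged and the loop continues.
    With DryRun=True a successful permission check is reported as DryRunOperation.
    """
    outcome: dict[str, str] = {}
    for eni_id in eni_ids:
        try:
            ec2.delete_network_interface(NetworkInterfaceId=eni_id, DryRun=dry_run)
            outcome[eni_id] = "deleted"
        except ClientError as exc:
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", "Unknown")
            outcome[eni_id] = "would-delete" if code == "DryRunOperation" else code
            if code != "DryRunOperation":
                logger.warning("could not delete %s: %s", eni_id, code)
    return outcome


def lambda_handler(event, context):
    """Entry point: pass {"dry_run": true} in the event to only check permissions."""
    import boto3  # imported here so the selection logic can be tested without boto3

    ec2 = boto3.client("ec2")
    candidates = select_releasable(list_available_enis(ec2))
    return release(ec2, candidates, dry_run=bool(event.get("dry_run", False)))


# Constructed sample, shaped like DescribeNetworkInterfaces output (not real ENIs).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0000000000000001", "Status": "available",
     "Description": "", "RequesterManaged": False},
    {"NetworkInterfaceId": "eni-0000000000000002", "Status": "in-use",
     "Description": "Primary network interface", "RequesterManaged": False},
    {"NetworkInterfaceId": "eni-0000000000000003", "Status": "available",
     "Description": "DataSync task network interface", "RequesterManaged": True},
    {"NetworkInterfaceId": "eni-0000000000000004", "Status": "available",
     "Description": "AWS Lambda VPC ENI-orphaned-function", "RequesterManaged": True},
]
```

On the sample data the default rule selects the bare ENI and the stale Lambda ENI but skips the DataSync one; the Lambda ENI would then fail at `DeleteNetworkInterface` because it is requester-managed (see the AWS references at the end of this page). Passing `protect=lambda e: e.get("RequesterManaged", False)` avoids that noise if you prefer to skip such ENIs rather than log the failure.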
## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14 |
| archive | ~> 2.2 |
| aws | > 4.0 |
| random | >= 3.1.0 |
## Providers

| Name | Version |
|------|---------|
| archive | ~> 2.2 |
| aws | > 4.0 |
## Modules

| Name | Source | Version |
|------|--------|---------|
| iam | ./iam | n/a |
## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.ip_address_release_lambda_interval | resource |
| aws_cloudwatch_event_target.ip_address_release_lambda_attach | resource |
| aws_lambda_function.ip_address_release_lambda | resource |
| aws_lambda_permission.event_permission | resource |
| archive_file.lambda_source | data source |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_name | The account name, used in the schedule rule's description. | string | n/a | yes |
| iam_role_arn | The ARN of the IAM role to use (a new one is created if set to `null`). | string | `null` | no |
| internet_egress_security_group_id | ID of a security group that allows outbound HTTPS (port 443) to the internet. | string | n/a | yes |
| kms_key_arn | ARN of the KMS key the Lambda is granted access to. | string | n/a | yes |
| lambda_runtime | Python runtime to use for this Lambda. | string | `"python3.9"` | no |
| permissions_boundary_arn | The ARN of the policy used as the permissions boundary for the IAM roles. | string | `null` | no |
| prefix | Prefix name, e.g. a team or product name such as `SRE`. | string | n/a | yes |
| subnet_ids | Subnets in the VPC that the Lambda is created in. | list(string) | n/a | yes |
| timeout | Timeout for the Lambda, in seconds. | number | `300` | no |
| vpc_id | ID of the VPC to attach the IP Address Release Lambda to. | string | n/a | yes |
## Outputs

| Name | Description |
|------|-------------|
| iam_role_arn | The IAM role created, or the one passed in. |
## Usage

IAM is a global service, so the role created by the first (primary-region) module instance can be reused by a second region: pass the first instance's `iam_role_arn` output into the second instance's `iam_role_arn` input, and the second instance will skip creating its own role.

```hcl
# assumes a non-aliased provider is set up elsewhere
module "ip-address-release-primary" {
  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
  providers = {
    aws = aws
  }
  prefix                            = "SRE"
  account_name                      = var.account_name
  permissions_boundary_arn          = local.permissions_boundary
  internet_egress_security_group_id = data.aws_security_group.https-internet-egress_primary.id
  vpc_id                            = data.aws_vpc.internal_primary.id
  subnet_ids                        = data.aws_subnets.private_subnets_primary.ids
  kms_key_arn                       = data.aws_kms_key.master_primary.arn
}

# assumes an aliased (secondary) provider is set up elsewhere
module "ip-address-release-secondary" {
  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
  providers = {
    aws = aws.secondary
  }
  prefix                            = "SRE"
  account_name                      = var.account_name
  permissions_boundary_arn          = local.permissions_boundary
  internet_egress_security_group_id = data.aws_security_group.https-internet-egress_secondary.id
  iam_role_arn                      = module.ip-address-release-primary.iam_role_arn # reuse the IAM role created above
  vpc_id                            = data.aws_vpc.internal_secondary.id
  subnet_ids                        = data.aws_subnets.private_subnets_secondary.ids
  kms_key_arn                       = data.aws_kms_key.master_secondary.arn
}
```
## References

- Why can't I detach or delete an elastic network interface that Lambda created? (AWS Knowledge Center)
- Requester-managed network interfaces (Amazon VPC documentation)
- The `findassociations` script in the AWS-support-tools repository can help track down why an ENI is stuck