This is probably an AWS issue, but wanted to run it by y’all.
I have a serverless.yml that uses the LambdaSecurityGroup defined as:

    LambdaExecSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      DependsOn: AWSLambdaVPCAccessExecutionRole
      Properties:
        GroupDescription: "walkmeApi-${self:custom.stage}-${self:custom.region} Lambda functions execute with this group"
        VpcId: vpc-54f76630
        Tags:
          - Key: Name
            Value: walkmeApi-${self:custom.stage}-${self:custom.region}-LambdaExecSecurityGroup

Despite my attempt to name the group, the stack fails deletion with a message like “resource sg-b49640cc has a dependent object”.
When I look at that security group, it is clearly the one I created, so seems like something that the group is being applied to is not being deleted during the “serverless remove” process.
Just to clarify, I then have to remove the stack manually by checking the box that says to bypass the security group.
If I try to delete the security group manually, it tells me the SG is associated with one or more network interfaces:
Note that the following security groups cannot be deleted:
These security groups are associated with one or more network interfaces. Delete the network interfaces, or associate them with different security groups. View your network interfaces.
sg-b49640cc - walkmeApi-prod-LambdaExecSecurityGroup-FAXKKSZRYI1P (walkmeApi-prod-LambdaExecSecurityGroup)
Looking at the network interfaces associated with that, I find only the one created by this template: AWS Lambda VPC ENI: 0535f9b2-7fed-4892-8be8-c167dc7068ed.
I can concur with the behaviour. I am testing again now but I believe the behaviour is easily replicated if you add an existing function to a vpc. Was this similar to your scenario? Did you start the function off outside a vpc then add it to a vpc?
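
For the dependency error discussed in this thread, the following added example (not code from either poster or from the Serverless Framework) lists which network interfaces still reference a security group, given JSON in the shape returned by `aws ec2 describe-network-interfaces`. The `eni-*` IDs and `sg-00000000` are constructed; `sg-b49640cc` and the Lambda ENI description are the ones quoted above.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# The eni-* IDs and sg-00000000 are made up; sg-b49640cc and the Lambda ENI
# description are the ones quoted in the thread.
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-00000001", "Status": "in-use",
   "Description": "AWS Lambda VPC ENI: 0535f9b2-7fed-4892-8be8-c167dc7068ed",
   "Groups": [{"GroupId": "sg-b49640cc"}]},
  {"NetworkInterfaceId": "eni-00000002", "Status": "available",
   "Description": "AWS Lambda VPC ENI: constructed-example",
   "Groups": [{"GroupId": "sg-b49640cc"}, {"GroupId": "sg-00000000"}]},
  {"NetworkInterfaceId": "eni-00000003", "Status": "in-use",
   "Description": "Primary network interface",
   "Groups": [{"GroupId": "sg-00000000"}]}
]}
""")

LAMBDA_PREFIX = "AWS Lambda VPC ENI"


def blocking_enis(response, group_id):
    """Return the interfaces that still reference group_id.

    Any such interface makes the security group undeletable, which is what
    surfaces as "has a dependent object" when the stack is removed.
    """
    found = []
    for eni in response.get("NetworkInterfaces", []):
        groups = {g["GroupId"] for g in eni.get("Groups", [])}
        if group_id not in groups:
            continue
        found.append({
            "id": eni["NetworkInterfaceId"],
            "status": eni.get("Status", "unknown"),
            "lambda_eni": eni.get("Description", "").startswith(LAMBDA_PREFIX),
            # "available" means the interface is not attached to anything.
            "attached": eni.get("Status") != "available",
        })
    return found


if __name__ == "__main__":
    for row in blocking_enis(SAMPLE, "sg-b49640cc"):
        print(row)
```
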