Serverless remove hangs on delete of security group


#1

This is probably an AWS issue, but wanted to run it by y’all.

I have a serverless.yml that uses the LambdaSecurityGroup defined as:

LambdaExecSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  DependsOn: AWSLambdaVPCAccessExecutionRole
  Properties:
    GroupDescription: "walkmeApi-${self:custom.stage}-${self:custom.region} Lambda functions execute with this group"
    VpcId: vpc-54f76630
    Tags:
      - Key: Name
        Value: walkmeApi-${self:custom.stage}-${self:custom.region}-LambdaExecSecurityGroup

Despite my attempt to name the group, the stack fails deletion with a message like “resource sg-b49640cc has a dependent object”.

When I look at that security group, it is clearly the one I created, so it seems like something that the group is being applied to is not being deleted during the “serverless remove” process.


#2

Just to clarify, I then have to remove the stack manually by checking the box that says to bypass the security group.

If I try to delete the security group manually, it tells me the SG is associated with one or more network interfaces:

Note that the following security groups cannot be deleted:

These security groups are associated with one or more network interfaces. Delete the network interfaces, or associate them with different security groups. View your network interfaces.
sg-b49640cc - walkmeApi-prod-LambdaExecSecurityGroup-FAXKKSZRYI1P (walkmeApi-prod-LambdaExecSecurityGroup)

Looking at the network interfaces associated with that, I find only the one created by this template: AWS Lambda VPC ENI: 0535f9b2-7fed-4892-8be8-c167dc7068ed
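
The check described in post #2, as an added example that is not part of the original thread: it filters the JSON returned by `aws ec2 describe-network-interfaces` for interfaces that still reference a security group and reports whether each is a Lambda VPC ENI, still attached, or has no other group to fall back on. The sample response, the ENI ids and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-network-interfaces`; ENI ids are placeholders.
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa1111", "Status": "in-use",
   "Description": "AWS Lambda VPC ENI: 0535f9b2-7fed-4892-8be8-c167dc7068ed",
   "Groups": [{"GroupId": "sg-b49640cc"}],
   "Attachment": {"AttachmentId": "eni-attach-0001", "Status": "attached"}},
  {"NetworkInterfaceId": "eni-0bbb2222", "Status": "available",
   "Description": "AWS Lambda VPC ENI: constructed-example",
   "Groups": [{"GroupId": "sg-b49640cc"}, {"GroupId": "sg-00000000"}]},
  {"NetworkInterfaceId": "eni-0ccc3333", "Status": "in-use",
   "Description": "Primary network interface",
   "Groups": [{"GroupId": "sg-00000000"}]}
]}
""")

LAMBDA_PREFIX = "AWS Lambda VPC ENI"  # description prefix seen in the thread


def blocking_enis(response, group_id):
    """Return the ENIs that still reference group_id and so block its deletion."""
    findings = []
    for eni in response.get("NetworkInterfaces", []):
        groups = [g["GroupId"] for g in eni.get("Groups", [])]
        if group_id not in groups:
            continue
        attachment = eni.get("Attachment") or {}  # absent on detached ENIs
        findings.append({
            "eni": eni["NetworkInterfaceId"],
            "lambda_managed": eni.get("Description", "").startswith(LAMBDA_PREFIX),
            "attached": attachment.get("Status") == "attached",
            # True means the ENI must be deleted or given another group first
            "only_group": len(groups) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in blocking_enis(SAMPLE, "sg-b49640cc"):
        print(finding)
```

On a live account the same function can be fed the parsed output of `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group id>`.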


#3

I can concur with the behaviour. I am testing again now but I believe the behaviour is easily replicated if you add an existing function to a VPC. Was this similar to your scenario? Did you start the function off outside a VPC then add it to a VPC?