# terraform-aws-ip-address-release

Sometimes AWS fails to release an allocated IP address when tearing down the associated resources. This Lambda releases (deletes) every elastic network interface (ENI) whose Status is `available`: such interfaces are no longer associated with a current AWS resource, yet their IP addresses cannot be used by a new one. An exception is made for ENIs attached to DataSync tasks, since DataSync only establishes ENIs at task creation time.

The module also includes a 24 hour CloudWatch alarm that triggers the Lambda regularly, in an effort to keep the account clean and make the addresses available for another consumer.
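The clean-up the Lambda performs, as an added Python example (not the module's own Lambda source): it selects interfaces whose Status is `available`, exempts DataSync ENIs, and supports a dry run before deleting anything. The DataSync check by description text and the `SAMPLE_ENIS` records are assumptions constructed for illustration.

```python
"""Release ENIs stuck in Status: available, sparing DataSync ENIs.

Added example, not the module's Lambda code. The DataSync exception is
implemented here by inspecting the ENI description (an assumption; the
module only states that DataSync ENIs are exempt).
"""
from __future__ import annotations

# Constructed sample of what ec2.describe_network_interfaces returns,
# trimmed to the fields this example uses.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Status": "available",
     "Description": "Orphaned by a deleted Lambda", "RequesterManaged": False},
    {"NetworkInterfaceId": "eni-0bbb", "Status": "available",
     "Description": "DataSync task-0123 endpoint", "RequesterManaged": True},
    {"NetworkInterfaceId": "eni-0ccc", "Status": "in-use",
     "Description": "still attached", "RequesterManaged": False},
]


def is_datasync_eni(eni: dict) -> bool:
    """Heuristic for the DataSync exception (assumes the description mentions DataSync)."""
    return "datasync" in eni.get("Description", "").lower()


def select_releasable(enis: list[dict]) -> list[str]:
    """IDs of ENIs safe to delete: Status 'available' and not a DataSync interface."""
    return [e["NetworkInterfaceId"] for e in enis
            if e.get("Status") == "available" and not is_datasync_eni(e)]


def release(ec2, enis: list[dict], dry_run: bool = True) -> list[str]:
    """Delete each releasable ENI; with dry_run=True only report what would be deleted."""
    released = []
    for eni_id in select_releasable(enis):
        if not dry_run:
            ec2.delete_network_interface(NetworkInterfaceId=eni_id)
        released.append(eni_id)
    return released


def handler(event, context):
    """Lambda entry point: page through available ENIs in this region and release them."""
    import boto3  # imported here so the pure functions above run without the SDK or credentials
    ec2 = boto3.client("ec2")
    paginator = ec2.get_paginator("describe_network_interfaces")
    enis = []
    for page in paginator.paginate(Filters=[{"Name": "status", "Values": ["available"]}]):
        enis.extend(page["NetworkInterfaces"])
    return {"released": release(ec2, enis, dry_run=bool(event.get("dry_run", False)))}
```

Run the handler with `{"dry_run": true}` first to confirm the list only contains interfaces you expect to lose; the IAM role needs `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` for the real run.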
## Modules

| Name | Source | Version |
|------|--------|---------|
| iam | ./iam | n/a |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_name | The account name for use in the alarm description. | string | n/a | yes |
| iam_role_arn | The ARN of the IAM Role to use (creates a new one if set to `null`). | string | null | no |
| internet_egress_security_group_id | Security group ID that allows internet outbound calls to port 443. | string | n/a | yes |
| kms_key_arn | ARN of the KMS key to give the Lambda access to. | string | n/a | yes |
| lambda_runtime | Python runtime to use for this Lambda. | string | "python3.9" | no |
| permissions_boundary_arn | The ARN of the policy that is used to set the permissions boundary for the IAM roles. | string | null | no |
| prefix | Prefix name; can be a team or product name, e.g. 'SRE'. | string | n/a | yes |
| subnet_ids | Subnets in the VPC that the Lambda will be created in. | list(string) | n/a | yes |
| timeout | Timeout value for the Lambda. | number | 300 | no |
| vpc_id | VPC ID to attach the IP Address Release Lambda to. | string | n/a | yes |
## Outputs

| Name | Description |
|------|-------------|
| iam_role_arn | The IAM Role created, or the one passed in. |
## Usage

The IAM role created for the initial region can be reused for the second region by referencing the outputs from the first region.

```hcl
# assumes a non-aliased provider is set up elsewhere
module "ip-address-release-primary" {
  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
  providers = {
    aws = aws
  }
  prefix                            = "SRE"
  account_name                      = var.account_name
  permissions_boundary_arn          = local.permissions_boundary
  internet_egress_security_group_id = data.aws_security_group.https-internet-egress_primary.id
  vpc_id                            = data.aws_vpc.internal_primary.id
  subnet_ids                        = data.aws_subnets.private_subnets_primary.ids
  kms_key_arn                       = data.aws_kms_key.master_primary.arn
}
```
```hcl
# assumes an aliased (secondary) provider is set up elsewhere
module "ip-address-release-secondary" {
  source = "git::https://github.com/StateFarmIns/terraform-aws-ip-address-release?ref=1.0.0"
  providers = {
    aws = aws.secondary
  }
  prefix                            = "SRE"
  account_name                      = var.account_name
  permissions_boundary_arn          = local.permissions_boundary
  internet_egress_security_group_id = data.aws_security_group.https-internet-egress_secondary.id
  iam_role_arn                      = module.ip-address-release-primary.iam_role_arn # reference the IAM Role created earlier
  vpc_id                            = data.aws_vpc.internal_secondary.id
  subnet_ids                        = data.aws_subnets.private_subnets_secondary.ids
  kms_key_arn                       = data.aws_kms_key.master_secondary.arn
}
```