Upgrading to 7.20.x is causing a VPC policy issue #659

Closed as not planned
@kramen22

Description

I am using this lambda module with a simple vpc config and was updating from 7.16.0 -> 7.20.0 and got the following error:

Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): operation error IAM: DeletePolicy, https response error StatusCode: 409, RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities.

The only vpc settings I pass into the module are:

  vpc_subnet_ids                 = var.vpc_subnet_ids // a list of my subnet IDs.
  vpc_security_group_ids         = var.vpc_security_group_ids // a list of my security group IDs.

I found the following PR from the release notes that references that it could be considered a breaking change: "this change is breaking (in theory) since the new policies will be inline. But it is very unlikely that users did this." #615 (comment)

But I cannot find any information on remediation if you in fact did trigger the breaking change.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: upgrading from 7.16.0 -> 7.20.0
  • Terraform version: Terraform v1.9.8 on linux_arm64

Reproduction Code [Required]

  • Create a lambda with a vpc connection from vpc_subnet_ids and vpc_security_group_ids using module version 7.16.0
  • Update to module version 7.20.0
  • Run terraform apply

Expected behavior

Terraform apply runs successfully

Actual behavior

Terraform apply fails

Terminal Output Screenshot(s)

Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): operation error IAM: DeletePolicy, https response error StatusCode: 409, RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities.

Additional context

Here is a sample of my module that I reuse in my own code:

module "lambda_function" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "7.16.0"

  allowed_triggers = var.allowed_triggers

  attach_cloudwatch_logs_policy = true
  attach_network_policy         = true
  attach_policy_statements      = true
  attach_tracing_policy         = true

  cloudwatch_logs_retention_in_days = 30

  create_package                 = false
  environment_variables          = merge(local.datadog_env, var.environment_variables)
  event_source_mapping           = var.event_source_mapping
  function_name                  = local.fn_name
  handler                        = "bootstrap"
  layers                         = concat([local.datadog_lambda_layer_arn], var.lambda_layers)
  memory_size                    = var.memory_size
  policy_statements              = merge(local.datadog_iam, var.policy_statements)
  publish                        = true
  reserved_concurrent_executions = var.max_concurrent_executions
  runtime                        = "provided.al2"
  tags                           = merge(var.tags, { name = local.fn_name })
  timeout                        = var.timeout
  tracing_mode                   = "Active"
  vpc_subnet_ids                 = var.vpc_subnet_ids
  vpc_security_group_ids         = var.vpc_security_group_ids

  s3_existing_package = {
    bucket     = local.s3_bucket
    key        = aws_s3_object.this.id
    version_id = aws_s3_object.this.version_id
  }
}

Please let me know if there is anything else I can provide to help or if I missed something trying to do this upgrade, thanks!
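The 409 DeleteConflict above means IAM refused DeletePolicy because the old managed `<function>-vpc` policy is still attached to at least one entity (the Lambda execution role, in the normal case), so the attachment has to be listed and understood before the policy can go away. The following is an added diagnostic written for this issue, not code from the module or from the reporter: it extracts the policy ARN from the Terraform error quoted above and, given the response of `aws iam list-entities-for-policy`, produces the detach calls that would free the policy. The response and the role name `my-lambda-name` are constructed sample data.

```python
import re
from typing import Dict, List

# Error text as quoted in the issue (account id, function name and request id were
# already redacted by the reporter).
TERRAFORM_ERROR = (
    "Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): "
    "operation error IAM: DeletePolicy, https response error StatusCode: 409, "
    "RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities."
)

# Constructed sample of `aws iam list-entities-for-policy --policy-arn <arn>` output while
# the execution role still holds the managed VPC policy. Real output comes from the CLI.
SAMPLE_ENTITIES: Dict[str, List[dict]] = {
    "PolicyGroups": [],
    "PolicyUsers": [],
    "PolicyRoles": [{"RoleName": "my-lambda-name", "RoleId": "AROACONSTRUCTEDID"}],
}

POLICY_ARN_RE = re.compile(r"deleting IAM Policy \((arn:aws:iam::[^)]+)\)")


def is_delete_conflict(error_text: str) -> bool:
    """True only for the 'policy still attached' failure, not for other IAM errors."""
    return "DeleteConflict" in error_text and "StatusCode: 409" in error_text


def policy_arn_from_error(error_text: str) -> str:
    """Pull the managed policy ARN out of the Terraform/AWS SDK error line."""
    match = POLICY_ARN_RE.search(error_text)
    if not match:
        raise ValueError("no IAM policy ARN found in error text")
    return match.group(1)


def detach_plan(policy_arn: str, entities: Dict[str, List[dict]]) -> List[str]:
    """Map each attached entity to the CLI call that releases the policy.
    An empty list means nothing holds the policy and DeletePolicy can proceed."""
    plan = []
    for role in entities.get("PolicyRoles", []):
        plan.append(f"aws iam detach-role-policy --role-name {role['RoleName']} --policy-arn {policy_arn}")
    for user in entities.get("PolicyUsers", []):
        plan.append(f"aws iam detach-user-policy --user-name {user['UserName']} --policy-arn {policy_arn}")
    for group in entities.get("PolicyGroups", []):
        plan.append(f"aws iam detach-group-policy --group-name {group['GroupName']} --policy-arn {policy_arn}")
    return plan


if __name__ == "__main__":
    if is_delete_conflict(TERRAFORM_ERROR):
        for cmd in detach_plan(policy_arn_from_error(TERRAFORM_ERROR), SAMPLE_ENTITIES):
            print(cmd)
```

Run the listing command against the real ARN before detaching anything; if the role in the output is the function's execution role, detaching removes its VPC ENI permissions until the replacement inline policy from 7.20.x is applied.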
