This script cleans up security groups that were used by VPC-enabled AWS Lambda functions and still have ENIs (elastic network interfaces) associated with them.
Why this is a problem:
- A Lambda function is created within the given VPC subnet(s) and assigned a security group.
- During deployment, AWS creates ENIs on your behalf, assigned to that security group and placed into the instructed subnet(s).
- Next, the function is changed to use a new security group. AWS now creates new ENIs, because ENIs are only reused between functions that share the same security group/subnet combination.
- Finally, the user wants to delete the legacy security group but can't, because the existing ENIs still reference it.
By running this script against the offending legacy security group ID:
- All ENIs associated with the security group are located.
- The offending ENIs are updated to use the VPC's default security group, which releases the legacy group.
- The legacy security group can now be deleted.
- AWS will then come along and clean up the now-unused ENIs.
You might also want a slightly different version of this script, where the security group is just detached from each ENI rather than replaced. Note that an ENI must always have at least one security group, so plain detachment only works for ENIs that carry another group as well; the rest still need a replacement group.
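The procedure above, written out as an added example in Python with boto3; this is not the original script. It supports both behaviours: replace every matching ENI's groups with the VPC default group (the script's behaviour), or detach only, falling back to the default group when an ENI would otherwise be left with no security group. The `FakeEC2` class and its ENI/group IDs are constructed sample data so the logic runs offline; the real run in `main()` is an assumption about how you would wire it to a boto3 client.

```python
"""Release a legacy security group from Lambda-managed ENIs (added example, not the original script)."""
from __future__ import annotations

from typing import Iterable


def enis_using_group(ec2, sg_id: str) -> list[dict]:
    """Return every ENI whose security groups include sg_id (uses the EC2 'group-id' filter)."""
    paginator = ec2.get_paginator("describe_network_interfaces")
    found: list[dict] = []
    for page in paginator.paginate(Filters=[{"Name": "group-id", "Values": [sg_id]}]):
        found.extend(page["NetworkInterfaces"])
    return found


def default_group_for_vpc(ec2, vpc_id: str) -> str:
    """Look up the VPC's default security group (group-name 'default')."""
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}, {"Name": "group-name", "Values": ["default"]}]
    )
    return resp["SecurityGroups"][0]["GroupId"]


def new_group_list(current: Iterable[str], sg_id: str, default_sg: str, detach_only: bool) -> list[str]:
    """Compute the replacement group list for one ENI.

    detach_only=False: the ENI ends up on the VPC default group alone.
    detach_only=True:  only sg_id is removed; if nothing would remain, fall back to the
                       default group, because an ENI must always have at least one group.
    """
    if not detach_only:
        return [default_sg]
    remaining = [g for g in current if g != sg_id]
    return remaining or [default_sg]


def release_security_group(ec2, sg_id: str, detach_only: bool = False, dry_run: bool = False) -> dict[str, list[str]]:
    """Rewrite the group list of every ENI using sg_id. Returns {eni_id: new_group_list}."""
    defaults: dict[str, str] = {}
    changes: dict[str, list[str]] = {}
    for eni in enis_using_group(ec2, sg_id):
        vpc_id = eni["VpcId"]
        defaults.setdefault(vpc_id, default_group_for_vpc(ec2, vpc_id))
        if sg_id == defaults[vpc_id]:
            raise ValueError(f"{sg_id} is the VPC default group; refusing to replace it with itself")
        current = [g["GroupId"] for g in eni["Groups"]]
        groups = new_group_list(current, sg_id, defaults[vpc_id], detach_only)
        if not dry_run:
            ec2.modify_network_interface_attribute(NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=groups)
        changes[eni["NetworkInterfaceId"]] = groups
    return changes


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client; the ENI and group IDs are sample data, not real AWS state."""

    def __init__(self) -> None:
        self.groups = {"eni-1": ["sg-legacy"], "eni-2": ["sg-legacy", "sg-other"], "eni-3": ["sg-other"]}

    def _enis(self, sg_id: str) -> list[dict]:
        return [{"NetworkInterfaceId": i, "VpcId": "vpc-1", "Groups": [{"GroupId": g} for g in gs]}
                for i, gs in self.groups.items() if sg_id in gs]

    def get_paginator(self, name: str):
        assert name == "describe_network_interfaces"
        fake = self

        class _Paginator:
            def paginate(self, Filters):
                yield {"NetworkInterfaces": fake._enis(Filters[0]["Values"][0])}

        return _Paginator()

    def describe_security_groups(self, Filters):
        return {"SecurityGroups": [{"GroupId": "sg-default", "GroupName": "default", "VpcId": "vpc-1"}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.groups[NetworkInterfaceId] = list(Groups)


def main() -> None:
    """Real run (assumed wiring): python release_sg.py sg-0123456789abcdef0 [--detach-only] [--dry-run]."""
    import argparse
    import boto3  # only needed for a real run, so the module stays importable without it

    parser = argparse.ArgumentParser()
    parser.add_argument("sg_id")
    parser.add_argument("--detach-only", action="store_true")
    parser.add_argument("--dry-run", action="store_true")
    args = parser.parse_args()
    for eni_id, groups in release_security_group(boto3.client("ec2"), args.sg_id, args.detach_only, args.dry_run).items():
        print(f"{eni_id}: {groups}")


if __name__ == "__main__":
    main()
```

The principal running it needs `ec2:DescribeNetworkInterfaces`, `ec2:DescribeSecurityGroups` and `ec2:ModifyNetworkInterfaceAttribute`. Run with `--dry-run` first to see which ENIs would change; the refusal to act when the target is itself the VPC default group guards against the one input the replacement logic cannot make sense of.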