From 7313dc5acc611f40de6ad58112c449986f67dc4d Mon Sep 17 00:00:00 2001
From: Florian Stadler
Date: Fri, 23 Aug 2024 13:16:59 +0200
Subject: [PATCH] Enhance docs for resources that depend on Lambda ENIs (#4392)

The ENIs created by AWS Lambda get slowly cleaned up (~35mins) and because of that the provider has special delete logic for subnets and security groups that are associated with Lambda ENIs.
For cleaning those up, it will wait up to 45 minutes until the ENIs are freed up even if users specify a shorter timeout. See [Source Code](https://github.com/hashicorp/terraform-provider-aws/blob/be7be81584b81d7b40c0a317882d6666da4444a3/internal/service/ec2/vpc_network_interface.go#L1485-L1489).

This change makes it clearer in the docs that this is happening.

resolves #4382
---
 provider/cmd/pulumi-resource-aws/schema.json | 6 +++---
 sdk/dotnet/Ec2/SecurityGroup.cs | 2 +-
 sdk/dotnet/Ec2/Subnet.cs | 2 +-
 sdk/dotnet/Lambda/Function.cs | 2 +-
 sdk/go/aws/ec2/securityGroup.go | 2 +-
 sdk/go/aws/ec2/subnet.go | 2 +-
 sdk/go/aws/lambda/function.go | 2 +-
 .../src/main/java/com/pulumi/aws/ec2/SecurityGroup.java | 2 +-
 sdk/java/src/main/java/com/pulumi/aws/ec2/Subnet.java | 2 +-
 sdk/java/src/main/java/com/pulumi/aws/lambda/Function.java | 2 +-
 sdk/nodejs/ec2/securityGroup.ts | 2 +-
 sdk/nodejs/ec2/subnet.ts | 2 +-
 sdk/nodejs/lambda/function.ts | 2 +-
 sdk/python/pulumi_aws/ec2/security_group.py | 4 ++--
 sdk/python/pulumi_aws/ec2/subnet.py | 4 ++--
 sdk/python/pulumi_aws/lambda_/function.py | 4 ++--
 upstream-tools/pre-replacements.json | 6 +++---
 17 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index 8dbf75aa0b6..1b601a9514c 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -234998,7 +234998,7 @@ } }, "aws:ec2/securityGroup:SecurityGroup": { - "description": "Provides a security group resource.\n\n\u003e **NOTE:** Avoid using the `ingress` and `egress` arguments of the `aws.ec2.SecurityGroup` resource to configure in-line rules, as they struggle with managing multiple CIDR blocks, and, due to the historical lack of unique IDs, tags and descriptions. To avoid these problems, use the current best practice of the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources with one CIDR block per rule.\n\n!\u003e **WARNING:** You should not use the `aws.ec2.SecurityGroup` resource with _in-line rules_ (using the `ingress` and `egress` arguments of `aws.ec2.SecurityGroup`) in conjunction with the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources or the `aws.ec2.SecurityGroupRule` resource. Doing so may cause rule conflicts, perpetual differences, and result in rules being overwritten.\n\n\u003e **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html).\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.\n\n\u003e **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. 
If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst allowTls = new aws.ec2.SecurityGroup(\"allow_tls\", {\n name: \"allow_tls\",\n description: \"Allow TLS inbound traffic and all outbound traffic\",\n vpcId: main.id,\n tags: {\n Name: \"allow_tls\",\n },\n});\nconst allowTlsIpv4 = new aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\", {\n securityGroupId: allowTls.id,\n cidrIpv4: main.cidrBlock,\n fromPort: 443,\n ipProtocol: \"tcp\",\n toPort: 443,\n});\nconst allowTlsIpv6 = new aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\", {\n securityGroupId: allowTls.id,\n cidrIpv6: main.ipv6CidrBlock,\n fromPort: 443,\n ipProtocol: \"tcp\",\n toPort: 443,\n});\nconst allowAllTrafficIpv4 = new aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\", {\n securityGroupId: allowTls.id,\n cidrIpv4: \"0.0.0.0/0\",\n ipProtocol: \"-1\",\n});\nconst allowAllTrafficIpv6 = new aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\", {\n securityGroupId: allowTls.id,\n cidrIpv6: \"::/0\",\n ipProtocol: \"-1\",\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nallow_tls = aws.ec2.SecurityGroup(\"allow_tls\",\n name=\"allow_tls\",\n description=\"Allow TLS inbound traffic and all outbound traffic\",\n vpc_id=main[\"id\"],\n tags={\n \"Name\": \"allow_tls\",\n })\nallow_tls_ipv4 = aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\",\n security_group_id=allow_tls.id,\n cidr_ipv4=main[\"cidrBlock\"],\n from_port=443,\n ip_protocol=\"tcp\",\n to_port=443)\nallow_tls_ipv6 = aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\",\n security_group_id=allow_tls.id,\n cidr_ipv6=main[\"ipv6CidrBlock\"],\n from_port=443,\n ip_protocol=\"tcp\",\n to_port=443)\nallow_all_traffic_ipv4 = 
aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\",\n security_group_id=allow_tls.id,\n cidr_ipv4=\"0.0.0.0/0\",\n ip_protocol=\"-1\")\nallow_all_traffic_ipv6 = aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\",\n security_group_id=allow_tls.id,\n cidr_ipv6=\"::/0\",\n ip_protocol=\"-1\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var allowTls = new Aws.Ec2.SecurityGroup(\"allow_tls\", new()\n {\n Name = \"allow_tls\",\n Description = \"Allow TLS inbound traffic and all outbound traffic\",\n VpcId = main.Id,\n Tags = \n {\n { \"Name\", \"allow_tls\" },\n },\n });\n\n var allowTlsIpv4 = new Aws.Vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv4 = main.CidrBlock,\n FromPort = 443,\n IpProtocol = \"tcp\",\n ToPort = 443,\n });\n\n var allowTlsIpv6 = new Aws.Vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv6 = main.Ipv6CidrBlock,\n FromPort = 443,\n IpProtocol = \"tcp\",\n ToPort = 443,\n });\n\n var allowAllTrafficIpv4 = new Aws.Vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv4 = \"0.0.0.0/0\",\n IpProtocol = \"-1\",\n });\n\n var allowAllTrafficIpv6 = new Aws.Vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv6 = \"::/0\",\n IpProtocol = \"-1\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/vpc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tallowTls, err := ec2.NewSecurityGroup(ctx, \"allow_tls\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"allow_tls\"),\n\t\t\tDescription: pulumi.String(\"Allow TLS inbound traffic and 
all outbound traffic\"),\n\t\t\tVpcId: pulumi.Any(main.Id),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"allow_tls\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupIngressRule(ctx, \"allow_tls_ipv4\", \u0026vpc.SecurityGroupIngressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv4: pulumi.Any(main.CidrBlock),\n\t\t\tFromPort: pulumi.Int(443),\n\t\t\tIpProtocol: pulumi.String(\"tcp\"),\n\t\t\tToPort: pulumi.Int(443),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupIngressRule(ctx, \"allow_tls_ipv6\", \u0026vpc.SecurityGroupIngressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv6: pulumi.Any(main.Ipv6CidrBlock),\n\t\t\tFromPort: pulumi.Int(443),\n\t\t\tIpProtocol: pulumi.String(\"tcp\"),\n\t\t\tToPort: pulumi.Int(443),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupEgressRule(ctx, \"allow_all_traffic_ipv4\", \u0026vpc.SecurityGroupEgressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv4: pulumi.String(\"0.0.0.0/0\"),\n\t\t\tIpProtocol: pulumi.String(\"-1\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupEgressRule(ctx, \"allow_all_traffic_ipv6\", \u0026vpc.SecurityGroupEgressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv6: pulumi.String(\"::/0\"),\n\t\t\tIpProtocol: pulumi.String(\"-1\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.vpc.SecurityGroupIngressRule;\nimport com.pulumi.aws.vpc.SecurityGroupIngressRuleArgs;\nimport com.pulumi.aws.vpc.SecurityGroupEgressRule;\nimport com.pulumi.aws.vpc.SecurityGroupEgressRuleArgs;\nimport 
java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var allowTls = new SecurityGroup(\"allowTls\", SecurityGroupArgs.builder()\n .name(\"allow_tls\")\n .description(\"Allow TLS inbound traffic and all outbound traffic\")\n .vpcId(main.id())\n .tags(Map.of(\"Name\", \"allow_tls\"))\n .build());\n\n var allowTlsIpv4 = new SecurityGroupIngressRule(\"allowTlsIpv4\", SecurityGroupIngressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv4(main.cidrBlock())\n .fromPort(443)\n .ipProtocol(\"tcp\")\n .toPort(443)\n .build());\n\n var allowTlsIpv6 = new SecurityGroupIngressRule(\"allowTlsIpv6\", SecurityGroupIngressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv6(main.ipv6CidrBlock())\n .fromPort(443)\n .ipProtocol(\"tcp\")\n .toPort(443)\n .build());\n\n var allowAllTrafficIpv4 = new SecurityGroupEgressRule(\"allowAllTrafficIpv4\", SecurityGroupEgressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv4(\"0.0.0.0/0\")\n .ipProtocol(\"-1\")\n .build());\n\n var allowAllTrafficIpv6 = new SecurityGroupEgressRule(\"allowAllTrafficIpv6\", SecurityGroupEgressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv6(\"::/0\")\n .ipProtocol(\"-1\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n allowTls:\n type: aws:ec2:SecurityGroup\n name: allow_tls\n properties:\n name: allow_tls\n description: Allow TLS inbound traffic and all outbound traffic\n vpcId: ${main.id}\n tags:\n Name: allow_tls\n allowTlsIpv4:\n type: aws:vpc:SecurityGroupIngressRule\n name: allow_tls_ipv4\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv4: ${main.cidrBlock}\n fromPort: 443\n ipProtocol: tcp\n toPort: 443\n allowTlsIpv6:\n type: aws:vpc:SecurityGroupIngressRule\n name: allow_tls_ipv6\n properties:\n 
securityGroupId: ${allowTls.id}\n cidrIpv6: ${main.ipv6CidrBlock}\n fromPort: 443\n ipProtocol: tcp\n toPort: 443\n allowAllTrafficIpv4:\n type: aws:vpc:SecurityGroupEgressRule\n name: allow_all_traffic_ipv4\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv4: 0.0.0.0/0\n ipProtocol: '-1'\n allowAllTrafficIpv6:\n type: aws:vpc:SecurityGroupEgressRule\n name: allow_all_traffic_ipv6\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv6: ::/0\n ipProtocol: '-1'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003e **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, **this provider will remove this default rule**, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this `egress` block:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {egress: [{\n fromPort: 0,\n toPort: 0,\n protocol: \"-1\",\n cidrBlocks: [\"0.0.0.0/0\"],\n ipv6CidrBlocks: [\"::/0\"],\n}]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\", egress=[{\n \"from_port\": 0,\n \"to_port\": 0,\n \"protocol\": \"-1\",\n \"cidr_blocks\": [\"0.0.0.0/0\"],\n \"ipv6_cidr_blocks\": [\"::/0\"],\n}])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Egress = new[]\n {\n new Aws.Ec2.Inputs.SecurityGroupEgressArgs\n {\n FromPort = 0,\n ToPort = 0,\n Protocol = \"-1\",\n CidrBlocks = new[]\n {\n \"0.0.0.0/0\",\n },\n Ipv6CidrBlocks = new[]\n {\n 
\"::/0\",\n },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tEgress: ec2.SecurityGroupEgressArray{\n\t\t\t\t\u0026ec2.SecurityGroupEgressArgs{\n\t\t\t\t\tFromPort: pulumi.Int(0),\n\t\t\t\t\tToPort: pulumi.Int(0),\n\t\t\t\t\tProtocol: pulumi.String(\"-1\"),\n\t\t\t\t\tCidrBlocks: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"0.0.0.0/0\"),\n\t\t\t\t\t},\n\t\t\t\t\tIpv6CidrBlocks: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"::/0\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .egress(SecurityGroupEgressArgs.builder()\n .fromPort(0)\n .toPort(0)\n .protocol(\"-1\")\n .cidrBlocks(\"0.0.0.0/0\")\n .ipv6CidrBlocks(\"::/0\")\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n egress:\n - fromPort: 0\n toPort: 0\n protocol: '-1'\n cidrBlocks:\n - 0.0.0.0/0\n ipv6CidrBlocks:\n - ::/0\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Usage With Prefix List IDs\n\nPrefix Lists are either managed by AWS internally, or created 
by the customer using a\nPrefix List resource. Prefix Lists provided by\nAWS are associated with a prefix list name, or service name, that is linked to a specific region.\nPrefix list IDs are exported on VPC Endpoints, so you can use this format:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst myEndpoint = new aws.ec2.VpcEndpoint(\"my_endpoint\", {});\nconst example = new aws.ec2.SecurityGroup(\"example\", {egress: [{\n fromPort: 0,\n toPort: 0,\n protocol: \"-1\",\n prefixListIds: [myEndpoint.prefixListId],\n}]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nmy_endpoint = aws.ec2.VpcEndpoint(\"my_endpoint\")\nexample = aws.ec2.SecurityGroup(\"example\", egress=[{\n \"from_port\": 0,\n \"to_port\": 0,\n \"protocol\": \"-1\",\n \"prefix_list_ids\": [my_endpoint.prefix_list_id],\n}])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var myEndpoint = new Aws.Ec2.VpcEndpoint(\"my_endpoint\");\n\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Egress = new[]\n {\n new Aws.Ec2.Inputs.SecurityGroupEgressArgs\n {\n FromPort = 0,\n ToPort = 0,\n Protocol = \"-1\",\n PrefixListIds = new[]\n {\n myEndpoint.PrefixListId,\n },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmyEndpoint, err := ec2.NewVpcEndpoint(ctx, \"my_endpoint\", nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tEgress: ec2.SecurityGroupEgressArray{\n\t\t\t\t\u0026ec2.SecurityGroupEgressArgs{\n\t\t\t\t\tFromPort: pulumi.Int(0),\n\t\t\t\t\tToPort: pulumi.Int(0),\n\t\t\t\t\tProtocol: 
pulumi.String(\"-1\"),\n\t\t\t\t\tPrefixListIds: pulumi.StringArray{\n\t\t\t\t\t\tmyEndpoint.PrefixListId,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.VpcEndpoint;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var myEndpoint = new VpcEndpoint(\"myEndpoint\");\n\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .egress(SecurityGroupEgressArgs.builder()\n .fromPort(0)\n .toPort(0)\n .protocol(\"-1\")\n .prefixListIds(myEndpoint.prefixListId())\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n egress:\n - fromPort: 0\n toPort: 0\n protocol: '-1'\n prefixListIds:\n - ${myEndpoint.prefixListId}\n myEndpoint:\n type: aws:ec2:VpcEndpoint\n name: my_endpoint\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nYou can also find a specific Prefix List using the `aws.ec2.getPrefixList` data source.\n\n### Removing All Ingress and Egress Rules\n\nThe `ingress` and `egress` arguments are processed in attributes-as-blocks mode. Due to this, removing these arguments from the configuration will **not** cause the provider to destroy the managed rules. 
To subsequently remove all managed ingress and egress rules:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {\n name: \"sg\",\n vpcId: exampleAwsVpc.id,\n ingress: [],\n egress: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\",\n name=\"sg\",\n vpc_id=example_aws_vpc[\"id\"],\n ingress=[],\n egress=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"sg\",\n VpcId = exampleAwsVpc.Id,\n Ingress = new[] {},\n Egress = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"sg\"),\n\t\t\tVpcId: pulumi.Any(exampleAwsVpc.Id),\n\t\t\tIngress: ec2.SecurityGroupIngressArray{},\n\t\t\tEgress: ec2.SecurityGroupEgressArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n 
.name(\"sg\")\n .vpcId(exampleAwsVpc.id())\n .ingress()\n .egress()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n name: sg\n vpcId: ${exampleAwsVpc.id}\n ingress: []\n egress: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Recreating a Security Group\n\nA simple security group `name` change \"forces new\" the security group--the provider destroys the security group and creates a new one. (Likewise, `description`, `name_prefix`, or `vpc_id` [cannot be changed](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#creating-security-group).) Attempting to recreate the security group leads to a variety of complications depending on how it is used.\n\nSecurity groups are generally associated with other resources--**more than 100** AWS Provider resources reference security groups. Referencing a resource from another resource creates a one-way dependency. For example, if you create an EC2 `aws.ec2.Instance` that has a `vpc_security_group_ids` argument that refers to an `aws.ec2.SecurityGroup` resource, the `aws.ec2.SecurityGroup` is a dependent of the `aws.ec2.Instance`. Because of this, the provider will create the security group first so that it can then be associated with the EC2 instance.\n\nHowever, the dependency relationship actually goes both directions causing the _Security Group Deletion Problem_. AWS does not allow you to delete the security group associated with another resource (_e.g._, the `aws.ec2.Instance`).\n\nThe provider does not model bi-directional dependencies like this, but, even if it did, simply knowing the dependency situation would not be enough to solve it. For example, some resources must always have an associated security group while others don't need to. 
In addition, when the `aws.ec2.SecurityGroup` resource attempts to recreate, it receives a dependent object error, which does not provide information on whether the dependent object is a security group rule or, for example, an associated EC2 instance. Within the provider, the associated resource (_e.g._, `aws.ec2.Instance`) does not receive an error when the `aws.ec2.SecurityGroup` is trying to recreate even though that is where changes to the associated resource would need to take place (_e.g._, removing the security group association).\n\nDespite these sticky problems, below are some ways to improve your experience when you find it necessary to recreate a security group.\n\n### Shorter timeout\n\n(This example is one approach to recreating security groups. For more information on the challenges and the _Security Group Deletion Problem_, see the section above.)\n\nIf destroying a security group takes a long time, it may be because the provider cannot distinguish between a dependent object (_e.g._, a security group rule or EC2 instance) that is _in the process of being deleted_ and one that is not. In other words, it may be waiting for a train that isn't scheduled to arrive. 
To fail faster, shorten the `delete` timeout from the default timeout:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {name: \"izizavle\"});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\", name=\"izizavle\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"izizavle\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"izizavle\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .name(\"izizavle\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n name: izizavle\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Provisioners\n\n(This example is one approach to recreating security groups. 
For more information on the challenges and the _Security Group Deletion Problem_, see the section above.)\n\n**DISCLAIMER:** We **_HIGHLY_** recommend using one of the above approaches and _NOT_ using local provisioners. Provisioners, like the one shown below, should be considered a **last resort** since they are _not readable_, _require skills outside standard configuration_, are _error prone_ and _difficult to maintain_, are not compatible with cloud environments and upgrade tools, require AWS CLI installation, and are subject to changes outside the AWS Provider.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as _null from \"@pulumi/null\";\nimport * as aws from \"@pulumi/aws\";\nimport * as command from \"@pulumi/command\";\nimport * as std from \"@pulumi/std\";\n\nconst default = aws.ec2.getSecurityGroup({\n name: \"default\",\n});\nconst example = new aws.ec2.SecurityGroup(\"example\", {\n name: \"sg\",\n tags: {\n workaround1: \"tagged-name\",\n workaround2: _default.then(_default =\u003e _default.id),\n },\n});\nconst exampleProvisioner0 = new command.local.Command(\"exampleProvisioner0\", {\n create: \"true\",\n update: \"true\",\n \"delete\": ` ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=${tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids ${tags.workaround2} --remove-security-group-ids ${id}\n`,\n}, {\n dependsOn: [example],\n});\nconst exampleResource = new _null.Resource(\"example\", {triggers: {\n rerun_upon_change_of: std.join({\n separator: \",\",\n input: exampleAwsVpcEndpoint.securityGroupIds,\n }).then(invoke =\u003e invoke.result),\n}});\nconst exampleResourceProvisioner0 = new command.local.Command(\"exampleResourceProvisioner0\", {create: ` aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${exampleAwsVpcEndpoint.id} 
--remove-security-group-ids ${_default.id}\n`}, {\n dependsOn: [exampleResource],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\nimport pulumi_command as command\nimport pulumi_null as null\nimport pulumi_std as std\n\ndefault = aws.ec2.get_security_group(name=\"default\")\nexample = aws.ec2.SecurityGroup(\"example\",\n name=\"sg\",\n tags={\n \"workaround1\": \"tagged-name\",\n \"workaround2\": default.id,\n })\nexample_provisioner0 = command.local.Command(\"exampleProvisioner0\",\n create=true,\n update=true,\n delete=f ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values={tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${{ENDPOINT_ID}} --add-security-group-ids {tags.workaround2} --remove-security-group-ids {id}\n,\n opts = pulumi.ResourceOptions(depends_on=[example]))\nexample_resource = null.Resource(\"example\", triggers={\n \"rerun_upon_change_of\": std.join(separator=\",\",\n input=example_aws_vpc_endpoint[\"securityGroupIds\"]).result,\n})\nexample_resource_provisioner0 = command.local.Command(\"exampleResourceProvisioner0\", create=f aws ec2 modify-vpc-endpoint --vpc-endpoint-id {example_aws_vpc_endpoint.id} --remove-security-group-ids {default.id}\n,\nopts = pulumi.ResourceOptions(depends_on=[example_resource]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\nusing Command = Pulumi.Command;\nusing Null = Pulumi.Null;\nusing Std = Pulumi.Std;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var @default = Aws.Ec2.GetSecurityGroup.Invoke(new()\n {\n Name = \"default\",\n });\n\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"sg\",\n Tags = \n {\n { \"workaround1\", \"tagged-name\" },\n { \"workaround2\", @default.Apply(@default =\u003e @default.Apply(getSecurityGroupResult =\u003e getSecurityGroupResult.Id)) },\n },\n });\n\n var 
exampleProvisioner0 = new Command.Local.Command(\"exampleProvisioner0\", new()\n {\n Create = \"true\",\n Update = \"true\",\n Delete = @$\" ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"\"Name=tag:Name,Values={tags.Workaround1}\"\" --query \"\"VpcEndpoints[0].VpcEndpointId\"\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${{ENDPOINT_ID}} --add-security-group-ids {tags.Workaround2} --remove-security-group-ids {id}\n\",\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n example,\n },\n });\n\n var exampleResource = new Null.Resource(\"example\", new()\n {\n Triggers = \n {\n { \"rerun_upon_change_of\", Std.Join.Invoke(new()\n {\n Separator = \",\",\n Input = exampleAwsVpcEndpoint.SecurityGroupIds,\n }).Apply(invoke =\u003e invoke.Result) },\n },\n });\n\n var exampleResourceProvisioner0 = new Command.Local.Command(\"exampleResourceProvisioner0\", new()\n {\n Create = @$\" aws ec2 modify-vpc-endpoint --vpc-endpoint-id {exampleAwsVpcEndpoint.Id} --remove-security-group-ids {@default.Apply(getSecurityGroupResult =\u003e getSecurityGroupResult.Id)}\n\",\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n exampleResource,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi-command/sdk/go/command/local\"\n\t\"github.com/pulumi/pulumi-null/sdk/go/null\"\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := ec2.LookupSecurityGroup(ctx, \u0026ec2.LookupSecurityGroupArgs{\n\t\t\tName: pulumi.StringRef(\"default\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"sg\"),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"workaround1\": 
pulumi.String(\"tagged-name\"),\n\t\t\t\t\"workaround2\": pulumi.String(_default.Id),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = local.NewCommand(ctx, \"exampleProvisioner0\", \u0026local.CommandArgs{\n\t\t\tCreate: \"true\",\n\t\t\tUpdate: \"true\",\n\t\t\tDelete: fmt.Sprintf(\" ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \\\"Name=tag:Name,Values=%v\\\" --query \\\"VpcEndpoints[0].VpcEndpointId\\\" --output text` \u0026\u0026\\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids %v --remove-security-group-ids %v\\n\", tags.Workaround1, tags.Workaround2, id),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\texample,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeJoin, err := std.Join(ctx, \u0026std.JoinArgs{\n\t\t\tSeparator: \",\",\n\t\t\tInput: exampleAwsVpcEndpoint.SecurityGroupIds,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleResource, err := null.NewResource(ctx, \"example\", \u0026null.ResourceArgs{\n\t\t\tTriggers: pulumi.StringMap{\n\t\t\t\t\"rerun_upon_change_of\": pulumi.String(invokeJoin.Result),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = local.NewCommand(ctx, \"exampleResourceProvisioner0\", \u0026local.CommandArgs{\n\t\t\tCreate: fmt.Sprintf(\" aws ec2 modify-vpc-endpoint --vpc-endpoint-id %v --remove-security-group-ids %v\\n\", exampleAwsVpcEndpoint.Id, _default.Id),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\texampleResource,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.Ec2Functions;\nimport com.pulumi.aws.ec2.inputs.GetSecurityGroupArgs;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.command.local.Command;\nimport 
com.pulumi.command.local.CommandArgs;\nimport com.pulumi.null.Resource;\nimport com.pulumi.null.ResourceArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var default = Ec2Functions.getSecurityGroup(GetSecurityGroupArgs.builder()\n .name(\"default\")\n .build());\n\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .name(\"sg\")\n .tags(Map.ofEntries(\n Map.entry(\"workaround1\", \"tagged-name\"),\n Map.entry(\"workaround2\", default_.id())\n ))\n .build());\n\n var exampleProvisioner0 = new Command(\"exampleProvisioner0\", CommandArgs.builder()\n .create(\"true\")\n .update(\"true\")\n .delete(\"\"\"\n ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=%s\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids %s --remove-security-group-ids %s\n\", tags.workaround1(),tags.workaround2(),id))\n .build(), CustomResourceOptions.builder()\n .dependsOn(example)\n .build());\n\n var exampleResource = new Resource(\"exampleResource\", ResourceArgs.builder()\n .triggers(Map.of(\"rerun_upon_change_of\", StdFunctions.join(JoinArgs.builder()\n .separator(\",\")\n .input(exampleAwsVpcEndpoint.securityGroupIds())\n .build()).result()))\n .build());\n\n var exampleResourceProvisioner0 = new Command(\"exampleResourceProvisioner0\", CommandArgs.builder()\n .create(\"\"\"\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id %s --remove-security-group-ids %s\n\", exampleAwsVpcEndpoint.id(),default_.id()))\n .build(), CustomResourceOptions.builder()\n .dependsOn(exampleResource)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n 
example:\n type: aws:ec2:SecurityGroup\n properties:\n name: sg\n tags:\n workaround1: tagged-name\n workaround2: ${default.id}\n exampleProvisioner0:\n type: command:local:Command\n properties:\n create: 'true'\n update: 'true'\n delete: |2\n ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=${tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids ${tags.workaround2} --remove-security-group-ids ${id}\n options:\n dependson:\n - ${example}\n exampleResource:\n type: null:Resource\n name: example\n properties:\n triggers:\n rerun_upon_change_of:\n fn::invoke:\n Function: std:join\n Arguments:\n separator: ','\n input: ${exampleAwsVpcEndpoint.securityGroupIds}\n Return: result\n exampleResourceProvisioner0:\n type: command:local:Command\n properties:\n create: |2\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${exampleAwsVpcEndpoint.id} --remove-security-group-ids ${default.id}\n options:\n dependson:\n - ${exampleResource}\nvariables:\n default:\n fn::invoke:\n Function: aws:ec2:getSecurityGroup\n Arguments:\n name: default\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsing `pulumi import`, import Security Groups using the security group `id`. For example:\n\n```sh\n$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8\n```\n", + "description": "Provides a security group resource.\n\n\u003e **NOTE:** Avoid using the `ingress` and `egress` arguments of the `aws.ec2.SecurityGroup` resource to configure in-line rules, as they struggle with managing multiple CIDR blocks, and, due to the historical lack of unique IDs, tags and descriptions. 
To avoid these problems, use the current best practice of the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources with one CIDR block per rule.\n\n!\u003e **WARNING:** You should not use the `aws.ec2.SecurityGroup` resource with _in-line rules_ (using the `ingress` and `egress` arguments of `aws.ec2.SecurityGroup`) in conjunction with the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources or the `aws.ec2.SecurityGroupRule` resource. Doing so may cause rule conflicts, perpetual differences, and result in rules being overwritten.\n\n\u003e **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html).\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified.\n\n\u003e **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. 
If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst allowTls = new aws.ec2.SecurityGroup(\"allow_tls\", {\n name: \"allow_tls\",\n description: \"Allow TLS inbound traffic and all outbound traffic\",\n vpcId: main.id,\n tags: {\n Name: \"allow_tls\",\n },\n});\nconst allowTlsIpv4 = new aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\", {\n securityGroupId: allowTls.id,\n cidrIpv4: main.cidrBlock,\n fromPort: 443,\n ipProtocol: \"tcp\",\n toPort: 443,\n});\nconst allowTlsIpv6 = new aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\", {\n securityGroupId: allowTls.id,\n cidrIpv6: main.ipv6CidrBlock,\n fromPort: 443,\n ipProtocol: \"tcp\",\n toPort: 443,\n});\nconst allowAllTrafficIpv4 = new aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\", {\n securityGroupId: allowTls.id,\n cidrIpv4: \"0.0.0.0/0\",\n ipProtocol: \"-1\",\n});\nconst allowAllTrafficIpv6 = new aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\", {\n securityGroupId: allowTls.id,\n cidrIpv6: \"::/0\",\n ipProtocol: \"-1\",\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nallow_tls = aws.ec2.SecurityGroup(\"allow_tls\",\n name=\"allow_tls\",\n description=\"Allow TLS inbound traffic and all outbound traffic\",\n vpc_id=main[\"id\"],\n tags={\n \"Name\": \"allow_tls\",\n })\nallow_tls_ipv4 = aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\",\n security_group_id=allow_tls.id,\n cidr_ipv4=main[\"cidrBlock\"],\n from_port=443,\n ip_protocol=\"tcp\",\n to_port=443)\nallow_tls_ipv6 = aws.vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\",\n security_group_id=allow_tls.id,\n cidr_ipv6=main[\"ipv6CidrBlock\"],\n from_port=443,\n ip_protocol=\"tcp\",\n to_port=443)\nallow_all_traffic_ipv4 = 
aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\",\n security_group_id=allow_tls.id,\n cidr_ipv4=\"0.0.0.0/0\",\n ip_protocol=\"-1\")\nallow_all_traffic_ipv6 = aws.vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\",\n security_group_id=allow_tls.id,\n cidr_ipv6=\"::/0\",\n ip_protocol=\"-1\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var allowTls = new Aws.Ec2.SecurityGroup(\"allow_tls\", new()\n {\n Name = \"allow_tls\",\n Description = \"Allow TLS inbound traffic and all outbound traffic\",\n VpcId = main.Id,\n Tags = \n {\n { \"Name\", \"allow_tls\" },\n },\n });\n\n var allowTlsIpv4 = new Aws.Vpc.SecurityGroupIngressRule(\"allow_tls_ipv4\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv4 = main.CidrBlock,\n FromPort = 443,\n IpProtocol = \"tcp\",\n ToPort = 443,\n });\n\n var allowTlsIpv6 = new Aws.Vpc.SecurityGroupIngressRule(\"allow_tls_ipv6\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv6 = main.Ipv6CidrBlock,\n FromPort = 443,\n IpProtocol = \"tcp\",\n ToPort = 443,\n });\n\n var allowAllTrafficIpv4 = new Aws.Vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv4\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv4 = \"0.0.0.0/0\",\n IpProtocol = \"-1\",\n });\n\n var allowAllTrafficIpv6 = new Aws.Vpc.SecurityGroupEgressRule(\"allow_all_traffic_ipv6\", new()\n {\n SecurityGroupId = allowTls.Id,\n CidrIpv6 = \"::/0\",\n IpProtocol = \"-1\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/vpc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tallowTls, err := ec2.NewSecurityGroup(ctx, \"allow_tls\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"allow_tls\"),\n\t\t\tDescription: pulumi.String(\"Allow TLS inbound traffic and 
all outbound traffic\"),\n\t\t\tVpcId: pulumi.Any(main.Id),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"allow_tls\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupIngressRule(ctx, \"allow_tls_ipv4\", \u0026vpc.SecurityGroupIngressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv4: pulumi.Any(main.CidrBlock),\n\t\t\tFromPort: pulumi.Int(443),\n\t\t\tIpProtocol: pulumi.String(\"tcp\"),\n\t\t\tToPort: pulumi.Int(443),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupIngressRule(ctx, \"allow_tls_ipv6\", \u0026vpc.SecurityGroupIngressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv6: pulumi.Any(main.Ipv6CidrBlock),\n\t\t\tFromPort: pulumi.Int(443),\n\t\t\tIpProtocol: pulumi.String(\"tcp\"),\n\t\t\tToPort: pulumi.Int(443),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupEgressRule(ctx, \"allow_all_traffic_ipv4\", \u0026vpc.SecurityGroupEgressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv4: pulumi.String(\"0.0.0.0/0\"),\n\t\t\tIpProtocol: pulumi.String(\"-1\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vpc.NewSecurityGroupEgressRule(ctx, \"allow_all_traffic_ipv6\", \u0026vpc.SecurityGroupEgressRuleArgs{\n\t\t\tSecurityGroupId: allowTls.ID(),\n\t\t\tCidrIpv6: pulumi.String(\"::/0\"),\n\t\t\tIpProtocol: pulumi.String(\"-1\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.vpc.SecurityGroupIngressRule;\nimport com.pulumi.aws.vpc.SecurityGroupIngressRuleArgs;\nimport com.pulumi.aws.vpc.SecurityGroupEgressRule;\nimport com.pulumi.aws.vpc.SecurityGroupEgressRuleArgs;\nimport 
java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var allowTls = new SecurityGroup(\"allowTls\", SecurityGroupArgs.builder()\n .name(\"allow_tls\")\n .description(\"Allow TLS inbound traffic and all outbound traffic\")\n .vpcId(main.id())\n .tags(Map.of(\"Name\", \"allow_tls\"))\n .build());\n\n var allowTlsIpv4 = new SecurityGroupIngressRule(\"allowTlsIpv4\", SecurityGroupIngressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv4(main.cidrBlock())\n .fromPort(443)\n .ipProtocol(\"tcp\")\n .toPort(443)\n .build());\n\n var allowTlsIpv6 = new SecurityGroupIngressRule(\"allowTlsIpv6\", SecurityGroupIngressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv6(main.ipv6CidrBlock())\n .fromPort(443)\n .ipProtocol(\"tcp\")\n .toPort(443)\n .build());\n\n var allowAllTrafficIpv4 = new SecurityGroupEgressRule(\"allowAllTrafficIpv4\", SecurityGroupEgressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv4(\"0.0.0.0/0\")\n .ipProtocol(\"-1\")\n .build());\n\n var allowAllTrafficIpv6 = new SecurityGroupEgressRule(\"allowAllTrafficIpv6\", SecurityGroupEgressRuleArgs.builder()\n .securityGroupId(allowTls.id())\n .cidrIpv6(\"::/0\")\n .ipProtocol(\"-1\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n allowTls:\n type: aws:ec2:SecurityGroup\n name: allow_tls\n properties:\n name: allow_tls\n description: Allow TLS inbound traffic and all outbound traffic\n vpcId: ${main.id}\n tags:\n Name: allow_tls\n allowTlsIpv4:\n type: aws:vpc:SecurityGroupIngressRule\n name: allow_tls_ipv4\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv4: ${main.cidrBlock}\n fromPort: 443\n ipProtocol: tcp\n toPort: 443\n allowTlsIpv6:\n type: aws:vpc:SecurityGroupIngressRule\n name: allow_tls_ipv6\n properties:\n 
securityGroupId: ${allowTls.id}\n cidrIpv6: ${main.ipv6CidrBlock}\n fromPort: 443\n ipProtocol: tcp\n toPort: 443\n allowAllTrafficIpv4:\n type: aws:vpc:SecurityGroupEgressRule\n name: allow_all_traffic_ipv4\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv4: 0.0.0.0/0\n ipProtocol: '-1'\n allowAllTrafficIpv6:\n type: aws:vpc:SecurityGroupEgressRule\n name: allow_all_traffic_ipv6\n properties:\n securityGroupId: ${allowTls.id}\n cidrIpv6: ::/0\n ipProtocol: '-1'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003e **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, **this provider will remove this default rule**, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this `egress` block:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {egress: [{\n fromPort: 0,\n toPort: 0,\n protocol: \"-1\",\n cidrBlocks: [\"0.0.0.0/0\"],\n ipv6CidrBlocks: [\"::/0\"],\n}]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\", egress=[{\n \"from_port\": 0,\n \"to_port\": 0,\n \"protocol\": \"-1\",\n \"cidr_blocks\": [\"0.0.0.0/0\"],\n \"ipv6_cidr_blocks\": [\"::/0\"],\n}])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Egress = new[]\n {\n new Aws.Ec2.Inputs.SecurityGroupEgressArgs\n {\n FromPort = 0,\n ToPort = 0,\n Protocol = \"-1\",\n CidrBlocks = new[]\n {\n \"0.0.0.0/0\",\n },\n Ipv6CidrBlocks = new[]\n {\n 
\"::/0\",\n },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tEgress: ec2.SecurityGroupEgressArray{\n\t\t\t\t\u0026ec2.SecurityGroupEgressArgs{\n\t\t\t\t\tFromPort: pulumi.Int(0),\n\t\t\t\t\tToPort: pulumi.Int(0),\n\t\t\t\t\tProtocol: pulumi.String(\"-1\"),\n\t\t\t\t\tCidrBlocks: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"0.0.0.0/0\"),\n\t\t\t\t\t},\n\t\t\t\t\tIpv6CidrBlocks: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"::/0\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .egress(SecurityGroupEgressArgs.builder()\n .fromPort(0)\n .toPort(0)\n .protocol(\"-1\")\n .cidrBlocks(\"0.0.0.0/0\")\n .ipv6CidrBlocks(\"::/0\")\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n egress:\n - fromPort: 0\n toPort: 0\n protocol: '-1'\n cidrBlocks:\n - 0.0.0.0/0\n ipv6CidrBlocks:\n - ::/0\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Usage With Prefix List IDs\n\nPrefix Lists are either managed by AWS internally, or created 
by the customer using a\nPrefix List resource. Prefix Lists provided by\nAWS are associated with a prefix list name, or service name, that is linked to a specific region.\nPrefix list IDs are exported on VPC Endpoints, so you can use this format:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst myEndpoint = new aws.ec2.VpcEndpoint(\"my_endpoint\", {});\nconst example = new aws.ec2.SecurityGroup(\"example\", {egress: [{\n fromPort: 0,\n toPort: 0,\n protocol: \"-1\",\n prefixListIds: [myEndpoint.prefixListId],\n}]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nmy_endpoint = aws.ec2.VpcEndpoint(\"my_endpoint\")\nexample = aws.ec2.SecurityGroup(\"example\", egress=[{\n \"from_port\": 0,\n \"to_port\": 0,\n \"protocol\": \"-1\",\n \"prefix_list_ids\": [my_endpoint.prefix_list_id],\n}])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var myEndpoint = new Aws.Ec2.VpcEndpoint(\"my_endpoint\");\n\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Egress = new[]\n {\n new Aws.Ec2.Inputs.SecurityGroupEgressArgs\n {\n FromPort = 0,\n ToPort = 0,\n Protocol = \"-1\",\n PrefixListIds = new[]\n {\n myEndpoint.PrefixListId,\n },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmyEndpoint, err := ec2.NewVpcEndpoint(ctx, \"my_endpoint\", nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tEgress: ec2.SecurityGroupEgressArray{\n\t\t\t\t\u0026ec2.SecurityGroupEgressArgs{\n\t\t\t\t\tFromPort: pulumi.Int(0),\n\t\t\t\t\tToPort: pulumi.Int(0),\n\t\t\t\t\tProtocol: 
pulumi.String(\"-1\"),\n\t\t\t\t\tPrefixListIds: pulumi.StringArray{\n\t\t\t\t\t\tmyEndpoint.PrefixListId,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.VpcEndpoint;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var myEndpoint = new VpcEndpoint(\"myEndpoint\");\n\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .egress(SecurityGroupEgressArgs.builder()\n .fromPort(0)\n .toPort(0)\n .protocol(\"-1\")\n .prefixListIds(myEndpoint.prefixListId())\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n egress:\n - fromPort: 0\n toPort: 0\n protocol: '-1'\n prefixListIds:\n - ${myEndpoint.prefixListId}\n myEndpoint:\n type: aws:ec2:VpcEndpoint\n name: my_endpoint\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nYou can also find a specific Prefix List using the `aws.ec2.getPrefixList` data source.\n\n### Removing All Ingress and Egress Rules\n\nThe `ingress` and `egress` arguments are processed in attributes-as-blocks mode. Due to this, removing these arguments from the configuration will **not** cause the provider to destroy the managed rules. 
To subsequently remove all managed ingress and egress rules:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {\n name: \"sg\",\n vpcId: exampleAwsVpc.id,\n ingress: [],\n egress: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\",\n name=\"sg\",\n vpc_id=example_aws_vpc[\"id\"],\n ingress=[],\n egress=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"sg\",\n VpcId = exampleAwsVpc.Id,\n Ingress = new[] {},\n Egress = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"sg\"),\n\t\t\tVpcId: pulumi.Any(exampleAwsVpc.Id),\n\t\t\tIngress: ec2.SecurityGroupIngressArray{},\n\t\t\tEgress: ec2.SecurityGroupEgressArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n 
.name(\"sg\")\n .vpcId(exampleAwsVpc.id())\n .ingress()\n .egress()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n name: sg\n vpcId: ${exampleAwsVpc.id}\n ingress: []\n egress: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Recreating a Security Group\n\nA simple security group `name` change \"forces new\" the security group--the provider destroys the security group and creates a new one. (Likewise, `description`, `name_prefix`, or `vpc_id` [cannot be changed](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#creating-security-group).) Attempting to recreate the security group leads to a variety of complications depending on how it is used.\n\nSecurity groups are generally associated with other resources--**more than 100** AWS Provider resources reference security groups. Referencing a resource from another resource creates a one-way dependency. For example, if you create an EC2 `aws.ec2.Instance` that has a `vpc_security_group_ids` argument that refers to an `aws.ec2.SecurityGroup` resource, the `aws.ec2.SecurityGroup` is a dependent of the `aws.ec2.Instance`. Because of this, the provider will create the security group first so that it can then be associated with the EC2 instance.\n\nHowever, the dependency relationship actually goes both directions causing the _Security Group Deletion Problem_. AWS does not allow you to delete the security group associated with another resource (_e.g._, the `aws.ec2.Instance`).\n\nThe provider does not model bi-directional dependencies like this, but, even if it did, simply knowing the dependency situation would not be enough to solve it. For example, some resources must always have an associated security group while others don't need to. 
In addition, when the `aws.ec2.SecurityGroup` resource attempts to recreate, it receives a dependent object error, which does not provide information on whether the dependent object is a security group rule or, for example, an associated EC2 instance. Within the provider, the associated resource (_e.g._, `aws.ec2.Instance`) does not receive an error when the `aws.ec2.SecurityGroup` is trying to recreate even though that is where changes to the associated resource would need to take place (_e.g._, removing the security group association).\n\nDespite these sticky problems, below are some ways to improve your experience when you find it necessary to recreate a security group.\n\n### Shorter timeout\n\n(This example is one approach to recreating security groups. For more information on the challenges and the _Security Group Deletion Problem_, see the section above.)\n\nIf destroying a security group takes a long time, it may be because the provider cannot distinguish between a dependent object (_e.g._, a security group rule or EC2 instance) that is _in the process of being deleted_ and one that is not. In other words, it may be waiting for a train that isn't scheduled to arrive. 
To fail faster, shorten the `delete` timeout from the default timeout:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.ec2.SecurityGroup(\"example\", {name: \"izizavle\"});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.ec2.SecurityGroup(\"example\", name=\"izizavle\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"izizavle\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"izizavle\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .name(\"izizavle\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:ec2:SecurityGroup\n properties:\n name: izizavle\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Provisioners\n\n(This example is one approach to recreating security groups. 
For more information on the challenges and the _Security Group Deletion Problem_, see the section above.)\n\n**DISCLAIMER:** We **_HIGHLY_** recommend using one of the above approaches and _NOT_ using local provisioners. Provisioners, like the one shown below, should be considered a **last resort** since they are _not readable_, _require skills outside standard configuration_, are _error prone_ and _difficult to maintain_, are not compatible with cloud environments and upgrade tools, require AWS CLI installation, and are subject to changes outside the AWS Provider.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as _null from \"@pulumi/null\";\nimport * as aws from \"@pulumi/aws\";\nimport * as command from \"@pulumi/command\";\nimport * as std from \"@pulumi/std\";\n\nconst default = aws.ec2.getSecurityGroup({\n name: \"default\",\n});\nconst example = new aws.ec2.SecurityGroup(\"example\", {\n name: \"sg\",\n tags: {\n workaround1: \"tagged-name\",\n workaround2: _default.then(_default =\u003e _default.id),\n },\n});\nconst exampleProvisioner0 = new command.local.Command(\"exampleProvisioner0\", {\n create: \"true\",\n update: \"true\",\n \"delete\": ` ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=${tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids ${tags.workaround2} --remove-security-group-ids ${id}\n`,\n}, {\n dependsOn: [example],\n});\nconst exampleResource = new _null.Resource(\"example\", {triggers: {\n rerun_upon_change_of: std.join({\n separator: \",\",\n input: exampleAwsVpcEndpoint.securityGroupIds,\n }).then(invoke =\u003e invoke.result),\n}});\nconst exampleResourceProvisioner0 = new command.local.Command(\"exampleResourceProvisioner0\", {create: ` aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${exampleAwsVpcEndpoint.id} 
--remove-security-group-ids ${_default.id}\n`}, {\n dependsOn: [exampleResource],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\nimport pulumi_command as command\nimport pulumi_null as null\nimport pulumi_std as std\n\ndefault = aws.ec2.get_security_group(name=\"default\")\nexample = aws.ec2.SecurityGroup(\"example\",\n name=\"sg\",\n tags={\n \"workaround1\": \"tagged-name\",\n \"workaround2\": default.id,\n })\nexample_provisioner0 = command.local.Command(\"exampleProvisioner0\",\n create=true,\n update=true,\n delete=f ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values={tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${{ENDPOINT_ID}} --add-security-group-ids {tags.workaround2} --remove-security-group-ids {id}\n,\n opts = pulumi.ResourceOptions(depends_on=[example]))\nexample_resource = null.Resource(\"example\", triggers={\n \"rerun_upon_change_of\": std.join(separator=\",\",\n input=example_aws_vpc_endpoint[\"securityGroupIds\"]).result,\n})\nexample_resource_provisioner0 = command.local.Command(\"exampleResourceProvisioner0\", create=f aws ec2 modify-vpc-endpoint --vpc-endpoint-id {example_aws_vpc_endpoint.id} --remove-security-group-ids {default.id}\n,\nopts = pulumi.ResourceOptions(depends_on=[example_resource]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\nusing Command = Pulumi.Command;\nusing Null = Pulumi.Null;\nusing Std = Pulumi.Std;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var @default = Aws.Ec2.GetSecurityGroup.Invoke(new()\n {\n Name = \"default\",\n });\n\n var example = new Aws.Ec2.SecurityGroup(\"example\", new()\n {\n Name = \"sg\",\n Tags = \n {\n { \"workaround1\", \"tagged-name\" },\n { \"workaround2\", @default.Apply(@default =\u003e @default.Apply(getSecurityGroupResult =\u003e getSecurityGroupResult.Id)) },\n },\n });\n\n var 
exampleProvisioner0 = new Command.Local.Command(\"exampleProvisioner0\", new()\n {\n Create = \"true\",\n Update = \"true\",\n Delete = @$\" ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"\"Name=tag:Name,Values={tags.Workaround1}\"\" --query \"\"VpcEndpoints[0].VpcEndpointId\"\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${{ENDPOINT_ID}} --add-security-group-ids {tags.Workaround2} --remove-security-group-ids {id}\n\",\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n example,\n },\n });\n\n var exampleResource = new Null.Resource(\"example\", new()\n {\n Triggers = \n {\n { \"rerun_upon_change_of\", Std.Join.Invoke(new()\n {\n Separator = \",\",\n Input = exampleAwsVpcEndpoint.SecurityGroupIds,\n }).Apply(invoke =\u003e invoke.Result) },\n },\n });\n\n var exampleResourceProvisioner0 = new Command.Local.Command(\"exampleResourceProvisioner0\", new()\n {\n Create = @$\" aws ec2 modify-vpc-endpoint --vpc-endpoint-id {exampleAwsVpcEndpoint.Id} --remove-security-group-ids {@default.Apply(getSecurityGroupResult =\u003e getSecurityGroupResult.Id)}\n\",\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n exampleResource,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi-command/sdk/go/command/local\"\n\t\"github.com/pulumi/pulumi-null/sdk/go/null\"\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := ec2.LookupSecurityGroup(ctx, \u0026ec2.LookupSecurityGroupArgs{\n\t\t\tName: pulumi.StringRef(\"default\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := ec2.NewSecurityGroup(ctx, \"example\", \u0026ec2.SecurityGroupArgs{\n\t\t\tName: pulumi.String(\"sg\"),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"workaround1\": 
pulumi.String(\"tagged-name\"),\n\t\t\t\t\"workaround2\": pulumi.String(_default.Id),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = local.NewCommand(ctx, \"exampleProvisioner0\", \u0026local.CommandArgs{\n\t\t\tCreate: \"true\",\n\t\t\tUpdate: \"true\",\n\t\t\tDelete: fmt.Sprintf(\" ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \\\"Name=tag:Name,Values=%v\\\" --query \\\"VpcEndpoints[0].VpcEndpointId\\\" --output text` \u0026\u0026\\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids %v --remove-security-group-ids %v\\n\", tags.Workaround1, tags.Workaround2, id),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\texample,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeJoin, err := std.Join(ctx, \u0026std.JoinArgs{\n\t\t\tSeparator: \",\",\n\t\t\tInput: exampleAwsVpcEndpoint.SecurityGroupIds,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleResource, err := null.NewResource(ctx, \"example\", \u0026null.ResourceArgs{\n\t\t\tTriggers: pulumi.StringMap{\n\t\t\t\t\"rerun_upon_change_of\": pulumi.String(invokeJoin.Result),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = local.NewCommand(ctx, \"exampleResourceProvisioner0\", \u0026local.CommandArgs{\n\t\t\tCreate: fmt.Sprintf(\" aws ec2 modify-vpc-endpoint --vpc-endpoint-id %v --remove-security-group-ids %v\\n\", exampleAwsVpcEndpoint.Id, _default.Id),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\texampleResource,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.Ec2Functions;\nimport com.pulumi.aws.ec2.inputs.GetSecurityGroupArgs;\nimport com.pulumi.aws.ec2.SecurityGroup;\nimport com.pulumi.aws.ec2.SecurityGroupArgs;\nimport com.pulumi.command.local.Command;\nimport 
com.pulumi.command.local.CommandArgs;\nimport com.pulumi.null.Resource;\nimport com.pulumi.null.ResourceArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var default = Ec2Functions.getSecurityGroup(GetSecurityGroupArgs.builder()\n .name(\"default\")\n .build());\n\n var example = new SecurityGroup(\"example\", SecurityGroupArgs.builder()\n .name(\"sg\")\n .tags(Map.ofEntries(\n Map.entry(\"workaround1\", \"tagged-name\"),\n Map.entry(\"workaround2\", default_.id())\n ))\n .build());\n\n var exampleProvisioner0 = new Command(\"exampleProvisioner0\", CommandArgs.builder()\n .create(\"true\")\n .update(\"true\")\n .delete(\"\"\"\n ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=%s\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids %s --remove-security-group-ids %s\n\", tags.workaround1(),tags.workaround2(),id))\n .build(), CustomResourceOptions.builder()\n .dependsOn(example)\n .build());\n\n var exampleResource = new Resource(\"exampleResource\", ResourceArgs.builder()\n .triggers(Map.of(\"rerun_upon_change_of\", StdFunctions.join(JoinArgs.builder()\n .separator(\",\")\n .input(exampleAwsVpcEndpoint.securityGroupIds())\n .build()).result()))\n .build());\n\n var exampleResourceProvisioner0 = new Command(\"exampleResourceProvisioner0\", CommandArgs.builder()\n .create(\"\"\"\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id %s --remove-security-group-ids %s\n\", exampleAwsVpcEndpoint.id(),default_.id()))\n .build(), CustomResourceOptions.builder()\n .dependsOn(exampleResource)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n 
example:\n type: aws:ec2:SecurityGroup\n properties:\n name: sg\n tags:\n workaround1: tagged-name\n workaround2: ${default.id}\n exampleProvisioner0:\n type: command:local:Command\n properties:\n create: 'true'\n update: 'true'\n delete: |2\n ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=${tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` \u0026\u0026\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids ${tags.workaround2} --remove-security-group-ids ${id}\n options:\n dependson:\n - ${example}\n exampleResource:\n type: null:Resource\n name: example\n properties:\n triggers:\n rerun_upon_change_of:\n fn::invoke:\n Function: std:join\n Arguments:\n separator: ','\n input: ${exampleAwsVpcEndpoint.securityGroupIds}\n Return: result\n exampleResourceProvisioner0:\n type: command:local:Command\n properties:\n create: |2\n aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${exampleAwsVpcEndpoint.id} --remove-security-group-ids ${default.id}\n options:\n dependson:\n - ${exampleResource}\nvariables:\n default:\n fn::invoke:\n Function: aws:ec2:getSecurityGroup\n Arguments:\n name: default\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsing `pulumi import`, import Security Groups using the security group `id`. For example:\n\n```sh\n$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8\n```\n", "properties": { "arn": { "type": "string", 
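Review bot: the last-resort provisioner example carried in this `aws:ec2/securityGroup:SecurityGroup` description is not valid as written, and since the description line is being rewritten it is worth fixing or tracking. The TypeScript block declares `const default = aws.ec2.getSecurityGroup(...)` (a reserved word) and then reads `_default`; the Java block does the same with `final var default` and `default_.id()`; the Python block passes `create=true` and an unquoted `delete=f ENDPOINT_ID=...`. In all six languages the delete command interpolates `tags.workaround1`, `tags.workaround2` and `id`, none of which the example defines, and `exampleAwsVpcEndpoint` is never declared. If these blocks are generated from upstream, please open a follow-up there rather than hand-editing schema.json, so the next regeneration does not undo the fix.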
@@ -237025,7 +237025,7 @@ } }, "aws:ec2/subnet:Subnet": { - "description": "Provides an VPC subnet resource.\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst main = new aws.ec2.Subnet(\"main\", {\n vpcId: mainAwsVpc.id,\n cidrBlock: \"10.0.1.0/24\",\n tags: {\n Name: \"Main\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nmain = aws.ec2.Subnet(\"main\",\n vpc_id=main_aws_vpc[\"id\"],\n cidr_block=\"10.0.1.0/24\",\n tags={\n \"Name\": \"Main\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var main = new Aws.Ec2.Subnet(\"main\", new()\n {\n VpcId = mainAwsVpc.Id,\n CidrBlock = \"10.0.1.0/24\",\n Tags = \n {\n { \"Name\", \"Main\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSubnet(ctx, \"main\", \u0026ec2.SubnetArgs{\n\t\t\tVpcId: pulumi.Any(mainAwsVpc.Id),\n\t\t\tCidrBlock: pulumi.String(\"10.0.1.0/24\"),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"Main\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.Subnet;\nimport com.pulumi.aws.ec2.SubnetArgs;\nimport 
java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var main = new Subnet(\"main\", SubnetArgs.builder()\n .vpcId(mainAwsVpc.id())\n .cidrBlock(\"10.0.1.0/24\")\n .tags(Map.of(\"Name\", \"Main\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n main:\n type: aws:ec2:Subnet\n properties:\n vpcId: ${mainAwsVpc.id}\n cidrBlock: 10.0.1.0/24\n tags:\n Name: Main\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Subnets In Secondary VPC CIDR Blocks\n\nWhen managing subnets in one of a VPC's secondary CIDR blocks created using a `aws.ec2.VpcIpv4CidrBlockAssociation`\nresource, it is recommended to reference that resource's `vpc_id` attribute to ensure correct dependency ordering.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst secondaryCidr = new aws.ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\", {\n vpcId: main.id,\n cidrBlock: \"172.20.0.0/16\",\n});\nconst inSecondaryCidr = new aws.ec2.Subnet(\"in_secondary_cidr\", {\n vpcId: secondaryCidr.vpcId,\n cidrBlock: \"172.20.0.0/24\",\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nsecondary_cidr = aws.ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\",\n vpc_id=main[\"id\"],\n cidr_block=\"172.20.0.0/16\")\nin_secondary_cidr = aws.ec2.Subnet(\"in_secondary_cidr\",\n vpc_id=secondary_cidr.vpc_id,\n cidr_block=\"172.20.0.0/24\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var secondaryCidr = new Aws.Ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\", new()\n {\n VpcId = main.Id,\n CidrBlock = \"172.20.0.0/16\",\n });\n\n var inSecondaryCidr = new 
Aws.Ec2.Subnet(\"in_secondary_cidr\", new()\n {\n VpcId = secondaryCidr.VpcId,\n CidrBlock = \"172.20.0.0/24\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tsecondaryCidr, err := ec2.NewVpcIpv4CidrBlockAssociation(ctx, \"secondary_cidr\", \u0026ec2.VpcIpv4CidrBlockAssociationArgs{\n\t\t\tVpcId: pulumi.Any(main.Id),\n\t\t\tCidrBlock: pulumi.String(\"172.20.0.0/16\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ec2.NewSubnet(ctx, \"in_secondary_cidr\", \u0026ec2.SubnetArgs{\n\t\t\tVpcId: secondaryCidr.VpcId,\n\t\t\tCidrBlock: pulumi.String(\"172.20.0.0/24\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.VpcIpv4CidrBlockAssociation;\nimport com.pulumi.aws.ec2.VpcIpv4CidrBlockAssociationArgs;\nimport com.pulumi.aws.ec2.Subnet;\nimport com.pulumi.aws.ec2.SubnetArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var secondaryCidr = new VpcIpv4CidrBlockAssociation(\"secondaryCidr\", VpcIpv4CidrBlockAssociationArgs.builder()\n .vpcId(main.id())\n .cidrBlock(\"172.20.0.0/16\")\n .build());\n\n var inSecondaryCidr = new Subnet(\"inSecondaryCidr\", SubnetArgs.builder()\n .vpcId(secondaryCidr.vpcId())\n .cidrBlock(\"172.20.0.0/24\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n secondaryCidr:\n type: aws:ec2:VpcIpv4CidrBlockAssociation\n name: secondary_cidr\n properties:\n vpcId: ${main.id}\n cidrBlock: 172.20.0.0/16\n 
inSecondaryCidr:\n type: aws:ec2:Subnet\n name: in_secondary_cidr\n properties:\n vpcId: ${secondaryCidr.vpcId}\n cidrBlock: 172.20.0.0/24\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsing `pulumi import`, import subnets using the subnet `id`. For example:\n\n```sh\n$ pulumi import aws:ec2/subnet:Subnet public_subnet subnet-9d4a7b6c\n```\n", + "description": "Provides an VPC subnet resource.\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst main = new aws.ec2.Subnet(\"main\", {\n vpcId: mainAwsVpc.id,\n cidrBlock: \"10.0.1.0/24\",\n tags: {\n Name: \"Main\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nmain = aws.ec2.Subnet(\"main\",\n vpc_id=main_aws_vpc[\"id\"],\n cidr_block=\"10.0.1.0/24\",\n tags={\n \"Name\": \"Main\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var main = new Aws.Ec2.Subnet(\"main\", new()\n {\n VpcId = mainAwsVpc.Id,\n CidrBlock = \"10.0.1.0/24\",\n Tags = \n {\n { \"Name\", \"Main\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ec2.NewSubnet(ctx, \"main\", \u0026ec2.SubnetArgs{\n\t\t\tVpcId: 
pulumi.Any(mainAwsVpc.Id),\n\t\t\tCidrBlock: pulumi.String(\"10.0.1.0/24\"),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"Main\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.Subnet;\nimport com.pulumi.aws.ec2.SubnetArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var main = new Subnet(\"main\", SubnetArgs.builder()\n .vpcId(mainAwsVpc.id())\n .cidrBlock(\"10.0.1.0/24\")\n .tags(Map.of(\"Name\", \"Main\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n main:\n type: aws:ec2:Subnet\n properties:\n vpcId: ${mainAwsVpc.id}\n cidrBlock: 10.0.1.0/24\n tags:\n Name: Main\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Subnets In Secondary VPC CIDR Blocks\n\nWhen managing subnets in one of a VPC's secondary CIDR blocks created using a `aws.ec2.VpcIpv4CidrBlockAssociation`\nresource, it is recommended to reference that resource's `vpc_id` attribute to ensure correct dependency ordering.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst secondaryCidr = new aws.ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\", {\n vpcId: main.id,\n cidrBlock: \"172.20.0.0/16\",\n});\nconst inSecondaryCidr = new aws.ec2.Subnet(\"in_secondary_cidr\", {\n vpcId: secondaryCidr.vpcId,\n cidrBlock: \"172.20.0.0/24\",\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nsecondary_cidr = aws.ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\",\n vpc_id=main[\"id\"],\n 
cidr_block=\"172.20.0.0/16\")\nin_secondary_cidr = aws.ec2.Subnet(\"in_secondary_cidr\",\n vpc_id=secondary_cidr.vpc_id,\n cidr_block=\"172.20.0.0/24\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var secondaryCidr = new Aws.Ec2.VpcIpv4CidrBlockAssociation(\"secondary_cidr\", new()\n {\n VpcId = main.Id,\n CidrBlock = \"172.20.0.0/16\",\n });\n\n var inSecondaryCidr = new Aws.Ec2.Subnet(\"in_secondary_cidr\", new()\n {\n VpcId = secondaryCidr.VpcId,\n CidrBlock = \"172.20.0.0/24\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tsecondaryCidr, err := ec2.NewVpcIpv4CidrBlockAssociation(ctx, \"secondary_cidr\", \u0026ec2.VpcIpv4CidrBlockAssociationArgs{\n\t\t\tVpcId: pulumi.Any(main.Id),\n\t\t\tCidrBlock: pulumi.String(\"172.20.0.0/16\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ec2.NewSubnet(ctx, \"in_secondary_cidr\", \u0026ec2.SubnetArgs{\n\t\t\tVpcId: secondaryCidr.VpcId,\n\t\t\tCidrBlock: pulumi.String(\"172.20.0.0/24\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.ec2.VpcIpv4CidrBlockAssociation;\nimport com.pulumi.aws.ec2.VpcIpv4CidrBlockAssociationArgs;\nimport com.pulumi.aws.ec2.Subnet;\nimport com.pulumi.aws.ec2.SubnetArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var secondaryCidr = new 
VpcIpv4CidrBlockAssociation(\"secondaryCidr\", VpcIpv4CidrBlockAssociationArgs.builder()\n .vpcId(main.id())\n .cidrBlock(\"172.20.0.0/16\")\n .build());\n\n var inSecondaryCidr = new Subnet(\"inSecondaryCidr\", SubnetArgs.builder()\n .vpcId(secondaryCidr.vpcId())\n .cidrBlock(\"172.20.0.0/24\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n secondaryCidr:\n type: aws:ec2:VpcIpv4CidrBlockAssociation\n name: secondary_cidr\n properties:\n vpcId: ${main.id}\n cidrBlock: 172.20.0.0/16\n inSecondaryCidr:\n type: aws:ec2:Subnet\n name: in_secondary_cidr\n properties:\n vpcId: ${secondaryCidr.vpcId}\n cidrBlock: 172.20.0.0/24\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsing `pulumi import`, import subnets using the subnet `id`. For example:\n\n```sh\n$ pulumi import aws:ec2/subnet:Subnet public_subnet subnet-9d4a7b6c\n```\n", "properties": { "arn": { "type": "string", 
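Review bot: in the sentence added to the `aws:ec2/subnet:Subnet` NOTE, "the provider will wait for at least 45 minutes" sits awkwardly next to the sentence before it, which says deletion "can take up to 45 minutes". "At least" reads as a fixed minimum wait on every subnet delete. If the intent is that a delete timeout shorter than 45 minutes is raised to 45 minutes for subnets associated with Lambda Functions, say that directly, for example "the provider will wait up to 45 minutes, even if a shorter delete timeout is specified". The unchanged opening "Provides an VPC subnet resource." could also become "a VPC" while this line is being touched.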
@@ -285013,7 +285013,7 @@ } }, "aws:lambda/function:Function": { - "description": "Provides a Lambda Function resource. Lambda allows you to trigger execution of code in response to events in AWS, enabling serverless backend solutions. The Lambda Function itself includes source code and runtime configuration.\n\nFor information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html)\n\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.\n\n\u003e **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `aws.lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.)\n\n\u003e To give an external source (like an EventBridge Rule, SNS, or S3) permission to access the Lambda function, use the `aws.lambda.Permission` resource. See [Lambda Permission Model](https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html) for more details. 
On the other hand, the `role` argument of this resource is the function's execution role for identity and access to AWS services and resources.\n\n## Example Usage\n\n### Basic Example\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as archive from \"@pulumi/archive\";\nimport * as aws from \"@pulumi/aws\";\n\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"lambda.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst iamForLambda = new aws.iam.Role(\"iam_for_lambda\", {\n name: \"iam_for_lambda\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst lambda = archive.getFile({\n type: \"zip\",\n sourceFile: \"lambda.js\",\n outputPath: \"lambda_function_payload.zip\",\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n code: new pulumi.asset.FileArchive(\"lambda_function_payload.zip\"),\n name: \"lambda_function_name\",\n role: iamForLambda.arn,\n handler: \"index.test\",\n sourceCodeHash: lambda.then(lambda =\u003e lambda.outputBase64sha256),\n runtime: aws.lambda.Runtime.NodeJS18dX,\n environment: {\n variables: {\n foo: \"bar\",\n },\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_archive as archive\nimport pulumi_aws as aws\n\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"lambda.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\niam_for_lambda = aws.iam.Role(\"iam_for_lambda\",\n name=\"iam_for_lambda\",\n assume_role_policy=assume_role.json)\nlambda_ = archive.get_file(type=\"zip\",\n source_file=\"lambda.js\",\n output_path=\"lambda_function_payload.zip\")\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n code=pulumi.FileArchive(\"lambda_function_payload.zip\"),\n name=\"lambda_function_name\",\n 
role=iam_for_lambda.arn,\n handler=\"index.test\",\n source_code_hash=lambda_.output_base64sha256,\n runtime=aws.lambda_.Runtime.NODE_JS18D_X,\n environment={\n \"variables\": {\n \"foo\": \"bar\",\n },\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Archive = Pulumi.Archive;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = \"Service\",\n Identifiers = new[]\n {\n \"lambda.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var iamForLambda = new Aws.Iam.Role(\"iam_for_lambda\", new()\n {\n Name = \"iam_for_lambda\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var lambda = Archive.GetFile.Invoke(new()\n {\n Type = \"zip\",\n SourceFile = \"lambda.js\",\n OutputPath = \"lambda_function_payload.zip\",\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Code = new FileArchive(\"lambda_function_payload.zip\"),\n Name = \"lambda_function_name\",\n Role = iamForLambda.Arn,\n Handler = \"index.test\",\n SourceCodeHash = lambda.Apply(getFileResult =\u003e getFileResult.OutputBase64sha256),\n Runtime = Aws.Lambda.Runtime.NodeJS18dX,\n Environment = new Aws.Lambda.Inputs.FunctionEnvironmentArgs\n {\n Variables = \n {\n { \"foo\", \"bar\" },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-archive/sdk/go/archive\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error 
{\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"lambda.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tiamForLambda, err := iam.NewRole(ctx, \"iam_for_lambda\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"iam_for_lambda\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambda, err := archive.LookupFile(ctx, \u0026archive.LookupFileArgs{\n\t\t\tType: \"zip\",\n\t\t\tSourceFile: pulumi.StringRef(\"lambda.js\"),\n\t\t\tOutputPath: \"lambda_function_payload.zip\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tCode: pulumi.NewFileArchive(\"lambda_function_payload.zip\"),\n\t\t\tName: pulumi.String(\"lambda_function_name\"),\n\t\t\tRole: iamForLambda.Arn,\n\t\t\tHandler: pulumi.String(\"index.test\"),\n\t\t\tSourceCodeHash: pulumi.String(lambda.OutputBase64sha256),\n\t\t\tRuntime: pulumi.String(lambda.RuntimeNodeJS18dX),\n\t\t\tEnvironment: \u0026lambda.FunctionEnvironmentArgs{\n\t\t\t\tVariables: pulumi.StringMap{\n\t\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport 
com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.archive.ArchiveFunctions;\nimport com.pulumi.archive.inputs.GetFileArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionEnvironmentArgs;\nimport com.pulumi.asset.FileArchive;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"lambda.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var iamForLambda = new Role(\"iamForLambda\", RoleArgs.builder()\n .name(\"iam_for_lambda\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n final var lambda = ArchiveFunctions.getFile(GetFileArgs.builder()\n .type(\"zip\")\n .sourceFile(\"lambda.js\")\n .outputPath(\"lambda_function_payload.zip\")\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .code(new FileArchive(\"lambda_function_payload.zip\"))\n .name(\"lambda_function_name\")\n .role(iamForLambda.arn())\n .handler(\"index.test\")\n .sourceCodeHash(lambda.applyValue(getFileResult -\u003e getFileResult.outputBase64sha256()))\n .runtime(\"nodejs18.x\")\n .environment(FunctionEnvironmentArgs.builder()\n .variables(Map.of(\"foo\", \"bar\"))\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n iamForLambda:\n type: aws:iam:Role\n name: iam_for_lambda\n properties:\n name: iam_for_lambda\n assumeRolePolicy: 
${assumeRole.json}\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n code:\n fn::FileArchive: lambda_function_payload.zip\n name: lambda_function_name\n role: ${iamForLambda.arn}\n handler: index.test\n sourceCodeHash: ${lambda.outputBase64sha256}\n runtime: nodejs18.x\n environment:\n variables:\n foo: bar\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - lambda.amazonaws.com\n actions:\n - sts:AssumeRole\n lambda:\n fn::invoke:\n Function: archive:getFile\n Arguments:\n type: zip\n sourceFile: lambda.js\n outputPath: lambda_function_payload.zip\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda Layers\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.lambda.LayerVersion(\"example\", {});\nconst exampleFunction = new aws.lambda.Function(\"example\", {layers: [example.arn]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.lambda_.LayerVersion(\"example\")\nexample_function = aws.lambda_.Function(\"example\", layers=[example.arn])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Lambda.LayerVersion(\"example\");\n\n var exampleFunction = new Aws.Lambda.Function(\"example\", new()\n {\n Layers = new[]\n {\n example.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := lambda.NewLayerVersion(ctx, \"example\", nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"example\", 
\u0026lambda.FunctionArgs{\n\t\t\tLayers: pulumi.StringArray{\n\t\t\t\texample.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.lambda.LayerVersion;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new LayerVersion(\"example\");\n\n var exampleFunction = new Function(\"exampleFunction\", FunctionArgs.builder()\n .layers(example.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:lambda:LayerVersion\n exampleFunction:\n type: aws:lambda:Function\n name: example\n properties:\n layers:\n - ${example.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda Ephemeral Storage\n\nLambda Function Ephemeral Storage(`/tmp`) allows you to configure the storage upto `10` GB. 
The default value set to `512` MB.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"lambda.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst iamForLambda = new aws.iam.Role(\"iam_for_lambda\", {\n name: \"iam_for_lambda\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n code: new pulumi.asset.FileArchive(\"lambda_function_payload.zip\"),\n name: \"lambda_function_name\",\n role: iamForLambda.arn,\n handler: \"index.test\",\n runtime: aws.lambda.Runtime.NodeJS18dX,\n ephemeralStorage: {\n size: 10240,\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"lambda.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\niam_for_lambda = aws.iam.Role(\"iam_for_lambda\",\n name=\"iam_for_lambda\",\n assume_role_policy=assume_role.json)\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n code=pulumi.FileArchive(\"lambda_function_payload.zip\"),\n name=\"lambda_function_name\",\n role=iam_for_lambda.arn,\n handler=\"index.test\",\n runtime=aws.lambda_.Runtime.NODE_JS18D_X,\n ephemeral_storage={\n \"size\": 10240,\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = 
\"Service\",\n Identifiers = new[]\n {\n \"lambda.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var iamForLambda = new Aws.Iam.Role(\"iam_for_lambda\", new()\n {\n Name = \"iam_for_lambda\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Code = new FileArchive(\"lambda_function_payload.zip\"),\n Name = \"lambda_function_name\",\n Role = iamForLambda.Arn,\n Handler = \"index.test\",\n Runtime = Aws.Lambda.Runtime.NodeJS18dX,\n EphemeralStorage = new Aws.Lambda.Inputs.FunctionEphemeralStorageArgs\n {\n Size = 10240,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"lambda.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tiamForLambda, err := iam.NewRole(ctx, \"iam_for_lambda\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"iam_for_lambda\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tCode: pulumi.NewFileArchive(\"lambda_function_payload.zip\"),\n\t\t\tName: 
pulumi.String(\"lambda_function_name\"),\n\t\t\tRole: iamForLambda.Arn,\n\t\t\tHandler: pulumi.String(\"index.test\"),\n\t\t\tRuntime: pulumi.String(lambda.RuntimeNodeJS18dX),\n\t\t\tEphemeralStorage: \u0026lambda.FunctionEphemeralStorageArgs{\n\t\t\t\tSize: pulumi.Int(10240),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionEphemeralStorageArgs;\nimport com.pulumi.asset.FileArchive;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"lambda.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var iamForLambda = new Role(\"iamForLambda\", RoleArgs.builder()\n .name(\"iam_for_lambda\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .code(new FileArchive(\"lambda_function_payload.zip\"))\n .name(\"lambda_function_name\")\n .role(iamForLambda.arn())\n .handler(\"index.test\")\n .runtime(\"nodejs18.x\")\n 
.ephemeralStorage(FunctionEphemeralStorageArgs.builder()\n .size(10240)\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n iamForLambda:\n type: aws:iam:Role\n name: iam_for_lambda\n properties:\n name: iam_for_lambda\n assumeRolePolicy: ${assumeRole.json}\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n code:\n fn::FileArchive: lambda_function_payload.zip\n name: lambda_function_name\n role: ${iamForLambda.arn}\n handler: index.test\n runtime: nodejs18.x\n ephemeralStorage:\n size: 10240\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - lambda.amazonaws.com\n actions:\n - sts:AssumeRole\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda File Systems\n\nLambda File Systems allow you to connect an Amazon Elastic File System (EFS) file system to a Lambda function to share data across function invocations, access existing data including large files, and save function state.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\n// EFS file system\nconst efsForLambda = new aws.efs.FileSystem(\"efs_for_lambda\", {tags: {\n Name: \"efs_for_lambda\",\n}});\n// Mount target connects the file system to the subnet\nconst alpha = new aws.efs.MountTarget(\"alpha\", {\n fileSystemId: efsForLambda.id,\n subnetId: subnetForLambda.id,\n securityGroups: [sgForLambda.id],\n});\n// EFS access point used by lambda file system\nconst accessPointForLambda = new aws.efs.AccessPoint(\"access_point_for_lambda\", {\n fileSystemId: efsForLambda.id,\n rootDirectory: {\n path: \"/lambda\",\n creationInfo: {\n ownerGid: 1000,\n ownerUid: 1000,\n permissions: \"777\",\n },\n },\n posixUser: {\n gid: 1000,\n uid: 1000,\n },\n});\n// A lambda function connected to an EFS file system\nconst example = new aws.lambda.Function(\"example\", 
{\n fileSystemConfig: {\n arn: accessPointForLambda.arn,\n localMountPath: \"/mnt/efs\",\n },\n vpcConfig: {\n subnetIds: [subnetForLambda.id],\n securityGroupIds: [sgForLambda.id],\n },\n}, {\n dependsOn: [alpha],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\n# EFS file system\nefs_for_lambda = aws.efs.FileSystem(\"efs_for_lambda\", tags={\n \"Name\": \"efs_for_lambda\",\n})\n# Mount target connects the file system to the subnet\nalpha = aws.efs.MountTarget(\"alpha\",\n file_system_id=efs_for_lambda.id,\n subnet_id=subnet_for_lambda[\"id\"],\n security_groups=[sg_for_lambda[\"id\"]])\n# EFS access point used by lambda file system\naccess_point_for_lambda = aws.efs.AccessPoint(\"access_point_for_lambda\",\n file_system_id=efs_for_lambda.id,\n root_directory={\n \"path\": \"/lambda\",\n \"creation_info\": {\n \"owner_gid\": 1000,\n \"owner_uid\": 1000,\n \"permissions\": \"777\",\n },\n },\n posix_user={\n \"gid\": 1000,\n \"uid\": 1000,\n })\n# A lambda function connected to an EFS file system\nexample = aws.lambda_.Function(\"example\",\n file_system_config={\n \"arn\": access_point_for_lambda.arn,\n \"local_mount_path\": \"/mnt/efs\",\n },\n vpc_config={\n \"subnet_ids\": [subnet_for_lambda[\"id\"]],\n \"security_group_ids\": [sg_for_lambda[\"id\"]],\n },\n opts = pulumi.ResourceOptions(depends_on=[alpha]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n // EFS file system\n var efsForLambda = new Aws.Efs.FileSystem(\"efs_for_lambda\", new()\n {\n Tags = \n {\n { \"Name\", \"efs_for_lambda\" },\n },\n });\n\n // Mount target connects the file system to the subnet\n var alpha = new Aws.Efs.MountTarget(\"alpha\", new()\n {\n FileSystemId = efsForLambda.Id,\n SubnetId = subnetForLambda.Id,\n SecurityGroups = new[]\n {\n sgForLambda.Id,\n },\n });\n\n // EFS access point used by lambda file system\n var accessPointForLambda = new 
Aws.Efs.AccessPoint(\"access_point_for_lambda\", new()\n {\n FileSystemId = efsForLambda.Id,\n RootDirectory = new Aws.Efs.Inputs.AccessPointRootDirectoryArgs\n {\n Path = \"/lambda\",\n CreationInfo = new Aws.Efs.Inputs.AccessPointRootDirectoryCreationInfoArgs\n {\n OwnerGid = 1000,\n OwnerUid = 1000,\n Permissions = \"777\",\n },\n },\n PosixUser = new Aws.Efs.Inputs.AccessPointPosixUserArgs\n {\n Gid = 1000,\n Uid = 1000,\n },\n });\n\n // A lambda function connected to an EFS file system\n var example = new Aws.Lambda.Function(\"example\", new()\n {\n FileSystemConfig = new Aws.Lambda.Inputs.FunctionFileSystemConfigArgs\n {\n Arn = accessPointForLambda.Arn,\n LocalMountPath = \"/mnt/efs\",\n },\n VpcConfig = new Aws.Lambda.Inputs.FunctionVpcConfigArgs\n {\n SubnetIds = new[]\n {\n subnetForLambda.Id,\n },\n SecurityGroupIds = new[]\n {\n sgForLambda.Id,\n },\n },\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n alpha,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/efs\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t// EFS file system\n\t\tefsForLambda, err := efs.NewFileSystem(ctx, \"efs_for_lambda\", \u0026efs.FileSystemArgs{\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"efs_for_lambda\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// Mount target connects the file system to the subnet\n\t\talpha, err := efs.NewMountTarget(ctx, \"alpha\", \u0026efs.MountTargetArgs{\n\t\t\tFileSystemId: efsForLambda.ID(),\n\t\t\tSubnetId: pulumi.Any(subnetForLambda.Id),\n\t\t\tSecurityGroups: pulumi.StringArray{\n\t\t\t\tsgForLambda.Id,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// EFS access point used by lambda file system\n\t\taccessPointForLambda, err := efs.NewAccessPoint(ctx, \"access_point_for_lambda\", 
\u0026efs.AccessPointArgs{\n\t\t\tFileSystemId: efsForLambda.ID(),\n\t\t\tRootDirectory: \u0026efs.AccessPointRootDirectoryArgs{\n\t\t\t\tPath: pulumi.String(\"/lambda\"),\n\t\t\t\tCreationInfo: \u0026efs.AccessPointRootDirectoryCreationInfoArgs{\n\t\t\t\t\tOwnerGid: pulumi.Int(1000),\n\t\t\t\t\tOwnerUid: pulumi.Int(1000),\n\t\t\t\t\tPermissions: pulumi.String(\"777\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tPosixUser: \u0026efs.AccessPointPosixUserArgs{\n\t\t\t\tGid: pulumi.Int(1000),\n\t\t\t\tUid: pulumi.Int(1000),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// A lambda function connected to an EFS file system\n\t\t_, err = lambda.NewFunction(ctx, \"example\", \u0026lambda.FunctionArgs{\n\t\t\tFileSystemConfig: \u0026lambda.FunctionFileSystemConfigArgs{\n\t\t\t\tArn: accessPointForLambda.Arn,\n\t\t\t\tLocalMountPath: pulumi.String(\"/mnt/efs\"),\n\t\t\t},\n\t\t\tVpcConfig: \u0026lambda.FunctionVpcConfigArgs{\n\t\t\t\tSubnetIds: pulumi.StringArray{\n\t\t\t\t\tsubnetForLambda.Id,\n\t\t\t\t},\n\t\t\t\tSecurityGroupIds: pulumi.StringArray{\n\t\t\t\t\tsgForLambda.Id,\n\t\t\t\t},\n\t\t\t},\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\talpha,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.efs.FileSystem;\nimport com.pulumi.aws.efs.FileSystemArgs;\nimport com.pulumi.aws.efs.MountTarget;\nimport com.pulumi.aws.efs.MountTargetArgs;\nimport com.pulumi.aws.efs.AccessPoint;\nimport com.pulumi.aws.efs.AccessPointArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointRootDirectoryArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointRootDirectoryCreationInfoArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointPosixUserArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionFileSystemConfigArgs;\nimport 
com.pulumi.aws.lambda.inputs.FunctionVpcConfigArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n // EFS file system\n var efsForLambda = new FileSystem(\"efsForLambda\", FileSystemArgs.builder()\n .tags(Map.of(\"Name\", \"efs_for_lambda\"))\n .build());\n\n // Mount target connects the file system to the subnet\n var alpha = new MountTarget(\"alpha\", MountTargetArgs.builder()\n .fileSystemId(efsForLambda.id())\n .subnetId(subnetForLambda.id())\n .securityGroups(sgForLambda.id())\n .build());\n\n // EFS access point used by lambda file system\n var accessPointForLambda = new AccessPoint(\"accessPointForLambda\", AccessPointArgs.builder()\n .fileSystemId(efsForLambda.id())\n .rootDirectory(AccessPointRootDirectoryArgs.builder()\n .path(\"/lambda\")\n .creationInfo(AccessPointRootDirectoryCreationInfoArgs.builder()\n .ownerGid(1000)\n .ownerUid(1000)\n .permissions(\"777\")\n .build())\n .build())\n .posixUser(AccessPointPosixUserArgs.builder()\n .gid(1000)\n .uid(1000)\n .build())\n .build());\n\n // A lambda function connected to an EFS file system\n var example = new Function(\"example\", FunctionArgs.builder()\n .fileSystemConfig(FunctionFileSystemConfigArgs.builder()\n .arn(accessPointForLambda.arn())\n .localMountPath(\"/mnt/efs\")\n .build())\n .vpcConfig(FunctionVpcConfigArgs.builder()\n .subnetIds(subnetForLambda.id())\n .securityGroupIds(sgForLambda.id())\n .build())\n .build(), CustomResourceOptions.builder()\n .dependsOn(alpha)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n # A lambda function connected to an EFS file system\n example:\n type: aws:lambda:Function\n properties:\n fileSystemConfig:\n arn: ${accessPointForLambda.arn}\n localMountPath: 
/mnt/efs\n vpcConfig:\n subnetIds:\n - ${subnetForLambda.id}\n securityGroupIds:\n - ${sgForLambda.id}\n options:\n dependson:\n - ${alpha}\n # EFS file system\n efsForLambda:\n type: aws:efs:FileSystem\n name: efs_for_lambda\n properties:\n tags:\n Name: efs_for_lambda\n # Mount target connects the file system to the subnet\n alpha:\n type: aws:efs:MountTarget\n properties:\n fileSystemId: ${efsForLambda.id}\n subnetId: ${subnetForLambda.id}\n securityGroups:\n - ${sgForLambda.id}\n # EFS access point used by lambda file system\n accessPointForLambda:\n type: aws:efs:AccessPoint\n name: access_point_for_lambda\n properties:\n fileSystemId: ${efsForLambda.id}\n rootDirectory:\n path: /lambda\n creationInfo:\n ownerGid: 1000\n ownerUid: 1000\n permissions: '777'\n posixUser:\n gid: 1000\n uid: 1000\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda retries\n\nLambda Functions allow you to configure error handling for asynchronous invocation. The settings that it supports are `Maximum age of event` and `Retry attempts` as stated in [Lambda documentation for Configuring error handling for asynchronous invocation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-errors). 
To configure these settings, refer to the aws.lambda.FunctionEventInvokeConfig resource.\n\n## CloudWatch Logging and Permissions\n\nFor more information about CloudWatch Logs for Lambda, see the [Lambda User Guide](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html).\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst config = new pulumi.Config();\nconst lambdaFunctionName = config.get(\"lambdaFunctionName\") || \"lambda_function_name\";\n// This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n// If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\nconst example = new aws.cloudwatch.LogGroup(\"example\", {\n name: `/aws/lambda/${lambdaFunctionName}`,\n retentionInDays: 14,\n});\n// See also the following AWS managed policy: AWSLambdaBasicExecutionRole\nconst lambdaLogging = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n actions: [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n ],\n resources: [\"arn:aws:logs:*:*:*\"],\n }],\n});\nconst lambdaLoggingPolicy = new aws.iam.Policy(\"lambda_logging\", {\n name: \"lambda_logging\",\n path: \"/\",\n description: \"IAM policy for logging from a lambda\",\n policy: lambdaLogging.then(lambdaLogging =\u003e lambdaLogging.json),\n});\nconst lambdaLogs = new aws.iam.RolePolicyAttachment(\"lambda_logs\", {\n role: iamForLambda.name,\n policyArn: lambdaLoggingPolicy.arn,\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n name: lambdaFunctionName,\n loggingConfig: {\n logFormat: \"Text\",\n },\n}, {\n dependsOn: [\n lambdaLogs,\n example,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nconfig = pulumi.Config()\nlambda_function_name = config.get(\"lambdaFunctionName\")\nif lambda_function_name is None:\n lambda_function_name = 
\"lambda_function_name\"\n# This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n# If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\nexample = aws.cloudwatch.LogGroup(\"example\",\n name=f\"/aws/lambda/{lambda_function_name}\",\n retention_in_days=14)\n# See also the following AWS managed policy: AWSLambdaBasicExecutionRole\nlambda_logging = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"actions\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n ],\n \"resources\": [\"arn:aws:logs:*:*:*\"],\n}])\nlambda_logging_policy = aws.iam.Policy(\"lambda_logging\",\n name=\"lambda_logging\",\n path=\"/\",\n description=\"IAM policy for logging from a lambda\",\n policy=lambda_logging.json)\nlambda_logs = aws.iam.RolePolicyAttachment(\"lambda_logs\",\n role=iam_for_lambda[\"name\"],\n policy_arn=lambda_logging_policy.arn)\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n name=lambda_function_name,\n logging_config={\n \"log_format\": \"Text\",\n },\n opts = pulumi.ResourceOptions(depends_on=[\n lambda_logs,\n example,\n ]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var config = new Config();\n var lambdaFunctionName = config.Get(\"lambdaFunctionName\") ?? 
\"lambda_function_name\";\n // This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n // If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n var example = new Aws.CloudWatch.LogGroup(\"example\", new()\n {\n Name = $\"/aws/lambda/{lambdaFunctionName}\",\n RetentionInDays = 14,\n });\n\n // See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n var lambdaLogging = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Actions = new[]\n {\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n },\n Resources = new[]\n {\n \"arn:aws:logs:*:*:*\",\n },\n },\n },\n });\n\n var lambdaLoggingPolicy = new Aws.Iam.Policy(\"lambda_logging\", new()\n {\n Name = \"lambda_logging\",\n Path = \"/\",\n Description = \"IAM policy for logging from a lambda\",\n PolicyDocument = lambdaLogging.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var lambdaLogs = new Aws.Iam.RolePolicyAttachment(\"lambda_logs\", new()\n {\n Role = iamForLambda.Name,\n PolicyArn = lambdaLoggingPolicy.Arn,\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Name = lambdaFunctionName,\n LoggingConfig = new Aws.Lambda.Inputs.FunctionLoggingConfigArgs\n {\n LogFormat = \"Text\",\n },\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n lambdaLogs,\n example,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcfg := config.New(ctx, \"\")\n\t\tlambdaFunctionName := 
\"lambda_function_name\"\n\t\tif param := cfg.Get(\"lambdaFunctionName\"); param != \"\" {\n\t\t\tlambdaFunctionName = param\n\t\t}\n\t\t// This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n\t\t// If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n\t\texample, err := cloudwatch.NewLogGroup(ctx, \"example\", \u0026cloudwatch.LogGroupArgs{\n\t\t\tName: pulumi.Sprintf(\"/aws/lambda/%v\", lambdaFunctionName),\n\t\t\tRetentionInDays: pulumi.Int(14),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n\t\tlambdaLogging, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"logs:CreateLogGroup\",\n\t\t\t\t\t\t\"logs:CreateLogStream\",\n\t\t\t\t\t\t\"logs:PutLogEvents\",\n\t\t\t\t\t},\n\t\t\t\t\tResources: []string{\n\t\t\t\t\t\t\"arn:aws:logs:*:*:*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambdaLoggingPolicy, err := iam.NewPolicy(ctx, \"lambda_logging\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"lambda_logging\"),\n\t\t\tPath: pulumi.String(\"/\"),\n\t\t\tDescription: pulumi.String(\"IAM policy for logging from a lambda\"),\n\t\t\tPolicy: pulumi.String(lambdaLogging.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambdaLogs, err := iam.NewRolePolicyAttachment(ctx, \"lambda_logs\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole: pulumi.Any(iamForLambda.Name),\n\t\t\tPolicyArn: lambdaLoggingPolicy.Arn,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tName: pulumi.String(lambdaFunctionName),\n\t\t\tLoggingConfig: 
\u0026lambda.FunctionLoggingConfigArgs{\n\t\t\t\tLogFormat: pulumi.String(\"Text\"),\n\t\t\t},\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tlambdaLogs,\n\t\t\texample,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.cloudwatch.LogGroup;\nimport com.pulumi.aws.cloudwatch.LogGroupArgs;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Policy;\nimport com.pulumi.aws.iam.PolicyArgs;\nimport com.pulumi.aws.iam.RolePolicyAttachment;\nimport com.pulumi.aws.iam.RolePolicyAttachmentArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionLoggingConfigArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var config = ctx.config();\n final var lambdaFunctionName = config.get(\"lambdaFunctionName\").orElse(\"lambda_function_name\");\n // This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n // If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n var example = new LogGroup(\"example\", LogGroupArgs.builder()\n .name(String.format(\"/aws/lambda/%s\", lambdaFunctionName))\n .retentionInDays(14)\n .build());\n\n // See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n final var lambdaLogging = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .actions( \n 
\"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\")\n .resources(\"arn:aws:logs:*:*:*\")\n .build())\n .build());\n\n var lambdaLoggingPolicy = new Policy(\"lambdaLoggingPolicy\", PolicyArgs.builder()\n .name(\"lambda_logging\")\n .path(\"/\")\n .description(\"IAM policy for logging from a lambda\")\n .policy(lambdaLogging.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var lambdaLogs = new RolePolicyAttachment(\"lambdaLogs\", RolePolicyAttachmentArgs.builder()\n .role(iamForLambda.name())\n .policyArn(lambdaLoggingPolicy.arn())\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .name(lambdaFunctionName)\n .loggingConfig(FunctionLoggingConfigArgs.builder()\n .logFormat(\"Text\")\n .build())\n .build(), CustomResourceOptions.builder()\n .dependsOn( \n lambdaLogs,\n example)\n .build());\n\n }\n}\n```\n```yaml\nconfiguration:\n lambdaFunctionName:\n type: string\n default: lambda_function_name\nresources:\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n name: ${lambdaFunctionName}\n loggingConfig:\n logFormat: Text\n options:\n dependson:\n - ${lambdaLogs}\n - ${example}\n # This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n # If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n example:\n type: aws:cloudwatch:LogGroup\n properties:\n name: /aws/lambda/${lambdaFunctionName}\n retentionInDays: 14\n lambdaLoggingPolicy:\n type: aws:iam:Policy\n name: lambda_logging\n properties:\n name: lambda_logging\n path: /\n description: IAM policy for logging from a lambda\n policy: ${lambdaLogging.json}\n lambdaLogs:\n type: aws:iam:RolePolicyAttachment\n name: lambda_logs\n properties:\n role: ${iamForLambda.name}\n policyArn: ${lambdaLoggingPolicy.arn}\nvariables:\n # See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n lambdaLogging:\n 
fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n actions:\n - logs:CreateLogGroup\n - logs:CreateLogStream\n - logs:PutLogEvents\n resources:\n - arn:aws:logs:*:*:*\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Specifying the Deployment Package\n\nAWS Lambda expects source code to be provided as a deployment package whose structure varies depending on which `runtime` is in use. See [Runtimes](https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime) for the valid values of `runtime`. The expected structure of the deployment package can be found in [the AWS Lambda documentation for each runtime](https://docs.aws.amazon.com/lambda/latest/dg/deployment-package-v2.html).\n\nOnce you have created your deployment package you can specify it either directly as a local file (using the `filename` argument) or indirectly via Amazon S3 (using the `s3_bucket`, `s3_key` and `s3_object_version` arguments). When providing the deployment package via S3 it may be useful to use the `aws.s3.BucketObjectv2` resource to upload it.\n\nFor larger deployment packages it is recommended by Amazon to upload via S3, since the S3 API has better support for uploading large files efficiently.\n\n## Import\n\nUsing `pulumi import`, import Lambda Functions using the `function_name`. For example:\n\n```sh\n$ pulumi import aws:lambda/function:Function test_lambda my_test_lambda_function\n```\n", + "description": "Provides a Lambda Function resource. Lambda allows you to trigger execution of code in response to events in AWS, enabling serverless backend solutions. 
The Lambda Function itself includes source code and runtime configuration.\n\nFor information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html)\n\n\n\u003e **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified.\n\n\u003e **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `aws.lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.)\n\n\u003e To give an external source (like an EventBridge Rule, SNS, or S3) permission to access the Lambda function, use the `aws.lambda.Permission` resource. See [Lambda Permission Model](https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html) for more details. 
On the other hand, the `role` argument of this resource is the function's execution role for identity and access to AWS services and resources.\n\n## Example Usage\n\n### Basic Example\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as archive from \"@pulumi/archive\";\nimport * as aws from \"@pulumi/aws\";\n\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"lambda.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst iamForLambda = new aws.iam.Role(\"iam_for_lambda\", {\n name: \"iam_for_lambda\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst lambda = archive.getFile({\n type: \"zip\",\n sourceFile: \"lambda.js\",\n outputPath: \"lambda_function_payload.zip\",\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n code: new pulumi.asset.FileArchive(\"lambda_function_payload.zip\"),\n name: \"lambda_function_name\",\n role: iamForLambda.arn,\n handler: \"index.test\",\n sourceCodeHash: lambda.then(lambda =\u003e lambda.outputBase64sha256),\n runtime: aws.lambda.Runtime.NodeJS18dX,\n environment: {\n variables: {\n foo: \"bar\",\n },\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_archive as archive\nimport pulumi_aws as aws\n\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"lambda.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\niam_for_lambda = aws.iam.Role(\"iam_for_lambda\",\n name=\"iam_for_lambda\",\n assume_role_policy=assume_role.json)\nlambda_ = archive.get_file(type=\"zip\",\n source_file=\"lambda.js\",\n output_path=\"lambda_function_payload.zip\")\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n code=pulumi.FileArchive(\"lambda_function_payload.zip\"),\n name=\"lambda_function_name\",\n 
role=iam_for_lambda.arn,\n handler=\"index.test\",\n source_code_hash=lambda_.output_base64sha256,\n runtime=aws.lambda_.Runtime.NODE_JS18D_X,\n environment={\n \"variables\": {\n \"foo\": \"bar\",\n },\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Archive = Pulumi.Archive;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = \"Service\",\n Identifiers = new[]\n {\n \"lambda.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var iamForLambda = new Aws.Iam.Role(\"iam_for_lambda\", new()\n {\n Name = \"iam_for_lambda\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var lambda = Archive.GetFile.Invoke(new()\n {\n Type = \"zip\",\n SourceFile = \"lambda.js\",\n OutputPath = \"lambda_function_payload.zip\",\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Code = new FileArchive(\"lambda_function_payload.zip\"),\n Name = \"lambda_function_name\",\n Role = iamForLambda.Arn,\n Handler = \"index.test\",\n SourceCodeHash = lambda.Apply(getFileResult =\u003e getFileResult.OutputBase64sha256),\n Runtime = Aws.Lambda.Runtime.NodeJS18dX,\n Environment = new Aws.Lambda.Inputs.FunctionEnvironmentArgs\n {\n Variables = \n {\n { \"foo\", \"bar\" },\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-archive/sdk/go/archive\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error 
{\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"lambda.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tiamForLambda, err := iam.NewRole(ctx, \"iam_for_lambda\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"iam_for_lambda\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambda, err := archive.LookupFile(ctx, \u0026archive.LookupFileArgs{\n\t\t\tType: \"zip\",\n\t\t\tSourceFile: pulumi.StringRef(\"lambda.js\"),\n\t\t\tOutputPath: \"lambda_function_payload.zip\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tCode: pulumi.NewFileArchive(\"lambda_function_payload.zip\"),\n\t\t\tName: pulumi.String(\"lambda_function_name\"),\n\t\t\tRole: iamForLambda.Arn,\n\t\t\tHandler: pulumi.String(\"index.test\"),\n\t\t\tSourceCodeHash: pulumi.String(lambda.OutputBase64sha256),\n\t\t\tRuntime: pulumi.String(lambda.RuntimeNodeJS18dX),\n\t\t\tEnvironment: \u0026lambda.FunctionEnvironmentArgs{\n\t\t\t\tVariables: pulumi.StringMap{\n\t\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport 
com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.archive.ArchiveFunctions;\nimport com.pulumi.archive.inputs.GetFileArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionEnvironmentArgs;\nimport com.pulumi.asset.FileArchive;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"lambda.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var iamForLambda = new Role(\"iamForLambda\", RoleArgs.builder()\n .name(\"iam_for_lambda\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n final var lambda = ArchiveFunctions.getFile(GetFileArgs.builder()\n .type(\"zip\")\n .sourceFile(\"lambda.js\")\n .outputPath(\"lambda_function_payload.zip\")\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .code(new FileArchive(\"lambda_function_payload.zip\"))\n .name(\"lambda_function_name\")\n .role(iamForLambda.arn())\n .handler(\"index.test\")\n .sourceCodeHash(lambda.applyValue(getFileResult -\u003e getFileResult.outputBase64sha256()))\n .runtime(\"nodejs18.x\")\n .environment(FunctionEnvironmentArgs.builder()\n .variables(Map.of(\"foo\", \"bar\"))\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n iamForLambda:\n type: aws:iam:Role\n name: iam_for_lambda\n properties:\n name: iam_for_lambda\n assumeRolePolicy: 
${assumeRole.json}\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n code:\n fn::FileArchive: lambda_function_payload.zip\n name: lambda_function_name\n role: ${iamForLambda.arn}\n handler: index.test\n sourceCodeHash: ${lambda.outputBase64sha256}\n runtime: nodejs18.x\n environment:\n variables:\n foo: bar\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - lambda.amazonaws.com\n actions:\n - sts:AssumeRole\n lambda:\n fn::invoke:\n Function: archive:getFile\n Arguments:\n type: zip\n sourceFile: lambda.js\n outputPath: lambda_function_payload.zip\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda Layers\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.lambda.LayerVersion(\"example\", {});\nconst exampleFunction = new aws.lambda.Function(\"example\", {layers: [example.arn]});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.lambda_.LayerVersion(\"example\")\nexample_function = aws.lambda_.Function(\"example\", layers=[example.arn])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Lambda.LayerVersion(\"example\");\n\n var exampleFunction = new Aws.Lambda.Function(\"example\", new()\n {\n Layers = new[]\n {\n example.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := lambda.NewLayerVersion(ctx, \"example\", nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"example\", 
\u0026lambda.FunctionArgs{\n\t\t\tLayers: pulumi.StringArray{\n\t\t\t\texample.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.lambda.LayerVersion;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new LayerVersion(\"example\");\n\n var exampleFunction = new Function(\"exampleFunction\", FunctionArgs.builder()\n .layers(example.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:lambda:LayerVersion\n exampleFunction:\n type: aws:lambda:Function\n name: example\n properties:\n layers:\n - ${example.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda Ephemeral Storage\n\nLambda Function Ephemeral Storage(`/tmp`) allows you to configure the storage upto `10` GB. 
The default value set to `512` MB.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"lambda.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst iamForLambda = new aws.iam.Role(\"iam_for_lambda\", {\n name: \"iam_for_lambda\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n code: new pulumi.asset.FileArchive(\"lambda_function_payload.zip\"),\n name: \"lambda_function_name\",\n role: iamForLambda.arn,\n handler: \"index.test\",\n runtime: aws.lambda.Runtime.NodeJS18dX,\n ephemeralStorage: {\n size: 10240,\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"lambda.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\niam_for_lambda = aws.iam.Role(\"iam_for_lambda\",\n name=\"iam_for_lambda\",\n assume_role_policy=assume_role.json)\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n code=pulumi.FileArchive(\"lambda_function_payload.zip\"),\n name=\"lambda_function_name\",\n role=iam_for_lambda.arn,\n handler=\"index.test\",\n runtime=aws.lambda_.Runtime.NODE_JS18D_X,\n ephemeral_storage={\n \"size\": 10240,\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = 
\"Service\",\n Identifiers = new[]\n {\n \"lambda.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var iamForLambda = new Aws.Iam.Role(\"iam_for_lambda\", new()\n {\n Name = \"iam_for_lambda\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Code = new FileArchive(\"lambda_function_payload.zip\"),\n Name = \"lambda_function_name\",\n Role = iamForLambda.Arn,\n Handler = \"index.test\",\n Runtime = Aws.Lambda.Runtime.NodeJS18dX,\n EphemeralStorage = new Aws.Lambda.Inputs.FunctionEphemeralStorageArgs\n {\n Size = 10240,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"lambda.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tiamForLambda, err := iam.NewRole(ctx, \"iam_for_lambda\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"iam_for_lambda\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tCode: pulumi.NewFileArchive(\"lambda_function_payload.zip\"),\n\t\t\tName: 
pulumi.String(\"lambda_function_name\"),\n\t\t\tRole: iamForLambda.Arn,\n\t\t\tHandler: pulumi.String(\"index.test\"),\n\t\t\tRuntime: pulumi.String(lambda.RuntimeNodeJS18dX),\n\t\t\tEphemeralStorage: \u0026lambda.FunctionEphemeralStorageArgs{\n\t\t\t\tSize: pulumi.Int(10240),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionEphemeralStorageArgs;\nimport com.pulumi.asset.FileArchive;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"lambda.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var iamForLambda = new Role(\"iamForLambda\", RoleArgs.builder()\n .name(\"iam_for_lambda\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .code(new FileArchive(\"lambda_function_payload.zip\"))\n .name(\"lambda_function_name\")\n .role(iamForLambda.arn())\n .handler(\"index.test\")\n .runtime(\"nodejs18.x\")\n 
.ephemeralStorage(FunctionEphemeralStorageArgs.builder()\n .size(10240)\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n iamForLambda:\n type: aws:iam:Role\n name: iam_for_lambda\n properties:\n name: iam_for_lambda\n assumeRolePolicy: ${assumeRole.json}\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n code:\n fn::FileArchive: lambda_function_payload.zip\n name: lambda_function_name\n role: ${iamForLambda.arn}\n handler: index.test\n runtime: nodejs18.x\n ephemeralStorage:\n size: 10240\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - lambda.amazonaws.com\n actions:\n - sts:AssumeRole\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda File Systems\n\nLambda File Systems allow you to connect an Amazon Elastic File System (EFS) file system to a Lambda function to share data across function invocations, access existing data including large files, and save function state.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\n// EFS file system\nconst efsForLambda = new aws.efs.FileSystem(\"efs_for_lambda\", {tags: {\n Name: \"efs_for_lambda\",\n}});\n// Mount target connects the file system to the subnet\nconst alpha = new aws.efs.MountTarget(\"alpha\", {\n fileSystemId: efsForLambda.id,\n subnetId: subnetForLambda.id,\n securityGroups: [sgForLambda.id],\n});\n// EFS access point used by lambda file system\nconst accessPointForLambda = new aws.efs.AccessPoint(\"access_point_for_lambda\", {\n fileSystemId: efsForLambda.id,\n rootDirectory: {\n path: \"/lambda\",\n creationInfo: {\n ownerGid: 1000,\n ownerUid: 1000,\n permissions: \"777\",\n },\n },\n posixUser: {\n gid: 1000,\n uid: 1000,\n },\n});\n// A lambda function connected to an EFS file system\nconst example = new aws.lambda.Function(\"example\", 
{\n fileSystemConfig: {\n arn: accessPointForLambda.arn,\n localMountPath: \"/mnt/efs\",\n },\n vpcConfig: {\n subnetIds: [subnetForLambda.id],\n securityGroupIds: [sgForLambda.id],\n },\n}, {\n dependsOn: [alpha],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\n# EFS file system\nefs_for_lambda = aws.efs.FileSystem(\"efs_for_lambda\", tags={\n \"Name\": \"efs_for_lambda\",\n})\n# Mount target connects the file system to the subnet\nalpha = aws.efs.MountTarget(\"alpha\",\n file_system_id=efs_for_lambda.id,\n subnet_id=subnet_for_lambda[\"id\"],\n security_groups=[sg_for_lambda[\"id\"]])\n# EFS access point used by lambda file system\naccess_point_for_lambda = aws.efs.AccessPoint(\"access_point_for_lambda\",\n file_system_id=efs_for_lambda.id,\n root_directory={\n \"path\": \"/lambda\",\n \"creation_info\": {\n \"owner_gid\": 1000,\n \"owner_uid\": 1000,\n \"permissions\": \"777\",\n },\n },\n posix_user={\n \"gid\": 1000,\n \"uid\": 1000,\n })\n# A lambda function connected to an EFS file system\nexample = aws.lambda_.Function(\"example\",\n file_system_config={\n \"arn\": access_point_for_lambda.arn,\n \"local_mount_path\": \"/mnt/efs\",\n },\n vpc_config={\n \"subnet_ids\": [subnet_for_lambda[\"id\"]],\n \"security_group_ids\": [sg_for_lambda[\"id\"]],\n },\n opts = pulumi.ResourceOptions(depends_on=[alpha]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n // EFS file system\n var efsForLambda = new Aws.Efs.FileSystem(\"efs_for_lambda\", new()\n {\n Tags = \n {\n { \"Name\", \"efs_for_lambda\" },\n },\n });\n\n // Mount target connects the file system to the subnet\n var alpha = new Aws.Efs.MountTarget(\"alpha\", new()\n {\n FileSystemId = efsForLambda.Id,\n SubnetId = subnetForLambda.Id,\n SecurityGroups = new[]\n {\n sgForLambda.Id,\n },\n });\n\n // EFS access point used by lambda file system\n var accessPointForLambda = new 
Aws.Efs.AccessPoint(\"access_point_for_lambda\", new()\n {\n FileSystemId = efsForLambda.Id,\n RootDirectory = new Aws.Efs.Inputs.AccessPointRootDirectoryArgs\n {\n Path = \"/lambda\",\n CreationInfo = new Aws.Efs.Inputs.AccessPointRootDirectoryCreationInfoArgs\n {\n OwnerGid = 1000,\n OwnerUid = 1000,\n Permissions = \"777\",\n },\n },\n PosixUser = new Aws.Efs.Inputs.AccessPointPosixUserArgs\n {\n Gid = 1000,\n Uid = 1000,\n },\n });\n\n // A lambda function connected to an EFS file system\n var example = new Aws.Lambda.Function(\"example\", new()\n {\n FileSystemConfig = new Aws.Lambda.Inputs.FunctionFileSystemConfigArgs\n {\n Arn = accessPointForLambda.Arn,\n LocalMountPath = \"/mnt/efs\",\n },\n VpcConfig = new Aws.Lambda.Inputs.FunctionVpcConfigArgs\n {\n SubnetIds = new[]\n {\n subnetForLambda.Id,\n },\n SecurityGroupIds = new[]\n {\n sgForLambda.Id,\n },\n },\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n alpha,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/efs\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t// EFS file system\n\t\tefsForLambda, err := efs.NewFileSystem(ctx, \"efs_for_lambda\", \u0026efs.FileSystemArgs{\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"Name\": pulumi.String(\"efs_for_lambda\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// Mount target connects the file system to the subnet\n\t\talpha, err := efs.NewMountTarget(ctx, \"alpha\", \u0026efs.MountTargetArgs{\n\t\t\tFileSystemId: efsForLambda.ID(),\n\t\t\tSubnetId: pulumi.Any(subnetForLambda.Id),\n\t\t\tSecurityGroups: pulumi.StringArray{\n\t\t\t\tsgForLambda.Id,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// EFS access point used by lambda file system\n\t\taccessPointForLambda, err := efs.NewAccessPoint(ctx, \"access_point_for_lambda\", 
\u0026efs.AccessPointArgs{\n\t\t\tFileSystemId: efsForLambda.ID(),\n\t\t\tRootDirectory: \u0026efs.AccessPointRootDirectoryArgs{\n\t\t\t\tPath: pulumi.String(\"/lambda\"),\n\t\t\t\tCreationInfo: \u0026efs.AccessPointRootDirectoryCreationInfoArgs{\n\t\t\t\t\tOwnerGid: pulumi.Int(1000),\n\t\t\t\t\tOwnerUid: pulumi.Int(1000),\n\t\t\t\t\tPermissions: pulumi.String(\"777\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tPosixUser: \u0026efs.AccessPointPosixUserArgs{\n\t\t\t\tGid: pulumi.Int(1000),\n\t\t\t\tUid: pulumi.Int(1000),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// A lambda function connected to an EFS file system\n\t\t_, err = lambda.NewFunction(ctx, \"example\", \u0026lambda.FunctionArgs{\n\t\t\tFileSystemConfig: \u0026lambda.FunctionFileSystemConfigArgs{\n\t\t\t\tArn: accessPointForLambda.Arn,\n\t\t\t\tLocalMountPath: pulumi.String(\"/mnt/efs\"),\n\t\t\t},\n\t\t\tVpcConfig: \u0026lambda.FunctionVpcConfigArgs{\n\t\t\t\tSubnetIds: pulumi.StringArray{\n\t\t\t\t\tsubnetForLambda.Id,\n\t\t\t\t},\n\t\t\t\tSecurityGroupIds: pulumi.StringArray{\n\t\t\t\t\tsgForLambda.Id,\n\t\t\t\t},\n\t\t\t},\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\talpha,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.efs.FileSystem;\nimport com.pulumi.aws.efs.FileSystemArgs;\nimport com.pulumi.aws.efs.MountTarget;\nimport com.pulumi.aws.efs.MountTargetArgs;\nimport com.pulumi.aws.efs.AccessPoint;\nimport com.pulumi.aws.efs.AccessPointArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointRootDirectoryArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointRootDirectoryCreationInfoArgs;\nimport com.pulumi.aws.efs.inputs.AccessPointPosixUserArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionFileSystemConfigArgs;\nimport 
com.pulumi.aws.lambda.inputs.FunctionVpcConfigArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n // EFS file system\n var efsForLambda = new FileSystem(\"efsForLambda\", FileSystemArgs.builder()\n .tags(Map.of(\"Name\", \"efs_for_lambda\"))\n .build());\n\n // Mount target connects the file system to the subnet\n var alpha = new MountTarget(\"alpha\", MountTargetArgs.builder()\n .fileSystemId(efsForLambda.id())\n .subnetId(subnetForLambda.id())\n .securityGroups(sgForLambda.id())\n .build());\n\n // EFS access point used by lambda file system\n var accessPointForLambda = new AccessPoint(\"accessPointForLambda\", AccessPointArgs.builder()\n .fileSystemId(efsForLambda.id())\n .rootDirectory(AccessPointRootDirectoryArgs.builder()\n .path(\"/lambda\")\n .creationInfo(AccessPointRootDirectoryCreationInfoArgs.builder()\n .ownerGid(1000)\n .ownerUid(1000)\n .permissions(\"777\")\n .build())\n .build())\n .posixUser(AccessPointPosixUserArgs.builder()\n .gid(1000)\n .uid(1000)\n .build())\n .build());\n\n // A lambda function connected to an EFS file system\n var example = new Function(\"example\", FunctionArgs.builder()\n .fileSystemConfig(FunctionFileSystemConfigArgs.builder()\n .arn(accessPointForLambda.arn())\n .localMountPath(\"/mnt/efs\")\n .build())\n .vpcConfig(FunctionVpcConfigArgs.builder()\n .subnetIds(subnetForLambda.id())\n .securityGroupIds(sgForLambda.id())\n .build())\n .build(), CustomResourceOptions.builder()\n .dependsOn(alpha)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n # A lambda function connected to an EFS file system\n example:\n type: aws:lambda:Function\n properties:\n fileSystemConfig:\n arn: ${accessPointForLambda.arn}\n localMountPath: 
/mnt/efs\n vpcConfig:\n subnetIds:\n - ${subnetForLambda.id}\n securityGroupIds:\n - ${sgForLambda.id}\n options:\n dependson:\n - ${alpha}\n # EFS file system\n efsForLambda:\n type: aws:efs:FileSystem\n name: efs_for_lambda\n properties:\n tags:\n Name: efs_for_lambda\n # Mount target connects the file system to the subnet\n alpha:\n type: aws:efs:MountTarget\n properties:\n fileSystemId: ${efsForLambda.id}\n subnetId: ${subnetForLambda.id}\n securityGroups:\n - ${sgForLambda.id}\n # EFS access point used by lambda file system\n accessPointForLambda:\n type: aws:efs:AccessPoint\n name: access_point_for_lambda\n properties:\n fileSystemId: ${efsForLambda.id}\n rootDirectory:\n path: /lambda\n creationInfo:\n ownerGid: 1000\n ownerUid: 1000\n permissions: '777'\n posixUser:\n gid: 1000\n uid: 1000\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Lambda retries\n\nLambda Functions allow you to configure error handling for asynchronous invocation. The settings that it supports are `Maximum age of event` and `Retry attempts` as stated in [Lambda documentation for Configuring error handling for asynchronous invocation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-errors). 
To configure these settings, refer to the aws.lambda.FunctionEventInvokeConfig resource.\n\n## CloudWatch Logging and Permissions\n\nFor more information about CloudWatch Logs for Lambda, see the [Lambda User Guide](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html).\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst config = new pulumi.Config();\nconst lambdaFunctionName = config.get(\"lambdaFunctionName\") || \"lambda_function_name\";\n// This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n// If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\nconst example = new aws.cloudwatch.LogGroup(\"example\", {\n name: `/aws/lambda/${lambdaFunctionName}`,\n retentionInDays: 14,\n});\n// See also the following AWS managed policy: AWSLambdaBasicExecutionRole\nconst lambdaLogging = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n actions: [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n ],\n resources: [\"arn:aws:logs:*:*:*\"],\n }],\n});\nconst lambdaLoggingPolicy = new aws.iam.Policy(\"lambda_logging\", {\n name: \"lambda_logging\",\n path: \"/\",\n description: \"IAM policy for logging from a lambda\",\n policy: lambdaLogging.then(lambdaLogging =\u003e lambdaLogging.json),\n});\nconst lambdaLogs = new aws.iam.RolePolicyAttachment(\"lambda_logs\", {\n role: iamForLambda.name,\n policyArn: lambdaLoggingPolicy.arn,\n});\nconst testLambda = new aws.lambda.Function(\"test_lambda\", {\n name: lambdaFunctionName,\n loggingConfig: {\n logFormat: \"Text\",\n },\n}, {\n dependsOn: [\n lambdaLogs,\n example,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nconfig = pulumi.Config()\nlambda_function_name = config.get(\"lambdaFunctionName\")\nif lambda_function_name is None:\n lambda_function_name = 
\"lambda_function_name\"\n# This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n# If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\nexample = aws.cloudwatch.LogGroup(\"example\",\n name=f\"/aws/lambda/{lambda_function_name}\",\n retention_in_days=14)\n# See also the following AWS managed policy: AWSLambdaBasicExecutionRole\nlambda_logging = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"actions\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n ],\n \"resources\": [\"arn:aws:logs:*:*:*\"],\n}])\nlambda_logging_policy = aws.iam.Policy(\"lambda_logging\",\n name=\"lambda_logging\",\n path=\"/\",\n description=\"IAM policy for logging from a lambda\",\n policy=lambda_logging.json)\nlambda_logs = aws.iam.RolePolicyAttachment(\"lambda_logs\",\n role=iam_for_lambda[\"name\"],\n policy_arn=lambda_logging_policy.arn)\ntest_lambda = aws.lambda_.Function(\"test_lambda\",\n name=lambda_function_name,\n logging_config={\n \"log_format\": \"Text\",\n },\n opts = pulumi.ResourceOptions(depends_on=[\n lambda_logs,\n example,\n ]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var config = new Config();\n var lambdaFunctionName = config.Get(\"lambdaFunctionName\") ?? 
\"lambda_function_name\";\n // This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n // If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n var example = new Aws.CloudWatch.LogGroup(\"example\", new()\n {\n Name = $\"/aws/lambda/{lambdaFunctionName}\",\n RetentionInDays = 14,\n });\n\n // See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n var lambdaLogging = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Actions = new[]\n {\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n },\n Resources = new[]\n {\n \"arn:aws:logs:*:*:*\",\n },\n },\n },\n });\n\n var lambdaLoggingPolicy = new Aws.Iam.Policy(\"lambda_logging\", new()\n {\n Name = \"lambda_logging\",\n Path = \"/\",\n Description = \"IAM policy for logging from a lambda\",\n PolicyDocument = lambdaLogging.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var lambdaLogs = new Aws.Iam.RolePolicyAttachment(\"lambda_logs\", new()\n {\n Role = iamForLambda.Name,\n PolicyArn = lambdaLoggingPolicy.Arn,\n });\n\n var testLambda = new Aws.Lambda.Function(\"test_lambda\", new()\n {\n Name = lambdaFunctionName,\n LoggingConfig = new Aws.Lambda.Inputs.FunctionLoggingConfigArgs\n {\n LogFormat = \"Text\",\n },\n }, new CustomResourceOptions\n {\n DependsOn =\n {\n lambdaLogs,\n example,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcfg := config.New(ctx, \"\")\n\t\tlambdaFunctionName := 
\"lambda_function_name\"\n\t\tif param := cfg.Get(\"lambdaFunctionName\"); param != \"\" {\n\t\t\tlambdaFunctionName = param\n\t\t}\n\t\t// This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n\t\t// If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n\t\texample, err := cloudwatch.NewLogGroup(ctx, \"example\", \u0026cloudwatch.LogGroupArgs{\n\t\t\tName: pulumi.Sprintf(\"/aws/lambda/%v\", lambdaFunctionName),\n\t\t\tRetentionInDays: pulumi.Int(14),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n\t\tlambdaLogging, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"logs:CreateLogGroup\",\n\t\t\t\t\t\t\"logs:CreateLogStream\",\n\t\t\t\t\t\t\"logs:PutLogEvents\",\n\t\t\t\t\t},\n\t\t\t\t\tResources: []string{\n\t\t\t\t\t\t\"arn:aws:logs:*:*:*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambdaLoggingPolicy, err := iam.NewPolicy(ctx, \"lambda_logging\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"lambda_logging\"),\n\t\t\tPath: pulumi.String(\"/\"),\n\t\t\tDescription: pulumi.String(\"IAM policy for logging from a lambda\"),\n\t\t\tPolicy: pulumi.String(lambdaLogging.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlambdaLogs, err := iam.NewRolePolicyAttachment(ctx, \"lambda_logs\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole: pulumi.Any(iamForLambda.Name),\n\t\t\tPolicyArn: lambdaLoggingPolicy.Arn,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = lambda.NewFunction(ctx, \"test_lambda\", \u0026lambda.FunctionArgs{\n\t\t\tName: pulumi.String(lambdaFunctionName),\n\t\t\tLoggingConfig: 
\u0026lambda.FunctionLoggingConfigArgs{\n\t\t\t\tLogFormat: pulumi.String(\"Text\"),\n\t\t\t},\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tlambdaLogs,\n\t\t\texample,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.cloudwatch.LogGroup;\nimport com.pulumi.aws.cloudwatch.LogGroupArgs;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Policy;\nimport com.pulumi.aws.iam.PolicyArgs;\nimport com.pulumi.aws.iam.RolePolicyAttachment;\nimport com.pulumi.aws.iam.RolePolicyAttachmentArgs;\nimport com.pulumi.aws.lambda.Function;\nimport com.pulumi.aws.lambda.FunctionArgs;\nimport com.pulumi.aws.lambda.inputs.FunctionLoggingConfigArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var config = ctx.config();\n final var lambdaFunctionName = config.get(\"lambdaFunctionName\").orElse(\"lambda_function_name\");\n // This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n // If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n var example = new LogGroup(\"example\", LogGroupArgs.builder()\n .name(String.format(\"/aws/lambda/%s\", lambdaFunctionName))\n .retentionInDays(14)\n .build());\n\n // See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n final var lambdaLogging = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .actions( \n 
\"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\")\n .resources(\"arn:aws:logs:*:*:*\")\n .build())\n .build());\n\n var lambdaLoggingPolicy = new Policy(\"lambdaLoggingPolicy\", PolicyArgs.builder()\n .name(\"lambda_logging\")\n .path(\"/\")\n .description(\"IAM policy for logging from a lambda\")\n .policy(lambdaLogging.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var lambdaLogs = new RolePolicyAttachment(\"lambdaLogs\", RolePolicyAttachmentArgs.builder()\n .role(iamForLambda.name())\n .policyArn(lambdaLoggingPolicy.arn())\n .build());\n\n var testLambda = new Function(\"testLambda\", FunctionArgs.builder()\n .name(lambdaFunctionName)\n .loggingConfig(FunctionLoggingConfigArgs.builder()\n .logFormat(\"Text\")\n .build())\n .build(), CustomResourceOptions.builder()\n .dependsOn( \n lambdaLogs,\n example)\n .build());\n\n }\n}\n```\n```yaml\nconfiguration:\n lambdaFunctionName:\n type: string\n default: lambda_function_name\nresources:\n testLambda:\n type: aws:lambda:Function\n name: test_lambda\n properties:\n name: ${lambdaFunctionName}\n loggingConfig:\n logFormat: Text\n options:\n dependson:\n - ${lambdaLogs}\n - ${example}\n # This is to optionally manage the CloudWatch Log Group for the Lambda Function.\n # If skipping this resource configuration, also add \"logs:CreateLogGroup\" to the IAM policy below.\n example:\n type: aws:cloudwatch:LogGroup\n properties:\n name: /aws/lambda/${lambdaFunctionName}\n retentionInDays: 14\n lambdaLoggingPolicy:\n type: aws:iam:Policy\n name: lambda_logging\n properties:\n name: lambda_logging\n path: /\n description: IAM policy for logging from a lambda\n policy: ${lambdaLogging.json}\n lambdaLogs:\n type: aws:iam:RolePolicyAttachment\n name: lambda_logs\n properties:\n role: ${iamForLambda.name}\n policyArn: ${lambdaLoggingPolicy.arn}\nvariables:\n # See also the following AWS managed policy: AWSLambdaBasicExecutionRole\n lambdaLogging:\n 
fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n actions:\n - logs:CreateLogGroup\n - logs:CreateLogStream\n - logs:PutLogEvents\n resources:\n - arn:aws:logs:*:*:*\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Specifying the Deployment Package\n\nAWS Lambda expects source code to be provided as a deployment package whose structure varies depending on which `runtime` is in use. See [Runtimes](https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime) for the valid values of `runtime`. The expected structure of the deployment package can be found in [the AWS Lambda documentation for each runtime](https://docs.aws.amazon.com/lambda/latest/dg/deployment-package-v2.html).\n\nOnce you have created your deployment package you can specify it either directly as a local file (using the `filename` argument) or indirectly via Amazon S3 (using the `s3_bucket`, `s3_key` and `s3_object_version` arguments). When providing the deployment package via S3 it may be useful to use the `aws.s3.BucketObjectv2` resource to upload it.\n\nFor larger deployment packages it is recommended by Amazon to upload via S3, since the S3 API has better support for uploading large files efficiently.\n\n## Import\n\nUsing `pulumi import`, import Lambda Functions using the `function_name`. For example:\n\n```sh\n$ pulumi import aws:lambda/function:Function test_lambda my_test_lambda_function\n```\n", "properties": { "architectures": { "type": "array", diff --git a/sdk/dotnet/Ec2/SecurityGroup.cs b/sdk/dotnet/Ec2/SecurityGroup.cs index 4fd32cea980..214d985f450 100644 --- a/sdk/dotnet/Ec2/SecurityGroup.cs +++ b/sdk/dotnet/Ec2/SecurityGroup.cs 
@@ -18,7 +18,7 @@ namespace Pulumi.Aws.Ec2 /// /// > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). /// - /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. /// /// > **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. /// diff --git a/sdk/dotnet/Ec2/Subnet.cs b/sdk/dotnet/Ec2/Subnet.cs index f4ccce62611..ed834a8f3c5 100644 --- a/sdk/dotnet/Ec2/Subnet.cs +++ b/sdk/dotnet/Ec2/Subnet.cs 
@@ -12,7 +12,7 @@ namespace Pulumi.Aws.Ec2 /// /// Provides an VPC subnet resource. /// - /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. + /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. /// /// ## Example Usage /// diff --git a/sdk/dotnet/Lambda/Function.cs b/sdk/dotnet/Lambda/Function.cs index 406237fff7a..c1524bed33b 100644 --- a/sdk/dotnet/Lambda/Function.cs +++ b/sdk/dotnet/Lambda/Function.cs 
@@ -14,7 +14,7 @@ namespace Pulumi.Aws.Lambda /// /// For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) /// - /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + /// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. /// /// > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `aws.lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) /// diff --git a/sdk/go/aws/ec2/securityGroup.go b/sdk/go/aws/ec2/securityGroup.go index d606f38b3d2..39e6629821b 100644 --- a/sdk/go/aws/ec2/securityGroup.go +++ b/sdk/go/aws/ec2/securityGroup.go 
@@ -19,7 +19,7 @@ import ( // // > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). // -// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. +// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. // // > **NOTE:** The `cidrBlocks` and `ipv6CidrBlocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. // diff --git a/sdk/go/aws/ec2/subnet.go b/sdk/go/aws/ec2/subnet.go index b9b20a435b8..4e71fa89277 100644 --- a/sdk/go/aws/ec2/subnet.go +++ b/sdk/go/aws/ec2/subnet.go 
@@ -14,7 +14,7 @@ import ( // Provides an VPC subnet resource. // -// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. +// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. // // ## Example Usage // diff --git a/sdk/go/aws/lambda/function.go b/sdk/go/aws/lambda/function.go index 8bb3c1c78ec..e05cb6e23a4 100644 --- a/sdk/go/aws/lambda/function.go +++ b/sdk/go/aws/lambda/function.go 
@@ -16,7 +16,7 @@ import ( // // For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) // -// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. +// > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. // // > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) // diff --git a/sdk/java/src/main/java/com/pulumi/aws/ec2/SecurityGroup.java b/sdk/java/src/main/java/com/pulumi/aws/ec2/SecurityGroup.java index 640b9ffae62..66e928f006f 100644 
--- a/sdk/java/src/main/java/com/pulumi/aws/ec2/SecurityGroup.java +++ b/sdk/java/src/main/java/com/pulumi/aws/ec2/SecurityGroup.java @@ -28,7 +28,7 @@ * * > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * > **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. * diff --git a/sdk/java/src/main/java/com/pulumi/aws/ec2/Subnet.java b/sdk/java/src/main/java/com/pulumi/aws/ec2/Subnet.java index c61d4082877..e702c75442f 100644 --- a/sdk/java/src/main/java/com/pulumi/aws/ec2/Subnet.java +++ b/sdk/java/src/main/java/com/pulumi/aws/ec2/Subnet.java 
@@ -20,7 +20,7 @@ /** * Provides an VPC subnet resource. * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * ## Example Usage * diff --git a/sdk/java/src/main/java/com/pulumi/aws/lambda/Function.java b/sdk/java/src/main/java/com/pulumi/aws/lambda/Function.java index 47152243794..4180046e6c7 100644 --- a/sdk/java/src/main/java/com/pulumi/aws/lambda/Function.java +++ b/sdk/java/src/main/java/com/pulumi/aws/lambda/Function.java 
@@ -33,7 +33,7 @@ * * For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `aws.lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) * diff --git a/sdk/nodejs/ec2/securityGroup.ts b/sdk/nodejs/ec2/securityGroup.ts index b0f5d5753dc..a1d70bc1336 100644 --- a/sdk/nodejs/ec2/securityGroup.ts +++ b/sdk/nodejs/ec2/securityGroup.ts 
@@ -16,7 +16,7 @@ import * as utilities from "../utilities"; * * > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * > **NOTE:** The `cidrBlocks` and `ipv6CidrBlocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. * diff --git a/sdk/nodejs/ec2/subnet.ts b/sdk/nodejs/ec2/subnet.ts index 4422d8eaec8..8f032a482e5 100644 --- a/sdk/nodejs/ec2/subnet.ts +++ b/sdk/nodejs/ec2/subnet.ts 
@@ -7,7 +7,7 @@ import * as utilities from "../utilities"; /** * Provides an VPC subnet resource. * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * ## Example Usage * diff --git a/sdk/nodejs/lambda/function.ts b/sdk/nodejs/lambda/function.ts index 17690897bab..44ab93021d0 100644 --- a/sdk/nodejs/lambda/function.ts +++ b/sdk/nodejs/lambda/function.ts 
@@ -14,7 +14,7 @@ import {ARN} from ".."; * * For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) * - * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `aws.lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) * diff --git a/sdk/python/pulumi_aws/ec2/security_group.py b/sdk/python/pulumi_aws/ec2/security_group.py index 9226c643387..ba746455b1f 100644 --- a/sdk/python/pulumi_aws/ec2/security_group.py 
+++ b/sdk/python/pulumi_aws/ec2/security_group.py @@ -369,7 +369,7 @@ def __init__(__self__, > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. > **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. 
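Review bot: The sentence added on the `+` line sits awkwardly against the one before it: the note first says deletion "can take up to 45 minutes" and then that the provider "will wait for at least 45 minutes", which reads as if every delete of a Lambda-associated security group blocks for 45 minutes or more. If the intent is that the effective delete timeout is never shorter than 45 minutes, say that directly, for example "the provider uses a delete timeout of at least 45 minutes, even if a shorter one is specified". The same wording recurs in the other hunks of this patch and should be changed consistently.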
@@ -557,7 +557,7 @@ def __init__(__self__, > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. > **NOTE:** The `cidr_blocks` and `ipv6_cidr_blocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. diff --git a/sdk/python/pulumi_aws/ec2/subnet.py b/sdk/python/pulumi_aws/ec2/subnet.py index cf8f7512609..16cb0107cb4 100644 --- a/sdk/python/pulumi_aws/ec2/subnet.py +++ b/sdk/python/pulumi_aws/ec2/subnet.py 
@@ -689,7 +689,7 @@ def __init__(__self__, """ Provides an VPC subnet resource. - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. ## Example Usage @@ -766,7 +766,7 @@ def __init__(__self__, """ Provides an VPC subnet resource. - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. ## Example Usage diff --git a/sdk/python/pulumi_aws/lambda_/function.py b/sdk/python/pulumi_aws/lambda_/function.py index 6ea3c098de8..1b4c0910ba0 100644 --- a/sdk/python/pulumi_aws/lambda_/function.py +++ b/sdk/python/pulumi_aws/lambda_/function.py 
@@ -1338,7 +1338,7 @@ def __init__(__self__, For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) 
@@ -1585,7 +1585,7 @@ def __init__(__self__, For information about Lambda and how to use it, see [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) - > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. + > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. > **NOTE:** If you get a `KMSAccessDeniedException: Lambda was unable to decrypt the environment variables because KMS access was denied` error when invoking an `lambda.Function` with environment variables, the IAM role associated with the function may have been deleted and recreated _after_ the function was created. You can fix the problem two ways: 1) updating the function's role to another role and then updating it back again to the recreated role, or 2) by using Pulumi to `taint` the function and `apply` your configuration again to recreate the function. (When you create a function, Lambda grants permissions on the KMS key to the function's IAM role. If the IAM role is recreated, the grant is no longer valid. Changing the function's role or recreating the function causes Lambda to update the grant.) diff --git a/upstream-tools/pre-replacements.json b/upstream-tools/pre-replacements.json index b63f92cd48c..d630b3f223d 100644 --- a/upstream-tools/pre-replacements.json +++ b/upstream-tools/pre-replacements.json 
@@ -3496,7 +3496,7 @@ "website/docs/r/lambda_function.html.markdown": [ { "old": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. Terraform AWS Provider version 2.31.0 and later automatically handles this increased timeout, however prior versions require setting the customizable deletion timeouts of those Terraform resources to 45 minutes (`delete = \"45m\"`). AWS and HashiCorp are working together to reduce the amount of time required for resource deletion and updates can be tracked in this [GitHub issue](https://github.com/hashicorp/terraform-provider-aws/issues/10329).", - "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete." + "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), EC2 subnets and security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified." }, { "old": "~> **NOTE:** The `aws_lambda_layer_version` attribute values for `arn` and `layer_arn` were swapped in version 2.0.0 of the Terraform AWS Provider. For version 1.x, use `layer_arn` references. For version 2.x, use `arn` references.\n" 
@@ -5145,7 +5145,7 @@ }, { "old": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. Terraform AWS Provider version 2.31.0 and later automatically handles this increased timeout, however prior versions require setting the [customizable deletion timeout](#timeouts) to 45 minutes (`delete = \"45m\"`). AWS and HashiCorp are working together to reduce the amount of time required for resource deletion and updates can be tracked in this [GitHub issue](https://github.com/hashicorp/terraform-provider-aws/issues/10329).", - "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete." + "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified." }, { "old": "~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, **Terraform will remove this default rule**, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this `egress` block:", 
@@ -5695,7 +5695,7 @@ "website/docs/r/subnet.html.markdown": [ { "old": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. Terraform AWS Provider version 2.31.0 and later automatically handles this increased timeout, however prior versions require setting the [customizable deletion timeout](#timeouts) to 45 minutes (`delete = \"45m\"`). AWS and HashiCorp are working together to reduce the amount of time required for resource deletion and updates can be tracked in this [GitHub issue](https://github.com/hashicorp/terraform-provider-aws/issues/10329).", - "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete." + "new": "~> **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), subnets associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified." }, { "old": "* `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.",
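Review bot: In the added sentence of the two docstring hunks (@@ -1338 and @@ -1585), "the provider will wait for at least 45 minutes" reads as a mandatory minimum wait. That conflicts with the preceding "can take up to 45 minutes to successfully delete" and with the commit message, which says the provider "will wait up to 45 minutes until the ENIs are freed up even if users specify a shorter timeout". Suggest stating it as a floor on the timeout rather than on the wait, for example "the provider waits up to 45 minutes for the Lambda ENIs to be released, even if a shorter delete timeout is specified". The same sentence appears in the three "new" strings in upstream-tools/pre-replacements.json (@@ -3496, @@ -5145, @@ -5695), so the wording should be changed there as well to keep the generated docs consistent.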
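Review bot: The "new" strings in the @@ -5145 and @@ -5695 hunks of upstream-tools/pre-replacements.json mention "a shorter delete timeout" without saying where that timeout is configured, whereas the "old" text they replace pointed to `[customizable deletion timeout](#timeouts)`. Consider naming the setting the sentence refers to (the resource's custom delete timeout), so that a reader who has set a shorter value can tie the note to their own configuration and understand why a destroy of a security group or subnet can run past it.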