
Upgrading to 7.20.x is causing a VPC policy issue #659

Open
1 task done
kramen22 opened this issue Jan 28, 2025 · 0 comments

Comments


kramen22 commented Jan 28, 2025

Description

I am using this lambda module with a simple vpc config and was updating from 7.16.0 -> 7.20.0 and got the following error:

Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): operation error IAM: DeletePolicy, https response error StatusCode: 409, RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities.

The only vpc settings I pass into the module are:

```hcl
  vpc_subnet_ids                 = var.vpc_subnet_ids         // a list of my subnet IDs.
  vpc_security_group_ids         = var.vpc_security_group_ids // a list of my security group IDs.
```

I found the following PR from the release notes that references that it could be considered a breaking change: "this change is breaking (in theory) since the new policies will be inline. But it is very unlikely that users did this." #615 (comment)

But I cannot find any information on remediation if you in fact did trigger the breaking change.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: upgrading from 7.16.0 -> 7.20.0

  • Terraform version: Terraform v1.9.8 on linux_arm64

Reproduction Code [Required]

  • Create a lambda with a vpc connection from vpc_subnet_ids and vpc_security_group_ids using module version 7.16.0
  • Update to module version 7.20.0
  • Run terraform apply

Expected behavior

Terraform apply runs successfully

Actual behavior

Terraform apply fails

Terminal Output Screenshot(s)

Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): operation error IAM: DeletePolicy, https response error StatusCode: 409, RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities.

Additional context

Here is a sample of my module that I reuse in my own code:

```hcl
module "lambda_function" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "7.16.0"

  allowed_triggers = var.allowed_triggers

  attach_cloudwatch_logs_policy = true
  attach_network_policy         = true
  attach_policy_statements      = true
  attach_tracing_policy         = true

  cloudwatch_logs_retention_in_days = 30

  create_package                 = false
  environment_variables          = merge(local.datadog_env, var.environment_variables)
  event_source_mapping           = var.event_source_mapping
  function_name                  = local.fn_name
  handler                        = "bootstrap"
  layers                         = concat([local.datadog_lambda_layer_arn], var.lambda_layers)
  memory_size                    = var.memory_size
  policy_statements              = merge(local.datadog_iam, var.policy_statements)
  publish                        = true
  reserved_concurrent_executions = var.max_concurrent_executions
  runtime                        = "provided.al2"
  tags                           = merge(var.tags, { name = local.fn_name })
  timeout                        = var.timeout
  tracing_mode                   = "Active"
  vpc_subnet_ids                 = var.vpc_subnet_ids
  vpc_security_group_ids         = var.vpc_security_group_ids

  s3_existing_package = {
    bucket     = local.s3_bucket
    key        = aws_s3_object.this.id
    version_id = aws_s3_object.this.version_id
  }
}
```

Please let me know if there is anything else I can provide to help or if I missed something trying to do this upgrade, thanks!
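The `DeleteConflict` in the error above is IAM's generic refusal to delete a customer-managed policy that is still attached to a role, user or group. The following is an added example (not code from the issue, the reporter, or the terraform-aws-modules project) of how an operator can inspect such a policy before touching it: it extracts the policy ARN from the Terraform error text, pages through `ListEntitiesForPolicy`, refuses to act if the policy is attached to anything other than the entities you expect, and only then detaches and deletes. The `FakeIAM` client, its two-page listing, and the role name `my-lambda-exec-role` are constructed stand-ins for a boto3 IAM client so the flow runs offline; the functions accept any object with the same `list_entities_for_policy`/`detach_*_policy`/`delete_policy` methods.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches the policy ARN in a Terraform "deleting IAM Policy (...)" error line.
ARN_RE = re.compile(r"deleting IAM Policy \((arn:aws:iam::[^)]+)\)")

Entity = Tuple[str, str]  # ("role" | "user" | "group", entity name)


def policy_arn_from_error(message: str) -> Optional[str]:
    """Return the managed-policy ARN named in a Terraform DeletePolicy error, or None."""
    m = ARN_RE.search(message)
    return m.group(1) if m else None


def attached_entities(iam, policy_arn: str) -> List[Entity]:
    """List every role, user and group the policy is attached to,
    following the IsTruncated/Marker pagination of ListEntitiesForPolicy."""
    found: List[Entity] = []
    marker: Optional[str] = None
    while True:
        kwargs: Dict[str, str] = {"PolicyArn": policy_arn}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_entities_for_policy(**kwargs)
        found += [("role", r["RoleName"]) for r in page.get("PolicyRoles", [])]
        found += [("user", u["UserName"]) for u in page.get("PolicyUsers", [])]
        found += [("group", g["GroupName"]) for g in page.get("PolicyGroups", [])]
        if not page.get("IsTruncated"):
            return found
        marker = page["Marker"]


def unexpected_attachments(plan: List[Entity], expected: Set[Entity]) -> List[Entity]:
    """Entities in the plan that are NOT in the operator's expected set."""
    return [e for e in plan if e not in expected]


def detach_and_delete(iam, policy_arn: str, expected: Optional[Set[Entity]] = None,
                      dry_run: bool = True) -> List[Entity]:
    """Detach the policy from every attached entity, then delete it.

    dry_run=True (the default) changes nothing and just returns the plan.
    If `expected` is given, a policy also attached to anything outside that
    set is left alone, so a shared policy is never silently stripped."""
    plan = attached_entities(iam, policy_arn)
    if expected is not None and unexpected_attachments(plan, expected):
        raise RuntimeError(f"{policy_arn} is attached to unexpected entities; refusing to detach")
    if dry_run:
        return plan
    detach = {
        "role": lambda n: iam.detach_role_policy(RoleName=n, PolicyArn=policy_arn),
        "user": lambda n: iam.detach_user_policy(UserName=n, PolicyArn=policy_arn),
        "group": lambda n: iam.detach_group_policy(GroupName=n, PolicyArn=policy_arn),
    }
    for kind, name in plan:
        detach[kind](name)
    iam.delete_policy(PolicyArn=policy_arn)
    return plan


class FakeIAM:
    """Constructed stand-in for boto3's IAM client: serves canned pages with the
    real response shape and records every mutating call for inspection."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def list_entities_for_policy(self, PolicyArn, Marker=None):
        idx = int(Marker) if Marker else 0
        page = dict(self.pages[idx])
        if idx + 1 < len(self.pages):
            page.update(IsTruncated=True, Marker=str(idx + 1))
        else:
            page["IsTruncated"] = False
        return page

    def detach_role_policy(self, **kw): self.calls.append(("detach_role_policy", kw))
    def detach_user_policy(self, **kw): self.calls.append(("detach_user_policy", kw))
    def detach_group_policy(self, **kw): self.calls.append(("detach_group_policy", kw))
    def delete_policy(self, **kw): self.calls.append(("delete_policy", kw))


# Constructed sample input: the error text from the issue, and a two-page listing
# in which the policy is attached only to the function's execution role.
SAMPLE_ERROR = ("Error: deleting IAM Policy (arn:aws:iam::'my-account-id':policy/'my-lambda-name'-vpc): "
                "operation error IAM: DeletePolicy, https response error StatusCode: 409, "
                "RequestID: 'my-request-id', DeleteConflict: Cannot delete a policy attached to entities.")
SAMPLE_PAGES = [
    {"PolicyRoles": [{"RoleName": "my-lambda-exec-role"}], "PolicyUsers": [], "PolicyGroups": []},
    {"PolicyRoles": [], "PolicyUsers": [], "PolicyGroups": []},
]


def demo():
    """Dry run first, then the real detach+delete against the fake client."""
    arn = policy_arn_from_error(SAMPLE_ERROR)
    iam = FakeIAM(SAMPLE_PAGES)
    plan = detach_and_delete(iam, arn, expected={("role", "my-lambda-exec-role")}, dry_run=False)
    return arn, plan, iam.calls


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run the dry run first and compare the plan with what Terraform intends to destroy; if the policy turns out to be attached to roles outside the module, detaching it out of band removes permissions those roles rely on. Two further caveats for the real client: IAM also refuses `DeletePolicy` while non-default policy versions exist, so those must be deleted first, and a policy detached manually will still be in Terraform state, so a subsequent `terraform apply` is what reconciles the change rather than the script itself.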
