Terraform-provider-aws: TerraForm is not flagging changes to computed values of aws_lambda_function

Created on 10 Jan 2018  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @ChristopherGAndrews as hashicorp/terraform#17070. It was migrated here as a result of the provider split. The original body of the issue is below._


I have a module that contains an AWS Lambda function so that it is easy to apply this function to different AWS Accounts. I have the module configured to publish a new version every time the zip is updated. There is an aws_lambda_alias called "production" that is associated with this latest version of the Lambda, so that a CloudWatch Event can target that specific version. We do not want to target $LATEST, because that can be edited. We do not want to have to track the version numbers of the Lambda function across all of the accounts, so we tie it to the last version. When I update the local ZIP file with a new version of the Lambda function, Terraform will update the code in AWS, increment the version at AWS, record these changes in the TerraForm state, and the values of qualified_arn and version, but all resources dependent on the qualified_arn and version changing do not see the change and so do not update. Everything that is set to use "${aws_lambda_function.main.version}" fails to update until you run TerraForm a second time.

Terraform Version

Terraform v0.11.1

  • provider.aws v1.6.0
  • provider.null v1.0.0

Terraform Configuration Files

Tags and environment variables removed to reduce clutter:

```
resource "aws_lambda_function" "check_alerts" {
  filename         = "${var.module_path}check_alerts.zip"
  function_name    = "check_alerts"
  description      = "Check for EC2 instance scheduled for reboot or retirement"
  role             = "${aws_iam_role.check_alerts.arn}"
  handler          = "check_alerts.lambda_handler"
  source_code_hash = "${base64sha256(file("${var.module_path}check_alerts.zip"))}"
  runtime          = "python2.7"
  timeout          = 30
  publish          = true
}

resource "aws_lambda_alias" "check_alerts" {
  depends_on       = ["aws_lambda_function.check_alerts"]
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${aws_lambda_function.check_alerts.arn}"
  function_version = "${aws_lambda_function.check_alerts.version}"
}
```

Even running this through a null data source does not help.

```
data "null_data_source" "check_alerts" {
  depends_on = ["aws_lambda_function.check_alerts"]
  inputs = {
    "version" = "${aws_lambda_function.check_alerts.version}"
  }
}

resource "aws_lambda_alias" "check_alerts" {
  depends_on       = ["data.null_data_source.check_alerts"]
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${aws_lambda_function.check_alerts.arn}"
  function_version = "${data.null_data_source.check_alerts.inputs.version}"
}
```

Moving the alias out of the module does not help either:

```
resource "aws_lambda_alias" "check_alerts" {
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${module.check_alerts.check_alerts-arn}"
  function_version = "${module.check_alerts.check_alerts-version}"
}
```

Debug Output

The Lambda function was at version = 4 when terraform plan -out terraform.out was run. You can see the new version and qualified arn coming back to TerraForm during the terraform apply terraform.out:

2018-01-09T12:52:59.358-0500 [DEBUG] plugin.terraform-provider-aws_v1.6.0_x4.exe: 2018/01/09 12:52:59 [DEBUG] [aws-sdk-go] {"CodeSha256":"sBEY9yTx9rmrattAiq6KStbhRy4JJSh8fojUKuGICAs=","CodeSize":2220,"DeadLetterConfig":null,"Description":"Check for EC2 instance scheduled for reboot or retirement","Environment":{"Error":null,"Variables":{"env_ec2_regions":"us-east-1;us-east-2;us-west-1;us-west-2","env_op_code":"1.1.19","env_op_url":"https://XXXXXXXX/cccccccc","env_sesconfset":"XXXXXXX","env_sesfrom":"XXXXXXX","env_sesto":"XXXXXXX"}},"FunctionArn":"arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:5","FunctionName":"check_alerts","Handler":"check_alerts.lambda_handler","KMSKeyArn":null,"LastModified":"2018-01-09T17:52:59.200+0000","MasterArn":null,"MemorySize":128,"RevisionId":null,"Role":"arn:aws:iam::XXXXXXXXXX:role/lambda_check_alerts","Runtime":"python2.7","Timeout":30,"TracingConfig":{"Mode":"PassThrough"},"Version":"5","VpcConfig":{"SecurityGroupIds":[],"SubnetIds":[],"VpcId":null}}

The state output section after the run is now set to 5, like it should be:

aws_lambda_function.check_alerts |  
-- | --
type | "aws_lambda_function"
depends_on |  
0 | "aws_iam_role.check_alerts"
primary |  
id | "check_alerts"
attributes |  
arn | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts"
dead_letter_config.# | "0"
description | "Check for EC2 instance scheduled for reboot or retirement"
version | "5"
vpc_config.# | "0"
meta | {}
tainted | false
deposed | []
provider | "provider.aws"

The Lambda Alias is still stuck at 4:

```
aws_lambda_alias.check_alerts |  
-- | --
type | "aws_lambda_alias"
depends_on |  
0 | "aws_lambda_function.check_alerts"
primary |  
id | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
attributes |  
arn | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
description | "The Production version of check_alerts"
function_name | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts"
function_version | "4"
id | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
name | "prod_check_alerts"
meta | {}
tainted | false
deposed | []
provider | "provider.aws"
```

Crash Output

NA

Expected Behavior

You should run TerraForm once to update the Lambda function and alias

  1. Update the lambda function in the local zip file
  2. terraform plan -out terraform.plan
    1. The Lambda function file hash change is noted, triggering an update
    2. The Lambda Function Alias has its version flagged to be updated
  3. terraform apply terraform.plan
    1. The Lambda function is updated
    2. The Lambda Function Alias is updated

Actual Behavior/Steps to Reproduce

You have to run terraform twice to update the alias

  1. Update the lambda function in the local zip file
  2. terraform plan -out terraform.plan
    1. The Lambda function file hash change is noted, triggering an update
  3. terraform apply terraform.plan
    1. The Lambda function is updated
    2. The Lambda Function Alias is NOT updated
  4. terraform plan -out terraform.plan
    1. The Lambda Function Alias has its version flagged to be updated
  5. terraform apply terraform.plan
    1. The Lambda Function Alias is updated

Additional Context

The Lambda function and all of its related objects:

  • CloudWatch logging
  • CloudWatch Event Rule/Target
  • IAM role
  • Lambda Permissions
  • Lambda Alias

are inside of a TerraForm module.

References


All 6 comments

I understand now, the computed values in the resource schema are only updated on create. There is a ComputedWhen attribute that can be added, but it is broken/not implemented.

It seems that the CustomizeDiff option might be the way to go here. Adding this to resource_aws_lambda_function.go could fix this issue.

I just pushed a PR up that should address this issue. I've been running with a patched version of the provider today and it fixes this problem for me.

I did not see your PR and just added my own #3043. There are two other attributes that need to be SetNewComputed:

  • last_modified - This needs to be recomputed any time there is a change to the Lambda code, even if publish = false
  • qualified_arn - This needs to be updated only if publish = true
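
The rules described in the comments above, as a simplified Go model added here for illustration (it is not the provider's code or either PR's patch). `Attrs`, `Unknown`, `customizeDiff`, `planFunction` and `aliasFlagged` are hypothetical names, and the sample values are constructed; the model shows why an alias interpolating `version` is only flagged at plan time once the computed attributes are marked as changing.

```go
package main

import "fmt"

// Simplified model of plan-time diffing. Attrs, Unknown and the functions
// below are hypothetical names, not the Terraform helper/schema API.
const Unknown = "<computed>"

type Attrs map[string]string

// customizeDiff marks computed attributes as unknown at plan time when the
// code hash changes, following the rules listed in the comment above.
func customizeDiff(state, config, plan Attrs) {
	if state["source_code_hash"] == config["source_code_hash"] {
		return
	}
	plan["last_modified"] = Unknown // any code change, even with publish = false
	if config["publish"] == "true" {
		plan["version"] = Unknown
		plan["qualified_arn"] = Unknown
	}
}

// planFunction returns the values dependents see during plan; without the fix, computed values come from state.
func planFunction(state, config Attrs, withFix bool) Attrs {
	plan := Attrs{}
	for k, v := range state {
		plan[k] = v
	}
	for k, v := range config {
		plan[k] = v
	}
	if withFix {
		customizeDiff(state, config, plan)
	}
	return plan
}

// aliasFlagged reports whether the plan would update an alias that interpolates the function's version.
func aliasFlagged(aliasVersion string, fn Attrs) bool {
	return fn["version"] != aliasVersion
}

func main() {
	// Constructed sample values mirroring the issue: alias and function both at 4.
	state := Attrs{"source_code_hash": "old", "publish": "true", "version": "4"}
	config := Attrs{"source_code_hash": "new", "publish": "true"}
	fmt.Println("alias flagged without fix:", aliasFlagged("4", planFunction(state, config, false)))
	fmt.Println("alias flagged with fix:   ", aliasFlagged("4", planFunction(state, config, true)))
}
```

Without the fix the alias plan resolves `version` to the stale state value, which matches the two-run behaviour reported in the issue.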

Thanks to @mdlavin the fix for this has been merged into master and will be released in v1.10.0 of the AWS provider, likely later today or Monday. 🎉

This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
