Terraform-provider-aws: aws_lambda_function qualified_arn isn't updated after changing publish to true

Created on 26 Mar 2019 · 6 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
+ provider.archive v1.2.0
+ provider.aws v2.2.0
+ provider.local v1.2.0
+ provider.template v2.1.0

Affected Resource(s)

  • aws_lambda_function

Terraform Configuration Files

resource "aws_lambda_function" "originrequest_lambda" {
  filename = "${path.module}/artifacts/lambda.zip"
  function_name = "myedgescript"
  role = "${aws_iam_role.myedgerole.arn}"
  handler = "index.handler"

  source_code_hash = "${data.archive_file.myedgescriptarchive.output_base64sha256}"
  runtime = "nodejs8.10"
}

resource "aws_cloudfront_distribution" "mydistribution" {
    enabled = true

    # there are heaps of settings here, but I've omitted them for the sake of brevity

    default_cache_behavior {
        lambda_function_association {
            event_type = "origin-request"
            lambda_arn = "${aws_lambda_function.originrequest_lambda.qualified_arn}"
            include_body = false
        }
    }
}

Note that I forgot to include publish = true in my lambda function resource. I have since amended it.

resource "aws_lambda_function" "originrequest_lambda" {
  filename = "${path.module}/artifacts/lambda.zip"
  function_name = "myedgescript"
  role = "${aws_iam_role.myedgerole.arn}"
  handler = "index.handler"

  source_code_hash = "${data.archive_file.myedgescriptarchive.output_base64sha256}"
  runtime = "nodejs8.10"
  publish = true
}

Expected Behavior

CloudFront Distribution should be updated to include the Lambda@Edge function based on the version number, which is now present because publish has been changed to true.

Actual Behavior

Terraform still tries to add the Lambda@Edge function using the $LATEST alias. CloudFront Distribution throws aws_cloudfront_distribution.mydistribution: error updating CloudFront Distribution (***********): InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.) ARN: arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:test.example.com_originrequest:$LATEST.

Steps to Reproduce

  1. Create a module with a CloudFront Distribution that has a Lambda@Edge function that has publish set to false
  2. Apply it. It should fail with (expected)
  3. Update the module to add publish = true on the Lambda function
  4. Apply it. Notice it still fails.

Workaround

Changing the function_name will cause the qualified_arn to be updated.
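
A pre-apply check for the failure described in this issue, as an added example that is not part of the original issue or of the provider's code. It assumes a JSON plan produced by `terraform show -json` (Terraform 0.12 or later); the function names, the account ID and the sample plan are constructed here.

```python
import re

# arn:<partition>:lambda:<region>:<account>:function:<name>[:<qualifier>]
# Dots are accepted in <name> only so ARNs shaped like the one quoted in the issue parse.
ARN_RE = re.compile(
    r"arn:aws[\w-]*:lambda:[a-z0-9-]+:\d{12}:function:[\w.-]+(?::([^:]+))?"
)

def classify_lambda_arn(arn):
    """Return 'version', 'latest', 'alias', 'unqualified' or 'invalid'."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        return "invalid"
    qualifier = m.group(1)
    if qualifier is None:
        return "unqualified"
    if qualifier == "$LATEST":
        return "latest"
    return "version" if re.fullmatch(r"[0-9]+", qualifier) else "alias"

def edge_association_problems(plan):
    """List (address, event_type, kind) for associations CloudFront would reject."""
    problems = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudfront_distribution":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        behaviors = (after.get("default_cache_behavior") or []) + \
                    (after.get("ordered_cache_behavior") or [])
        for behavior in behaviors:
            for assoc in behavior.get("lambda_function_association") or []:
                arn = assoc.get("lambda_arn")
                if not isinstance(arn, str):
                    continue  # not known until apply; absent from "after"
                kind = classify_lambda_arn(arn)
                if kind != "version":
                    problems.append((rc.get("address"), assoc.get("event_type"), kind))
    return problems

# Constructed plan fragment, trimmed to the fields the check reads.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "aws_cloudfront_distribution.mydistribution",
    "type": "aws_cloudfront_distribution",
    "change": {"after": {"default_cache_behavior": [{
        "lambda_function_association": [{
            "event_type": "origin-request",
            "lambda_arn": "arn:aws:lambda:us-east-1:123456789012:function:myedgescript:$LATEST",
        }]}]}},
}]}
```

Running `edge_association_problems` on the parsed plan before `terraform apply` surfaces a stale `$LATEST` value without waiting for CloudFront to reject the update.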


All 6 comments

It's unable to attach an existing Lambda through a data source to CloudFront because qualified_arn always returns :$LATEST

As a workaround: "${data.aws_lambda_function.existing.arn}:1"
But in Terraform provider versions < 2.0, arn will return output as qualified_arn; see https://github.com/terraform-providers/terraform-provider-aws/issues/4446

Hi @monolithh, sorry for the very delayed response. I meant to reply but had completely forgotten.

> qualified_arn always return :$LATEST

I'm not sure this is accurate. After I changed function_name to destroy and recreate the function, qualified_arn returned the qualified (non-aliased) ARN and it worked happily in cloudfront. It seems if qualified_arn is retrieved on a function that's not published then it will always return $LATEST (even after the function is published) but if the function was published from the start then it will include the function version as expected.

This issue was fixed for the data type, but it looks like it has resurfaced for the data type, also.
See https://github.com/terraform-providers/terraform-provider-aws/issues/4446.

I just ran into this issue and am considering contributing a PR. Is anyone already working on it?

I believe this issue is closed by https://github.com/terraform-providers/terraform-provider-aws/issues/14934

_edit: After running the tests, issue https://github.com/terraform-providers/terraform-provider-aws/issues/8081 is still a problem. I need to look at this again, but I'll resubmit a PR that addresses this._

This has been released in version 3.14.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
