Terraform-provider-aws: Changes to Lambda environment variables don't trigger a new version publication

Created on 31 Aug 2020 · 11 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform CLI: 0.13.1
AWS Provider Version: 3.4.0

Affected Resource(s)

  • aws_lambda_function
  • aws_lambda_alias

Terraform Configuration Files

resource "aws_lambda_alias" "voice-gram-skill-alias" {
    description = "Production version"
    function_name = aws_lambda_function.voice-gram-skill.function_name
    function_version = aws_lambda_function.voice-gram-skill.version
    name = "prod"
}

resource "aws_lambda_function" "voice-gram-skill" {
    function_name = "voice-gram-skill"
    handler = "index.handler"
    publish = true
    layers = [
        "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:ffmpeg:2",
        aws_lambda_layer_version.voice-gram-layer.arn,
    ]
    memory_size = 192
    reserved_concurrent_executions = -1
    role = aws_iam_role.voice-gram-role.arn
    runtime = "python3.8"
    tags = local.tags
    timeout = 10

    source_code_hash = data.archive_file.zip-folders["skill"].output_base64sha256
    s3_bucket = aws_s3_bucket.voice-gram-bucket.bucket
    s3_key = aws_s3_bucket_object.voice-gram-artifacts["skill"].key
    s3_object_version = aws_s3_bucket_object.voice-gram-artifacts["skill"].version_id

    environment {
        variables = {
            ......
        }
    }

    timeouts {}

    tracing_config {
        mode = "PassThrough"
    }
}

Expected Behavior

When I plan that configuration after changing environment variables, voice-gram-skill-alias should get the value for function_version after the new version of voice-gram-skill has been published. The documentation also states _qualified_arn - The Amazon Resource Name (ARN) identifying your Lambda Function Version (if versioning is enabled via publish = true)_.

Actual Behavior

Actually, when I plan this configuration, voice-gram-skill-alias is set to $LATEST and doesn't wait for the voice-gram-skill version to be published even if publish is set to true, as you can see below. Furthermore, version and qualified_arn aren't updated and remain set to $LATEST.

+ resource "aws_lambda_alias" "voice-gram-skill-alias" {
      + arn              = (known after apply)
      + description      = "Production version"
      + function_name    = "voice-gram-skill"
      + function_version = "$LATEST" <-- THIS SHOULD BE (known after apply)
      + id               = (known after apply)
      + invoke_arn       = (known after apply)
      + name             = "prod"
}

# module.aws.aws_lambda_function.voice-gram-skill will be updated in-place
  ~ resource "aws_lambda_function" "voice-gram-skill" {
        arn                            = "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:function:voice-gram-skill"
        function_name                  = "voice-gram-skill"
        handler                        = "index.handler"
        id                             = "voice-gram-skill"
        invoke_arn                     = "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:xxxxxxxxxxx:function:voice-gram-skill/invocations"
        last_modified                  = "2020-08-30T19:15:34.633+0000"
        layers                         = [
            "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:ffmpeg:2",
            "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:voice-gram:12",
        ]
        memory_size                    = 192
        publish                        = true
        qualified_arn                  = "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:function:voice-gram-skill:$LATEST" <-- THIS IS NOT UPDATED TOO
        reserved_concurrent_executions = -1
        role                           = "arn:aws:iam::xxxxxxxxxx:role/voice-gram"
        runtime                        = "python3.8"
        s3_bucket                      = "voice-gram"
        s3_key                         = "artifacts/skill"
        s3_object_version              = "asdasdadasdadasdasdasdasdadsa"
        source_code_hash               = "ONBXtembDHc8urPkxxUVOEUmVcA1vbqX5t6v5VUgITc="
        source_code_size               = 23783
        tags                           = {
            "skill" = "voice-gram"
        }
        timeout                        = 10
        version                        = "$LATEST" <-- THIS IS NOT UPDATED TOO

      ~ environment {
          ~ variables = {
                ....
            }
        }

        timeouts {}

        tracing_config {
            mode = "PassThrough"
        }
    }

Steps to Reproduce

  1. Apply an aws_lambda_function with environment variables and publish set to true
  2. Edit only environment variables (if you change the code, it works)
  3. terraform plan

Labels: bug, good first issue, service/lambda
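
A plan-time check for the symptom reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON produced by `terraform show -json <planfile>` and reports aliases planned with a literal `$LATEST` function_version while the function they reference sets publish = true. The sample plan is constructed from the values in this issue, and the check assumes the alias refers to the function by name rather than by ARN.

```python
import json

# Constructed sample, trimmed to the fields the check reads; it mirrors the
# plan shown in this issue and is not real `terraform show -json` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.aws.aws_lambda_function.voice-gram-skill",
     "type": "aws_lambda_function",
     "change": {"actions": ["update"], "after_unknown": {},
                "after": {"function_name": "voice-gram-skill",
                          "publish": True, "version": "$LATEST"}}},
    {"address": "module.aws.aws_lambda_alias.voice-gram-skill-alias",
     "type": "aws_lambda_alias",
     "change": {"actions": ["create"], "after_unknown": {"arn": True},
                "after": {"function_name": "voice-gram-skill",
                          "name": "prod", "function_version": "$LATEST"}}},
]})


def aliases_pinned_to_latest(plan_json):
    """Return addresses of aliases planned at $LATEST for publish=true functions."""
    changes = [c for c in json.loads(plan_json).get("resource_changes", [])
               if c["change"].get("after") is not None]  # skip deletions
    publishing = {c["change"]["after"].get("function_name")
                  for c in changes
                  if c["type"] == "aws_lambda_function"
                  and c["change"]["after"].get("publish")}
    flagged = []
    for c in changes:
        if c["type"] != "aws_lambda_alias":
            continue
        after = c["change"]["after"]
        # A "(known after apply)" value is left out of `after` and marked true
        # in `after_unknown`: the alias will follow the newly published version.
        if (c["change"].get("after_unknown") or {}).get("function_version"):
            continue
        # Assumption: the alias names the function by function_name, not by ARN.
        if (after.get("function_version") == "$LATEST"
                and after.get("function_name") in publishing):
            flagged.append(c["address"])
    return flagged


if __name__ == "__main__":
    for address in aliases_pinned_to_latest(SAMPLE_PLAN):
        print(f"{address}: function_version is $LATEST, publish = true")
```

Run as a CI gate before apply, a non-empty result means the prod alias would track unpublished `$LATEST` code and configuration instead of a fixed version.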

All 11 comments

I don't think the issue is limited to just environment variable changes, although this is probably the most likely config to change; it seems any config change didn't result in a new version being published.

I've raised a PR to attempt a fix.

@grahamhar I've just noticed that a new version is always created if publish is set to true even if there are no code changes. The difference is that the version is published, but aliases are not updated. I've just run plan and there wasn't any new planned version, but if I go to the function page on AWS I can see that a new version has been created, but aliases weren't updated to the latest version.

@acerbisgianluca I added a new acceptance test first before writing the fix which seemed to prove the failure to publish the new version, adding the new code made the tests pass, so I'm reasonably sure #15116 will fix what you are seeing, or maybe we're seeing a different issue?

Mhh I don't know, we will see when your PR is merged. Now I'm pretty confused lol and I might have misunderstood your PR.

Btw I was looking at the code and I found this: https://github.com/terraform-providers/terraform-provider-aws/blob/4ac98ce9911f302cb7181db28d4a8772b5e67112/aws/resource_aws_lambda_function.go#L927
Actually a new version is published, but this change is not detected as a dependency for other resources, for example when an alias must point to the latest released version. Is your PR going to fix this?

My fork was old so I didn't see that 🤦 looks like my PR is redundant and I just need to update the provider version!

@acerbisgianluca update of provider didn't work, I think I found the culprit though:

https://github.com/terraform-providers/terraform-provider-aws/blob/4ac98ce9911f302cb7181db28d4a8772b5e67112/aws/resource_aws_lambda_function.go#L273-L283

The updated version is only stored if there is a code change, I'll try to figure out a fix

I think you should only update the if condition from if needsFunctionCodeUpdate(d) to if needsFunctionCodeUpdate(d) || configUpdate. I've never used Go, so I don't know if it's sufficient. You should also pass configUpdate to the function.

@gdavison I've raised a PR for this and I think I have met all the requirements, if not could you help me out as it is my first PR against this repo. How do I go about moving forward on getting a review done?

Just got hit with this last week whilst working on a project. Would be a great help to get this fixed @gdavison, @bflad, @YakDriver 🙂 Anything we can do to prioritise this?

This has been released in version 3.13.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
