aws_lambda_function is unable to detect code changes

[jonapich]

The aws_lambda_function resource look like it supports hashing the code file:

aws_lambda_function.some-lambda: Creating...
  (edited for clarity)
  source_code_hash: "" => "<computed>"

But the source_code_hash does not appear in the state file. Changes to the source file does not trigger a lambda function code update. Tainting the resource manually seems to be the only way.

[jonapich]

If I may add, about aws lambda specifics - when using the AWS API to 'update' the code of an existing function, new versions are created (also called aliases) and old ones can still be targeted. This is different from destroying/recreating the lambda function.

[yissachar]

Related to #4897

[night0wl]

I noticed the same thing. I had a look at the source code, although I'm pretty new to GoLang, so I may have missed something. It looks like it should be saving the source_code_hash in the state file.

In terraform/builtin/providers/aws/resource_aws_lambda_function.go I see
func resourceAwsLambdaFunctionCreate(d *schema.ResourceData, meta interface{}) error { (line 128)

followed by
d.Set("source_code_hash", sha256.Sum256(zipfile)) (line146)

So far as I can tell, invoking the ResourceData.Set method should add it to a map to be output in the state file. Evidently it's not that simple. I tried adding source_code_hash to the state file manually, but this had no effect either, so it seems this is being filtered for some reason.

[daveadams]

I admit to not grokking Terraform's resource plugin model all that well. Wild guess is that at the very least resourceAwsLambdaFunctionRead should be reading the hash value from the API into its data structure.

[mschurenko]

+1 for fixing this.

[radeksimko]

WIP in #5239
currently blocked by #5305

[radeksimko]

#5239 is now finished, waiting for review & merge. Feel free to test the bugfix/functionality from that branch.

[radeksimko]

Hi,
updates for Lambda function have been implemented as part of #5239 and will be part of the next release.

It will be possible to trigger an update of a Lambda function by specifying an optional attribute source_code_hash, e.g.

resource "aws_lambda_function" "test_lambda" {
  filename = "lambda_function_payload.zip"
  function_name = "lambda_function_name"
  role = "${aws_iam_role.iam_for_lambda.arn}"
  handler = "exports.test"
  source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
}

The update mechanism is also documented and docs update will be released along with the next version which makes it possible to update Lambda function.

In regards to use of Lambda aliases as versioning mechanisms, I'd be happy to discuss suggestions and ideas on how to approach that problem in a separate issue if there's any interest.

[alexissmirnov]

source_code_hash doesn't appear to trigger the update the lambda function when it is used in conjunction with s3_bucket/s3_key. Is that a different bug?

[mikewaters]

@alexissmirnov seeing the same behavior here with v0.9.2.

[duxan]

An alternative way to update lambda function on code change, when sourced from S3, would be to set S3 bucket versioning and set lambda zip version:

data "aws_s3_bucket_object" "lambda_zip" {
  bucket  = "bucket_name"
  key     = "lambda.zip"
}

resource "aws_lambda_function" "run_hll_lambda" {
  s3_bucket         = data.aws_s3_bucket_object.lambda_zip.bucket
  s3_key            = data.aws_s3_bucket_object.lambda_zip.key
  s3_object_version = data.aws_s3_bucket_object.lambda_zip.version_id
  function_name     = "Lambda_name"
  role              = aws_iam_role.lambda_iam.arn
  handler           = "lambda_function.lambda_handler"
  runtime           = "python3.7"
}

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.