terraform-provider-archive

Hash-code of lambda function code file changes if run in different shell/os

Open ghost opened this issue 6 years ago • 6 comments

This issue was originally opened by @wadhekarpankaj as hashicorp/terraform#22397. It was migrated here as a result of the provider split. The original body of the issue is below.


Hello, I am using the lambda module to create a lambda function in AWS. However, the value of source_code_hash changes if I try to do terraform plan/apply in a different shell or OS. The code contents are the same every time I run terraform init. This code is used by multiple users and they have different OSes. We need a solution to avoid this. Hope the issue is clear.

Terraform version

Terraform v0.11.11

Terraform code

data "archive_file" "lambda_code" {
  type        = "zip"
  source_file = "${path.module}/functions/lambda-function.py"
  output_path = "${path.module}/functions/lambda-function.zip"
}

resource "aws_lambda_function" "lambda_function" {
  filename         = "${replace(substr(data.archive_file.lambda_code.output_path, length(path.cwd) + 1, -1), "\\", "/")}"
  function_name    = "my-test-function"
  role             = "${aws_iam_role.iam_for_lambda.arn}"
  handler          = "lambda-function.lambda_handler"
  source_code_hash = "${data.archive_file.lambda_code.output_base64sha256}"
  runtime          = "python2.7"
  timeout          = "60"

  lifecycle {
    ignore_changes = [
      "filename",
      "last_modified",
    ]
  }
}

Actual Behavior

In Windows- No changes. Infrastructure is up-to-date. In Ubuntu-

~   aws_lambda_function.lambda_function
      source_code_hash: "7/j4FEt6mgWVm+t991ffkck72xH9LGJvesyNqeC8ETc=" => "/S9mgjpI5UBGSRpMVQUv8HJkj3jeKGnWvsSPW4QiMzY="

and vice versa

Expected Behavior

In Windows- No changes. Infrastructure is up-to-date. In Ubuntu- No changes. Infrastructure is up-to-date.

ghost, Aug 16 '19 00:08

@wadhekarpankaj I just ran foul of this, but found that the issue was down to permissions on the source files.

On one ubuntu host the source file had 0664 permissions, whilst on the other it had 0644. These read-write permissions aren't tracked by git, hence it was possible for them to be different between hosts. However, these permissions are stored in the resultant zip file.

I've not tried this on Windows, but I imagine it would be difficult (if not impossible) to get identical zip files as the permissions models are so different.

I don't think this is a terraform (or provider issue) really, it's just that we're stretching the usage of terraform a little far expecting it to create perfectly reproducible zip files across multiple platforms. It would be better to have some other tooling managing the zip files in an earlier part of the pipeline.

mf-lit, Aug 28 '19 15:08

Hello @mf-lit , Thank you for your response. I do agree with you regarding git not tracking file permissions. I am also doing a few experiments to figure out how I can do this with the existing capabilities of terraform. I can try to avoid zipping or try another approach for the same.

Regards, Pankaj

wadhekarpankaj, Oct 21 '19 06:10

Actually I think there is even a PR that has never been reviewed for this issue, see #47

ThinkBriK, Oct 25 '19 09:10

I think this should be closed as a duplicate of #34?

chrisbloe, Aug 27 '21 12:08

Adding output_file_mode = "0644" (or any other value) to the "archive_file" solved this for me, as the default file mode is different on different OS, causing the file hash to change.

asaf-kali, Nov 26 '23 14:11
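
Added example (not part of the thread and not the provider's code): a Python model of the cause described in the comments above. It shows that each zip entry records the Unix file mode, so 0664 versus 0644 on identical bytes changes the base64 SHA-256, while pinning the mode (what `output_file_mode` does) makes the hash independent of the host. The sample source, the fixed timestamp and the helper names are constructed for illustration.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample input standing in for functions/lambda-function.py.
SOURCE = b"def lambda_handler(event, context):\n    return 'ok'\n"
FIXED_TIME = (2020, 1, 1, 0, 0, 0)  # pinned so that only the mode varies


def build_zip(name, data, mode):
    """Return a single-entry zip whose entry records the given Unix mode."""
    info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
    info.create_system = 3  # 3 = Unix; set explicitly so any host gives the same bytes
    info.compress_type = zipfile.ZIP_DEFLATED
    info.external_attr = (0o100000 | mode) << 16  # regular file + permission bits
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, data)
    return buf.getvalue()


def base64sha256(blob):
    """Base64 of the raw SHA-256 digest, the encoding compared in the plan diff."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode()


def stored_mode(blob):
    """Read back the permission bits recorded for the first entry."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return (zf.infolist()[0].external_attr >> 16) & 0o777


def archive_hash(data, host_mode, output_file_mode=None):
    """Hash of the archive; a pinned output_file_mode overrides the host's mode."""
    mode = host_mode if output_file_mode is None else output_file_mode
    return base64sha256(build_zip("lambda-function.py", data, mode))


if __name__ == "__main__":
    for host_mode in (0o664, 0o644):  # the two hosts described in the thread
        print(oct(host_mode), "unpinned:", archive_hash(SOURCE, host_mode))
        print(oct(host_mode), "pinned:  ", archive_hash(SOURCE, host_mode, 0o644))
```

The archive hash covers metadata as well as content, so a pipeline that compares it across hosts needs every recorded field (mode, timestamp, creating system) pinned, not just the file bytes.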