terraform-aws-lambda

Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run

Open juergenz opened this issue 1 year ago • 2 comments

Description

Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 7.7.0

  • Terraform version: Terraform v1.9.2

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v5.59.0
    provider registry.terraform.io/hashicorp/external v2.3.3
    provider registry.terraform.io/hashicorp/local v2.5.1
    provider registry.terraform.io/hashicorp/null v3.2.2

Reproduction Code [Required]

module "lambda_function" {
  source        = "terraform-aws-modules/lambda/aws"
  version       = "7.7.0"

  function_name = "lambda-simple"
  handler       = "index.lambda_handler"
  runtime       = "python3.12"

  source_path = ["index.py"]
}

import boto3
import botocore

def lambda_handler(event, context):
   print(f'boto3 version: {boto3.__version__}')
   print(f'botocore version: {botocore.__version__}')

Steps to reproduce the behavior:

  1. Deploy lambda function - terraform apply
  2. Confirm there are no pending changes - terraform plan / terraform apply
  3. Change and deploy code in AWS console - e.g. insert a print("test")
  4. Run terraform plan again

Expected behavior

A change to source_code_hash should be detected.

Actual behavior

No change is detected.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Additional context

Not sure if this is intended behavior looking at following code but from my perspective it would be useful to have the option to always check for a drift of source_code_hash.

was_missing = var.local_existing_package != null ? !fileexists(var.local_existing_package) : local.archive_was_missing

...

source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null

juergenz, Jul 22 '24 12:07

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot], Aug 22 '24 00:08

I could not reproduce this issue. It works like it should, changes are being tracked properly.

Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).

If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

antonbabenko, Aug 23 '24 19:08

> I could not reproduce this issue. It works like it should, changes are being tracked properly.
>
> Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).
>
> If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

Faced the same issue, doing a change to the code through the AWS Console (directly through the code editor, no zip upload etc.). This code change results in a change for the SHA256 hash which is also reflected in the terraform state.

e.g. for some lambda resource terraform state show "module.application_lambda.aws_lambda_function.this[0]"

Will give you the updated code_sha256 but the source_code_hash won't be updated/changed, when doing manual code changes through the AWS Console.

I guess the code_sha256 is not used to decide if the resource has been changed but only the source_code_hash and the source_code_hash is not updated when doing changes through the AWS Console.

Xan0C, Sep 02 '24 09:09
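
The comparison described in the comment above, as an added example that is not part of the original thread or the module's own code: it walks the JSON form of the Terraform state and reports every aws_lambda_function whose refreshed code_sha256 no longer matches the source_code_hash recorded at apply time, which flags code changed outside Terraform. The state layout follows `terraform show -json`; the sample state, package bytes and the second module name are constructed for illustration.

```python
import base64
import hashlib


def filebase64sha256(data: bytes) -> str:
    """Base64 of the raw SHA-256 digest, the encoding both hash attributes use."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def iter_resources(module: dict):
    """Yield every resource in a state module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_code_drift(state: dict) -> list[str]:
    """Return addresses of Lambda functions whose deployed hash differs from the applied one."""
    drifted = []
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_lambda_function":
            continue
        vals = res.get("values", {})
        applied, deployed = vals.get("source_code_hash"), vals.get("code_sha256")
        if not applied or not deployed:
            continue  # hash tracking disabled (e.g. ignore_source_code_hash) or not recorded
        if applied != deployed:
            drifted.append(res["address"])
    return drifted


# Constructed sample: one function edited in the console after apply, one untouched.
APPLIED = filebase64sha256(b"constructed package as built by terraform")
EDITED = filebase64sha256(b"constructed package after a console edit")
SAMPLE_STATE = {"values": {"root_module": {"child_modules": [
    {"address": "module.lambda_function", "resources": [{
        "address": "module.lambda_function.aws_lambda_function.this[0]",
        "type": "aws_lambda_function",
        "values": {"source_code_hash": APPLIED, "code_sha256": EDITED}}]},
    {"address": "module.untouched", "resources": [{
        "address": "module.untouched.aws_lambda_function.this[0]",
        "type": "aws_lambda_function",
        "values": {"source_code_hash": APPLIED, "code_sha256": APPLIED}}]},
]}}}

if __name__ == "__main__":
    for address in find_code_drift(SAMPLE_STATE):
        print(f"code drift: {address}")
```

To check a real workspace, load the output of `terraform show -json` (after a refresh) with `json.load` and pass it to `find_code_drift`.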

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot], Oct 03 '24 00:10

This issue was automatically closed because of stale in 10 days

github-actions[bot], Oct 13 '24 00:10

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot], Nov 12 '24 02:11