fix: source_code_hash not computed correctly during plan (#5)

chatloop · Sep 10, 2024 · f2fd683 · f2fd683
1 parent f136c87
commit f2fd683
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 32 deletions.
diff --git a/main.tf b/main.tf
@@ -4,32 +4,46 @@ resource "tls_private_key" "key_pair" {
 }
 
 locals {
-  config = jsonencode({
-    AUTH_REQUEST = {
-      client_id     = var.client_id
-      redirect_uri  = var.redirect_uri
-      response_type = "code"
-      response_mode = "query"
-      scope         = "openid email profile"
-    }
-
-    TOKEN_REQUEST = {
-      client_id     = var.client_id
-      grant_type    = "authorization_code"
-      redirect_uri  = var.redirect_uri
-      client_secret = var.client_secret
-    }
-
-    DISTRIBUTION                     = "lambda-edge-azure-auth"
-    PRIVATE_KEY                      = tls_private_key.key_pair.private_key_pem
-    PUBLIC_KEY                       = tls_private_key.key_pair.public_key_pem
-    TENANT                           = var.tenant
-    DISCOVERY_DOCUMENT               = "https://login.microsoftonline.com/${var.tenant}/v2.0/.well-known/openid-configuration"
-    SESSION_DURATION                 = var.session_duration * 60 * 60
-    CALLBACK_PATH                    = regex("https?://.*(/.*$)", var.redirect_uri)[0]
-    TRAILING_SLASH_REDIRECTS_ENABLED = var.trailing_slash_redirects_enabled
-    SIMPLE_URLS_ENABLED              = var.simple_urls_enabled
-  })
+  config_file = {
+    path = "${path.module}/package/config.json"
+
+    contents = jsonencode({
+      AUTH_REQUEST = {
+        client_id     = var.client_id
+        redirect_uri  = var.redirect_uri
+        response_type = "code"
+        response_mode = "query"
+        scope         = "openid email profile"
+      }
+
+      TOKEN_REQUEST = {
+        client_id     = var.client_id
+        grant_type    = "authorization_code"
+        redirect_uri  = var.redirect_uri
+        client_secret = var.client_secret
+      }
+
+      DISTRIBUTION                     = "lambda-edge-azure-auth"
+      PRIVATE_KEY                      = tls_private_key.key_pair.private_key_pem
+      PUBLIC_KEY                       = tls_private_key.key_pair.public_key_pem
+      TENANT                           = var.tenant
+      DISCOVERY_DOCUMENT               = "https://login.microsoftonline.com/${var.tenant}/v2.0/.well-known/openid-configuration"
+      SESSION_DURATION                 = var.session_duration * 60 * 60
+      CALLBACK_PATH                    = regex("https?://.*(/.*$)", var.redirect_uri)[0]
+      TRAILING_SLASH_REDIRECTS_ENABLED = var.trailing_slash_redirects_enabled
+      SIMPLE_URLS_ENABLED              = var.simple_urls_enabled
+    })
+  }
+}
+
+data "external" "create_config" {
+  program = ["sh", "-c", "printf '%s' '${local.config_file.contents}' > ${local.config_file.path} | sh >&2; echo {}"]
+}
+
+resource "local_sensitive_file" "config" {
+  filename   = local.config_file.path
+  content    = local.config_file.contents
+  depends_on = [data.external.create_config]
 }
 
 module "lambda" {
@@ -44,15 +58,12 @@ module "lambda" {
   lambda_at_edge = true
 
   cloudwatch_logs_retention_in_days = 30
-  trigger_on_package_timestamp      = false
+  recreate_missing_package          = false
 
   source_path = {
     path     = "${path.module}/package"
     patterns = ["!.gitignore"]
-    commands = [
-      "printf '%s' '${local.config}' > config.json",
-      ":zip",
-      "rm -f config.json"
-    ]
   }
+
+  depends_on = [local_sensitive_file.config]
 }
diff --git a/readme.md b/readme.md
@@ -13,12 +13,16 @@ Currently, the only supported provider is Microsoft AzureAD.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | ~> 2.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| <a name="provider_external"></a> [external](#provider\_external) | 2.3.4 |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.5.1 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.5 |
 
 ## Modules
@@ -31,7 +35,9 @@ Currently, the only supported provider is Microsoft AzureAD.
 
 | Name | Type |
 |------|------|
+| [local_sensitive_file.config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
 | [tls_private_key.key_pair](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [external_external.create_config](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
 ## Inputs
 

diff --git a/versions.tf b/versions.tf
@@ -6,6 +6,14 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "~> 2.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
     tls = {
       source  = "hashicorp/tls"
       version = "~> 4.0"