TerraForm is not flagging changes to computed values of aws_lambda_function #2915

Closed
hashibot opened this issue Jan 10, 2018 · 6 comments
Labels
bug Addresses a defect in current functionality. service/lambda Issues and PRs that pertain to the lambda service.

@hashibot

This issue was originally opened by @ChristopherGAndrews as hashicorp/terraform#17070. It was migrated here as a result of the provider split. The original body of the issue is below.


I have a module that contains an AWS Lambda function so that it is easy to apply this function to different AWS Accounts. I have the module configured to publish a new version every time the zip is updated. There is an aws_lambda_alias called "production" that is associated with this latest version of the Lambda, so that a CloudWatch Event can target that specific version. We do not want to target $LATEST, because that can be edited. We do not want to have to track the version numbers of the Lambda function across all of the accounts, so we tie it to the last version. When I update the local ZIP file with a new version of the Lambda function, Terraform will update the code in AWS, increment the version at AWS, record these changes in the TerraForm state, and the values of qualified_arn and version, but all resources dependent on the qualified_arn and version changing do not see the change and so do not update. Everything that is set to use "${aws_lambda_function.main.version}" fails to update until you run TerraForm a second time.

Terraform Version

Terraform v0.11.1

  • provider.aws v1.6.0
  • provider.null v1.0.0

Terraform Configuration Files

Tags and environment variables removed to reduce clutter:

resource "aws_lambda_function" "check_alerts" {
  filename         = "${var.module_path}check_alerts.zip"
  function_name    = "check_alerts"
  description      = "Check for EC2 instance scheduled for reboot or retirement"
  role             = "${aws_iam_role.check_alerts.arn}"
  handler          = "check_alerts.lambda_handler"
  source_code_hash = "${base64sha256(file("${var.module_path}check_alerts.zip"))}"
  runtime          = "python2.7"
  timeout          = 30
  publish          = true
}

resource "aws_lambda_alias" "check_alerts" {
  depends_on = ["aws_lambda_function.check_alerts"]
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${aws_lambda_function.check_alerts.arn}"
  function_version = "${aws_lambda_function.check_alerts.version}"
}

Even running this through a null data source does not help.

data "null_data_source" "check_alerts" {
  depends_on = ["aws_lambda_function.check_alerts"]
  inputs = {
      "version" = "${aws_lambda_function.check_alerts.version}"
    }
}

resource "aws_lambda_alias" "check_alerts" {
  depends_on = ["data.null_data_source.check_alerts"]
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${aws_lambda_function.check_alerts.arn}"
  function_version = "${data.null_data_source.check_alerts.inputs.version}"
}

Moving the alias out of the module does not help either:

resource "aws_lambda_alias" "check_alerts" {
  name             = "production"
  description      = "The Production version of check_alerts"
  function_name    = "${module.check_alerts.check_alerts-arn}"
  function_version = "${module.check_alerts.check_alerts-version}"
}

Debug Output

The Lambda function was at version = 4 when terraform plan -out terraform.out was run. You can see the new version and qualified arn coming back to TerraForm during the terraform apply terraform.out.

2018-01-09T12:52:59.358-0500 [DEBUG] plugin.terraform-provider-aws_v1.6.0_x4.exe: 2018/01/09 12:52:59 [DEBUG] [aws-sdk-go] {"CodeSha256":"sBEY9yTx9rmrattAiq6KStbhRy4JJSh8fojUKuGICAs=","CodeSize":2220,"DeadLetterConfig":null,"Description":"Check for EC2 instance scheduled for reboot or retirement","Environment":{"Error":null,"Variables":{"env_ec2_regions":"us-east-1;us-east-2;us-west-1;us-west-2","env_op_code":"1.1.19","env_op_url":"https://XXXXXXXX/cccccccc","env_sesconfset":"XXXXXXX","env_sesfrom":"XXXXXXX","env_sesto":"XXXXXXX"}},"FunctionArn":"arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:5","FunctionName":"check_alerts","Handler":"check_alerts.lambda_handler","KMSKeyArn":null,"LastModified":"2018-01-09T17:52:59.200+0000","MasterArn":null,"MemorySize":128,"RevisionId":null,"Role":"arn:aws:iam::XXXXXXXXXX:role/lambda_check_alerts","Runtime":"python2.7","Timeout":30,"TracingConfig":{"Mode":"PassThrough"},"Version":"5","VpcConfig":{"SecurityGroupIds":[],"SubnetIds":[],"VpcId":null}}

The state output section after the run, is now set to 5, like it should be:

aws_lambda_function.check_alerts |  
-- | --
type | "aws_lambda_function"
depends_on |  
0 | "aws_iam_role.check_alerts"
primary |  
id | "check_alerts"
attributes |  
arn | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts"
dead_letter_config.# | "0"
description | "Check for EC2 instance scheduled for reboot or retirement"
version | "5"
vpc_config.# | "0"
meta | {}
tainted | false
deposed | []
provider | "provider.aws"

The Lambda Alias is still stuck at 4

aws_lambda_alias.check_alerts |  
-- | --
type | "aws_lambda_alias"
depends_on |  
0 | "aws_lambda_function.check_alerts"
primary |  
id | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
attributes |  
arn | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
description | "The Production version of check_alerts"
function_name | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts"
function_version | "4"
id | "arn:aws:lambda:us-east-1:XXXXXXXXXX:function:check_alerts:prod_check_alerts"
name | "prod_check_alerts"
meta | {}
tainted | false
deposed | []
provider | "provider.aws"

Crash Output

NA

Expected Behavior

You should run TerraForm once to update the Lambda function and alias

  1. Update the lambda function in the local zip file
  2. terraform plan -out terraform.plan
    1. The Lambda function file hash change is noted, triggering an update
    2. The Lambda Function Alias has its version flagged to be updated
  3. terraform apply terraform.plan
    1. The Lambda function is updated
    2. The Lambda Function Alias is updated

Actual Behavior/Steps to Reproduce

You have to run terraform twice to update the alias

  1. Update the lambda function in the local zip file
  2. terraform plan -out terraform.plan
    1. The Lambda function file hash change is noted, triggering an update
  3. terraform apply terraform.plan
    1. The Lambda function is updated
    2. The Lambda Function Alias is NOT updated
  4. terraform plan -out terraform.plan
    1. The Lambda Function Alias has its version flagged to be updated
  5. terraform apply terraform.plan
    1. The Lambda Function Alias is updated

Additional Context

The Lambda function and all of its related objects:

  • CloudWatch logging
  • CloudWatch Event Rule/Target
  • IAM role
  • Lambda Permissions
  • Lambda Alias

are inside of a TerraForm module.

References

@ChristopherGAndrews

I understand now, the computed values in the resource schema are only updated on create. There is a ComputedWhen attribute that can be added, but it is broken/not implemented.

It seems that the CustomizeDiff option might be the way to go here. Adding this to resource_aws_lambda_function.go could fix this issue.

@mdlavin
Contributor

mdlavin commented Jan 17, 2018

I just pushed a PR up that should address this issue. I've been running with a patched version of the provider today and it fixes this problem for me.

@ChristopherGAndrews

I did not see your PR and just added my own #3043. There are two other attributes that need to be SetNewComputed:

  • last_modified - This needs to be recomputed any time there is a change to the Lambda code, even if publish = false
  • qualified_arn - This needs to be updated only if publish = true
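The rule discussed in the comments above, sketched as an added example (not code from the provider or from either PR). `resourceDiff` is a local stand-in for the three `*schema.ResourceDiff` methods the check needs, so it compiles without the Terraform SDK; `markComputedOnCodeChange`, `fakeDiff` and `plannedComputed` are hypothetical names, and treating `filename` or `source_code_hash` as the code-change signal is an assumption.

```go
package main

import "fmt"

// resourceDiff mirrors the subset of *schema.ResourceDiff used below (stand-in, see lead-in).
type resourceDiff interface {
	HasChange(key string) bool
	Get(key string) interface{}
	SetNewComputed(key string) error
}

// markComputedOnCodeChange flags attributes that AWS reassigns on a code update as
// unknown at plan time, so dependents such as aws_lambda_alias are planned in the same run.
func markComputedOnCodeChange(d resourceDiff) error {
	// Assumption: a code change appears as a diff on one of these two arguments.
	if !d.HasChange("source_code_hash") && !d.HasChange("filename") {
		return nil
	}
	keys := []string{"last_modified"} // changes on every code update
	if publish, _ := d.Get("publish").(bool); publish {
		// Assumption: version is treated like qualified_arn (only when publishing).
		keys = append(keys, "version", "qualified_arn")
	}
	for _, k := range keys {
		if err := d.SetNewComputed(k); err != nil {
			return fmt.Errorf("marking %s as computed: %w", k, err)
		}
	}
	return nil
}

// fakeDiff is a constructed in-memory diff used to exercise the check offline.
type fakeDiff struct {
	codeChanged, publish bool
	computed             []string
}

func (f *fakeDiff) HasChange(k string) bool       { return f.codeChanged && k == "source_code_hash" }
func (f *fakeDiff) Get(k string) interface{}      { return map[string]interface{}{"publish": f.publish}[k] }
func (f *fakeDiff) SetNewComputed(k string) error { f.computed = append(f.computed, k); return nil }

// plannedComputed returns the attributes that would be shown as unknown in the plan.
func plannedComputed(codeChanged, publish bool) []string {
	d := &fakeDiff{codeChanged: codeChanged, publish: publish}
	if err := markComputedOnCodeChange(d); err != nil {
		panic(err)
	}
	return d.computed
}

func main() { fmt.Println(plannedComputed(true, true), plannedComputed(true, false)) }
```

In a real provider this function would be wired in through the resource's `CustomizeDiff` field, which is the hook named earlier in the thread.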

@radeksimko radeksimko added the service/lambda Issues and PRs that pertain to the lambda service. label Jan 28, 2018
@bflad bflad added this to the v1.10.0 milestone Feb 24, 2018
@bflad
Contributor

bflad commented Feb 24, 2018

Thanks to @mdlavin the fix for this has been merged into master and will be released in v1.10.0 of the AWS provider, likely later today or Monday. 🎉

@bflad bflad closed this as completed Feb 24, 2018
@bflad
Contributor

bflad commented Feb 27, 2018

This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020