Workaround attempt for perpetual diff in lambda with vpc_config

[maciejp-ro]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #15952

Release note for CHANGELOG:

* resource/aws_lambda_function: workaround for perpetual plan with vpc_config [GH-15952]

WIP: Attempt at a workaround for perpetual plan on aws_lambda_function with vpc_config. #15952 is labeled "good first issue", so I tried.

I tracked the cause to d.HasChange("vpc_config") returning true even if vpc_config did not actually change (two results from GetChange are identical as confirmed by reflect.DeepEqual).

I'm not very familiar with either this provider's internals or mechanics of Terraform plugins in general. This might be a bug in terraform-plugin-sdk (search for HasChange in the SDK repo returns some open issues, but they seem to refer to v1 of the SDK) or some subtle issue in the provider itself. Falling back on reflection to compare values seems to be code smell, but this fixes the issue for me and might provide some hints for a real fix.

I haven't figured out how to update tests yet, I'll try to add a test case later. Publishing a draft in the meantime to gather feedback (or help maintainers with finding a proper fix).

TODO: Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

[gdavison]

Hi @maciejp-ro, thanks for putting this together. It's helped me do some deeper investigation. It's related to hashicorp/terraform-plugin-sdk#617; a nested structure with a TypeSet element always returns true for HasChange().

As a workaround, checking HasChange on vpc_config.0.subnet_ids and vpc_config.0.security_group_ids might work, but eventually we'll need to make the fix in https://github.com/hashicorp/terraform-plugin-sdk.

[gdavison]

It took me a while to see this, but this is setting hasVpcConfigChange to true when they're DeepEqual. However, since vpc_config contains TypeSet elements, it will always return not equal, because TypeSets are never DeepEqual

[maciejp-ro]

I have tested this with a real Terraform project and this works: I don't have a plan with this change when a lambda_function has a vpc_config, and have a plan without that change. Additional debug logs show that hasChange("vpc_config") returns true, and reflect.DeepEqual(o, n) also returns true.

I have also tested it against a real change in vpc_config and made sure it shows up in plan.

However, since there can be only one vpc_config, if hasChange("vpc_config.0.subnet_ids") || hasChange("vpc_config.0.security_group_ids") does the trick, it seems to be a cleaner solution – it doesn't need reflection or conditionals. I'll test it.

[gdavison]

For tests, you could make a copy of TestAccAWSLambdaFunction_VPC and its setup function testAccAWSLambdaConfigWithVPC and add publish = true to the aws_lambda_function. For more details on acceptance tests, see https://github.com/hashicorp/terraform-provider-aws/blob/master/docs/contributing/running-and-writing-acceptance-tests.md.

[ewbankkit]

@maciejp-ro Thanks for the contribution 👏.
I'm going to close this one in favor of #17610.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.