Is your feature request related to a problem?
The current version 1.1.0 of the asg submodule uses a "local-exec" provisioner to manage the pip library requirements for the lambda function.
By the nature of local-exec provisioners, they are run when the resource they are defined within is created. Creation-time provisioners are only run during creation, not during updating or any other lifecycle step.
When someone uses the submodule in a CI/CD pipeline with a temporary runtime environment and external state, we get the following behavior:
The first execution of the pipeline is fine: the "terraform apply" runs the local-exec provisioner, downloads the pip libs and consistently creates the resource on AWS and in the state file.
On subsequent executions: if there is a change on the asg resource (e.g. a change in desired capacities), the lambda function is updated without the pip libs. The state reconciles the reference to the previous local-exec, doesn't download the pip libs, and updates the lambda function without the required libs (pan-os-python).
In that scenario, the lambda function execution will fail due to the missing dependency on the panos class: `[ERROR] Runtime.ImportModuleError: Unable to import module 'lambda': No module named 'panos' Traceback (most recent call last):`
Describe the solution you'd like
The resource "null_resource" "python_requirements" should have a triggers block that dictates when it must be executed.
Option 1: verify whether the pip libraries exist; if not, trigger the local-exec provisioner.
Option 2 (temporary): always run the local-exec provisioner, as per this article.
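The following is an added example of what such a triggers block could look like; it is not code from the terraform-aws-vmseries-modules project. It assumes the same `${path.module}/scripts/requirements.txt` layout as the asg submodule and the `hashicorp/null` provider. It shows Option 2 (always re-run) as a working fix for an ephemeral CI runner, and a hash-based trigger as the lighter variant that only covers a persistent filesystem.

```hcl
# Added example, not the module's own code. Pick ONE of the two resources below
# and keep the name "python_requirements" so that existing depends_on
# references in the module keep working.

# Option 2 from the issue: force the provisioner on every apply.
# timestamp() yields a new value on every plan, so Terraform marks the
# null_resource for replacement and the local-exec runs again. This is what
# a temporary CI runner with remote state needs: the libraries are installed
# on the runner before the lambda package is built, regardless of what the
# previous run recorded in the state file.
resource "null_resource" "python_requirements" {
  triggers = {
    always_run = timestamp()
  }

  provisioner "local-exec" {
    command = "pip install --upgrade --target ${path.module}/scripts -r ${path.module}/scripts/requirements.txt"
  }
}

# Variant of Option 1: re-run only when requirements.txt changes.
# filemd5() is a real Terraform function; the hash is stored in state and
# the provisioner re-runs when it differs from the stored value.
# Caveat: this does NOT fix the CI case from this issue. On a fresh runner the
# libraries are always absent, but the hash in remote state is unchanged, so
# the provisioner will not run. A fileexists()-based trigger has the same
# problem: it evaluates to false on every fresh runner, so the stored value
# never changes. Use this variant only where the filesystem persists between
# applies (e.g. a developer workstation or a long-lived runner).
resource "null_resource" "python_requirements_on_change" {
  triggers = {
    requirements_hash = filemd5("${path.module}/scripts/requirements.txt")
  }

  provisioner "local-exec" {
    command = "pip install --upgrade --target ${path.module}/scripts -r ${path.module}/scripts/requirements.txt"
  }
}
```

Whichever trigger is chosen, the resource that zips the scripts directory for the lambda (and therefore the lambda's `source_code_hash`) must depend on the null_resource, otherwise the package can still be built before pip has finished. On Terraform 1.4 and later the same pattern can be written with the built-in `terraform_data` resource and its `triggers_replace` argument, which removes the dependency on the null provider.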
Describe alternatives you've considered.
No response
Additional context
Impacted code in https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/blob/v1.1.0/modules/asg/main.tf, line 239:

```hcl
# Python external dependencies (e.g. panos libraries) are prepared according to document:
# https://docs.aws.amazon.com/lambda/latest/dg/python-package.html
resource "null_resource" "python_requirements" {
  provisioner "local-exec" {
    command = "pip install --upgrade --target ${path.module}/scripts -r ${path.module}/scripts/requirements.txt"
  }
}
```