[Enhancement]: `aws_lambda_function` should require the `source_code_hash` argument under most circumstances

[bengaywins]

Description

When deploying a lambda with TF, if you do not do something about hashing the file, changes are not noticed. And as such, it is very misleading if you haven't done this a lot. This is a bad UX and can bite you when trying to troubleshoot. I am sure there are circumstances where using it is not good, like if you use images instead of zip packages.

Affected Resource(s) and/or Data Source(s)

aws_lambda_function

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @bengaywins 👋 Thank you for taking the time to raise this! I see what you're saying, but I'm not sure there's anything that needs to change at the moment, for a couple of reasons.

It starts with something that you've already mentioned -- it's not really "required" in any case. The upstream API doesn't have a value that maps to source_code_hash -- it's a virtual attribute that the provider uses internally in order to help make Lambda functions more "Terraform friendly" (a bit of an oversimplification). Terraform's Provider Design Principles, which discuss matching as closely to the underlying API as possible. Since the underlying API doesn't require it, marking source_code_hash would diverge from the API in a way that might be unexpected to someone coming to the resource for the first time.

[bengaywins]

Doesn't the virtual attribute violate that too?

Imo the docs should have a way of saying something about this. As I mentioned, this is a pretty horrendous UX that until you realize this, it feels like you did something wrong when the reality is that neither the docs talk about this very well nor is it obvious. A coworker and I spent hours trying to figure out what the deal was (we had included some sensitive files by accident) and I found something about this on a blog basically.