Adding vpc_config to existing lambda function doesn't update function

mgkeen commented 5 years ago

I have an existing lambda function that I am trying to move into a VPC. The lambda is created via a module (configuration for the module listed below). Adding the vpc_config section and passing lists of subnet ids and security groups doesn't appear to alter the lambda function at all. If i alter a variable that forces a new resource (e.g. function name), then the change is picked up.

UPDATE: This bug only appears at the same time as creating the VPC resources. Creating the VPC resources first, and then running terraform apply a second time gives the expected behaviour.

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

terraform: 0.11.13 provider.aws: 2.8.0

Affected Resource(s)

aws_lambda_function

Terraform Configuration Files

resource "aws_lambda_function" "lambda" {
    function_name = "${var.function_name}"
    filename = "${var.zip_path}"
    role = "${aws_iam_role.lambda-role.arn}"
    handler = "${var.handler}"
    source_code_hash = "${filebase64sha256("${var.zip_path}")}"
    runtime = "${var.runtime}"
    timeout = "${var.timeout}"
    memory_size = "${var.memory_size}"

    tracing_config {
      mode = "${var.tracing_config_mode}"
    }

    environment {
      variables = "${var.environment_variables}"
    }

    vpc_config {
      subnet_ids = ["${var.subnet_ids}"]
      security_group_ids = ["${var.security_group_ids}"]
    }
}

Expected Behavior

Should update the vpc_config on the existing lambda function:

vpc_config.#:                               "0" => "1"
      vpc_config.0.security_group_ids.#:          "" => <computed>
      vpc_config.0.subnet_ids.#:                  "" => <computed>
      vpc_config.0.vpc_id:                        "" => <computed>

Actual Behavior

No changes applied when just adding vpc_config. If something that forces a new resource is changed (e.g. function name), then it applies the vpc_config changes.

Steps to Reproduce

Create function without a vpc_config
terraform apply
Add configuartion for a VPC and vpc_config
terraform apply

References

https://github.com/terraform-providers/terraform-provider-aws/issues/1073 I saw this issue, but not sure if it is related or not

mgkeen commented 5 years ago

Further update: When my automated deployment tests ran i got the following:

aws_lambda_function.lambda: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

    Terraform Version: 0.11.13
    Resource ID: aws_lambda_function.lambda
    Mismatch reason: extra attributes: vpc_config.0.security_group_ids.2170271681, vpc_config.0.subnet_ids.767090540, vpc_config.#, vpc_config.0.security_group_ids.3652956519, vpc_config.0.subnet_ids.2445766162, vpc_config.0.security_group_ids.#, vpc_config.0.subnet_ids.#
    Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"source_code_hash":*terraform.ResourceAttrDiff{Old:"dZvTurqfbWE7fcdQtZ+5zjrKMElkqvoVspXJFtkO64M=", New:"HverdkOpN6cy7ynwrxZfJ/RPM6fF6RKPkv/G9LHaq0M=", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "last_modified":*terraform.ResourceAttrDiff{Old:"2019-05-01T23:59:08.790+0000", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
    Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"vpc_config.0.security_group_ids.3652956519":*terraform.ResourceAttrDiff{Old:"", New:"sg-0231dfb3bc6fc7cab", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.0.security_group_ids.2170271681":*terraform.ResourceAttrDiff{Old:"", New:"sg-0abca9f0c69752ed4", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "last_modified":*terraform.ResourceAttrDiff{Old:"2019-05-01T23:59:08.790+0000", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.#":*terraform.ResourceAttrDiff{Old:"0", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.0.subnet_ids.2445766162":*terraform.ResourceAttrDiff{Old:"", New:"subnet-0b37b93685387cce1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "source_code_hash":*terraform.ResourceAttrDiff{Old:"dZvTurqfbWE7fcdQtZ+5zjrKMElkqvoVspXJFtkO64M=", New:"HverdkOpN6cy7ynwrxZfJ/RPM6fF6RKPkv/G9LHaq0M=", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.0.security_group_ids.#":*terraform.ResourceAttrDiff{Old:"0", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.0.subnet_ids.#":*terraform.ResourceAttrDiff{Old:"0", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_config.0.subnet_ids.767090540":*terraform.ResourceAttrDiff{Old:"", New:"subnet-0efd57b2b04f1570d", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

On a second run it completed successfully

mikebutak commented 2 years ago

I'm having this problem too. Any solution available?

Jaxseras commented 2 years ago

Try adding ignore_source_code_hash = true to your resource "aws_lambda_function" "lambda"

Shuvoid commented 1 year ago

I am also facing this issue. Any solutions yet?

aprilmintacpineda commented 1 year ago

Is there any update on this?

snebhu3 commented 11 months ago

We are facing the same issue where terraform apply fails the 1st run after adding vpc_config to existing lambda with below error:


│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.x.aws_lambda_function.x
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .vpc_config: block count changed from 0 to 1.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.╵

Re-running terraform apply works fine.

Expectation is for this to work on the 1st run of terraform apply too.

alexaandru commented 2 months ago

Same as above, the 2nd time I ran apply it worked fine. I had to find this bug report 1st to figure that one out... Maybe it would be worth adding some note in the docs for vpc_config?

hashicorp / terraform-provider-aws