terraform-aws-modules / terraform-aws-lambda

Terraform module, which takes care of a lot of AWS Lambda/serverless tasks (build dependencies, packages, updates, deployments) in countless combinations 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws
Apache License 2.0
902 stars 677 forks

Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run #597

Open juergenz opened 1 month ago

juergenz commented 1 month ago

Description

Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run.

Versions

Reproduction Code [Required]

```hcl
module "lambda_function" {
  source        = "terraform-aws-modules/lambda/aws"
  version       = "7.7.0"

  function_name = "lambda-simple"
  handler       = "index.lambda_handler"
  runtime       = "python3.12"

  source_path = ["index.py"]
}
```

```python
import boto3
import botocore

def lambda_handler(event, context):
    print(f'boto3 version: {boto3.__version__}')
    print(f'botocore version: {botocore.__version__}')
```

Steps to reproduce the behavior:

1. Deploy lambda function - terraform apply
2. Confirm there are no pending changes - terraform plan / terraform apply
3. Change and deploy code in AWS console - e.g. insert a print("test")
4. Run terraform plan again

Expected behavior

A change to source_code_hash should be detected.

Actual behavior

No change is detected.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Additional context

Not sure if this is intended behavior looking at the following code, but from my perspective it would be useful to have the option to always check for a drift of source_code_hash.

```hcl
was_missing = var.local_existing_package != null ? !fileexists(var.local_existing_package) : local.archive_was_missing

...

source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null
```

github-actions[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

antonbabenko commented 3 weeks ago

I could not reproduce this issue. It works like it should, changes are being tracked properly.

Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).

If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

Xan0C commented 1 week ago

> I could not reproduce this issue. It works like it should, changes are being tracked properly.
>
> Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).
>
> If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

Faced the same issue, doing a change to the code through the AWS Console (directly through the code editor, no zip upload etc.). This code change results in a change for the SHA256 hash which is also reflected in the terraform state.

e.g. for some lambda resource terraform state show "module.application_lambda.aws_lambda_function.this[0]"

Will give you the updated code_sha256 but the source_code_hash won't be updated/changed, when doing manual code changes through the AWS Console.

I guess the code_sha256 is not used to decide if the resource has been changed but only the source_code_hash and the source_code_hash is not updated when doing changes through the AWS Console.
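
The mismatch described in the comment above (a refreshed `code_sha256` next to an unchanged `source_code_hash`) can be checked directly from state. The script below is an added example, not part of the original thread or the module's code. It assumes the state has been refreshed, that `source_code_hash` holds the base64 SHA-256 of the package (as the `filebase64sha256` expression quoted in the issue produces), and the `values.root_module` / `child_modules` layout of `terraform show -json`; the embedded sample and its hash values are constructed.

```python
import json
import sys

# Constructed sample in the layout of `terraform show -json`; hash values are placeholders.
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [], "child_modules": [{
    "address": "module.application_lambda",
    "resources": [
        {"address": "module.application_lambda.aws_lambda_function.this[0]",
         "type": "aws_lambda_function",
         "values": {"function_name": "lambda-simple",
                    "source_code_hash": "CONSTRUCTED-hash-of-local-zip=",
                    "code_sha256": "CONSTRUCTED-hash-after-console-edit="}},
        {"address": "module.application_lambda.aws_iam_role.lambda[0]",
         "type": "aws_iam_role", "values": {"name": "lambda-simple"}},
    ],
}]}}})


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_code_drift(state_json):
    """Return (address, source_code_hash, code_sha256) where the two hashes differ."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    drifted = []
    for res in iter_resources(root):
        if res.get("type") != "aws_lambda_function":
            continue
        vals = res.get("values", {})
        planned, deployed = vals.get("source_code_hash"), vals.get("code_sha256")
        # Null source_code_hash: hash not tracked (e.g. ignore_source_code_hash = true).
        if planned and deployed and planned != deployed:
            drifted.append((res["address"], planned, deployed))
    return drifted


if __name__ == "__main__":
    # Usage: terraform show -json | python3 check_lambda_drift.py
    text = SAMPLE_STATE if sys.stdin.isatty() else sys.stdin.read()
    found = find_code_drift(text)
    for address, planned, deployed in found:
        print(f"DRIFT {address}: source_code_hash={planned} code_sha256={deployed}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a mismatch lets a pipeline step flag functions whose deployed code no longer matches what Terraform last applied.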