resource/awscc_lambda_function: Immediate Plan After Creation

[bflad]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the Cloudformation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

$ terraform version
Terraform v1.0.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.61.0
+ provider registry.terraform.io/hashicorp/awscc v0.1.0

Affected Resource(s)

• awscc_lambda_function

Terraform Configuration Files

terraform {
  required_version = "1.0.8"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.61.0"
    }
    awscc = {
      source  = "hashicorp/awscc"
      version = "0.1.0"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_role" "test" {
  name = "bflad-lambda-function-testing"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
        Effect = "Allow"
        Sid    = ""
      }
    ]
  })
}

resource "awscc_lambda_function" "test" {
  code = {
    zip_file = "lambdatest.zip"
  }

  handler = "exports.example"
  role    = aws_iam_role.test.arn
  runtime = "nodejs12.x"

}

Debug Output

Output from API:

{
    "ResourceDescription": {
        "Identifier": "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X",
        "Properties": {
            "Role": "arn:aws:iam::--OMITTED--:role/bflad-lambda-function-testing",
            "FileSystemConfigs": [],
            "FunctionName": "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X",
            "MemorySize": 128,
            "Runtime": "nodejs12.x",
            "Description": "",
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "Timeout": 3,
            "PackageType": "Zip",
            "Handler": "exports.example",
            "Arn": "arn:aws:lambda:us-west-2:--OMITTED--:function:5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X",
            "Architectures": [
                "x86_64"
            ]
        }
    },
    "TypeName": "AWS::Lambda::Function"
}

Expected Behavior

No planned changes after creation.

Actual Behavior

$ terraform plan
aws_iam_role.test: Refreshing state... [id=bflad-lambda-function-testing]
awscc_lambda_function.test: Refreshing state... [id=5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # awscc_lambda_function.test has been changed
  ~ resource "awscc_lambda_function" "test" {
      + architectures       = [
          + "x86_64",
        ]
      + file_system_configs = [
          + {          },
        ]
        id                  = "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X"
      + memory_size         = 128
      + package_type        = "Zip"
      + timeout             = 3
      + tracing_config      = {
        + mode = "PassThrough"
      }
        # (6 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to
these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_lambda_function.test will be updated in-place
  ~ resource "awscc_lambda_function" "test" {
      - architectures       = [
          - "x86_64",
        ] -> null
      - file_system_configs = [
          - {          },
        ]
        id                  = "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X"
      - memory_size         = 128 -> null
      - package_type        = "Zip" -> null
      - timeout             = 3 -> null
      - tracing_config      = {
        - mode = "PassThrough" -> null
      }
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

1. terraform apply
2. terraform plan

Important Factoids

The CloudFormation resource schema does not define defaults for these attributes.

These attributes are not marked as Computed in the Terraform resource schema, so Terraform will propose removing the API default values being returned.

Setting them manually in the configuration after creation:

resource "awscc_lambda_function" "test" {
  architectures = ["x86_64"]

  code = {
    zip_file = "lambdatest.zip"
  }

  file_system_configs = []
  handler             = "exports.example"
  memory_size         = 128
  package_type        = "Zip"
  role                = aws_iam_role.test.arn
  runtime             = "nodejs12.x"
  timeout             = 3
  tracing_config = {
    mode = "PassThrough"
  }
}

Will still yield a drift plan for at least one refresh or apply:

$ terraform plan
aws_iam_role.test: Refreshing state... [id=bflad-lambda-function-testing]
awscc_lambda_function.test: Refreshing state... [id=5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # awscc_lambda_function.test has been changed
  ~ resource "awscc_lambda_function" "test" {
      + architectures       = [
          + "x86_64",
        ]
      + file_system_configs = [
          + {          },
        ]
        id                  = "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X"
      + memory_size         = 128
      + package_type        = "Zip"
      + timeout             = 3
      + tracing_config      = {
        + mode = "PassThrough"
      }
        # (6 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to
these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_lambda_function.test will be updated in-place
  ~ resource "awscc_lambda_function" "test" {
        id                  = "5rvvobFl82TH6LI9PI5zvIxy9-g0qeCf2D5N1X"
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Although it turns out its not really possible to satisfy Terraform CLI for file_system_configs:

file_system_configs = [{}]

Yields:

│ Error: Incorrect attribute value type
│ 
│   on main.tf line 44, in resource "awscc_lambda_function" "test":
│   44:   file_system_configs = [{}]
│ 
│ Inappropriate value for attribute "file_system_configs": element 0: attributes "arn" and "local_mount_path" are required.

Even this configuration shows the "empty" plan difference:

resource "awscc_lambda_function" "test" {
  architectures = ["x86_64"]

  code = {
    zip_file = "lambdatest.zip"
  }

  file_system_configs = []
  handler             = "exports.example"
  memory_size         = 128
  package_type        = "Zip"
  role                = aws_iam_role.test.arn
  runtime             = "nodejs12.x"
  timeout             = 3
  tracing_config = {
    mode = "PassThrough"
  }

  lifecycle {
    ignore_changes = [file_system_configs]
  }
}

[bflad]

After more debugging with terraform plan -out test.tfplan and terraform show -json test.tfplan was able to see this difference that is typically hidden from Terraform CLI output due to the legacy SDK:

1c1
<                 "before": {
---
>                 "after": {
15c15
<                     "description": null,
---
>                     "description": "",

The CloudFormation resource schema in question does not list a default currently:

"Description" : {
    "description" : "A description of the function.",
    "type" : "string",
    "maxLength" : 256
},

This configuration will not show permanent differences:

resource "awscc_lambda_function" "test" {
  architectures = ["x86_64"]

  code = {
    zip_file = "lambdatest.zip"
  }

  description         = ""
  file_system_configs = []
  handler             = "exports.example"
  memory_size         = 128
  package_type        = "Zip"
  role                = aws_iam_role.test.arn
  runtime             = "nodejs12.x"
  timeout             = 3
  tracing_config = {
    mode = "PassThrough"
  }
}

[ewbankkit]

Relates #185.
Relates: #191.