Adding support for Lambda function updates #3825
Conversation
|
I tried this code but I'm not seeing what I expected. I have a tf module with lambdas defined using local zips as the code source. I make a change to the zip and run apply but the lambda resources were not updated. I have an existing tfstate file, could that be the issue? I have not tried a fresh project to see if the |
|
Thanks for the update. I've been pulled onto something else at work temporarily, but I'll loop back onto this in a week or so. |
robzienert
force-pushed
the
lambda-update-support
branch
from
77869a8 to
0d005c6
Compare
|
Updated the PR to fix a few bugs. |
|
Wish I saw this PR before I started work on it myself!! ;) Going to pull this down and see if it does want I want it to do. |
|
Hey Rob, This code did not update the Lambda function when all that changed was the zip contents (so all it would have would be a local sum). I'm not too sure if this is enough to trigger an update, which is the challenge for me, and the wall I hit before trying your code. Maybe a sum can be implemented for both local and remote ZIP code to ensure that |
catsby
added
the
waiting-response
|
Everyone, I did this up, it looks like what would be necessary to get the function to update without tainting the resource. I understand that this could easily be broken by the user (depending on a modifiable attribute's default), unfortunately, it doesn't look like state change on computed resources alone is enough. Note that updating a function's code is a non-destructive change, you should be able to do it without forcing a new resource (and further, this would be feature parity with CloudFormation). With that said, state change on the source sum resources didn't seem to trigger a new resource either, from what I saw. I could not see in the code and haven't seen any examples so far of being able to force an update, versus taint - does such functionality exist? |
|
@vancluever Thanks for the addition, I pulled it into this PR. On the forcing updates front, I'm not aware of anything that's available on the resource level for this sort of thing. Modifying state is getting a little into the weeds for me, I'm not entirely sure how that would be implemented. |
|
Wow thanks @robzienert! Yeah I think it needs some tweaking still. I want to send this to the mailing list to see if we can't get it some more attention and discussion on what to do. I don't like the idea of |
|
Posted https://groups.google.com/forum/#!topic/terraform-tool/cyOpssFL7Sc. Maybe someone not actively looking at this PR will see that and help! |
|
Appreciate you helping usher this work along! |
|
Any movement on this? It'd be great to have this available |
|
Hey Alexander, unfortunately not :( no activity on the mailing list post either, maybe now that the holidays are done there will be some more movement soon. |
|
Hey all – I'm trying to get an understanding of what's not working here. Given a minimal config like so: resource "aws_lambda_function" "lambda_function_test_update" {
filename = "test-fixtures/lambdatest.zip"
function_name = "example_lambda_name_update"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.example"
}The problem then is if edit the contents, Terraform doesn't recognize new code, yeah? One way we could do this is by exposing the hash, and having users specify the sha256 hash of their zip file. This is extra work for the user, they'd have to recalculate it. It would be great if we could have a config method that calculates the sha256 here for us (similar to sha1 in https://terraform.io/docs/configuration/interpolation.html). Alternatively, we could add a |
|
I've been zipping it myself - then adding an md5 sum on the zip filename, then updating the terraform config with the new filename. This lets me (outside of terraform) detect if the code has been changed. For now, I am calling update on my own. I would say providing zip functionality would be difficult, and probably out of scope. My repo, for example, has a number of lambda functions in it, and there is a bunch of dancing that needs to be done to get things ready for zipping. Terraform detects that the filename in config is different than the state, which is almost there. I just need it to call out to updateFunction. |
|
@mostman79 yeah, changing the filename as a workaround works, but should not be necessary, and in fact if you use the branch in this PR with my changes (@robzienert has rolled them in) it works by simply updating the ZIP. So we are almost there, just we need to figure out how to do it without having to add an unnecessary attribute as a workaround. @catsby - Confirmed - updating the code ZIP contents does not trigger an update. I think I tried to use a Do you know if using |
catsby
removed
the
waiting-response
|
The way I've seen this handled elsewhere in Terraform is to use To make this completely robust it would be necessary for the But with the facilities we have today, you could detect when a change has been made within Terraform by making a The other gotcha with this design is that |
|
Hey @apparentlymart - yeah that's what I basically tried:
If this sounds like it should have worked, I can give it another go. |
|
@vancluever I don't think it works quite like you tried because the when you set But I'd expect that to always show as a diff, and you said it never shows as a diff, so apparently Terraform is doing something different than what I expected. |
|
Thanks @apparentlymart - will do another sanity check in the next day or two here to make sure it was doing what I thought it was doing and apply your suggestions! If Will update when I know more! |
catsby
added
the
waiting-response
|
I spent some time today trying to get to the bottom of this. There's a couple of things to solve/fix in the PR, until we can merge it. Sha256 calculation & representation/comparisonThe CodeSha256 from the AWS comes a base64-encoded sha256 sum, which we all probably already know. However the difference (and root cause of all troubles) is the representation of the sum. See an example in Go playground to get better understanding of the problem: https://play.golang.org/p/1LCqlwnFM2 How to move forward with this PR?As calculating the sha & base64 and doing the comparison internally inside the resource is a bit tricky, I'd rather suggest we just leave this up to the user. i.e. resource "aws_lambda_function" "test" {
filename = "lambdatest.zip"
function_name = "lambda_function_name"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.test"
source_code_hash = "${base64encode(sha256(file("lambdatest.zip")))}"
}This also gives them the freedom calculating this completely outside of Terraform and providing it as variable. However, as mentioned above, the newly introduced resource "aws_lambda_function" "test" {
filename = "lambdatest.zip"
function_name = "lambda_function_name"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.test"
source_code_hash = "${base64encode(hexdecode(sha256(file("lambdatest.zip"))))}"
}I'm hoping there are no hidden side-effects of the Schema changesWith the suggestions above, you could just omit all of the extra logic with I'd suggest to compare/save the base64 encoded string to I will have a look into what we can do with the interpolation functions in order to make the above happen. |
|
@robzienert As We'll also need to add acceptance tests covering the update functionality, at least for the local ZIP option, but ideally for both local & S3 options. If you don't have time to finish it or don't want to finish it for any reason that's totally 👌 , let me know, I can pick it up. If I do so, I will keep your git authorship as is and build changes on top of it - i.e. your contribution & effort you spent on this PR so far would be still credited to you! 😉 If I don't hear back until the end of next week, I will pick it up. I see this as a chance to unblock all Lambda users who're holding off from using Terraform to manage their Lambda resources because of this bug. |
radeksimko
removed
the
waiting-response
|
Fixed via #5239 which was just merged. Updates will be supported in the next release. |
Rather than doing our homebrew tainting of individual Lambdas, use the hash of the ZIP file and update the Lambda if it changes. It turns out this is indeed possible with Terraform, but it's somewhat obliquely documented: hashicorp/terraform#3825 This should resolve the issues with Lambda triggers being lost, because the Lambda is only updated, not deleted every time.
Rather than doing our homebrew tainting of individual Lambdas, use the hash of the ZIP file and update the Lambda if it changes. It turns out this is indeed possible with Terraform, but it's somewhat obliquely documented: hashicorp/terraform#3825 This should resolve the issues with Lambda triggers being lost, because the Lambda is only updated, not deleted every time.
…udformation_stack-schema-panic resource/aws_cloudformation_stack: Remove setting non-existent arn attribute
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Current AWS Lambda resource does not support updates.