Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

terraform-provider-aws 3.13.0 and later including 3.25.0 cause lambdas in a VPC to be updated on every apply #17385

Closed
akloss-cibo opened this issue Feb 1, 2021 · 7 comments
Closed

terraform-provider-aws 3.13.0 and later including 3.25.0 cause lambdas in a VPC to be updated on every apply #17385

akloss-cibo opened this issue Feb 1, 2021 · 7 comments
Labels
service/iam Issues and PRs that pertain to the iam service. service/lambda Issues and PRs that pertain to the lambda service.

Comments

@akloss-cibo
Copy link

akloss-cibo commented Feb 1, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

% ../terraform version
Terraform v0.14.5
+ provider registry.terraform.io/hashicorp/aws v3.25.0
%

Affected Resource(s)

  • aws_lambda_function
  • aws_iam_role 👈 I have observed a similar problem with aws_iam_role in 3.12.0 as well.

Terraform Configuration Files

resource "aws_lambda_function" "function" {
  function_name    = "test-lambda"
  handler          = "cloudfront_alert.handler"
  publish          = true
  filename         = "lambda.zip"
  source_code_hash = filebase64sha256("lambda.zip")
  runtime          = "nodejs10.x"
  role = "arn:aws:iam::4********:role/AWSLambdaVPCAccessExecution"
  # Lambda's without vpc_config do not appear to be affected
  vpc_config {
    security_group_ids = [
      "sg-0*********",
    ]
    subnet_ids         = [
      "subnet-0c***********,
    ]
  }
}
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "3.13.0"
    }
  }
}

Debug Output

The debug output has a lot of sensitive data in it, including AWS credentials, so I'm including regular output.

https://gist.github.com/akloss-cibo/6eaf77d79ea9d91837baa94fca74173d

Expected Behavior

The lambda function should be updated once, and then left alone.

Actual Behavior

In every apply, the lambda function shows a change, which is then applied although is functionally a no-op.

Steps to Reproduce

  1. Create a file, lambda.tf with terraform config from above. Substitute in a correct IAM role, and correct VPC information
  2. Run zip lambda.zip lambda.tf to create a dummy zip
  3. Run terraform init
  4. Run terraform apply -auto-approve to create the lambda function
  5. Run terraform apply again. Observe that the plan shows a trivial change. Apply that change. Repeat.

References
@ghost ghost added the service/lambda Issues and PRs that pertain to the lambda service. label Feb 1, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 1, 2021
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Feb 2, 2021
@kitos9112
Copy link

kitos9112 commented Feb 12, 2021
edited
Loading

Hi, hitting this issue as well. Strangely enough it only happens when a Lambda function is configured with VPC settings. It's super annoying because it's forcing codeDeploy deployments every time :(

❯ terraform --version
Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/aws v3.25.0
+ provider registry.terraform.io/hashicorp/external v2.0.0
+ provider registry.terraform.io/hashicorp/local v2.0.0
+ provider registry.terraform.io/hashicorp/null v3.0.0
+ provider registry.terraform.io/hashicorp/random v3.0.1

After having initialized the module and applied it. No changes to the resources, and trigger a terraform apply:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambda_function_no_vpc_instantdeploy.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "TestLambdaVPC-"
      ~ qualified_arn                  = "arn:aws:lambda:eu-west-2:12345678:function:TestLambdaVPC:3" -> (known after apply)
        tags                           = {}
      ~ version                        = "3" -> (known after apply)
        # (18 unchanged attributes hidden)
        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

This was referenced Feb 12, 2021
Closed
Closed
@grahamhar grahamhar mentioned this issue Feb 14, 2021
Merged
@askaribragimov
Copy link

Looks like without publish = true it does not happen. But publish = true is required if you need Provisioned Concurrency. So, still a problem

gdavison pushed a commit that referenced this issue Jun 4, 2021
@grahamhar
Fix change detection relating to vpc_config
82ff95d 
As reported in #17385
a change i  detected in vpc_config when there are no changes, this is
caused by an issue in hashicorp/terraform-plugin-sdk#617
The PR to provide a fix is not getting any traction.

On further debuging the issue is caused by the nested elements being of
type set which needs the use of Equal rather than reflect.DeepEqual to
test for differences.

We can work around this bug by testing for changes in the two fields
within vpc_config independantly as when the item passed to HasChanges is
a Set it is tested correctly.
@gdavison gdavison self-assigned this Jun 24, 2021
@bill-rich
Copy link
Contributor

Hi @akloss-cibo & @kitos9112,
I haven't been able to reproduce this issue with the provided configuration. Is anyone still experiencing this problem? If so, please post a copy of your configuration to help with reproducing the issue.

@kitos9112
Copy link

@bill-rich haven't tested it with the new provider yet. I'll give it a go this morning and comment back.

@akloss-cibo
Copy link
Author

Fixed for me starting in 3.45.0.

@bill-rich bill-rich self-assigned this Jul 23, 2021
@breathingdust
Copy link
Member

This seems to have been resolved, so closing for now. 👍 Please comment on the issue to reopen if this behaviour can be demonstrated in a version greater than 3.45.0.

@github-actions
Copy link

github-actions bot commented Sep 3, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2021
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
service/iam Issues and PRs that pertain to the iam service. service/lambda Issues and PRs that pertain to the lambda service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@breathingdust @gdavison @bill-rich @kitos9112 @askaribragimov @akloss-cibo