Changes to Lambda environment variables don't trigger a new version publication

[acerbisgianluca]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform CLI: 0.13.1
AWS Provider Version: 3.4.0

Affected Resource(s)

• aws_lambda_function
• aws_lambda_alias

Terraform Configuration Files

resource "aws_lambda_alias" "voice-gram-skill-alias" {
    description = "Production version"
    function_name = aws_lambda_function.voice-gram-skill.function_name
    function_version = aws_lambda_function.voice-gram-skill.version
    name = "prod"
}

resource "aws_lambda_function" "voice-gram-skill" {
    function_name = "voice-gram-skill"
    handler = "index.handler"
    publish = true
    layers = [
        "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:ffmpeg:2",
        aws_lambda_layer_version.voice-gram-layer.arn,
    ]
    memory_size = 192
    reserved_concurrent_executions = -1
    role = aws_iam_role.voice-gram-role.arn
    runtime = "python3.8"
    tags = local.tags
    timeout = 10

    source_code_hash = data.archive_file.zip-folders["skill"].output_base64sha256
    s3_bucket = aws_s3_bucket.voice-gram-bucket.bucket
    s3_key = aws_s3_bucket_object.voice-gram-artifacts["skill"].key
    s3_object_version = aws_s3_bucket_object.voice-gram-artifacts["skill"].version_id

    environment {
        variables = {
            ......
        }
    }

    timeouts {}

    tracing_config {
        mode = "PassThrough"
    }
}

Expected Behavior

When I plan that configuration after changing environment variables, voice-gram-skill-alias should get the value for function_version after voice-gram-skill new version has been published. The documentation also states qualified_arn - The Amazon Resource Name (ARN) identifying your Lambda Function Version (if versioning is enabled via publish = true).

Actual Behavior

Actually, when I plan this configuration, voice-gram-skill-alias is set to $LATEST and doesn't wait for the voice-gram-skill version to be published even if publish is set to true, as you can see below. Furthermore, version and qualified_arn aren't updated and remain set to $LATEST.

+ resource "aws_lambda_alias" "voice-gram-skill-alias" {
      + arn              = (known after apply)
      + description      = "Production version"
      + function_name    = "voice-gram-skill"
      + function_version = "$LATEST" <-- THIS SHOULD BE (known after apply)
      + id               = (known after apply)
      + invoke_arn       = (known after apply)
      + name             = "prod"
}

# module.aws.aws_lambda_function.voice-gram-skill will be updated in-place
  ~ resource "aws_lambda_function" "voice-gram-skill" {
        arn                            = "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:function:voice-gram-skill"
        function_name                  = "voice-gram-skill"
        handler                        = "index.handler"
        id                             = "voice-gram-skill"
        invoke_arn                     = "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:xxxxxxxxxxx:function:voice-gram-skill/invocations"
        last_modified                  = "2020-08-30T19:15:34.633+0000"
        layers                         = [
            "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:ffmpeg:2",
            "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:layer:voice-gram:12",
        ]
        memory_size                    = 192
        publish                        = true
        qualified_arn                  = "arn:aws:lambda:eu-west-1:xxxxxxxxxxxx:function:voice-gram-skill:$LATEST" <-- THIS IS NOT UPDATED TOO
        reserved_concurrent_executions = -1
        role                           = "arn:aws:iam::xxxxxxxxxx:role/voice-gram"
        runtime                        = "python3.8"
        s3_bucket                      = "voice-gram"
        s3_key                         = "artifacts/skill"
        s3_object_version              = "asdasdadasdadasdasdasdasdadsa"
        source_code_hash               = "ONBXtembDHc8urPkxxUVOEUmVcA1vbqX5t6v5VUgITc="
        source_code_size               = 23783
        tags                           = {
            "skill" = "voice-gram"
        }
        timeout                        = 10
        version                        = "$LATEST" <-- THIS IS NOT UPDATED TOO

      ~ environment {
          ~ variables = {
                ....
            }
        }

        timeouts {}

        tracing_config {
            mode = "PassThrough"
        }
    }

Steps to Reproduce

1. Apply an aws_lambda_function with environment variables and publish set to true
2. Edit only environment variables (if you change the code, it works)
3. terraform plan

[acerbisgianluca]

I think we should just add here something like d.HasChange("environment") https://github.com/terraform-providers/terraform-provider-aws/blob/5378e467edfd8ef8ed81a06bd82288be4379a427/aws/resource_aws_lambda_function.go#L679

[grahamhar]

I don't think the issue is limited to just environment variable changes, although this is probably the most likley config to change, it seems any config change didn't result in a new version being published.

I've raised a PR to attempt a fix.

[acerbisgianluca]

@grahamhar I've just noticed that a new version is always created if publish is set to true even if there are no code changes. The difference is that the version is published, but aliases are not updated. I've just ran plan and there weren't any new planned version, but if I go to the function page on AWS I can see that a new version has been created, but aliases weren't updated to the latest version.

[grahamhar]

@grahamhar I've just noticed that a new version is always created if publish is set to true even if there are no code changes. The difference is that the version is published, but aliases are not updated. I've just ran plan and there weren't any new planned version, but if I go to the function page on AWS I can see that a new version has been created, but aliases weren't updated to the latest version.

@acerbisgianluca I added a new acceptance test first before writing the fix which seemed to prove the failure to publish the new version, adding the new code made the tests pass, so I'm reasonably sure #15116 will fix what you are seeing, or maybe we're seeing a different issue?

[acerbisgianluca]

Mhh I don't know, we will see when your PR will be merged. Now I'm pretty confused lol and I might have misunderstood your PR.

Btw I was looking at the code and I found this: https://github.com/terraform-providers/terraform-provider-aws/blob/4ac98ce9911f302cb7181db28d4a8772b5e67112/aws/resource_aws_lambda_function.go#L927
Actually a new version is published, but this change is not detected as a dependecy for other resources, for example when an alias must point to the latest released version. Is your PR going to fix this?

[grahamhar]

Mhh I don't know, we will see when your PR will be merged. Now I'm pretty confused lol and I might have misunderstood your PR.

Btw I was looking at the code and I found this:

https://github.com/terraform-providers/terraform-provider-aws/blob/4ac98ce9911f302cb7181db28d4a8772b5e67112/aws/resource_aws_lambda_function.go#L927

Actually a new version is published, but this change is not detected as a dependecy for other resources, for example when an alias must point to the latest released version. Is your PR going to fix this?

My fork was old so I didn't see that 🤦 looks like my PR is redundant and I just need to update the provider version!

[grahamhar]

@acerbisgianluca update of provider didn't work, I think I found the culprit though:

https://github.com/terraform-providers/terraform-provider-aws/blob/4ac98ce9911f302cb7181db28d4a8772b5e67112/aws/resource_aws_lambda_function.go#L273-L283

The updated version is only stored if there is a code change, I'll try figure out a fix

[acerbisgianluca]

The updated version is only stored if there is a code change, I'll try figure out a fix

I think you should only update the if condition from if needsFunctionCodeUpdate(d) to if needsFunctionCodeUpdate(d) || configUpdate. I've never used GO, so I don't know if it's sufficient. You should also pass configUpdate to the function.

[grahamhar]

@gdavison I've raised a PR for this and I think I have met all the requirements, if not could you help me out as it is my first PR against this repo. How do I go about moving forward on getting a review done?

[gsingh1]

Just got hit with this last week whilst working on a project. Would be a great help to get this fixed @gdavison, @bflad, @YakDriver 🙂 Anything we can do to prioritise this?

[ghost]

This has been released in version 3.13.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!