[Version 2.0] Still unable to ignore ARN change in CloudFront lambda_function_association

[vhiairrassary]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11
+ provider.archive v1.1.0
+ provider.aws v2.0.0
+ provider.google v2.0.0

Affected Resource(s)

• aws_cloudfront_distribution

Description

Version 2.0 of the provider removed a lot of noise for aws_cloudfront_distribution (especially #7732) but we are still not able to ignore change of lambda_arn in the lambda_function_association block.

Here is the plan with version 2.0:

Terraform will perform the following actions:

  ~ module.cdn.aws_cloudfront_distribution.cdn
      default_cache_behavior.0.lambda_function_association.4010905183.event_type:   "origin-request" => ""
      default_cache_behavior.0.lambda_function_association.4010905183.include_body: "false" => "false"
      default_cache_behavior.0.lambda_function_association.4010905183.lambda_arn:   "arn:aws:lambda:us-east-1:***:function:assets_origin_request:2" => ""
      default_cache_behavior.0.lambda_function_association.609050106.event_type:    "" => "origin-request"
      default_cache_behavior.0.lambda_function_association.609050106.include_body:  "" => "false"
      default_cache_behavior.0.lambda_function_association.609050106.lambda_arn:    "" => "arn:aws:lambda:us-east-1:***:function:assets_origin_request:3"

If I add the following lifecycle block (which I don't think is a good idea since I don't know if 4010905183 & 609050106 will be valid in the future and in deployments in other regions):

  lifecycle {
    ignore_changes = [
      "default_cache_behavior.0.lambda_function_association.4010905183.lambda_arn",
      "default_cache_behavior.0.lambda_function_association.609050106.lambda_arn"
    ]
  }

Then the plan becomes:

Terraform will perform the following actions:

  ~ module.cdn.aws_cloudfront_distribution.cdn
      default_cache_behavior.0.lambda_function_association.4010905183.event_type:   "origin-request" => ""
      default_cache_behavior.0.lambda_function_association.4010905183.include_body: "false" => "false"
      default_cache_behavior.0.lambda_function_association.609050106.event_type:    "" => "origin-request"
      default_cache_behavior.0.lambda_function_association.609050106.include_body:  "" => "false"

At the end we want to be able to create the lambda & the lambda_function_association in terraform with an empty lambda to bootstrap the infra and then be able to update them outside of terraform, i.e. in our CI tool.

References

• PR: resource/aws_cloudfront_distribution: Adjust TypeSet and TypeList attributes for better difference handling
• Issue: CloudFront default_cache_behaviour changes with every apply

[bflad]

Hi @vhiairrassary 👋

Are you able to achieve what you are looking for with the below?

resource "aws_cloudfront_distribution" "cdn" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = ["default_cache_behavior.0.lambda_function_association"]
  }
}

Given the current Terraform functionality with ignore_changes and Terraform Provider SDK that we can use within the Terraform AWS Provider, I'm not sure if we will be able to provide a better method to ignore the lambda_arn itself within the lambda_function_association configuration block. Hope the above workaround helps for now though.

[vhiairrassary]

@bflad 👋 the workaround is good enough for now. Hopefully it will still work if we have several lambdas attached to the distribution 😬 Thanks!

[bluemalkin]

Hi, we're running into this issue as well, terraform keeps wanting to change from $LATEST to 1.
Hopefully there's a fix coming soon ?

[byF]

The aforementioned workaround does not work in TF 0.12 and provider.aws 2.12.0, the ignore is ignored :)

lifecycle {
  ignore_changes = ["default_cache_behavior[0].lambda_function_association"]
}

[bflad]

Hi @byF 👋 Sorry you are running into trouble there. There is a known issue upstream in Terraform Core relating to the [0] index syntax not working with ignore_changes in Terraform 0.12.0+: hashicorp/terraform#21433

[FxProgrm]

The issue #21433 mentioned above appears to have been closed but the behavior of wanting to revert a lambda function to a prior ARN (based on a config) or removed completely still exists. We are on v0.12.3 but also did validation using v0.12.7 and see the same issue.

Defined lambda function variables (ARN):

variable "account" {
  default = "sandbox"
}
variable "region" {
  default = "us-east-1"
}
variable "aws_lambda_function_webviewerrequest_arn" {
  type = map(string)
  default = {
    stage   = "arn:aws:lambda:us-east-1:<acct>:function:webviewerrequest:1"
    sandbox = "arn:aws:lambda:us-east-1:<acct>:function:web_viewerrequest:1"
  }
}
variable "aws_lambda_function_webviewerresponse_arn" {
  type = map(string)
  default = {
    stage   = "arn:aws:lambda:us-east-1:<acct>:function:webviewerresponse:1"
    sandbox = "arn:aws:lambda:us-east-1:<acct>:function:web_viewerresponse:1"
  }
}

The lifecycle definition in the distribution:

  lifecycle {
    ignore_changes = [
      #default_cache_behavior[0].lambda_function_association,
      #default_cache_behavior[1].lambda_function_association,
      #ordered_cache_behavior[7].lambda_function_association
      default_cache_behavior.0.lambda_function_association,
      default_cache_behavior.1.lambda_function_association,
      ordered_cache_behavior.7.lambda_function_association
    ]
  }

In the default cache behavior definition for CloudFront:

    lambda_function_association {
      event_type   = "viewer-request"
      lambda_arn   = var.aws_lambda_function_webviewerrequest_arn[var.account]
      include_body = false
    }
    lambda_function_association {
      event_type   = "viewer-response"
      lambda_arn   = var.aws_lambda_function_webviewerresponse_arn[var.account]
      include_body = false
    }

and generating the following during plan (arn version was updated in console to demonstrate):

+ lambda_function_association {
    + event_type   = "viewer-request"
    + include_body = false
    + lambda_arn   = "arn:aws:lambda:us-east-1:<acct>:function:web_viewerrequest:1"
  }
- lambda_function_association {
    - event_type   = "viewer-request" -> null
    - include_body = false -> null
    - lambda_arn   = "arn:aws:lambda:us-east-1:<acct>:function:web_viewerrequest:3" -> null
  }
+ lambda_function_association {
    + event_type   = "viewer-response"
    + include_body = false
    + lambda_arn   = "arn:aws:lambda:us-east-1:<acct>:function:web_viewerresponse:1"
  }
- lambda_function_association {
    - event_type   = "viewer-response" -> null
    - include_body = false -> null
    - lambda_arn   = "arn:aws:lambda:us-east-1:<acct>:function:webviewerresponse:1" -> null
  }

[ghost]

@byF it seems to work for me without the quotes:

resource "aws_cloudfront_distribution" "cdn" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = [default_cache_behavior.0.lambda_function_association]
  }
}

In my use-case, lambda@edge are deployed from an automated pipeline using serverless and associated to the CloudFront distribution using the AWS CLI.

Current versions:

• terraform v0.12.8
• terraform-provider-aws ~> 2.19

[l1b3r]

@bflad Do I still have to define the lambda_function_association in order to be able to ignore its changes?

My use case is similar to what OP is having. I am managing all the AWS infra with Terraform except the Lambda functions which are handled by Serverless. Serverless builds, packages, uploads the function and associates it to a Cloudfront distribution that was previously created by Terraform (for those interested -- using this plugin).

Currently I have to declare lambda_function_association in Terraform and maintain a feedback of the most recent function ARN (with version) from Serverless to Terraform using CloudFormation Outputs. This seems like an overkill and scales poorly, but If I don't do it, Terraform will destroy the CloudFront <-> L@E associations that Serverless has set up once terraform apply is run.

Is there perhaps a way to make Terraform ignore any lambda_function_associations for a particular *_cache_behavior without even describing those in the configuration?

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.