aws_lambda_function qualified_arn isn't updated after changing publish to true

[YoshiWalsh]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
+ provider.archive v1.2.0
+ provider.aws v2.2.0
+ provider.local v1.2.0
+ provider.template v2.1.0

Affected Resource(s)

• aws_lambda_function

Terraform Configuration Files

resource "aws_lambda_function" "originrequest_lambda" {
  filename = "${path.module}/artifacts/lambda.zip"
  function_name = "myedgescript"
  role = "${aws_iam_role.myedgerole.arn}"
  handler = "index.handler"
  
  source_code_hash = "${data.archive_file.myedgescriptarchive.output_base64sha256}"
  runtime = "nodejs8.10"
}

resource "aws_cloudfront_distribution" "mydistribution" {
    enabled = true

    # there are heaps of settings here, but I've omitted them for the sake of brevity

    default_cache_behavior {
        lambda_function_association {
            event_type = "origin-request"
            lambda_arn = "${aws_lambda_function.originrequest_lambda.qualified_arn}"
            include_body = false
        }
    }
}

Note that I forgot to include publish = true in my lambda function resource. I have since amended it.

resource "aws_lambda_function" "originrequest_lambda" {
  filename = "${path.module}/artifacts/lambda.zip"
  function_name = "myedgescript"
  role = "${aws_iam_role.myedgerole.arn}"
  handler = "index.handler"
  
  source_code_hash = "${data.archive_file.myedgescriptarchive.output_base64sha256}"
  runtime = "nodejs8.10"
  publish = true
}

Expected Behavior

CloudFront Distribution should be updated to include the Lambda@Edge function based on the version number, which is now present because publish has been changed to true.

Actual Behavior

Terraform still tries to add the Lambda@Edge function using the $LATEST alias. CloudFront Distribution throws aws_cloudfront_distribution.mydistribution: error updating CloudFront Distribution (***********): InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.) ARN: arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:test.example.com_originrequest:$LATEST.

Steps to Reproduce

1. Create a module with a CloudFront Distribution that has a Lambda@Edge function that has publish set to false
2. Apply it. It should fail with (expected)
3. Update the module to add publish = true on the Lambda function
4. Apply it. Notice it still fails.

Workaround

Changing the function_name will cause the qualified_arn to be updated.

[ghost]

It's unable to attach existing lambda through data source to cloudfront because qualified_arn always return :$LATEST

As workaround: "${data.aws_lambda_function.existing.arn}:1"
But in terraform provider version < 2.0 arn will return output as qualified_arn see #4446

[YoshiWalsh]

Hi @monolithh, sorry for the very delayed response. I meant to reply but had completely forgotten.

qualified_arn always return :$LATEST

I'm not sure this is accurate. After I changed function_name to destroy and recreate the function, qualified_arn returned the qualified (non-aliased) ARN and it worked happily in cloudfront. It seems if qualified_arn is retrieved on a function that's not published then it will always return $LATEST (even after the function is published) but if the function was published from the start then it will include the function version as expected.

[walkafwalka]

This issue was fixed for the data type, but it looks like it has resurfaced for the data type, also.
See #4446.

[jeremychase]

I just ran into this issue and am considering contributing a PR. Is anyone already working on it?

[jeremychase]

I believe this issue is closed by #14934

edit: After running the tests, issue #8081 is still a problem. I need to look at this again, but I'll resubmit a PR that addresses this.

[ghost]

This has been released in version 3.14.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!