Hash-code of lambda function code file changes if run in diffrent shell/os

[ghost]

This issue was originally opened by @wadhekarpankaj as hashicorp/terraform#22397. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Hello,
I am using the lambda module to create lambda function in AWS. However, the value of source_code_hash changes, If I try to do terraform plan/apply in different shell or OS.
The code contents are the same every time I run terraform init. This code is used by multiple users and they have a different OS. We need a solution to avoid this.
Hope the issue is clear.

Terraform version

Terraform v0.11.11

Terraform code

data "archive_file" "lambda_code" {
  type        = "zip"
  source_file = "${path.module}/functions/lambda-function.py"
  output_path = "${path.module}/functions/lambda-function.zip"
}

resource "aws_lambda_function" "lambda_function" {
  filename         = "${replace(substr(data.archive_file.lambda_code.output_path, length(path.cwd) + 1, -1), "\\", "/")}"
  function_name    = "my-test-function
  role             = "${aws_iam_role.iam_for_lambda.arn}"
  handler          = "lambda-function.lambda_handler"
  source_code_hash = "${data.archive_file.lambda_code.output_base64sha256}"
  runtime          = "python2.7"
  timeout          = "60"

  lifecycle {
    ignore_changes = [
      "filename",
      "last_modified",
    ]
  }
}

Actual Behavior

In Windows-
No changes. Infrastructure is up-to-date.
In Ubuntu-

~   aws_lambda_function.lambda_function
      source_code_hash: "7/j4FEt6mgWVm+t991ffkck72xH9LGJvesyNqeC8ETc=" => "/S9mgjpI5UBGSRpMVQUv8HJkj3jeKGnWvsSPW4QiMzY="

and vice versa

Expected Behavior

In Windows-
No changes. Infrastructure is up-to-date.
In Ubuntu-
No changes. Infrastructure is up-to-date.

[mf-lit]

@wadhekarpankaj
I just ran foul of this, but found that the issue was down to permissions on the source files.

On one ubuntu host the source file had 0664 permissions, whilst on the other it had 0644. These read-write permissions aren't tracked by git, hence it was possible for them to be different between hosts. However, these permissions are stored in the resultant zip file.

I've not tried this on Windows, but I imagine it would be difficult (if not impossible) to get identical zip files as the permissions models are so different.

I don't think this is a terraform (or provider issue) really, it's just that we're stretching the usage of terraform a little far expecting it to create perfectly reproducible zip files across multiple platforms. It would be better to have some other tooling managing the zip files in an earlier part of the pipeline.

[wadhekarpankaj]

Hello @mf-lit ,
Thank you for your response.
I do agree with you regarding git not tracking file permissions.
I am also doing a few experiments to figure out how I can do this with the existing capabilities of terraform. I can try to avoid zipping or try another approach for the same.

Regards,
Pankaj

[ThinkBriK]

Actually I think there is even a PR that as never been reviewed for this issue, see #47

[chrisbloe]

I think this should be closed as a duplicate of #34 ?

[asaf-kali]

Adding output_file_mode = "0644" (or any other value) to the "archive_file" solved this for me, as the default file mode is different on different OS, causing the file hash to change.

[micolun]

Hash of the original file can also be used

source_code_hash = base64encode(filesha256(data.archive_file.source_file.source_file))