hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Lambda Layers- New Version Every Run #7185

Closed bbernays closed 5 years ago

bbernays commented 5 years ago

Community Note

Terraform Version

Affected Resource(s)

Terraform Configuration Files

# Example S3 data source
data "aws_s3_bucket_object" "LambdaLayer" {
  bucket = "Lambda-Layers"
  key    = "firstLambdaLayer.zip"
}
resource "aws_lambda_layer_version" "lambda_layer" {
  layer_name          = "NewBaseLayer"
  s3_bucket           = "${data.aws_s3_bucket_object.LambdaLayer.bucket}"
  s3_key              = "${data.aws_s3_bucket_object.LambdaLayer.key}"
  s3_object_version   = "${data.aws_s3_bucket_object.LambdaLayer.version_id}"
  source_code_hash    = "${base64sha256(data.aws_s3_bucket_object.LambdaLayer.version_id)}"
  compatible_runtimes = ["python3.6", "python3.7"]
}

Debug Output

Panic Output

Expected Behavior

This should only be creating a new Lambda Layer Version when the version_id changes.

Actual Behavior

A new version is created every time that terraform apply is run.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

acburdine commented 5 years ago

@bbernays I believe the reason this is occurring is because you have the source_code_hash present in your lambda layer configuration.

From the AWS docs on object versioning:

Unique version IDs are randomly generated, Unicode, UTF-8 encoded, URL-ready, opaque strings that are at most 1024 bytes long.

A lambda layer resource in AWS has a source code hash that contains a sha256 hash of the actual source code. Likely what you're seeing is that the base64sha256 hash of the version id (a random string) is different from what AWS is returning as the source_code_hash of the lambda layer, so it shows a diff every time.

I think you should be able to fix the issue (and still retain the behavior you want) by removing the source_code_hash line from your terraform. The lambda layer will still update whenever the s3 object version_id changes, as you are passing that in via s3_object_version.
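A worked check of the diagnosis above, as an added example that is not part of this thread or of the provider's code: it models the hash comparison with a constructed in-memory layer archive and a constructed sample version id, and shows why hashing the opaque version id can never match the hash of the archive bytes, while hashing the bytes themselves only changes when the content does. `plan_has_diff` is a deliberately simplified stand-in for the provider's comparison, not its real logic.

```python
import base64
import hashlib
import io
import zipfile


def base64sha256(data: bytes) -> str:
    """Terraform's base64sha256(): base64 of the raw SHA-256 digest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_layer_zip(files: dict) -> bytes:
    """Build a constructed in-memory layer archive (fixed timestamps for reproducibility)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=(2019, 1, 1, 0, 0, 0))
            zf.writestr(info, body)
    return buf.getvalue()


def published_code_sha256(zip_bytes: bytes) -> str:
    """What Lambda reports as CodeSha256 for a published layer version:
    the base64-encoded SHA-256 of the uploaded archive bytes."""
    return base64sha256(zip_bytes)


def plan_has_diff(desired_hash: str, remote_hash: str) -> bool:
    """Simplified model (assumption, not provider code): a configured
    source_code_hash that differs from the remote value forces a new version."""
    return desired_hash != remote_hash


# Constructed sample S3 version id; real ones are random opaque strings.
SAMPLE_VERSION_ID = "constructed-version-id-3HL4kqtJlcpXroDTDmJ"


def hash_from_version_id(version_id: str = SAMPLE_VERSION_ID) -> str:
    """The pattern from the issue: hashing the version id instead of the bytes."""
    return base64sha256(version_id.encode("utf-8"))


def hash_from_artifact(zip_bytes: bytes) -> str:
    """The input source_code_hash actually expects: the archive bytes."""
    return base64sha256(zip_bytes)
```

The first call shows a perpetual diff even though nothing changed; the artifact-based hash is stable until the archive content changes.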

bbernays commented 5 years ago

@acburdine- Thank you for that!

Do you think that the aws_lambda_layer_version could be updated to also update on s3_object_version changing? This behavior would be very similar to how the lambda resource also works, where it looks for diffs in the s3 configs.

acburdine commented 5 years ago

Does it not already? I thought it did. If not, that's something I must have overlooked when implementing it initially, and it can definitely be added.

bbernays commented 5 years ago

No, it doesn't. That's why I was trying to pass the s3_object_version (as a hash) to the source_code_hash, because I didn't have the source code as it is in s3, and the data source for s3 doesn't automatically download zip files.

acburdine commented 5 years ago

@bbernays I tested this locally and unfortunately couldn't reproduce what you're seeing. I added an acceptance test that tested whether or not a changing version_id would update the lambda layer, using this configuration:

resource "aws_s3_bucket" "lambda_bucket" {
  bucket = "<random name>"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_object" "lambda_code" {
  bucket = "${aws_s3_bucket.lambda_bucket.id}"
  key = "lambdatest.zip"
  source = "<source>"
  etag = "${md5(file("<source>"))}"
}

resource "aws_lambda_layer_version" "lambda_layer_test" {
  s3_bucket = "${aws_s3_bucket.lambda_bucket.id}"
  s3_key = "${aws_s3_bucket_object.lambda_code.id}"
  s3_object_version = "${aws_s3_bucket_object.lambda_code.version_id}"
  layer_name = "<random name>"
}

Changing the "source" of the s3_bucket_object correctly caused the object and the layer version to be updated. I'd imagine there's something else going on that's causing you to not see your layer updating. Are you sure versioning is enabled on the s3 bucket that your lambda layer code is in?

bflad commented 5 years ago

Closing due to lack of response to the above. If there is something else expected here, please do reach out.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!