Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run #597

Closed
1 task done
juergenz opened this issue Jul 22, 2024 · 5 comments
@juergenz

Description

Changing the code of a lambda function in AWS console does not get detected by a subsequent terraform run.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 7.7.0

  • Terraform version:
    Terraform v1.9.2

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v5.59.0
    provider registry.terraform.io/hashicorp/external v2.3.3
    provider registry.terraform.io/hashicorp/local v2.5.1
    provider registry.terraform.io/hashicorp/null v3.2.2

Reproduction Code [Required]

module "lambda_function" {
  source        = "terraform-aws-modules/lambda/aws"
  version       = "7.7.0"

  function_name = "lambda-simple"
  handler       = "index.lambda_handler"
  runtime       = "python3.12"

  source_path = ["index.py"]
}

import boto3
import botocore

def lambda_handler(event, context):
   print(f'boto3 version: {boto3.__version__}')
   print(f'botocore version: {botocore.__version__}')

Steps to reproduce the behavior:

  1. Deploy lambda function - terraform apply
  2. Confirm there are no pending changes - terraform plan / terraform apply
  3. Change and deploy code in AWS console - e.g. insert a print("test")
  4. Run terraform plan again

Expected behavior

A change to source_code_hash should be detected.

Actual behavior

No change is detected.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Additional context

Not sure if this is intended behavior, looking at the following code, but from my perspective it would be useful to have the option to always check for a drift of source_code_hash.

was_missing = var.local_existing_package != null ? !fileexists(var.local_existing_package) : local.archive_was_missing

...

source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Aug 22, 2024
@antonbabenko
Member

I could not reproduce this issue. It works like it should, changes are being tracked properly.

Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).

If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

@github-actions github-actions bot removed the stale label Aug 24, 2024
@Xan0C

Xan0C commented Sep 2, 2024

> I could not reproduce this issue. It works like it should, changes are being tracked properly.
>
> Please make sure that you do terraform refresh before terraform plan (it is turned on, by default).
>
> If you would want to not keep track of changes then you can set ignore_source_code_hash to true.

Faced the same issue, doing a change to the code through the AWS Console (directly through the code editor, no zip upload etc.).
This code change results in a change for the SHA256 hash which is also reflected in the terraform state.

e.g. for some lambda resource terraform state show "module.application_lambda.aws_lambda_function.this[0]"

Will give you the updated code_sha256 but the source_code_hash won't be updated/changed, when doing manual code changes through the AWS Console.

I guess the code_sha256 is not used to decide if the resource has been changed but only the source_code_hash and the source_code_hash is not updated when doing changes through the AWS Console.
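
The mismatch described in the comment above can be checked outside of `terraform plan`. This is an added example, not part of the thread or of the module's code. It reads `terraform show -json` output and flags every `aws_lambda_function` whose deployed `code_sha256` differs from the recorded `source_code_hash`. It assumes the state has been refreshed and that both attributes hold the base64 SHA-256 of the package. The sample state and its hash values are constructed placeholders.

```python
import json


def _fn(address, recorded, deployed):
    """Build one constructed aws_lambda_function state entry."""
    return {"address": address, "type": "aws_lambda_function",
            "values": {"source_code_hash": recorded, "code_sha256": deployed}}


# Constructed sample in the shape of `terraform show -json`; hashes are placeholders.
SAMPLE_STATE = json.dumps({"values": {"root_module": {
    "resources": [
        _fn("aws_lambda_function.unchanged", "HASH-A", "HASH-A"),
        _fn("aws_lambda_function.ignored", None, "HASH-B"),
    ],
    "child_modules": [{
        "address": "module.application_lambda",
        "resources": [_fn("module.application_lambda.aws_lambda_function.this[0]",
                          "HASH-C-from-last-apply", "HASH-D-after-console-edit")],
    }],
}}})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def lambda_code_drift(state_json):
    """Return {address: status} for each aws_lambda_function in the state.

    "drift": deployed code differs from the hash Terraform recorded.
    "untracked": a hash is missing (e.g. ignore_source_code_hash is set).
    """
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    report = {}
    for res in iter_resources(root):
        if res.get("type") != "aws_lambda_function":
            continue
        vals = res.get("values", {})
        recorded, deployed = vals.get("source_code_hash"), vals.get("code_sha256")
        if not recorded or not deployed:
            report[res["address"]] = "untracked"
        else:
            report[res["address"]] = "in-sync" if recorded == deployed else "drift"
    return report


if __name__ == "__main__":
    for address, status in lambda_code_drift(SAMPLE_STATE).items():
        print(f"{status:10} {address}")
```

Against a real workspace, pass the output of `terraform show -json` to `lambda_code_drift` in place of `SAMPLE_STATE`; a "drift" result means the function code was changed outside of Terraform since the last apply.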


github-actions bot commented Oct 3, 2024

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Oct 3, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Oct 13, 2024