-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
patch lambda importing #3371
patch lambda importing #3371
Conversation
Does the PR have any schema changes?Does the PR have any schema changes?Looking good! No breaking changes found. Maintainer note: consult the runbook for dealing with any breaking changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change looks reasonable. TF does generate a generated.tf
file during an import, so I would like to make sure we understand if this bug shows up in TF, or just in Pulumi.
We can merge as soon as we understand that and have a test.
I'm struggling with understanding this one a bit, is it true that the bug also holds in pure TF, which is why we're patching? Is there an upstream issue open? |
So we document source_code_hash like this: source_code_hash That sounds exactly right, the upstream provider does not support specifying a lambda only by source_code_hash. Looks like that's not what this field is for. The proposal here is to add a feature that would exist only in the Pulumi provider that changes the behavior of source_code_hash? |
There's more work to do this with testing and documentation. Before we go down this route, can we quickly look at any other ways to satisfy the original problem? Why does pulumi not import this cleanly as is (presumably pure TF does)? I suspect we have a Read/import gap for archives that's related here? |
@t0yv0 great question, I had a look at TF issues and I found this: They've closed is as expected behaviour. Same issue reported here: hashicorp/terraform#34374 I guess one thing to test is invalid |
Can you paste what Pulumi Read() call produces during import and consequently what code does import produce? Thanks! |
Read GRPC:
Generated program:
|
Here is where the upstream code updating happens: https://github.com/hashicorp/terraform-provider-aws/blob/c42a6bbfd7f170bbb30254045c1657e2e9c973c2/internal/service/lambda/function.go#L935 They check that one of the code related attributes has changed: and then on So it looks to me like as long as there is no code change, the lambda should be fine to edit other resources. I think this means that if we are to ship this we need to add a check that |
I tried the upstream workaround:
Still getting the same error. Here is the Check call:
|
Reading upstream it seems that recovering the source code is not possible. Is that true? |
Not via the API, reads just return the hash - I think the console sometimes displays the code but that also fails for larger files. |
I wonder what TF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working with me @VenelinMartinov on this, appreciate it.
Approving for now.
Filed #3376 - the import story still feels like it needs some work. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I read this correctly, this is to fix a general import failure on AWS lambda that happens because of a field presence validation.
Would it be worth it to add a test here, especially given that a failure to pass could alert us to upstream changes?
Yup, totally, I’ll add tests before merging! |
func TestSourceCodeHashUpdatedLambdaFails(t *testing.T) { | ||
// Update requires a Configure, otherwise the AWS provider segfaults. | ||
|
||
// Error looks like this but contains a request ID so we can't match it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that this correctly fails but the error is not at all readable. I'm wondering if there is a nice way for this to fail earlier - essentially we want to fail if a user inputs this and then updates the value.
"role": "arn:aws:iam::616138583583:role/iamForLambda-d5757fe", | ||
"runtime": "nodejs18.x", | ||
"skipDestroy": false, | ||
"sourceCodeHash": "WUsPYQdwiMj+sDZzl3tNaSzS42vqVfng2CZtgcy+TRt=", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the only change in inputs.
Looks like this does not fix the original issue which motivated it. Turns out the original issue was about using the Details here: #2392 (comment) |
Addresses #2392
Looks like the upstream provider does not support specifying a lambda only by
source_code_hash
in inputs:https://github.com/hashicorp/terraform-provider-aws/blob/97c16f28e84ab7afda6b935e19b9243510931c81/internal/service/lambda/function.go#L169-L173
The schema has
ExactlyOneOf
on the other ways to provide the source code.This might have something to do with how TF treats imports, since I don't believe they generally generate the code for it.
We can however generate the input for the lambda, so we should support specifying it by the
source_code_hash
.I've tested that the issue no longer reproduces under this patch.
TODO: