# general
From pulumi debug -v9
{"__type":"com.amazon.coral.validate#ValidationException","message":"Model validation failed (#: required key [Code] not found)"}
pulumi's update plan
```
Previewing update (t/development)

View in Browser (Ctrl+O): <https://app.pulumi.com/t/infra/development/previews/zzzzz>

     Type                             Name                                Plan       Info
     pulumi:pulumi:Stack              infra-development
 ~   ├─ aws-native:lambda:Function    dev-jakob-graphql-public            update     [diff: +layers]
 ~   ├─ aws:apigatewayv2:Integration  dev-jakob-api-graphql-eb6263ba      update     [diff: ~integrationUri]
 ~   └─ aws:apigatewayv2:Integration  dev-jakob-api-graphql-eb6263ba-ext  update     [diff: ~integrationUri]


Outputs:
  ~ LAMBDA_GRAPHQL_PUBLIC_ARN      : "arn:aws:lambda:us-west-2:zzzzz:function:dev-jakob-graphql-public" => output<string>

Resources:
    ~ 3 to update
    35 unchanged
```
debug request w/ redactions
{"ClientToken":"zzzzzz","Identifier":"dev-jakob-graphql-public","PatchDocument":"[{\"op\":\"add\",\"path\":\"/Layers\",\"value\":[\"arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4\"]}]","TypeName":"AWS::Lambda::Function"}
Doing research, I found https://github.com/hashicorp/terraform-provider-awscc/issues/185#issuecomment-928253587 which looks oddly similar and deals with the `code` property of lambda updates as well even though it's on the terraform side.
The lambda in question
```typescript
export const graphqlPublic = new awsnative.lambda.Function(
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: graphqlPublicZip.versionId,
    },
    layers: [
      // 💥 💥 💥 adding this line causes the exception on pulumi up
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
);
```
WORKAROUND: I was able to work around this issue by requiring all changes to `layers` to result in a replacement using the `replaceOnChanges` resource option. Because the lambda can be updated outside of pulumi, the replacement needs to be aware of the latest `versionId` when recreating the resource.

1. Get the object from s3 after creation and capture the latest `versionId`
```typescript
const latest = pulumi
  .all([graphqlPublicZip.bucket, graphqlPublicZip.key])
  .apply(async ([bucket, key]) => {
    const result = await aws.s3.getObject({
      bucket,
      key,
    });

    return result.versionId;
  });
```
2. Update the awsnative lambda to replace on changes to `code` and `layers`
```typescript
export const graphqlPublic = new awsnative.lambda.Function(
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: latest,
    },
    layers: [
      // enable KMS communication
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
  { replaceOnChanges: ["code", "layers"] }
);
```
I'll open a GitHub ticket for the issue, but it appears the problem is upstream with CloudControl. Edit: https://github.com/pulumi/pulumi/issues/12844