dry-pilot-49577
05/08/2023, 4:58 PM
arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4
what happens - error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: zzzzz, api error ValidationException: Model validation failed (#: required key [Code] not found)
The total diff in pulumi is just the addition of the lambda layer. However, the error seems to imply that cloudcontrol needs code as part of the update-function call. Hoping for a pointer or a workaround. Debug information in thread.
pulumi version: 3.66.0 (typescript code)
search tags: lambda layer Code cloudcontrol
{"__type":"com.amazon.coral.validate#ValidationException","message":"Model validation failed (#: required key [Code] not found)"}
pulumi's update plan
Previewing update (t/development)

View in Browser (Ctrl+O): <https://app.pulumi.com/t/infra/development/previews/zzzzz>

     Type                               Name                                    Plan     Info
     pulumi:pulumi:Stack                infra-development
 ~   ├─ aws-native:lambda:Function      dev-jakob-graphql-public                update   [diff: +layers]
 ~   ├─ aws:apigatewayv2:Integration    dev-jakob-api-graphql-eb6263ba          update   [diff: ~integrationUri]
 ~   └─ aws:apigatewayv2:Integration    dev-jakob-api-graphql-eb6263ba-ext      update   [diff: ~integrationUri]

Outputs:
  ~ LAMBDA_GRAPHQL_PUBLIC_ARN : "arn:aws:lambda:us-west-2:zzzzz:function:dev-jakob-graphql-public" => output<string>

Resources:
    ~ 3 to update
    35 unchanged
debug request w/ redactions
{"ClientToken":"zzzzzz","Identifier":"dev-jakob-graphql-public","PatchDocument":"[{\"op\":\"add\",\"path\":\"/Layers\",\"value\":[\"arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4\"]}]","TypeName":"AWS::Lambda::Function"}
code property of lambda updates as well even though it's on the terraform side.

export const graphqlPublic = new awsnative.lambda.Function(
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: graphqlPublicZip.versionId,
    },
    layers: [
      // 💥 💥 💥 adding this line causes the exception on pulumi up
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
);
layers to result in a replacement using the replaceOnChange resource option. Because the lambda can be updated outside of pulumi, the replacement needs to be aware of the latest versionId when recreating the resource.
1. get the object from s3 after creation and capture the latest versionId
const latest = pulumi
  .all([graphqlPublicZip.bucket, graphqlPublicZip.key])
  .apply(async ([bucket, key]) => {
    const result = await aws.s3.getObject({
      bucket,
      key,
    });
    return result.versionId;
  });
2. Update the awsnative lambda to replace on changes to code and layers
export const graphqlPublic = new awsnative.lambda.Function(
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: latest,
    },
    layers: [
      // enable KMS communication
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
  { replaceOnChanges: ["code", "layers"] }
);
I'll open a GitHub ticket for the issue, but it appears the problem is upstream with CloudControl.
Edit: https://github.com/pulumi/pulumi/issues/12844