Hi all. Trying to figure out if this is a bug in pulumi or aws cloud control context - Attempting to add a layer to an existing lambda
arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4
what happens -
error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: zzzzz, api error ValidationException: Model validation failed (#: required key [Code] not found)
The total diff in pulumi is just the addition of the lambda layer. However, the error seems to imply that cloudcontrol needs `code` as part of the update-function call. Hoping for a pointer or a workaround. Debug information in thread.
pulumi version: 3.66.0 (typescript code)
search tags: lambda layer Code cloudcontrol
From pulumi debug -v9
{"__type":"com.amazon.coral.validate#ValidationException","message":"Model validation failed (#: required key [Code] not found)"}
pulumi's update plan
Previewing update (t/development)

View in Browser (Ctrl+O): <https://app.pulumi.com/t/infra/development/previews/zzzzz>

     Type                             Name                                Plan       Info
     pulumi:pulumi:Stack              infra-development
 ~   ├─ aws-native:lambda:Function    dev-jakob-graphql-public            update     [diff: +layers]
 ~   ├─ aws:apigatewayv2:Integration  dev-jakob-api-graphql-eb6263ba      update     [diff: ~integrationUri]
 ~   └─ aws:apigatewayv2:Integration  dev-jakob-api-graphql-eb6263ba-ext  update     [diff: ~integrationUri]


Outputs:
  ~ LAMBDA_GRAPHQL_PUBLIC_ARN      : "arn:aws:lambda:us-west-2:zzzzz:function:dev-jakob-graphql-public" => output<string>

Resources:
    ~ 3 to update
    35 unchanged
debug request w/ redactions
{"ClientToken":"zzzzzz","Identifier":"dev-jakob-graphql-public","PatchDocument":"[{\"op\":\"add\",\"path\":\"/Layers\",\"value\":[\"arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4\"]}]","TypeName":"AWS::Lambda::Function"}
Doing research, I found https://github.com/hashicorp/terraform-provider-awscc/issues/185#issuecomment-928253587 which looks oddly similar and deals with the `code` property of lambda updates as well even though it's on the terraform side.
The lambda in question
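import * as awsnative from "@pulumi/aws-native";

// lambdaName, graphqlPublicRole, lambdaStore and graphqlPublicZip are defined elsewhere in the program.
export const graphqlPublic = new awsnative.lambda.Function(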
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: graphqlPublicZip.versionId,
    },
    layers: [
      // 💥 💥 💥 adding this line causes the exception on pulumi up
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
);
WORKAROUND
I was able to work around this issue by requiring all changes to `layers` to result in a replacement using the `replaceOnChanges` resource option. Because the lambda can be updated outside of pulumi, the replacement needs to be aware of the latest `versionId` when recreating the resource.
1. Get the object from s3 after creation and capture the latest `versionId`
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up the uploaded zip in S3 and resolve its current versionId.
const latest = pulumi
  .all([graphqlPublicZip.bucket, graphqlPublicZip.key])
  .apply(async ([bucket, key]) => {
    const result = await aws.s3.getObject({
      bucket,
      key,
    });

    return result.versionId;
  });
2. Update the awsnative lambda to replace on changes to `code` and `layers`
export const graphqlPublic = new awsnative.lambda.Function(
  lambdaName,
  {
    functionName: lambdaName,
    role: graphqlPublicRole.arn,
    memorySize: 128,
    architectures: ["arm64"],
    runtime: "nodejs16.x",
    handler: "index.handler",
    code: {
      s3Bucket: lambdaStore.id,
      s3Key: graphqlPublicZip.key,
      s3ObjectVersion: latest,
    },
    layers: [
      // enable KMS communication
      "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:4",
    ],
  },
  { replaceOnChanges: ["code", "layers"] }
);
I'll open a GitHub ticket for the issue, but it appears the problem is upstream with CloudControl. Edit: https://github.com/pulumi/pulumi/issues/12844