If I have `aws.lambda_.Function(publish=True)`, is...
# aws
d
If I have `aws.lambda_.Function(publish=True)`, is that supposed to create an update on every `pulumi up`? Or is it supposed to only publish a new version if something has changed?
Because right now it seems like it’s publishing a new version on every run no matter what…
Actually, it’s not actually publishing a new version, but the `lambda_function.qualified_arn` is changing, causing a downstream ripple effect.
This wasn’t happening without `publish=True`.
What’s strange is I’m getting infinite updates on this and a different lambda function that doesn’t use an Image… just a `code=pulumi.AssetArchive({"lambda.py": pulumi.FileAsset(CODE_PATH)}),`… that shows a diff on every preview/update.
And this only seems to have started since updating my python deps:
pulumi 3.120.0=>3.136.0
pulumi-aws 6.40.0=>6.55.0
f
🤔 `publish=true` will create a new version, which will change the `qualified_arn` as that includes the version
but i'm not sure why you're seeing this now with no code change aside from the deps update?
d
Yeah… in general I’m seeing issues with lambda infinite updates…
f
do you have a code snippet you could share of just the lambda resource perhaps?
d
This is my container-based lambda (it’s a resource within a component resource):
```python
import os

import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx

# lambda_role, db_username, db_name and db_password are defined elsewhere
# in the same component resource and are omitted here.
name = "foo"
vpc = ...
rds = ...

repo = awsx.ecr.Repository(
    f"{name}-ecr-repo",
    opts=pulumi.ResourceOptions(parent=self),
)

# Builds and pushes the container image from ./src on every run
image = awsx.ecr.Image(
    f"{name}-image",
    repository_url=repo.url,
    context=os.path.join(os.path.dirname(__file__), "src"),
    platform="linux/x86_64",  # Default lambda architecture is x86_64
    opts=pulumi.ResourceOptions(parent=self),
)

# Only allow the function to reach Postgres inside the VPC
lambda_security_group = aws.ec2.SecurityGroup(
    f"{name}-lambda-sg",
    vpc_id=vpc.vpc_id,
    egress=[
        aws.ec2.SecurityGroupEgressArgs(
            from_port=5432,
            to_port=5432,
            protocol="tcp",
            cidr_blocks=[vpc.vpc.cidr_block],
        ),
    ],
)

lambda_function = aws.lambda_.Function(
    f"{name}-lambda",
    role=lambda_role.arn,
    package_type="Image",
    image_uri=image.image_uri,
    publish=True,  # publishes a new version; qualified_arn includes the version number
    environment={
        "variables": {
            "DB_HOST_PORT": rds.endpoint,
            "DB_USER": db_username,
            "DB_NAME": db_name,
            "DB_PASSWORD": db_password,
        }
    },
    logging_config=aws.lambda_.FunctionLoggingConfigArgs(
        log_format="JSON",
    ),
    vpc_config=aws.lambda_.FunctionVpcConfigArgs(
        subnet_ids=vpc.private_subnet_ids,
        security_group_ids=[lambda_security_group.id],
    ),
    opts=pulumi.ResourceOptions(
        parent=self,
        depends_on=[rds],
    ),
)
```
The `my--project-dev-fivetran-config-lambda` has the plan “update” every run, and since that seems to cause the `lambda_function.qualified_arn` to be dirty, my Command gets updated:
```python
import pulumi_command as command

# Re-runs whenever qualified_arn changes, because `create` depends on it
invoke_lambda = command.local.Command(
    ...,
    create=lambda_function.qualified_arn.apply(...),
)
```
The other lambda that has a `[diff: ~code]` on every run is this one:
```python
import os

import pulumi
import pulumi_aws as aws

CODE_PATH = os.path.join(os.path.dirname(__file__), "lambda.py")
lambda_function = aws.lambda_.Function(
    "lambda",
    role=lambda_role.arn,
    runtime=aws.lambda_.Runtime.PYTHON3D12,
    handler="datadog_lambda.handler.handler",
    # Single-file archive; the asset hash is what the `code` diff compares
    code=pulumi.AssetArchive({"lambda.py": pulumi.FileAsset(CODE_PATH)}),
    environment={
        "variables": {
            # ...
        }
    },
    layers=[
        f"arn:aws:lambda:{args.aws_region}:{DD_ACT}:layer:Datadog-Python312:98",
        f"arn:aws:lambda:{args.aws_region}:{DD_ACT}:layer:Datadog-Extension:65",
    ],
    timeout=15,
    opts=pulumi.ResourceOptions(parent=self),
)
```
Any thoughts…?
f
let me see if I can take a closer look today; bit of a busy week for me here
d
Ok also the diff that’s showing for the ~code “change” looks like:
```
~ aws:lambda/function:Function: (update)
            [id=...]
            [urn=...]
            [provider=...]
          ~ code: archive(assets:fabcfb3) {
            }
```
(There’s nothing in the ~code that has actually changed.) And the one for the version “update” looks like this (there are no visible changes, yet the Lambda Invocation thinks there’s been an update):
```
~ aws:lambda/function:Function: (update)
            [id=...]
            [urn=...]
            [provider=...]
            environment                 : {
              ...
            }
            imageUri                    : "..."
            loggingConfig               : {
                applicationLogLevel: ""
                logFormat          : "JSON"
                systemLogLevel     : ""
            }
            memorySize                  : 128
            name                        : "..."
            packageType                 : "Image"
            publish                     : true
            reservedConcurrentExecutions: -1
            role                        : "..."
            skipDestroy                 : false
            tags                        : {
                ...
            }
            tagsAll                     : {
                ...
            }
            timeout                     : 3
            vpcConfig                   : {
                ...
            }
        ++aws:lambda/invocation:Invocation: (create-replacement)
            [id=...]
            [urn=...]
            [provider=...]
          ~ qualifier: "4" => output<string>
```
f
@dry-journalist-60579 I still want to say most/all of this is because of https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html / https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using and `publish=True`. The qualifier will change at that point even if the code/image does not because you're "publishing" a new version. Here's a related upstream issue https://github.com/hashicorp/terraform-provider-aws/issues/33383; you could try employing the workaround there, which will suppress the update based on version:
```python
opts=pulumi.ResourceOptions(
    ignore_changes=["qualifiedArn", "qualifiedInvokeArn", "version"],
),
```
I didn't dig deeper into whether the dependency updates should have made a difference - it's possible, but I'm suspecting that upstream issue would explain it overall.
d
@future-hairdresser-70637 ah, thank you! Hmm, if I use `ignore_changes`, will that mean that legitimate updates will be ignored?
And any thoughts on what’s causing the infinite updates for the `AssetArchive`?
And also, where/how does the code in https://github.com/hashicorp/terraform-provider-aws/ actually run? Is it in the pulumi sdk? The cli?
(Thank you again for all your help here!)
f
👋 @dry-journalist-60579

> Hmm if I use `ignore_changes` will that mean that legitimate updates will be ignored?

In general, yes. Specifically in this case I personally don't see this as a show-stopping workaround/hack if documented, as the legit updates here are caused by the lambda versioning that isn't getting properly diffed. It's certainly not ideal, though. 🙂

> any thoughts on what’s causing the infinite updates for the `AssetArchive`?

My first assumption is a file changing, thus the archive's hash changing (see here for code) - is something changing the contents of the `AssetArchive` dir? a build? dependency update? etc.

> where/how does the code in https://github.com/hashicorp/terraform-provider-aws/ actually run? Is it in the pulumi sdk? The cli?

This gets complicated fast; if you haven't, start here https://www.pulumi.com/docs/iac/concepts/how-pulumi-works/ then progress to here https://github.com/pulumi/pulumi/tree/master/docs/architecture and then https://github.com/pulumi/pulumi/blob/master/docs/architecture/providers.md where you'll end up at https://github.com/pulumi/pulumi-terraform-bridge 😄
d
Ah, thank you so much!! RE the AssetArchive, it’s just:
```python
import os

import pulumi
import pulumi_aws as aws

CODE_PATH = os.path.join(os.path.dirname(__file__), "twilio_webhook_fallback/lambda.py")
lambda_function = aws.lambda_.Function(
    f"{name}-lambda",
    role=lambda_role.arn,
    runtime=aws.lambda_.Runtime.PYTHON3D12,
    handler="datadog_lambda.handler.handler",
    # Archive of a single file that is not modified between runs
    code=pulumi.AssetArchive({"lambda.py": pulumi.FileAsset(CODE_PATH)}),
    # ...
)
```
And that file is not changing at all, but I can literally run `pulumi up` two times in a row and it picks up a diff.
f
do you have `publish=True` for that `aws.lambda_.Function`?
d
Ah on that one I don’t.
f
well then, hmm. I can't imagine this would make a difference, but if you feel like experimenting, what if you pull out the `FileAsset` and `AssetArchive` into their own variables? also, is the hash visibly changing in the diff after an `up`? i.e. `code: archive(assets:*fabcfb3*)`
d
Just says `[diff: ~code]`
f
if you add `--diff` to the command you should get more details:
```
~ code: archive(assets:f217920->32c74b9) {
          ~ "lambda.py": asset(file:1b676be->03d1a6b) { /code/./simple_lambda.py }
```
d
hmm nope, it’s empty
f
well that's a twist 😄 can you paste a `pulumi about`
d
mind if I DM it to you?