Lambda@Edge Always Updating Without Changes #3776
Comments
armaneous
added
kind/bug
t0yv0
added
bug/diff
|
Thanks for reporting this @armaneous , I'm sorry this does not work as expected. Our team will be taking a look subject to time availability. |
|
@t0yv0 Is this another issue of diff calculation in the bridge? Should we link it to the epic then? |
|
CC @mjeffryes I'm not sure which epic - I've been labelling these as bug/diff for the moment. On the surface it looks very much like one of those issues. @armaneous if you have a chance to add a source program that reproduces this this could help us out a lot to make it easier to resolve. Thank you! |
|
I can confirm that we are seeing this as well with a function that ignores a specific tag. In our use case this is a tag that is updated at deploy time by our CI system to a version for our observability tools to read. This accurately ignores all the tags and code updates however it also says the lambda has a 0 change update every time its run because state still sees the version tag. |
|
@armaneous do you have an example app that we can use to reproduce? I've tried to reproduce this using the below app and I was unable to. There have been some changes since you reported this issue so it is possible that it has been fixed, do you know if you still see this on the latest version? const role = new aws.iam.Role('role', {
assumeRolePolicy: pulumi.jsonStringify({
Version: '2012-10-17',
Statement: [
{
Action: 'sts:AssumeRole',
Effect: 'Allow',
Principal: aws.iam.Principals.EdgeLambdaPrincipal,
},
{
Action: 'sts:AssumeRole',
Effect: 'Allow',
Principal: aws.iam.Principals.LambdaPrincipal,
},
],
}),
managedPolicyArns: [aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole],
});
const asset = archive.getFile({
type: 'zip',
sourceContentFilename: 'index.js',
sourceContent: `
export default function handler() {
return 'Hello World!';
}
`,
outputPath: 'lambda_function_payload.zip',
});
const code = new pulumi.asset.FileArchive(asset.then((a) => a.outputPath));
const func = new aws.lambda.Function(
'handler',
{
publish: true,
role: role.arn,
code,
handler: 'index.handler',
runtime: 'nodejs20.x',
},
{
customTimeouts: {
delete: '30m',
},
},
);
const bucket = new aws.s3.BucketV2('web-bucket', {});
const id = new aws.cloudfront.OriginAccessIdentity('identity', {
comment: 'id',
});
new aws.cloudfront.Distribution('distro', {
enabled: false,
viewerCertificate: {
cloudfrontDefaultCertificate: true,
},
restrictions: {
geoRestriction: {
restrictionType: 'none',
},
},
defaultCacheBehavior: {
defaultTtl: 0,
maxTtl: 0,
cachedMethods: ['HEAD', 'GET'],
allowedMethods: ['HEAD', 'GET'],
targetOriginId: 'chall-origin',
viewerProtocolPolicy: 'https-only',
lambdaFunctionAssociations: [
{
eventType: 'viewer-request',
lambdaArn: pulumi
.all([func.arn, func.version])
.apply(([arn, version]) => `${arn}:${version}`),
},
],
forwardedValues: {
queryString: false,
cookies: {
forward: 'none',
},
},
},
origins: [
{
customHeaders: [
{
name: 'key',
value: 'value',
},
],
originId: 'chall-origin',
domainName: bucket.bucketDomainName,
connectionTimeout: 9,
connectionAttempts: 2,
s3OriginConfig: {
originAccessIdentity: id.cloudfrontAccessIdentityPath,
},
},
],
}); |
What happened?
Without any changes made to the code that's deployed or the configuration, the Lambda function seems to keep registering a change requiring update which cascades to the Cloudfront Distribution requiring an update as well every time.
Example
Output of
pulumi up --diff:Unsure if this is the problem, but the ARN is assembled using the output of the lambda resource like so:
Output of
pulumi aboutAdditional context
Not a blocker, but just a nuisance when deploying. Seems to be doing unnecessary updates.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: