As mentioned previously, we are using terraform to spin up resources in AWS in an automated and repeatable fashion. Mostly it just works, but now and again things get tricky. We hit such a situation when automating the deployment of AWS Lambdas. We were using terraform to create AWS resources and then continuously deploying with ansible. So if the lambda source code changed, ansible would deploy the new version, while privileges and other plumbing were taken care of by terraform. It all seemed to work well, but trouble was lurking.
The problem was that when setting up the initial version of the lambda in terraform we were effectively creating it empty and leaving it up to ansible to deploy the actual code. This is fine up to the point you need to run your terraform script once again. Terraform defines its resources declaratively, so if additional resources or changes are needed you simply run the script again and everything is brought up to date. But when it came to the lambda it would say to itself “This lambda is declared as being empty, but it isn’t. I’ll fix that!”. So running the terraform script would wipe the source code. Oops.
We got around this by storing the lambda source code in s3 and always deploying from there. The terraform script ensures that the bucket and source zip exists and creates the lambda using that source:
resource "aws_s3_bucket" "source_bucket" { bucket = "my-bucket-for-source" } resource "aws_s3_bucket_object" "lambda_source" { bucket = "${aws_s3_bucket.source_bucket.bucket}" key = "source.zip" source = "initial_empty_lambda.zip" } resource "aws_lambda_function" "my_lambda" { function_name = "my_lambda_function" s3_bucket = "${aws_s3_bucket.source_bucket.bucket}" s3_key = "source.zip" runtime = "nodejs4.3" environment { variables = { foo = "bar" bez = "baz" } } }
Note that creating the zip in the way specified (without using the etag attribute) means that terraform only checks if the file exists in s3. Importantly it won’t overwrite an updated zip with the empty one later on…
Meanwhile, the ansible playbook uploads the latest zip to the s3 bucket and updates the lambda source using that. So now running terraform will not break the lambda, sanity restored.