aws_synthetics_canary resource: Add source_code_hash attribute from aws_lambda_function resource

[brendan-sherrin]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This is a feature request to add the "source_code_hash" attribute from the resource "aws_lambda_function" to the "aws_synthetics_canary" resource. AWS Synthetics canary runs a lambda to query website health.

Currently I use a data.archive_file to compress my script file for lambda. I pass the source code hash as below to the lambda so if the script file is updated the hashes don't match, it then updates the zip file and uploads the change.

depends_on = [ data.archive_file.lambda-zip ]
source_code_hash = data.archive_file.lambda-zip.output_base64sha256

The aws_synthetics_canary doesn't have the source code hash option so there's no way to tell TF that the file has changed and the canary resource is not updated when I change the source script file.

New or Affected Resource(s)

aws_synthetics_canary

Potential Terraform Configuration

resource "aws_synthetics_canary" "canary" {
  depends_on = [ data.archive_file.canary-zip ]
  name                 = "canary"
  artifact_s3_location = "s3://${aws_s3_bucket.canarystorage.bucket}/"   
  execution_role_arn   = aws_iam_role.canary-execution-role.arn
  handler              = "canary.handler"  
  zip_file             = data.archive_file.canary-zip.output_path
  source_code_hash =  data.archive_file.canary-zip.output_base64sha256
}

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function

source_code_hash - (Optional) Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either filename or s3_key. The usual way to set this is filebase64sha256("file.zip") (Terraform 0.11.12 and later) or base64sha256(file("file.zip")) (Terraform 0.11.11 and earlier), where "file.zip" is the local filename of the lambda function source archive.

This is a similar problem to #17948 - stuff from lambda that's not exposed in the Canary resource atm

[dekarti1203]

I faced the same problem and came up with this workaround:

data "archive_file" "canary_function" {
  type = "zip"
  source {
    content  = file(var.canary_source)
    filename = length(regexall(".*python.*", var.canary_runtime)) > 0 ? "python/canary.py" : "nodejs/node_modules/canary.js"
  }
  // canary resource will not detect if file content has changed. So include hash in filename.
  output_path = "${path.root}/canary-${filemd5(var.canary_source)}.zip"
}

I'm very much in favor of your proposal. It would add consistent "lambda-like" behaviour to the canary resource.

[rajaie-sg]

I was having issues figuring out why my canary script wasn't being updated and ended up at this page. Turns out Terraform doesn't update the canary if you are using the same .zip filename (even though the contents are different)

[kaihendry]

I'm not sure how to solve this problem in a loop. https://stackoverflow.com/questions/74454360/how-to-set-terraform-output-path-based-on-source-checksum

variable "endpoints" {
  type = map(object({
    url = string
  }))
}

[ivicamihalic]

Any update on this? Would be great to avoid using some dirty workaround