2

When defining a lambda of package_type = Zip, it's possible to create a dummy temp.zip file and set it as the lambda's filename.

When created, the lambda will basically have an empty zip, which can later be replaced by something like a continuous delivery pipeline that pushes an artifact to it.

I've noticed this pattern used at work.

However, I'm playing with lambda container images for something personal.

I set package_type = Image, and set other required arguments (per the Terraform docs). But when I run terraform apply, I get an error saying the lambda's image_uri argument must be set.

What if I don't have an image built yet? Is there some equivalent technique to satisfy the image_uri requirement, to essentially create an "empty" lambda, which I later plan to update via a CD pipeline?

Been looking around but have not yet found a solution.

3
  • Can you provide your relevant Terraform config & exact output / error msg? Commented Jan 13, 2022 at 19:19
  • How did it go? Still unclear why you can't do that? Commented Jan 22, 2022 at 2:31
  • @Marcin your answer makes sense. When doing the equivalent using a Zip package type, I have to provide a dummy zip file just so that the Lambda can be created. Guess it makes sense that the same is true when using an Image; you have to provide some initial "value" for the resource to be created, even if it's a dummy image that does nothing. Commented Jan 28, 2022 at 18:23

2 Answers

2

What if I don't have an image built yet?

Then you can't create a container lambda. You have to provide some image URL. It can be a dummy image that does nothing, but it must preexist before you can create such a lambda function.

Then later you can update the dummy image with something else.

0

Yes, you can! This question has already been answered here, which I've copied below:

data "aws_ecr_authorization_token" "token" {}

resource "aws_ecr_repository" "repository" {
  name                 = "lambda-${local.name}-${local.environment}"
  image_tag_mutability = "MUTABLE"
  tags = local.common_tags
  image_scanning_configuration {
    scan_on_push = true
  }
  lifecycle {
    ignore_changes = all
  }

  provisioner "local-exec" {
    # This is a 1-time execution to put a dummy image into the ECR repo, so 
    #    terraform provisioning works on the lambda function. Otherwise there is
    #    a chicken-egg scenario where the lambda can't be provisioned because no
    #    image exists in the ECR
    command     = <<EOF
      docker login ${data.aws_ecr_authorization_token.token.proxy_endpoint} -u AWS -p ${data.aws_ecr_authorization_token.token.password}
      docker pull alpine
      docker tag alpine ${aws_ecr_repository.repository.repository_url}:SOME_TAG
      docker push ${aws_ecr_repository.repository.repository_url}:SOME_TAG
      EOF
  }
}

4 Comments

  • Unfortunately, this doesn't work. Although you have a local-exec provisioner trying to handle the initial image upload, there's a race condition because the Lambda function is being created before the provisioner has a chance to upload the initial image.
  • If you have a race condition with your lambda, double-check to make sure your lambda has either an implicit or explicit depends_on on the ECR repo. Terraform is designed to handle cascading builds like this; you just have to tell it what depends on what.
  • Ah, never mind, I think I see what you mean. I'm kinda shocked that Terraform wouldn't wait for the local-exec provisioner to finish before trying to build downstream resources like the lambda. That doesn't seem right.
  • I ended up using an approach suggested here: hewi.blog/managing-aws-lambda-functions-using-terraform. Basically, you create a null_resource which does the actual docker build ... docker push in its local-exec. Then you have your Lambda resource have a depends_on on that null resource. Worked like a charm, although feels hacky.
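
The null_resource approach described in the last comment, written out as an added example (not code from the posts above or from the linked blog). The names "example", "bootstrap" and var.lambda_role_arn, and the choice of the AWS-published public.ecr.aws/lambda/provided:al2 image as the placeholder, are assumptions; it also assumes docker and a POSIX shell on the machine running terraform apply.

```hcl
# Added example; "example", "bootstrap" and var.lambda_role_arn are
# assumed names, not taken from the original posts.
variable "lambda_role_arn" { type = string }

data "aws_ecr_authorization_token" "token" {}

resource "aws_ecr_repository" "repository" {
  name = "lambda-example"
  image_scanning_configuration {
    scan_on_push = true
  }
}

# Pushes a placeholder image once per repository URL.
resource "null_resource" "bootstrap_image" {
  triggers = {
    repository_url = aws_ecr_repository.repository.repository_url
  }
  provisioner "local-exec" {
    # The registry password goes through the environment and stdin, so it
    # is not part of the docker command line or the rendered command text.
    environment = {
      ECR_PASSWORD = data.aws_ecr_authorization_token.token.password
      ECR_ENDPOINT = data.aws_ecr_authorization_token.token.proxy_endpoint
      REPO_URL     = aws_ecr_repository.repository.repository_url
    }
    command = <<-EOF
      set -e
      printf '%s' "$ECR_PASSWORD" | docker login --username AWS --password-stdin "$ECR_ENDPOINT"
      docker pull public.ecr.aws/lambda/provided:al2
      docker tag public.ecr.aws/lambda/provided:al2 "$REPO_URL:bootstrap"
      docker push "$REPO_URL:bootstrap"
    EOF
  }
}

resource "aws_lambda_function" "example" {
  function_name = "example"
  role          = var.lambda_role_arn
  package_type  = "Image"
  image_uri     = "${aws_ecr_repository.repository.repository_url}:bootstrap"

  # Create the function only after the placeholder push has finished.
  depends_on = [null_resource.bootstrap_image]
  lifecycle {
    # The CD pipeline owns image_uri after the first apply.
    ignore_changes = [image_uri]
  }
}
```

With ignore_changes on image_uri, later terraform apply runs leave whatever image the pipeline deployed in place instead of reverting to the placeholder tag.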
