awscc_lambda_function keeps wanting to update properties (which then also fails) #185

Closed
ansgarm opened this issue Sep 27, 2021 · 2 comments · Fixed by #667

ansgarm (Member) commented Sep 27, 2021

Given the following Terraform config:

```hcl
terraform {
  required_providers {
    awscc = {
      source  = "local/hashicorp/awscc"
      version = "0.0.11" # I used commit a0d053e99fcfe here (also tagged as 0.0.11)
    }

    aws = {
      source  = "hashicorp/aws"
      version = "3.59.0"
    }
  }
}

provider "awscc" {
}
provider "aws" {
  region = "us-west-2" # same region as awscc in preview
}

resource "aws_iam_role" "lambda_service_role" {
  assume_role_policy = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"lambda.amazonaws.com\"}}],\"Version\":\"2012-10-17\"}"
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  ]
}

resource "awscc_lambda_function" "fails" {
  code = {
    zip_file = "def main(event, context):\n    print(\"I'm running!\")"
  }
  handler = "index.main"
  role    = aws_iam_role.lambda_service_role.arn
  runtime = "python3.6"
  timeout = 300
}
```

When running terraform apply:

  1. For the first time: It only creates the iam role but fails for the lambda (different bug, see awscc_lambda_function cannot assume aws_role in one apply (running apply twice works) #172)
  2. For the second time: It creates the lambda function successfully
  3. For the third time: It wants to reset some defaults (which should be unnecessary) and fails when applying those changes.

```
terraform apply                                                                                                                                                                        16:05:40
aws_iam_role.lambda_service_role: Refreshing state... [id=terraform-20210927140450743500000001]
awscc_lambda_function.fails: Refreshing state... [id=VDM5JzPaI8yNnx2LMKCLnGhLo-T8Rxb0URuAvC]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # awscc_lambda_function.fails has been changed
  ~ resource "awscc_lambda_function" "fails" {
      + file_system_configs = [
          + {          },
        ]
        id                  = "VDM5JzPaI8yNnx2LMKCLnGhLo-T8Rxb0URuAvC"
      + memory_size         = 128
      + package_type        = "Zip"
      + tracing_config      = {
        + mode = "PassThrough"
      }
        # (7 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_lambda_function.fails will be updated in-place
  ~ resource "awscc_lambda_function" "fails" {
      - file_system_configs = [
          - {          },
        ]
        id                  = "VDM5JzPaI8yNnx2LMKCLnGhLo-T8Rxb0URuAvC"
      - memory_size         = 128 -> null
      - package_type        = "Zip" -> null
      - tracing_config      = {
        - mode = "PassThrough" -> null
      }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

awscc_lambda_function.fails: Modifying... [id=VDM5JzPaI8yNnx2LMKCLnGhLo-T8Rxb0URuAvC]
╷
│ Error: AWS SDK Go Service Operation Unsuccessful
│ 
│   with awscc_lambda_function.fails,
│   on main.tf line 28, in resource "awscc_lambda_function" "fails":
│   28: resource "awscc_lambda_function" "fails" {
│ 
│ Calling Cloud Control API service UpdateResource operation returned: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: 11faa154-1c11-49b3-94bc-bff293491705, api error
│ ValidationException: Model validation failed (#: required key [Code] not found)
```

ewbankkit (Contributor) commented Sep 27, 2021

The underlying issue here seems to be that the AWS::Lambda::Function CloudFormation resource schema

https://github.com/hashicorp/terraform-provider-awscc/blob/main/internal/service/cloudformation/schemas/AWS_Lambda_Function.json

does not define a default value for the MemorySize, PackageType etc. properties.
The default values are being returned in the AWS Read API call and Terraform correctly sees that there's a diff and wants to set them to null.

This type of issue should be reported against the CloudFormation resource schema - index here - but I can't see a Lambda::Function repository.

The required key [Code] not found error is strange.
The Update operation generates a JSON Patch document and passes this to the Cloud Control API.
As code hasn't changed the patch document doesn't contain the Code property.
My understanding is that it's the CloudFormation resource handler's responsibility to know that Code is required for updates and populate that field for the upstream Lambda API call.

An additional wrinkle is that the Code property is write-only.

For both of these issues I have contacted AWS engineering.
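
How an unchanged property drops out of a JSON Patch update document, as an added Go example that is not the provider's own code. `topLevelPatch` is a hypothetical, simplified differ over top-level properties only, and the two property maps are constructed from the plan output in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// Op is one RFC 6902 JSON Patch operation.
type Op struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// topLevelPatch emits operations only for top-level keys that differ; equal keys produce none.
func topLevelPatch(current, desired map[string]interface{}) []Op {
	ops := []Op{}
	for k, cur := range current {
		if want, ok := desired[k]; !ok {
			ops = append(ops, Op{Op: "remove", Path: "/" + k})
		} else if !reflect.DeepEqual(cur, want) {
			ops = append(ops, Op{Op: "replace", Path: "/" + k, Value: want})
		}
	}
	for k, want := range desired {
		if _, ok := current[k]; !ok {
			ops = append(ops, Op{Op: "add", Path: "/" + k, Value: want})
		}
	}
	sort.Slice(ops, func(i, j int) bool { return ops[i].Path < ops[j].Path })
	return ops
}

// sampleStates returns constructed data: refreshed state (with read-back defaults) and config.
func sampleStates() (current, desired map[string]interface{}) {
	code := map[string]interface{}{"ZipFile": "def main(event, context): pass"}
	desired = map[string]interface{}{"Code": code, "Handler": "index.main", "Runtime": "python3.6", "Timeout": 300}
	current = map[string]interface{}{"Code": code, "Handler": "index.main", "Runtime": "python3.6",
		"Timeout": 300, "MemorySize": 128, "PackageType": "Zip",
		"TracingConfig":     map[string]interface{}{"Mode": "PassThrough"},
		"FileSystemConfigs": []interface{}{map[string]interface{}{}}}
	return current, desired
}

func main() {
	out, _ := json.MarshalIndent(topLevelPatch(sampleStates()), "", "  ")
	fmt.Println(string(out))
}
```

The output has four `remove` operations and no entry for `/Code`, which is the shape of update document the comment above describes.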

ansgarm (Member, Author) commented Sep 28, 2021

Thanks!

I was able to work around the issue with the missing defaults. However the second issue is a blocking one (which I can only work around by using the aws_lambda_function instead). But I'm sure it'll be addressed upstream.

breathingdust added the upstream-aws and upstream-plugin-framework labels on Nov 17, 2021

ewbankkit added the bug and service/lambda labels and removed the upstream-aws and upstream-plugin-framework labels on Aug 24, 2022