Terraform GitLab CI/CD pipeline insists on updating Lambda functions


I have a terraformed environment that I’ve been keeping up to date by hand from a local terminal. I’m moving that to a GitLab CI/CD pipeline and I’m running a few tests.

I’ve found that terraform plan (gitlab-terraform plan, in any case) insists on terraforming a bunch of AWS Lambda functions I have. These Lambda functions are Python files that get zipped to be uploaded.

I’ve been checking what might be different between my local files and the files in the CI/CD pipeline checkout, and they are the same (I’ve run md5sum on a few of them). My hunch is that somehow the zip file is different (source_code_hash is computed from the zipped file, not from the Python source). Is there any way to find out if this is the case? How can I see how terraform generates zip files?

I’ve also noticed that the image that I’m using ($CI_TEMPLATE_REGISTRY_HOST/gitlab-org/terraform-images/releases/1.3) doesn’t contain the program zip. I install it by hand at the start of the script, but it makes no difference. Am I on the right track here, or should I be looking at something entirely different?


Replying to myself: found the problem. We should have been using this flag when building our archive in the first place. With the files having the same permissions, the hash is the same and this issue doesn’t show up anymore.
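
One way to check the hunch from the question, as an added example that is not part of the original posts: it builds two archives from identical Python source with different stored file permissions, computes the base64-encoded SHA-256 that source_code_hash holds, and reports which per-entry zip metadata differs. The function names, the sample file and the two modes are assumptions, and the archives are built with Python's zipfile module rather than by Terraform.

```python
import base64
import hashlib
import io
import zipfile

FIXED_TIME = (2020, 1, 1, 0, 0, 0)  # constant timestamp so only the mode varies


def build_zip(files, mode):
    """Return zip bytes for {name: content}, storing `mode` as the Unix permission bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3  # Unix, so external_attr carries the file mode
            info.external_attr = (0o100000 | mode) << 16
            zf.writestr(info, files[name])
    return buf.getvalue()


def base64sha256(data):
    """Base64-encoded SHA-256 of the archive bytes, the form source_code_hash takes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def entry_metadata(data):
    """Map each entry name to (CRC of content, permission bits, timestamp)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (i.CRC, oct((i.external_attr >> 16) & 0o777), i.date_time)
                for i in zf.infolist()}


def diff_archives(a, b):
    """Return {name: (metadata_in_a, metadata_in_b)} for entries whose metadata differs."""
    ma, mb = entry_metadata(a), entry_metadata(b)
    names = sorted(set(ma) | set(mb))
    return {n: (ma.get(n), mb.get(n)) for n in names if ma.get(n) != mb.get(n)}


# Constructed sample: the same source file as checked out under two different umasks.
SOURCE = {"handler.py": b"def handler(event, context):\n    return 'ok'\n"}
local_zip = build_zip(SOURCE, 0o644)
ci_zip = build_zip(SOURCE, 0o664)

if __name__ == "__main__":
    print(base64sha256(local_zip), base64sha256(ci_zip))  # two different hashes
    print(diff_archives(local_zip, ci_zip))  # same CRC, different permission bits
```

To compare real archives, read the zip produced locally and the one produced in the pipeline as bytes and pass them to diff_archives; matching CRCs with differing modes or timestamps mean the source is identical and only the archive metadata changed.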