Fix: Race between layer and Lambda update (#5927)

DataBiosphere · Sep 11, 2024 · fa91f1e · fa91f1e
1 parent a578c47
commit fa91f1e
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 2 deletions.
diff --git a/scripts/delete_published_function_versions.py b/scripts/delete_published_function_versions.py
@@ -0,0 +1,31 @@
+"""
+Delete the published versions of every AWS Lambda function in the current
+deployment, leaving only the unpublished version ($LATEST) of each.
+"""
+
+import logging
+
+from azul import (
+    config,
+    require,
+)
+from azul.lambdas import (
+    Lambdas,
+)
+from azul.logging import (
+    configure_script_logging,
+)
+
+log = logging.getLogger(__name__)
+
+
+def main():
+    require(config.terraform_component == '',
+            'This script cannot be run with a Terraform component selected',
+            config.terraform_component)
+    Lambdas().delete_published_function_versions()
+
+
+if __name__ == '__main__':
+    configure_script_logging(log)
+    main()
diff --git a/src/azul/lambdas.py b/src/azul/lambdas.py
@@ -201,3 +201,18 @@ def reset_lambda_roles(self):
                             time.sleep(1)
                         else:
                             break
+
+    def delete_published_function_versions(self):
+        """
+        Delete all but the latest published version of every AWS Lambda function
+        in the current deployment.
+        """
+        log.info('Deleting stale versions of AWS Lambda functions')
+        for function in self.list_lambdas(deployment=config.deployment_stage,
+                                          all_versions=True):
+            if function.version == '$LATEST':
+                log.info('Skipping latest version %r', function.name)
+            else:
+                log.info('Deleting version %r of %r', function.version, function.name)
+                self._lambda.delete_function(FunctionName=function.name,
+                                             Qualifier=function.version)
diff --git a/src/azul/terraform.py b/src/azul/terraform.py
@@ -708,6 +708,10 @@ def tf_config(self, app_name):
         for resource in resources['aws_lambda_function'].values():
             assert 'layers' not in resource
             resource['layers'] = ['${aws_lambda_layer_version.dependencies.arn}']
+            # Publishing the Lambda function as a new version prevents a race
+            # condition when there's a dependency between updates to the
+            # function's configuration and its code.
+            resource['publish'] = True
             env = config.es_endpoint_env(
                 es_endpoint=(
                     aws.es_endpoint

diff --git a/terraform/Makefile b/terraform/Makefile
@@ -43,8 +43,12 @@ import_resources: rename_resources
 plan: import_resources
 	terraform plan
 
+.PHONY: delete_published_function_versions
+delete_published_function_versions: import_resources check_python
+	python $(project_root)/scripts/delete_published_function_versions.py
+
 .PHONY: apply
-apply: import_resources
+apply: delete_published_function_versions
 ifeq ($(AZUL_PRIVATE_API),1)
 	# For private API we need the VPC endpoints to be created first so that the
 	# aws_lb_target_group_attachment can iterate over the network_interface_ids.
@@ -53,7 +57,7 @@ endif
 	terraform apply
 
 .PHONY: auto_apply
-auto_apply: import_resources
+auto_apply: delete_published_function_versions
 ifeq ($(AZUL_PRIVATE_API),1)
 	# See `apply` above
 	terraform apply -auto-approve -target aws_vpc_endpoint.indexer -target aws_vpc_endpoint.service