To create resource without further updating it, use "ignore_changes" lifecycle property.
There are two cases we used this as a workaround. First, the lambdas are created with Terraform, but the code and configuration updates are in separate process. To prevent Terraform from overwriting code, the
source_code_hash property can be ignored.
Another one is aws_lambda_alias. The issue is also caused by the 2-step process, that a version cannot be published until the last moment. Fortunately, the "function_version" can be ignored.
Another tip I want to mention is to read the code of verified modules. As I said in a previous post, Terraform lacks macros, so everything is repeated. And defining resource in modules is hard to manage. But a well written module seems to work. A module typically only defines one core resource, like one lambda or one s3 bucket. It might be overkill to wrap into a module, but writing shell scripts to generate code is not fun. What shell scripts can do, while module cannot, is optional properties that requires a value.