diff --git a/.github/workflows/ecdsa_default.yml b/.github/workflows/ecdsa_default.yml
index adec41ed..f5ac5ed5 100644
--- a/.github/workflows/ecdsa_default.yml
+++ b/.github/workflows/ecdsa_default.yml
@@ -100,7 +100,7 @@ jobs:
 - name: cache built python modules
 uses: actions/cache@v4
 with:
- key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+ key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_${{ hashFiles('./modules/terraform-aws-ca-lambda/utils/**') }}_py${{ steps.setup_python.outputs.python-version }}
 path: ./modules/terraform-aws-ca-lambda/build
 - name: terraform plan
diff --git a/.github/workflows/rsa_public_crl.yml b/.github/workflows/rsa_public_crl.yml
index 9e7503e7..224c0a4f 100644
--- a/.github/workflows/rsa_public_crl.yml
+++ b/.github/workflows/rsa_public_crl.yml
@@ -103,7 +103,7 @@ jobs:
 - name: cache built python modules
 uses: actions/cache@v4
 with:
- key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+ key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_${{ hashFiles('./modules/terraform-aws-ca-lambda/utils/**') }}_py${{ steps.setup_python.outputs.python-version }}
 path: ./modules/terraform-aws-ca-lambda/build
 - name: terraform plan
diff --git a/.gitignore b/.gitignore
index 2c744599..deb4647a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@
 .idea
 .vs
 .venv
-.zip
+*.src.zip
 __pycache__
 .terraform.lock.hcl
 .terraform.tfstate
diff --git a/modules/terraform-aws-ca-lambda/archive/.gitkeep b/modules/terraform-aws-ca-lambda/archive/.gitkeep
deleted file mode 100644
index e69de29b..00000000
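Review bot: The cached `build` directory is what later gets zipped into the CA Lambda, so this `key:` is the only guard against restoring a stale build, and it still covers only `lambda_code/**`, `utils/**` and the Python version. If the build script or a dependency pin file lives outside those two trees (not visible in this hunk), a change to it would still hit the old cache entry, so that path should be added to the hash. The two calls can also be merged, since `hashFiles` accepts several patterns: `${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**', './modules/terraform-aws-ca-lambda/utils/**') }}`. The identical key string is repeated in the `rsa_public_crl.yml` hunk, so the same applies there and the two must be kept in step.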
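Review bot: The new pattern `*.src.zip` matches only the source archives, which this commit stops producing by removing `data "archive_file" "lambda_source"`, while the deployment package now written to `build/<name>.zip` is not matched by it. Unless `build/` is ignored on a line outside this hunk, the packaged Lambda zips can be staged by accident; `*.zip` would cover both the old and the new output. The previous entry `.zip` matched only a file literally named `.zip`, so the earlier archives were not being ignored by it either.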
diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index 303bc206..8ef0b540 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
@@ -1,6 +1,10 @@
 resource "null_resource" "install_python_dependencies" {
 triggers = {
- source_archive_checksum = data.archive_file.lambda_source.output_base64sha256
+ # detect changes to Lambda code
+ lambda_code_sha256 = sha256(join("", [for f in sort(tolist(fileset("${path.module}/lambda_code/${local.file_name}", "**"))) : filesha256("${path.module}/lambda_code/${local.file_name}/${f}")]))
+
+ # detect changes to files in utils directory
+ utils_sha256 = sha256(join("", [for f in sort(tolist(fileset("${path.module}/utils", "**"))) : filesha256("${path.module}/utils/${f}")]))
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()
@@ -22,17 +26,11 @@ resource "null_resource" "install_python_dependencies" {
 }
 }
-data "archive_file" "lambda_source" {
- type = "zip"
- source_dir = "${path.module}/lambda_code/${local.file_name}"
- output_path = "${path.module}/archive/${local.file_name}.src.zip"
-}
-
 data "archive_file" "lambda_zip" {
 depends_on = [null_resource.install_python_dependencies]
 type = "zip"
 source_dir = "${path.module}/build/${local.file_name}"
- output_path = "${path.module}/archive/${local.file_name}.zip"
+ output_path = "${path.module}/build/${local.file_name}.zip"
 }
 resource "aws_lambda_function" "lambda" {
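Review bot: Both new triggers, `lambda_code_sha256` and `utils_sha256`, hash file contents only, so a file renamed or moved inside `lambda_code/` or `utils/` without changing its sort position gives the same value and the rebuild is skipped. Putting the relative path into each element closes that gap, e.g. `: "${f}:${filesha256("${path.module}/utils/${f}")}"`, with the same change in the `lambda_code` expression. `fileset(..., "**")` also picks up any `__pycache__` or `.pyc` files present in a local checkout, which can change the trigger without a source change; a narrower pattern or a comment stating that this is accepted would help. The `triggers` map and the resource body continue outside the hunk.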
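Review bot: The new `output_path` puts the package in `build/`, the directory the workflows in this commit save with `actions/cache` (`path: ./modules/terraform-aws-ca-lambda/build`), so every generated zip is now stored in and restored from the cache together with the built modules. The data source appears to rebuild the archive from `source_dir`, so a restored zip should not be deployed as-is, but it enlarges the cache and leaves zips of removed functions behind. Consider writing the zip outside the cached tree. If it stays in `build/`, a comment above the line would record the layout: `# zip sits next to source_dir, not inside it, so the archive never contains itself`. The `aws_lambda_function` block that consumes the zip starts on the last line of the hunk and continues outside it.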