Filter patterns match Lambda layer zip base directory #684

Open
@dre-gdn

Description

  • When creating a layer, filters match file locations inside the zipfile, not the source directory
  • This may cause files to be included that shouldn't be, and excluded that should be
  • Additionally, it causes unexpected filter behavior because e.g. for a Python layer, a path python/foobar needs to be used inside the zipfile. If the layer contains a .venv, the user will expect !.venv/.* to filter the data; but since you use fullmatch, the filter is skipped.

This causes unexpected behavior.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 7.20
  • Terraform version: OpenTofu 1.10.0-rc1 (should be irrelevant)
  • Provider version(s):
  • provider registry.opentofu.org/hashicorp/aws v5.100.0
  • provider registry.opentofu.org/hashicorp/external v2.3.5
  • provider registry.opentofu.org/hashicorp/local v2.5.3
  • provider registry.opentofu.org/hashicorp/null v3.2.4
  • provider registry.opentofu.org/hashicorp/random v3.7.2

Reproduction Code [Required]

terraform {}

provider "aws" {
  region = "eu-central-1"
}

resource "random_id" "artifact_namespace" {
  byte_length = 8
}

resource "aws_s3_bucket" "main" {
  bucket = "lambda-terraform-module-bug-demo-${random_id.artifact_namespace.hex}"
}

module "external" {
  source  = "registry.terraform.io/terraform-aws-modules/lambda/aws"
  version = "~> 7.21"

  create_layer = true
  layer_name   = "foo"

  artifacts_dir                = "${path.root}/.lambda-build/${random_id.artifact_namespace.hex}"
  hash_extra                   = random_id.artifact_namespace.hex
  trigger_on_package_timestamp = false

  store_on_s3 = true
  s3_bucket   = resource.aws_s3_bucket.main.id

  runtime             = "python3.13"
  compatible_runtimes = ["python3.13"]

  # Otherwise includes CPython Darwin binaries
  build_in_docker           = true
  compatible_architectures  = ["x86_64"]
  docker_additional_options = ["--platform=linux/amd64"]
  source_path = [
    {
      compatible_runtimes = ["python3.13"]
      path                = "${path.module}/layer"
      prefix_in_zip       = "filter/"
      patterns = [
        "!filter.*",
      ]
    }
  ]
}

mkdir layer
echo foo > layer/file.txt

Steps to reproduce the behavior:

  • Apply the code above
  • Observe that it fails with ValueError: BuildPlanManager.plan() should be called first. (This is a separate usability issue - it checks for if not self._source_paths and just assumes a plan hasn't been generated.)
  • Attempt the same operation after removing the !; the user would expect file.txt not to be added since it doesn't match filter, but the layer is created.

Module 7.21, OpenTofu v1.10.0-rc1 (shouldn't be relevant)

Expected behavior

  • Filter doesn't match base directory

Actual behavior

  • Filter matches base directory.

Additional context

--
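
A simplified model of the behaviour reported above, as an added example that is not part of the original issue and is not the module's own code. It assumes rules are applied in order with `re.fullmatch`, that a leading `!` excludes and that the last matching rule wins; the function names and sample file lists are constructed.

```python
import re
from pathlib import PurePosixPath

def is_excluded(path, patterns):
    """Assumed rule model: '!regex' excludes, 'regex' re-includes, last match wins."""
    excluded = False
    for rule in patterns:
        negate = rule.startswith("!")
        if re.fullmatch(rule[1:] if negate else rule, path):
            excluded = negate
    return excluded

def select(files, patterns, prefix_in_zip="", match_on="zip"):
    """Return the zip member names that survive filtering.

    match_on="zip":    rules see prefix_in_zip + relative path (reported behaviour)
    match_on="source": rules see the source-relative path (reporter's expectation)
    """
    kept = []
    for rel in files:
        zip_name = str(PurePosixPath(prefix_in_zip) / rel)
        candidate = zip_name if match_on == "zip" else rel
        if not is_excluded(candidate, patterns):
            kept.append(zip_name)
    return kept

def unexpected_members(zip_names, forbidden=r"(^|/)\.venv/"):
    """Audit check: members of a built archive that should never ship."""
    return [n for n in zip_names if re.search(forbidden, n)]

# Constructed sample inputs (not taken from a real build).
PY_LAYER = ["foobar/__init__.py", ".venv/pyvenv.cfg", ".venv/bin/activate"]
REPRO = ["file.txt"]

if __name__ == "__main__":
    for mode in ("zip", "source"):
        kept = select(PY_LAYER, ["!.venv/.*"], "python", mode)
        print(mode, kept, "leaked:", unexpected_members(kept))
        print(mode, select(REPRO, ["!filter.*"], "filter/", mode))
```

Running `unexpected_members` over the member list of a built layer archive (for example from `zipfile.ZipFile.namelist()`) gives the same audit independently of how the filter was evaluated.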
