Closed as not planned
Description
Terraform Version
Terraform v1.5.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.4.2
+ provider registry.terraform.io/hashicorp/aws v4.4.0
+ provider registry.terraform.io/hashicorp/http v2.2.0
+ provider registry.terraform.io/hashicorp/local v2.4.1
+ provider registry.terraform.io/hashicorp/null v3.2.2
Terraform Configuration Files
When using a lambda layer with a zip file on my local disk containing an executable, it works fine. For example:
resource "aws_lambda_layer_version" "nebula_cert_layer" {
  depends_on          = [null_resource.calculate_hash]
  filename            = "/tmp/nebula_cert_layer.zip"
  layer_name          = "nebula_cert_layer"
  source_code_hash    = null_resource.calculate_hash.triggers["hash"]
  compatible_runtimes = ["provided.al2", "python3.9"]
}
But if I try to use the exact same zip in an s3 object, any runtimes will not include the contents:
data "aws_s3_object" "nebula_cert_layer_zip" {
  bucket = local.vpn_scripts_bucket_name
  key    = "nebula_cert_layer.zip"
}

resource "aws_lambda_layer_version" "nebula_cert_layer" {
  depends_on          = [data.aws_s3_object.nebula_cert_layer_zip, null_resource.calculate_hash]
  s3_bucket           = local.vpn_scripts_bucket_name
  s3_key              = "nebula_cert_layer.zip"
  layer_name          = "nebula_cert_layer"
  source_code_hash    = data.aws_s3_object.nebula_cert_layer_zip.etag
  compatible_runtimes = ["provided.al2", "python3.9"]
}
Debug Output
│ Error: Lambda function (store_ca_secret) returned error: ({"errorMessage": "File /opt/bin/nebula-cert does not exist", "errorType": "Exception", "requestId": "a1ebbece-0d75-422c-9ae3-aedae4668b64", "stackTrace": [" File \"/var/task/lambda_function.py\", line 75, in lambda_handler\n raise Exception(\"File {} does not exist\".format(filepath))\n"]})
│
│ with data.aws_lambda_invocation.store_ca_secret,
│ on main.tf line 219, in data "aws_lambda_invocation" "store_ca_secret":
│ 219: data "aws_lambda_invocation" "store_ca_secret" {
Expected Behavior
If a zip is stored locally or on s3 the behaviour should not change.
Actual Behavior
When I try to use the zip in s3 for the lambda layer, the runtime consumes the layer, but it behaves as if the zip had no files at the usual location. In this case, the executable that the layer provides is completely missing.
Steps to Reproduce
Use an executable in a lambda layer stored in a zip in S3.
Additional Context
No response
References
No response
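An added example, not part of the original issue or of Terraform: a Python check that can be run on both the local zip and a copy downloaded from the bucket, to confirm they are the same archive and that `bin/nebula-cert` sits at the archive root with an executable bit (Lambda extracts layers under `/opt`). The function names and the sample archive are constructed for illustration.

```python
import base64
import hashlib
import io
import stat
import zipfile

# Entry that must exist in the layer zip for /opt/bin/nebula-cert to appear.
EXPECTED_ENTRY = "bin/nebula-cert"


def build_sample_layer(prefix=""):
    """Constructed sample archive: one executable at <prefix>bin/nebula-cert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(prefix + EXPECTED_ENTRY)
        info.create_system = 3  # Unix, so external_attr carries the mode bits
        info.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(info, b"#!/bin/sh\necho constructed placeholder\n")
    return buf.getvalue()


def inspect_layer(zip_bytes, entry=EXPECTED_ENTRY):
    """Report layout and digest facts for a layer archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        present = entry in names
        mode = (zf.getinfo(entry).external_attr >> 16) if present else 0
    digest = hashlib.sha256(zip_bytes).digest()
    return {
        "names": names,
        "entry_present": present,          # False if nested under a folder
        "executable": bool(mode & 0o111),  # any of the u/g/o execute bits
        # Same encoding that Terraform's filebase64sha256() produces.
        "sha256_b64": base64.b64encode(digest).decode(),
    }


def same_artifact(local_bytes, s3_bytes):
    """True only if both copies are byte-for-byte the same archive."""
    return hashlib.sha256(local_bytes).digest() == hashlib.sha256(s3_bytes).digest()


if __name__ == "__main__":
    local_copy = build_sample_layer()
    nested_copy = build_sample_layer("nebula_cert_layer/")  # wrong layout
    print(inspect_layer(local_copy))
    print(inspect_layer(nested_copy))
    print("same archive:", same_artifact(local_copy, nested_copy))
```

For real files, pass `open(path, "rb").read()` for the local zip and for the object downloaded from the bucket.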