fix remote resource bug #1335
Merged
Use s3api head-object and HTTP HEAD instead of s3 ls, which requires ListBucket on public artifact buckets.
Co-authored-by: Cursor <cursoragent@cursor.com>
Resolve CHANGELOG and remote-resources doc conflicts by keeping the Unreleased entry and combining release link formatting with branch docs.
Co-authored-by: Cursor <cursoragent@cursor.com>
Terraform does not short-circuit || in variable validation, so
provision_auth_key = {} failed with null > 0. Mirror the GCP fix
using a ternary chain.
Co-authored-by: Erik Schultink <eschultink@users.noreply.github.com>
Contributor
Pull request overview
Fixes Terraform plan/apply issues when using prebuilt s3:// / gs:// deployment bundles in configurations that may (or may not) also enable remote resource loading, by making artifacts-bucket provisioning and wiring more explicit and resilient.
Changes:
- Add enable_remote_resources to the core aws/gcp modules and adjust artifacts bucket provisioning logic for prebuilt bundle scenarios.
- Separate “deployment bundle bucket” from “artifacts bucket” in GCP so host modules can deploy from a remote bundle while still optionally using an artifacts bucket for remote resources.
- Harden remote-resource IAM/env-var handling (AWS) and update docs + changelog to reflect the opt-in behavior and provisioning rules.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools/lib/deployment-bundle.sh | Adds S3 URL parsing + existence checks using aws s3api head-object with a curl fallback. |
| infra/modules/gcp/variables.tf | Introduces enable_remote_resources and clarifies artifacts bucket variable semantics. |
| infra/modules/gcp/main.tf | Adjusts artifacts-bucket provisioning and introduces outputs to distinguish deployment bundle bucket vs artifacts bucket. |
| infra/modules/gcp-host/variables.tf | Updates custom_artifacts_bucket_name/enable_remote_resources descriptions. |
| infra/modules/gcp-host/main.tf | Wires enable_remote_resources through and uses the new deployment bundle bucket output for function deployment. |
| infra/modules/aws/variables.tf | Introduces enable_remote_resources and clarifies artifacts bucket semantics. |
| infra/modules/aws/main.tf | Updates bucket provisioning logic to provision an artifacts bucket when remote resources are enabled. |
| infra/modules/aws-proxy-lambda/remote_resource_iam.tftest.hcl | Adds a test ensuring no remote-resource IAM statement is created when bucket is null. |
| infra/modules/aws-proxy-lambda/main.tf | Guards env vars/IAM ARN generation so paths without a bucket don’t generate remote-resource config. |
| infra/modules/aws-host/variables.tf | Updates descriptions for artifacts bucket + remote resources behavior. |
| infra/modules/aws-host/main.tf | Passes enable_remote_resources into the aws module and gates remote resource wiring on bucket existence. |
| docs/configuration/remote-resources.md | Updates documentation to describe opt-in remote resources and bucket provisioning behavior. |
| CHANGELOG.md | Adds an Unreleased note describing the plan/apply fix for prebuilt bundles + remote resources. |
Comment on lines +208 to +211
| if http_url="$(deployment_bundle_s3_to_http_url "$bundle_path")"; then | ||
| curl -fsSI "$http_url" >/dev/null 2>&1 | ||
| return $? | ||
| fi |
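Review bot: on the `curl -fsSI "$http_url"` line, `-f` only turns responses of 400 and above into a non-zero exit, so without `-L` a 3xx answer exits 0 and `return $?` reports the bundle as present. Suggest following redirects with a bounded `--max-redirs` and deciding on the final status code (for example via `-w '%{http_code}'`), accepting only 2xx. The call also sets no `--max-time`, so a stalled endpoint blocks the script, and sending stderr to /dev/null hides the reason for a failure from whoever debugs it.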
Member
Author
would just prefer to error on anything that's not a 2xx, right??
…te resources coalesce() fails when no artifacts bucket is provisioned and custom_artifacts_bucket_name is unset; use a ternary chain so plan succeeds for gs:// deployment bundles.
Co-authored-by: Cursor <cursoragent@cursor.com>
aperez-worklytics approved these changes Jul 1, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
- Gate GCP artifacts bucket provisioning on custom_artifacts_bucket_name
- Preserve full object key for gs:// deployment bundles with nested paths
- Follow S3 redirects in deployment bundle HTTP existence check
Co-authored-by: Cursor <cursoragent@cursor.com>
Follow redirects with a max of 5 hops, then fail unless the final response is 2xx so region redirects cannot masquerade as success.
Co-authored-by: Cursor <cursoragent@cursor.com>
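The existence check these commits describe (HTTP HEAD, at most 5 redirect hops, success only on a final 2xx), sketched as an added example; it is not the code from tools/lib/deployment-bundle.sh, and the function names, the virtual-hosted S3 URL form and the 20-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. All function names are hypothetical.

# Split s3://bucket/key into S3_BUCKET and S3_KEY; reject any other shape.
parse_s3_url() {
  case "$1" in
    s3://*) rest="${1#s3://}" ;;
    *) return 1 ;;
  esac
  S3_BUCKET="${rest%%/*}"
  S3_KEY="${rest#*/}"
  # A URL with no "/" after the bucket leaves rest unchanged: no key given.
  [ -n "$S3_BUCKET" ] && [ "$rest" != "$S3_BUCKET" ] && [ -n "$S3_KEY" ]
}

# Virtual-hosted-style URL. Assumes the key needs no percent-encoding.
s3_to_https_url() {
  parse_s3_url "$1" || return 1
  printf 'https://%s.s3.amazonaws.com/%s\n' "$S3_BUCKET" "$S3_KEY"
}

# Only a three-digit 2xx code counts as "exists".
is_2xx() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# HEAD the object, follow at most 5 redirects, judge the final status only.
# Without -L, "curl -f" exits 0 on a 3xx because -f only fails on >= 400.
bundle_exists_http() {
  code="$(curl -sS -I -L --max-redirs 5 --max-time 20 \
    -o /dev/null -w '%{http_code}' "$1" 2>/dev/null)" || return 1
  is_2xx "$code"
}
```

If the redirect limit is exceeded or the transfer fails, curl exits non-zero and the function reports the bundle as missing rather than guessing.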
Fixes
Change implications
- CHANGELOG.md
- anything that will show up in terraform plan/apply that isn't obviously a no-op?
- alpha, requires major version change