fix(lambda): prevent strcontains null error on zip deploys

[johncblandii]

Summary

• Fix a plan-time failure that occurred whenever the function was deployed from a zip (image_uri == null) while cicd_ssm_param_name was set.
• Add a fast, credential-free terraform test unit suite that reproduces the regression and guards the image_uri resolution logic going forward.

Changes

• src/main.tf: make the local.image_uri resolution null-safe. Terraform/OpenTofu's && does not short-circuit, so strcontains(var.image_uri, "%s") was evaluated even when var.image_uri was null, failing with Invalid value for "str" parameter: argument must not be null. The string fed to strcontains() now goes through an inner ternary (var.image_uri == null ? "" : var.image_uri), which does short-circuit. (Note: coalesce(var.image_uri, "") is not a valid fix here — coalesce also rejects empty strings and would error when image_uri is null.)
• test/unit/image_uri/: new native terraform test fixture mirroring the local.image_uri logic, runnable without AWS credentials. The component itself can only be planned via the atmos/Terratest harness (it depends on account-map and remote-state modules), so this isolates the pure logic that broke.
• test/README.md: document the integration (atmos test run) and new unit test workflows.

Testing

• Unit tests added (test/unit/image_uri/image_uri_unit_test.tftest.hcl, 4 cases)
• Verified the test fails against the buggy logic, reproducing the exact production error (Invalid value for "str" parameter)
• Verified the test passes against the fix — Success! 4 passed, 0 failed
• terraform fmt -check -recursive clean

Run the unit tests with:

```bash
terraform -chdir=test/unit/image_uri init
terraform -chdir=test/unit/image_uri test
```

Notes

Covered scenarios: zip deploy with SSM param set (the regression), templated image_uri formatted with the SSM value, static image_uri passthrough, and image_uri passthrough when no SSM param is configured.

The unit fixture mirrors the src/main.tf expression rather than executing it directly (the component can't init standalone in plain CI). Cross-reference comments in both files note they must stay in sync.

Summary by CodeRabbit

• Bug Fixes

  • Fixed null-value handling in image URI computation to prevent errors when certain parameters are undefined.

• Tests

  • Added comprehensive unit tests validating image URI resolution behavior across multiple scenarios.

• Documentation

  • Added testing layer documentation covering integration and native unit tests with setup instructions.

[coderabbitai]

Warning

Review limit reached

@johncblandii, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 18 minutes and 48 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5fb3fed8-d8c0-4d16-a6ec-b03d7377359f

📥 Commits

Reviewing files that changed from the base of the PR and between 46cf96f and 92f2d2c.

📒 Files selected for processing (8)

• README.md
• src/README.md
• src/main.tf
• src/remote-state.tf
• src/triggers_s3_notifications.tf
• src/triggers_sqs_queue.tf
• test/unit/image_uri/image_uri_unit_test.tftest.hcl
• test/unit/image_uri/main.tf

📝 Walkthrough

Walkthrough

This PR fixes a null-safety bug in image URI resolution by preventing null values from being passed to strcontains(), adds a unit test fixture that mirrors the production logic, and provides four comprehensive test cases validating the behavior including null handling, SSM parameter templating, and edge cases, along with test documentation.

Changes

Image URI Resolution Fix

Layer / File(s)	Summary
Null-safety fix in image URI resolution src/main.tf	local.image_uri now uses empty-string fallback to safely handle null values before strcontains() check, with comments documenting Terraform && non-short-circuit behavior and referencing regression tests.
Unit test fixture with mirrored image URI logic test/unit/image_uri/main.tf	New test module reproduces the image_uri resolution logic from src/main.tf using input variables (image_uri, cicd_ssm_param_name, ssm_param_value) and outputs the computed result, enabling credential-free testing.
Unit test cases for image URI resolution test/unit/image_uri/image_uri_unit_test.tftest.hcl	Four Terraform plan-mode test cases validate: null image_uri stays null despite SSM param, templated image_uri gets formatted with SSM value, static image_uri passes through unchanged, and missing SSM param returns image_uri verbatim.
Test documentation test/README.md	Documents integration testing with atmos/Terratest and credential-free unit testing with terraform test, including dedicated unit/image_uri subsection with run commands and sync guidance.

Possibly Related PRs

• cloudposse-terraform-components/aws-lambda#34: Earlier PR modified src/main.tf's locals.image_uri logic to conditionally format the value when cicd_ssm_param_name is set; this PR adds the null-safe guard that was missing from that implementation.

Suggested Labels

patch, needs-test

Suggested Reviewers

• goruha
• milldr

Poem

🐰 A null crept in where strings dare play,
strcontains() had a troubled day,
But now we guard with empty shields,
And unit tests the logic fields!
Four cases strong to stand the test. ✨

---

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: fixing a null error in strcontains when deploying from a zip file, which is the core issue addressed in the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/lambda-zip-file-error

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @johncblandii? 🙏

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main.tf`:
- Line 35: The local.image_uri expression can call
one(data.aws_ssm_parameter.cicd_ssm_param[*].value) even when the SSM data
source was not created because local.enabled is false; change the ternary
condition to include local.enabled (i.e., only format when local.enabled is true
AND var.cicd_ssm_param_name != null AND var.image_uri contains "%s") so the true
branch cannot evaluate one([]). Update the mirror in test/unit/image_uri/main.tf
to use the same local.enabled gating and add a fixture test where enabled =
false but cicd_ssm_param_name and a templated var.image_uri are set to ensure no
plan-time error occurs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7a43b67a-bbb6-4b69-9205-41beccdfc41e

📥 Commits

Reviewing files that changed from the base of the PR and between 8d4621a and 46cf96f.

📒 Files selected for processing (4)

• src/main.tf
• test/README.md
• test/unit/image_uri/image_uri_unit_test.tftest.hcl
• test/unit/image_uri/main.tf

[johncblandii]

/terratest

[github-actions]

There are no real tests for this component. So we set terratest statuses to successful execution without running any tests

[github-actions]

These changes were released in v1.538.1.