fix(ecr-assets): incorrect handling of nested excludes in .dockerignore

[Abogical]

Issue #13636

Closes #13636.

Reason for this change

Fixes a bug where asset copying does not correctly process .dockerignore files. CDK did not copy files excluded by a nested exclude pattern in .dockerignore.

Description of changes

Added a new method in DockerIgnoreStrategy that determines whether a directory is fully or partially ignored. The method is DockerIgnoreStrategy.completelyIgnores and if it returns true, it means that the directory is ignored AND that all of its children are ignored as well. For directories that are ignored but not "completely" ignored, the copyDirectory function will still walk through them.

As this changes the behaviour of asset copying, this can potientally be a breaking change. Therefore, a new feature flag is added which enables this fix. The feature flag is DOCKER_IGNORE_NESTED_EXCLUDE_FIX.

Describe any new or updated permissions being added

No new permissions are added.

Description of how you validated changes

Unit tests and integration tests are added.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

[rix0rrr]

Please make sure that your PR title confirms to the conventional commit standard (fix, feat, chore) and that it is written in a style that will reflect correctly in the change log. In particular, if this is a bug fix, please describe the bug that was fixed, not the change you made. (See Contributing Guide, Pull Requests)

[rix0rrr]

Why would you copy "excludes" ?

Does this mean respectedNestedIgnoreFiles ?

[Abogical]

"respect" seems to be a better description. I've renamed it to dockerIgnoreRespectNestedExcludes

[rix0rrr]

I think this is a bit verbose. Can you shorten it? For example, do both ignore and exclude not refer to the same thing? So do we need both?

[rix0rrr]

respectNestedDockerIgnores?

[Abogical]

"exclude" means something that is excluded from the .dockerignore, so an exclude and ignore are not the same thing, they're the opposite.

**            # Ignore
!build/*.js   # Exclude  

[Abogical]

It is verbose, but I don't think there's a good way to shorten it.

[rix0rrr]

Wait, are you saying that:

In nested .dockerignore files, we do respect positive (ignore) declarations, but we didn't use to respect negative (dont-ignore) declarations?

[rix0rrr]

So we were ignoring more files than necessary?

[rix0rrr]

In that case, I'm leaning towards this not needing a flag. Because we will only ever include more files into the bundle, right? We will never accidentally include too few files.

Which means the chances if this breaking someone are vanishingly small?

[Abogical]

Yes @rix0rrr , we were ignoring more files than necessary.

The behavior of including more files in the docker image is undefined. Chance of breaking change is still small regardless. If you think it's safe to remove the feature flag, I can do so.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 23d512a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.