From 4b37157b47ab38124b62649649d0df9b701cb7fe Mon Sep 17 00:00:00 2001 From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Wed, 7 Sep 2022 11:45:25 -0400 Subject: [PATCH] fix(lambda-python): bundling with poetry is broken (#21945) It looks like something was changed in the base image and there is no longer write access to the `/tmp` directory which causes bundling with poetry to fail (see linked issue). This PR updates the Dockerfile to create a new cache location for both `pip` and `poetry` and switches to using a virtualenv for python so that it is no longer using root. To test this I executed the `integ.function.poetry` integration test both before (to reproduce the error) and after the fix. I'm actually not sure why our integration tests didn't start failing in the pipeline. The only thing I can think of is that we are caching the docker images and it just hasn't pulled down a newer one that has this issue. fixes #21867 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/aws-lambda-python/lib/Dockerfile | 25 +++++++++++++++++++ .../@aws-cdk/aws-lambda-python/package.json | 1 + .../test/integ.function.poetry.ts | 14 ++++++++--- 3 files changed, 36 insertions(+), 4 deletions(-) 
diff --git a/packages/@aws-cdk/aws-lambda-python/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-python/lib/Dockerfile
index ac34823b6c3c6..8825095b9f15c 100644
--- a/packages/@aws-cdk/aws-lambda-python/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-python/lib/Dockerfile
@@ -7,10 +7,35 @@ ARG PIP_INDEX_URL
 ARG PIP_EXTRA_INDEX_URL
 ARG HTTPS_PROXY
+# Create a new location for the pip cache
+# Ensure all users can write to pip cache
+RUN mkdir /tmp/pip-cache && \
+ chmod -R 777 /tmp/pip-cache
+
+# set the cache location
+ENV PIP_CACHE_DIR=/tmp/pip-cache
+
+# create a new virtualenv for python to use
+# so that it isn't using root
+RUN python -m venv /usr/app/venv
+ENV PATH="/usr/app/venv/bin:$PATH"
+
 # Upgrade pip (required by cryptography v3.4 and above, which is a dependency of poetry)
 RUN pip install --upgrade pip
+
 # pipenv 2022.4.8 is the last version with Python 3.6 support
 RUN pip install pipenv==2022.4.8 poetry
+# Create a new location for the poetry cache
+# Ensure all users can write to poetry cache
+RUN mkdir /tmp/poetry-cache && \
+ chmod -R 777 /tmp/poetry-cache
+
+# set the poetry cache
+ENV POETRY_CACHE_DIR=/tmp/poetry-cache
+
+# create non root user and change allow execute command for non root user
+RUN /sbin/useradd -u 1000 user && chmod 711 /
+
 CMD [ "python" ]
diff --git a/packages/@aws-cdk/aws-lambda-python/package.json b/packages/@aws-cdk/aws-lambda-python/package.json
index e2692689c15cb..bedfd090075b4 100644
--- a/packages/@aws-cdk/aws-lambda-python/package.json
+++ b/packages/@aws-cdk/aws-lambda-python/package.json
@@ -75,6 +75,7 @@
 "@aws-cdk/assertions": "0.0.0",
 "@aws-cdk/cdk-build-tools": "0.0.0",
 "@aws-cdk/integ-runner": "0.0.0",
+ "@aws-cdk/integ-tests": "0.0.0",
 "@aws-cdk/pkglint": "0.0.0",
 "@types/jest": "^27.5.2"
 },
diff --git a/packages/@aws-cdk/aws-lambda-python/test/integ.function.poetry.ts b/packages/@aws-cdk/aws-lambda-python/test/integ.function.poetry.ts
index 4d029fca0321b..31af5421fccc8 100644
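Review bot: `chmod 711 /` at the end of the Dockerfile hunk rewrites the permission bits of the image's root directory, and the comment above it (`change allow execute command for non root user`) does not say why, so a later maintainer cannot tell whether it is still needed or safe to drop. If the intent is that a non-root uid can traverse `/` (the x bit) to reach `/usr/app/venv` and the two caches, say so and keep it as its own step, e.g. `# the base image's / may lack the x bit for others; grant traverse so a non-root uid can reach the venv and caches` above `RUN chmod 711 /`. Note also that `useradd -u 1000 user` only adds a passwd entry — there is no `USER` instruction in the hunk, so the image still runs as root unless the caller supplies a uid at run time, and the comment should not suggest otherwise. The world-writable `chmod -R 777` on both cache directories is presumably needed because the run-time uid is unknown at build time; stating that in the comment would help, and `-R` is a no-op on a directory that `mkdir` has just created empty.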
--- a/packages/@aws-cdk/aws-lambda-python/test/integ.function.poetry.ts
+++ b/packages/@aws-cdk/aws-lambda-python/test/integ.function.poetry.ts
@@ -1,9 +1,7 @@
-// disabling update workflow because we don't want to include the assets in the snapshot
-// python bundling changes the asset hash pretty frequently
-/// !cdk-integ pragma:disable-update-workflow
 import * as path from 'path';
 import { Runtime } from '@aws-cdk/aws-lambda';
 import { App, CfnOutput, Stack, StackProps } from '@aws-cdk/core';
+import { IntegTest } from '@aws-cdk/integ-tests';
 import { Construct } from 'constructs';
 import * as lambda from '../lib';
@@ -35,5 +33,13 @@ class TestStack extends Stack {
 }
 const app = new App();
-new TestStack(app, 'cdk-integ-lambda-python');
+const testCase = new TestStack(app, 'cdk-integ-lambda-python');
+
+new IntegTest(app, 'poetry', {
+ testCases: [testCase],
+ // disabling update workflow because we don't want to include the assets in the snapshot
+ // python bundling changes the asset hash pretty frequently
+ stackUpdateWorkflow: false,
+});
+
 app.synth();