KiraLT / certbot-lambda

Run Certbot on AWS Lambda/Cloud Functions and upload certs to AWS Secrets Manager.
MIT License

PEX dependency error for v0.4.0 #166

Closed mmeidlinger closed 4 months ago

mmeidlinger commented 1 year ago

Problem Description

Testing v0.4.0 gives the following error:

[ERROR] ResolveError: Failed to resolve requirements from PEX environment @ /var/task.Needed cp39-cp39-[ERROR] ResolveError: Failed to resolve requirements from PEX environment @ /var/task.
Needed cp39-cp39-manylinux_2_26_x86_64 compatible dependencies for:
 1: cryptography>=2.5.0
    Required by:
      acme 2.1.0
      certbot 2.1.0
    But this pex had no ProjectName(raw='cryptography', normalized='cryptography') distributions.
 2: cryptography>=1.5
    Required by:
      josepy 1.13.0
    But this pex had no ProjectName(raw='cryptography', normalized='cryptography') distributions.
 3: cryptography<39,>=38.0.0
    Required by:
      pyOpenSSL 22.1.0
    But this pex had no ProjectName(raw='cryptography', normalized='cryptography') distributions.
 4: cryptography>=2
    Required by:
      dns-lexicon 3.11.7
    But this pex had no ProjectName(raw='cryptography', normalized='cryptography') distributions.
Traceback (most recent call last):
  File "/var/lang/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/var/task/main.py", line 34, in <module>
    bootstrap_pex_env(__entry_point__)
  File "/var/task/.bootstrap/pex/pex_bootstrapper.py", line 684, in bootstrap_pex_env
    PEXEnvironment.mount(entry_point, pex_info).activate()
  File "/var/task/.bootstrap/pex/environment.py", line 321, in activate
    self._activated_dists = self._activate()
  File "/var/task/.bootstrap/pex/environment.py", line 671, in _activate
    resolved = self.resolve()
  File "/var/task/.bootstrap/pex/environment.py", line 502, in resolve
    for fingerprinted_distribution in self.resolve_dists(all_reqs)
  File "/var/task/.bootstrap/pex/environment.py", line 589, in resolve_dists
    raise ResolveError(

How to reproduce

Create an S3 bucket my-bucket, download the certbot-lambda.zip release v0.4.0 and upload it to s3://my-bucket/certbot-lambda/v0.4.0/certbot-lambda.zip. Then deploy this CloudFormation template to set up certbot-lambda as described in README.md and trigger the Lambda function with a test event from the Console.

AWSTemplateFormatVersion: '2010-09-09'
Description: An example template for a Step Functions state machine.
Parameters:
  CertbotDomains:
    Type: String
    Default: example.com
  CertbotEmails:
    Type: String
    Default: admin@example.com
  S3DeploymentAssetBucket:
    Type: String
    Default: my-bucket
  S3DeploymentAssetKey:
    Type: String
    Default: certbot-lambda/v0.4.0/certbot-lambda.zip
  SecretName:
    Type: String
    Default: /certificates/{domain}

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub LambdaExecutionRole-${AWS::StackName}
      Description: Role assumed by Lambda to provision Let's Encrypt TLS Certificate
      AssumeRolePolicyDocument: 
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecretsManagerReadWrite
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
      Policies:
        - PolicyName: InlineLambdaExecutionRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:CreateLogGroup
                Resource: arn:aws:logs:*:*:*

  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Provisions TLS Certificates from Let's Encrypt and stores them in Secretsmanager
      FunctionName: certbot-lambda
      MemorySize: 150
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.9
      Handler: main.handler
      Environment:
        Variables:
          CERTBOT_EMAILS: !Ref CertbotEmails
          CERTBOT_DOMAINS: !Ref CertbotDomains
          CERTBOT_DNS_PLUGIN: dns-route53
          AWS_SECRET_NAME: !Ref SecretName
      Timeout: 600
      Code:
        S3Bucket: !Ref S3DeploymentAssetBucket
        S3Key: !Ref S3DeploymentAssetKey

  LambdaFunctionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt LambdaFunction.Arn
      Action: lambda:InvokeFunction
      Principal: secretsmanager.amazonaws.com

vonschultz commented 11 months ago

I had this problem as well. I think the Glibc version of the manylinux tag is too new for the runtime. I tried regenerating the zip file for the Python 3.11 runtime instead, but still got the same problem, with an even newer manylinux tag this time. To actually fix this, run pex3 interpreter inspect --markers --tags on the AWS Lambda runtime you wish to support, put the result in a file called e.g. complete-platform.json and give --complete-platform complete-platform.json to pex when building the zip file.
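
The diagnosis in the comment above can be checked before deploying by comparing the platform tags in the bundled wheel filenames with the runtime tag quoted in the error. This is an added example, not code from certbot-lambda or PEX; it assumes PEP 600 manylinux semantics, the wheel filenames are constructed samples, and `glibc_and_arch` and `wheel_fits` are hypothetical helper names.

```python
import re

# Legacy manylinux aliases and the glibc version each stands for (PEP 600).
LEGACY = {"manylinux1": (2, 5), "manylinux2010": (2, 12), "manylinux2014": (2, 17)}
PLAT_RE = re.compile(r"^(?:(manylinux1|manylinux2010|manylinux2014)|manylinux_(\d+)_(\d+))_(.+)$")

def glibc_and_arch(platform):
    """'manylinux_2_28_x86_64' -> ((2, 28), 'x86_64'); None if not a manylinux tag."""
    m = PLAT_RE.match(platform)
    if not m:
        return None
    glibc = LEGACY[m.group(1)] if m.group(1) else (int(m.group(2)), int(m.group(3)))
    return glibc, m.group(4)

def wheel_fits(wheel, runtime_tag):
    """Return (ok, reason) for one wheel filename against a manylinux runtime tag."""
    r_py, r_abi, r_plat = runtime_tag.split("-", 2)
    r_glibc, r_arch = glibc_and_arch(r_plat)
    w_py, w_abi, w_plat = wheel[: -len(".whl")].split("-")[-3:]
    # Interpreter: pure Python, abi3 built for an older or equal CPython 3.x, or exact match.
    py_ok = any(
        (t.startswith("py3") and w_abi == "none")
        or (t.startswith("cp3") and w_abi == "abi3" and int(t[3:]) <= int(r_py[3:]))
        or (t == r_py and w_abi == r_abi)
        for t in w_py.split(".")
    )
    if not py_ok:
        return False, f"built for {w_py}-{w_abi}, runtime is {r_py}-{r_abi}"
    reason = f"no {r_arch} manylinux build in {w_plat}"
    for p in w_plat.split("."):  # compressed tag sets are dot-separated
        parsed = glibc_and_arch(p)
        if p == "any" or (parsed and parsed[1] == r_arch and parsed[0] <= r_glibc):
            return True, "ok"
        if parsed and parsed[1] == r_arch:
            reason = "needs glibc >= %d.%d, runtime has %d.%d" % (*parsed[0], *r_glibc)
    return False, reason

# Constructed sample: wheel filenames as they might appear inside a bundle.
SAMPLE = [
    "cryptography-38.0.4-cp36-abi3-manylinux_2_28_x86_64.whl",
    "cryptography-38.0.4-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    "certbot-2.1.0-py3-none-any.whl",
]
RUNTIME = "cp39-cp39-manylinux_2_26_x86_64"  # tag quoted in the ResolveError above

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, wheel_fits(name, RUNTIME))
```

A wheel that fails this check is one the PEX bootstrap would skip at import time, which then surfaces as "this pex had no ... distributions" even though a wheel for that project is in the zip.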