binxio / cfn-secret-provider

A CloudFormation custom resource provider for deploying secrets and keys
Apache License 2.0

When using latest code and Python 3.8 the cloudformation failed with "No module named '_cffi_backend'" #49

Closed arkrud closed 3 years ago

arkrud commented 3 years ago

I was using version 1.0.0 for a while with no issues. We need to upgrade the runtime to Python 3.8 due to AWS retiring support for 3.6. When using 1.4.0 and Python 3.8 we are getting an error in CloudFormation while creating PrivateKey: "Received response status [FAILED] from custom resource. Message returned: No module named '_cffi_backend'"

mvanholsteijn commented 3 years ago

Sorry about that. This is fixed in 1.4.3.

arkrud commented 3 years ago

Thank you for the fast response, but I still see the same error while creating KeyPair with v1.4.3 and Python 3.8: "Received response status [FAILED] from custom resource. Message returned: No module named '_cffi_backend'"

In provider Lambda logs I can see a couple of the messages below:

    /var/task/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?

And ERROR:

    [ERROR] 2021-07-01T23:31:54.702Z 90bbcb98-f586-4d32-a216-98ad50b65590 exception occurred processing the request
    Traceback (most recent call last):
      File "/var/task/cfn_resource_provider/resource_provider.py", line 331, in handle
        self.execute()
      File "/var/task/cfn_resource_provider/resource_provider.py", line 312, in execute
        self.create()
      File "/var/task/cfn_rsakey_provider.py", line 146, in create
        self.create_or_update_secret(overwrite=False, new_secret=True)
      File "/var/task/cfn_rsakey_provider.py", line 117, in create_or_update_secret
        private_key, public_key = self.create_key()
      File "/var/task/cfn_rsakey_provider.py", line 88, in create_key
        backend=crypto_default_backend(),
      File "/var/task/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/var/task/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/var/task/cryptography/hazmat/backends/openssl/backend.py", line 18, in <module>
        from cryptography import utils, x509
      File "/var/task/cryptography/x509/__init__.py", line 8, in <module>
        from cryptography.x509.base import (
      File "/var/task/cryptography/x509/base.py", line 16, in <module>
        from cryptography.x509.extensions import Extension, ExtensionType
      File "/var/task/cryptography/x509/extensions.py", line 18, in <module>
        from cryptography.hazmat.primitives import constant_time, serialization
      File "/var/task/cryptography/hazmat/primitives/constant_time.py", line 11, in <module>
        from cryptography.hazmat.bindings._constant_time import lib
    ModuleNotFoundError: No module named '_cffi_backend'

mvanholsteijn commented 3 years ago

Hi @arkrud,

I tested the deployment of the 1.4.3 provider and demo and they worked as expected. Another user who had the same error as you, successfully used version 1.4.3 too (see https://github.com/binxio/cfn-secret-provider/issues/51).

Did you update the runtime too? What region are you deploying in?

Cheers,

Mark

arkrud commented 3 years ago

Hi Mark,

I am working in us-east-1 region.

Due to my specifics I have slight differences in CF code for provider and Keys stack.

But I do not think these differences can be a reason for the error.

Attaching the files for reference

Sincerely,

Arkadiy


mvanholsteijn commented 3 years ago

@arkrud, the attachments do not make it into this thread. Can you attach them here?

arkrud commented 3 years ago

Attached

Regards

Arkadiy


arkrud commented 3 years ago

Hi Mark,

Do you have any updates on this?

To make sure I am getting updated code I deleted the provider lambda and let my stack recreate it.

I am still getting the same error.

Sincerely,

Arkadiy


mvanholsteijn commented 3 years ago

@arkrud, I have tested the 1.4.3 provider with the python3.8 lambda runtime and it works. If you want me to take a look at your template, please add it as an attachment on the GitHub website. Email attachments do not make it here.

arkrud commented 3 years ago

Providing my templates: key_stack.yaml.template.txt, cfn-resource-provider.yaml.template.txt

mvanholsteijn commented 3 years ago

Your problem is caused by the fact that only the default value is changed, which is not effectuated on a stack update.

Change:

      Code:
        S3Bucket: !Sub '${S3BucketPrefix}-${AWS::Region}'
        S3Key: !Ref 'CFNCustomProviderZipFileName'

to:

      Code:
        S3Bucket: !Sub '${S3BucketPrefix}-${AWS::Region}'
        S3Key: 'lambdas/cfn-secret-provider-1.4.3.zip'

and you will probably be fine.

arkrud commented 3 years ago

Thank you very much. This worked. It was picking up old code. We had the same issues with our Lambdas' CF build also and solved it by placing each new build's code into a versioned sub-folder in the bucket.
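
The diagnosis in this thread (a changed parameter default that the existing stack never picked up, so `S3Key` kept pointing at the old zip) can be checked before an update by comparing template defaults with the stack's current parameter values. This is an added example, not code from the thread or the project; it assumes the template in long-form intrinsics, and the logical ID `CFNSecretProvider`, the bucket prefix and the 1.0.0 key are constructed sample values.

```python
import re

SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")  # ${Name} in a string-form Fn::Sub

def referenced_parameters(node):
    """Yield names used via Ref or string-form Fn::Sub anywhere under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            elif key == "Fn::Sub" and isinstance(value, str):
                yield from SUB_VAR.findall(value)
            else:
                yield from referenced_parameters(value)
    elif isinstance(node, list):
        for item in node:
            yield from referenced_parameters(item)

def stale_code_parameters(template, deployed_parameters):
    """Return (function, parameter, deployed value, template default) mismatches."""
    deployed = {p["ParameterKey"]: p["ParameterValue"] for p in deployed_parameters}
    params = template.get("Parameters", {})
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        for name in referenced_parameters(resource.get("Properties", {}).get("Code", {})):
            default = params.get(name, {}).get("Default")
            if name in deployed and default is not None and deployed[name] != default:
                findings.append((logical_id, name, deployed[name], default))
    return findings

# Constructed sample: the thread's Code block in long-form intrinsics (IDs assumed).
TEMPLATE = {
    "Parameters": {
        "S3BucketPrefix": {"Default": "example-prefix"},
        "CFNCustomProviderZipFileName": {"Default": "lambdas/cfn-secret-provider-1.4.3.zip"},
    },
    "Resources": {"CFNSecretProvider": {"Type": "AWS::Lambda::Function", "Properties": {"Code": {
        "S3Bucket": {"Fn::Sub": "${S3BucketPrefix}-${AWS::Region}"},
        "S3Key": {"Ref": "CFNCustomProviderZipFileName"},
    }}}},
}
# Constructed describe-stacks "Parameters": the stack still holds the old key.
DEPLOYED = [{"ParameterKey": k, "ParameterValue": v} for k, v in {
    "S3BucketPrefix": "example-prefix",
    "CFNCustomProviderZipFileName": "lambdas/cfn-secret-provider-1.0.0.zip",
}.items()]
print(stale_code_parameters(TEMPLATE, DEPLOYED))
```

A non-empty result means the function's code location is driven by a parameter whose live value lags the template, which is the condition that left the old provider zip deployed here.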