serverless-ca / terraform-aws-ca

Terraform module for serverless certificate authority on AWS
https://serverlessca.com/

Error with local-exec provisioner due to Python version mismatch on Terraform Cloud #265

Open Karam-dev-ops opened 3 weeks ago

Karam-dev-ops commented 3 weeks ago

I'm encountering an error when using the serverless_ca module with Terraform Cloud's standard plan.

```
Error: local-exec provisioner error
with module.serverless_ca.module.serverless_ca.module.create_rsa_issuing_ca_lambda.null_resource.install_python_dependencies
on .terraform/modules/serverless_ca.serverless_ca/modules/terraform-aws-ca-lambda/main.tf line 13, in resource "null_resource" "install_python_dependencies":
provisioner "local-exec" {
Error running command 'chmod +x .terraform/modules/serverless_ca.serverless_ca/modules/terraform-aws-ca-lambda/scripts/lambda-build/create-package.sh .terraform/modules/serverless_ca.serverless_ca/modules/terraform-aws-ca-lambda/scripts/lambda-build/create-package.sh ': exit status 1. Output: Executing create_package.sh...
Error: local Python version does not match Lambda Python runtime
Local Python version: 3.8
Lambda Python version: 3.12
```

Steps to Reproduce:

  1. Include the serverless_ca module in Terraform with default settings.
  2. Run terraform plan and terraform apply on Terraform Cloud (standard plan).
  3. The apply fails with the above error message.

Expected Behavior: The module should successfully build and deploy the AWS Lambda function without errors.

Additional Context: Using Terraform locally is not ideal due to collaboration and state management considerations.

Any guidance or updates to accommodate this scenario would be greatly appreciated!

paulschwarzenberger commented 3 weeks ago

Hi @Karam-dev-ops thanks for using the serverless CA. In your pipeline, you need to include a build step where you install Python 3.12 to the runner in Terraform Cloud. There's an example of how to do the equivalent with GitHub Actions here.

paulschwarzenberger commented 3 weeks ago

I'd suggest adding a local-exec block to your Terraform, outside of the Serverless CA module, to install Python version 12. Then make your Serverless CA module dependent on completion of the local-exec script. See Terraform Cloud documentation.

Karam-dev-ops commented 3 weeks ago

Thank you, @paulschwarzenberger, for your quick response and helpful suggestions. Since we're using Terraform Cloud's standard plan, we can't install Python 3.12 on the execution environment or use self-hosted agents. Additionally, the Terraform Cloud documentation recommends avoiding the use of local-exec provisioners for installing software. Given these constraints, do you have any alternative suggestions that might work within this environment?

paulschwarzenberger commented 3 weeks ago

I would ignore the best practice warnings and use a local-exec provisioner to install Python 12. There's already a local-exec inside the serverless CA Terraform module to build the Lambda function zip files with dependencies. All we're doing is adding another local-exec outside the module to make the Python version compatible.

This is fundamentally a limitation of AWS in that they don't provide a neat way of packaging dependencies for Lambda functions (unlike Google Cloud Functions where it just works automatically).

Karam-dev-ops commented 2 weeks ago

Thank you @paulschwarzenberger for your help. For now I used Terraform Cloud to just store the state, and used local execution mode to use my local machine to run terraform with Python 3.12 installed in it. I will try to implement what you suggested.
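
The version mismatch reported in this issue can be caught on the machine or runner that executes Terraform before `terraform apply` starts the module's build step. The script below is an added example, not part of the thread or of the module's own create-package.sh; the `LAMBDA_RUNTIME` variable, the function names and the `--check` flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check to run before `terraform apply`.
# LAMBDA_RUNTIME and the --check flag are assumptions of this example.

# Lambda runtime identifier to major.minor: "python3.12" -> "3.12"
runtime_to_version() {
  printf '%s\n' "${1#python}"
}

# Extract major.minor from `python --version` output,
# e.g. "Python 3.8.10" -> "3.8". Prints nothing for any other text.
major_minor() {
  printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Succeeds only on an exact major.minor match, so 3.1 never matches 3.12
# and unparseable version text never matches anything.
version_matches() {
  mm=$(major_minor "$1")
  [ -n "$mm" ] && [ "$mm" = "$2" ]
}

# Print the first interpreter on PATH whose version matches; fail if none.
find_matching_python() {
  want=$1
  for candidate in "python$want" python3 python; do
    command -v "$candidate" >/dev/null 2>&1 || continue
    # Python 2 prints its version to stderr, hence 2>&1.
    if version_matches "$("$candidate" --version 2>&1)" "$want"; then
      command -v "$candidate"
      return 0
    fi
  done
  return 1
}

# Compare the local interpreter with the Lambda runtime (default taken from
# the "Lambda Python version: 3.12" line in the error output).
preflight() {
  want=$(runtime_to_version "${LAMBDA_RUNTIME:-python3.12}")
  if py=$(find_matching_python "$want"); then
    echo "OK: $py matches Lambda runtime $want"
  else
    echo "No Python $want on PATH; the Lambda package build will fail" >&2
    return 1
  fi
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it with `--check` as the first pipeline step; a non-zero exit stops the run before any Lambda package is built with the wrong interpreter.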