binxio/cfn-secret-provider

When using latest code and Python 3.8 the cloudformation failed with "No module named '_cffi_backend'"

Closed this issue · 11 comments

I was using version 1.0.0 for a while with no issues.
We need to upgrade the runtime to Python 3.8 due to AWS retiring support for 3.6.
When using 1.4.0 and Python 3.8 we are getting an error in CloudFormation while creating PrivateKey:
"Received response status [FAILED] from custom resource. Message returned: No module named '_cffi_backend'"

Sorry about that. This is fixed in 1.4.3.

Thank you for the fast response, but I still see the same error while creating KeyPair with v1.4.3 and Python 3.8:
Received response status [FAILED] from custom resource. Message returned: No module named '_cffi_backend'

In provider Lambda logs I can see a couple of the messages below:

    /var/task/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?

And ERROR:

    [ERROR] 2021-07-01T23:31:54.702Z 90bbcb98-f586-4d32-a216-98ad50b65590 exception occurred processing the request
    Traceback (most recent call last):
      File "/var/task/cfn_resource_provider/resource_provider.py", line 331, in handle
        self.execute()
      File "/var/task/cfn_resource_provider/resource_provider.py", line 312, in execute
        self.create()
      File "/var/task/cfn_rsakey_provider.py", line 146, in create
        self.create_or_update_secret(overwrite=False, new_secret=True)
      File "/var/task/cfn_rsakey_provider.py", line 117, in create_or_update_secret
        private_key, public_key = self.create_key()
      File "/var/task/cfn_rsakey_provider.py", line 88, in create_key
        backend=crypto_default_backend(),
      File "/var/task/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/var/task/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/var/task/cryptography/hazmat/backends/openssl/backend.py", line 18, in <module>
        from cryptography import utils, x509
      File "/var/task/cryptography/x509/__init__.py", line 8, in <module>
        from cryptography.x509.base import (
      File "/var/task/cryptography/x509/base.py", line 16, in <module>
        from cryptography.x509.extensions import Extension, ExtensionType
      File "/var/task/cryptography/x509/extensions.py", line 18, in <module>
        from cryptography.hazmat.primitives import constant_time, serialization
      File "/var/task/cryptography/hazmat/primitives/constant_time.py", line 11, in <module>
        from cryptography.hazmat.bindings._constant_time import lib
    ModuleNotFoundError: No module named '_cffi_backend'

Hi @arkrud,

I tested the deployment of the 1.4.3 provider and demo and they worked as expected. Another user who had the same error as you, successfully used version 1.4.3 too (see #51).

Did you update the runtime too? What region are you deploying in?

Cheers,

Mark

@arkrud, the attachments do not make it into this thread. Can you attach them here?

@arkrud, I have tested the 1.4.3 provider with the python3.8 lambda runtime and it works. If you want me to take a look at your template, please add it as an attachment on the GitHub website. Email attachments do not make it here.

Your problem is caused by the fact that only the default value is changed, which is not effectuated on a stack update.

Change:

      Code:
        S3Bucket: !Sub '${S3BucketPrefix}-${AWS::Region}'
        S3Key: !Ref 'CFNCustomProviderZipFileName'

to:

      Code:
        S3Bucket: !Sub '${S3BucketPrefix}-${AWS::Region}'
        S3Key: 'lambdas/cfn-secret-provider-1.4.3.zip'

and you will probably be fine.

Thank you very much. This worked.
It was picking up old code.
We had the same issues with our lambdas CF build also and solved it by placing each new build's code into a versioned sub-folder in the bucket.
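
The situation diagnosed in this thread can be checked before an update. The following is an added example, not part of the original issue or the project's code: it flags parameters that feed a Lambda function's `Code` block when the template `Default` differs from the value the stack still holds. It assumes the update reuses previous parameter values and that the template is in JSON form; the logical id `CFNSecretProvider`, the bucket prefix and the deployed 1.0.0 key are constructed sample values.

```python
import re

# Matches ${Name} in Fn::Sub; skips ${AWS::Region}, ${Res.Attr} and ${!Literal}.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)\}")

def referenced_names(node):
    """Collect names used through Ref or Fn::Sub anywhere below node."""
    names = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                names.add(value)
            elif key == "Fn::Sub":
                text = value if isinstance(value, str) else value[0]
                names.update(SUB_VAR.findall(text))
            else:
                names |= referenced_names(value)
    elif isinstance(node, list):
        for item in node:
            names |= referenced_names(item)
    return names

def stale_code_parameters(template, deployed):
    """Map each parameter feeding a Lambda Code block to (deployed, default)
    when the stack still holds a value that differs from the template Default."""
    params = template.get("Parameters", {})
    stale = {}
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        code = resource.get("Properties", {}).get("Code", {})
        for name in params.keys() & referenced_names(code):
            default = params[name].get("Default")
            if name in deployed and default is not None and deployed[name] != default:
                stale[name] = (deployed[name], default)
    return stale

# Constructed sample: JSON form of the template fragment quoted in the thread.
TEMPLATE = {
    "Parameters": {
        "S3BucketPrefix": {"Default": "example-bucket"},
        "CFNCustomProviderZipFileName": {"Default": "lambdas/cfn-secret-provider-1.4.3.zip"}},
    "Resources": {"CFNSecretProvider": {  # hypothetical logical id
        "Type": "AWS::Lambda::Function",
        "Properties": {"Runtime": "python3.8", "Code": {
            "S3Bucket": {"Fn::Sub": "${S3BucketPrefix}-${AWS::Region}"},
            "S3Key": {"Ref": "CFNCustomProviderZipFileName"}}}}},
}
# Constructed: parameter values the existing stack keeps when previous values are reused.
DEPLOYED = {"S3BucketPrefix": "example-bucket",
            "CFNCustomProviderZipFileName": "lambdas/cfn-secret-provider-1.0.0.zip"}
```

A non-empty result from `stale_code_parameters(TEMPLATE, DEPLOYED)` means the function would keep running the old zip after the update unless the parameter is passed explicitly or the key is hard-coded as suggested above.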