-
@cponfick-bhs can you try to reproduce this using a very simple hash (e.g.
-
@corymhall I am able to reproduce it by using In my case the changing file is the requirements.txt file, containing the auth token. When I use the same token in sequential deploys, the layer is not updated.
-
ah ok it looks like it's because the hash that is calculated includes the
-
@corymhall do I understand this correctly? When using a custom hash, this hash is used to create another hash based on the
-
Yes, that is correct. We create a new hash using the custom hash and bundling options as inputs. This is because the bundling options instruct CDK how the asset should be bundled, so if that changes then the hash should be invalidated. Imagine you passed a different Docker image or an environment variable that would affect the output of bundling.

aws-cdk/packages/@aws-cdk/core/lib/asset-staging.ts, lines 487 to 518 in f1c9c4e
-
Thanks for your explanation. Shouldn't this then be the fault of the user? As in: "You use a custom hash. Hence, it is your responsibility to provide a sufficient hash." As I see it right now, it is not possible to use a token to authenticate to a pypi mirror. Even if I am able to exclude the requirements file, by implementing #19508, the environment will always be different, because the token is different. If I am not mistaken, the below example from the docs should always create a new layer.

```python
import subprocess

# Module alias assumed here; the snippet refers to the construct library as lambda_.
import aws_cdk.aws_lambda_python_alpha as lambda_
from aws_cdk import DockerImage
from aws_cdk.aws_lambda import Runtime

entry = "/path/to/function"
image = DockerImage.from_build(entry)
domain = "my-domain"
domain_owner = "111122223333"
repo_name = "my_repo"
region = "us-east-1"
# Request a CodeArtifact token; a new token is issued on each call.
code_artifact_auth_token = subprocess.check_output(
    ["aws", "codeartifact", "get-authorization-token",
     "--domain", domain, "--domain-owner", domain_owner,
     "--query", "authorizationToken", "--output", "text"],
    text=True,
).strip()
# The token is embedded in the index URL that is passed to bundling.
index_url = f"https://aws:{code_artifact_auth_token}@{domain}-{domain_owner}.d.codeartifact.{region}.amazonaws.com/pypi/{repo_name}/simple/"
# Runs inside a construct, where `self` is the scope.
lambda_.PythonFunction(self, "function",
    entry=entry,
    runtime=Runtime.PYTHON_3_8,
    bundling=lambda_.BundlingOptions(
        environment={"PIP_INDEX_URL": index_url}
    )
)
```
-
It would be nice if this could take a DockerImageAssetInvalidationOptions (or something like it), so we could tell it to ignore the constantly changing
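
Added example, not part of any comment in this thread and not CDK's own code: a simplified Python model of the behaviour described above (final hash derived from the custom hash plus the bundling options), showing why a rotating token in `PIP_INDEX_URL` changes the hash on every deploy and how ignoring URL credentials keeps it stable. The function names, the JSON serialization and the sample values are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit


def fingerprint(custom_hash, bundling):
    """Model only: sha256 over the custom hash and the serialized bundling options."""
    h = hashlib.sha256()
    h.update(custom_hash.encode())
    # Serialization format is an assumption; any deterministic encoding behaves the same.
    h.update(json.dumps(bundling, sort_keys=True).encode())
    return h.hexdigest()


def strip_userinfo(value):
    """Remove user:password@ from URL-shaped strings; return other values unchanged."""
    if not isinstance(value, str) or "://" not in value:
        return value
    parts = urlsplit(value)
    if parts.username is None and parts.password is None:
        return value
    return parts._replace(netloc=parts.netloc.rpartition("@")[2]).geturl()


def stable_view(bundling):
    """Copy of the bundling options with credentials stripped from environment values."""
    env = {k: strip_userinfo(v) for k, v in bundling.get("environment", {}).items()}
    return {**bundling, "environment": env}


def index_url(token, repo="my_repo"):
    # Constructed URL in the same shape as the docs example quoted in this thread.
    return (f"https://aws:{token}@my-domain-111122223333.d.codeartifact."
            f"us-east-1.amazonaws.com/pypi/{repo}/simple/")


def demo():
    custom_hash = "lock-file-hash-placeholder"  # constructed value
    deploy1 = {"environment": {"PIP_INDEX_URL": index_url("token-A")}}
    deploy2 = {"environment": {"PIP_INDEX_URL": index_url("token-B")}}
    raw = (fingerprint(custom_hash, deploy1), fingerprint(custom_hash, deploy2))
    redacted = (fingerprint(custom_hash, stable_view(deploy1)),
                fingerprint(custom_hash, stable_view(deploy2)))
    return raw, redacted


if __name__ == "__main__":
    raw, redacted = demo()
    print("raw hashes equal:     ", raw[0] == raw[1])
    print("redacted hashes equal:", redacted[0] == redacted[1])
```

In this model a change to the repository or host part of the URL still changes the redacted hash; only the credential portion is ignored.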
-
I was surprised to find that this is still a problem - and that the documentation around using CodeArtifact with the Specifically - the second paragraph indicates that using We've had to abandon the Am I missing something here? Isn't this a clear bug that needs resolving?
-
What is the problem?
It appears that asset_hash_type and asset_hash are ignored in the bundling parameter of the PythonLayerVersion. The asset_hash_type used is always AssetHashType.SOURCE. This is a problem if the requirements file includes an env variable which changes on every deploy, e.g. a token.
Reproduction Steps
The token is the only thing that changes in the entry repository, on every cdk deploy call.
What did you expect to happen?
Update the layer only when the lock_file_hash variable changes.
What actually happened?
The layer is updated every time.
CDK CLI Version
2.17.0
Framework Version
No response
Node.js Version
v17.7.2
OS
macOS Monterey 12.3
Language
Python
Language Version
Python (3.8.9)
Other information
This issue is somewhat related to #19508, since I tried to create a custom hash as an answer to the missing exclude possibility.
In my opinion it is also a security issue uploading the requirements file to the layer, since it might contain user and password information to private pypi mirrors. In our case a token with a short expiration time was the solution, but it might not be for other users.