fix: new GPG binaries don't work on Node 14 Runtime

The Node 14 runtime is based on Amazon Linux 2, but these GPG binaries require Amazon Linux 2023. Move the runtime to Node 20.
cdklabs · Jul 23, 2024 · 93db74f · 93db74f
1 parent 7c610aa
commit 93db74f
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 14 deletions.
diff --git a/lib/change-controller.ts b/lib/change-controller.ts
@@ -79,7 +79,7 @@ export class ChangeController extends Construct {
     const fn = new nodejs.NodejsFunction(this, 'Function', {
       description: `Enforces a Change Control Policy into CodePipeline's ${props.pipelineStage.stageName} stage`,
       entry: path.join(__dirname, 'change-control-lambda', 'index.ts'),
-      runtime: lambda.Runtime.NODEJS_14_X,
+      runtime: lambda.Runtime.NODEJS_LATEST,
       environment: {
         // CAPITAL punishment 👌🏻
         CHANGE_CONTROL_BUCKET_NAME: changeControlBucket.bucketName,

diff --git a/lib/chime-notifier/chime-notifier.ts b/lib/chime-notifier/chime-notifier.ts
@@ -56,7 +56,7 @@ export class ChimeNotifier extends Construct {
         handler: 'index.handler',
         uuid: '0f4a3ee0-692e-4249-932f-a46a833886d8',
         code: lambda.Code.fromAsset(path.join(__dirname, 'handler')),
-        runtime: lambda.Runtime.NODEJS_14_X,
+        runtime: lambda.Runtime.NODEJS_LATEST,
         timeout: Duration.minutes(5),
       });
 

diff --git a/lib/code-signing/certificate-signing-request.ts b/lib/code-signing/certificate-signing-request.ts
@@ -66,7 +66,7 @@ export class CertificateSigningRequest extends Construct {
       uuid: '541F6782-6DCF-49A7-8C5A-67715ADD9E4C',
       lambdaPurpose: 'CreateCSR',
       description: 'Creates a Certificate Signing Request document for an x509 certificate',
-      runtime: lambda.Runtime.NODEJS_14_X,
+      runtime: lambda.Runtime.NODEJS_LATEST,
       handler: 'index.handler',
       code: new lambda.AssetCode(codeLocation),
       timeout: Duration.seconds(300),

diff --git a/lib/code-signing/private-key.ts b/lib/code-signing/private-key.ts
@@ -67,7 +67,7 @@ export class RsaPrivateKeySecret extends Construct {
       lambdaPurpose: 'RSAPrivate-Key',
       uuid: '72FD327D-3813-4632-9340-28EC437AA486',
       description: 'Generates an RSA Private Key and stores it in AWS Secrets Manager',
-      runtime: lambda.Runtime.NODEJS_14_X,
+      runtime: lambda.Runtime.NODEJS_LATEST,
       handler: 'index.handler',
       code: new lambda.AssetCode(codeLocation),
       timeout: Duration.seconds(300),

diff --git a/lib/custom-resource-handlers/layers/README.md b/lib/custom-resource-handlers/layers/README.md
@@ -1,11 +1,24 @@
-This directory contains ZIP files that are used as Lambda layers by our custom resources
-(private-key, pgp-secret and certificate-signing-request).
-Those Lambdas shell out to the `openssl` and `gpg` tools,
-which are not shipped with Node Lambda version older than 8.
+This directory contains ZIP files that are used as Lambda layers by our custom
+resources (private-key, pgp-secret and certificate-signing-request).  Those
+Lambdas shell out to the `openssl` and `gpg`, `gpg-agent` tools, which are not
+shipped with Node Lambda runtimes (actually `gpg` is, but `gpg-agent` is not...)
 
-If you ever need to update these,
-unzip these files, add any necessary binaries to it,
-and then zip them back up again.
+If you ever need to update these, unzip these files, add any necessary binaries
+to it, and then zip them back up again.
 
 The binaries contained in these files were downloaded from an EC2 instance
-running Amazon Linux 2.
+running Amazon Linux 2023.
+
+N.B:
+
+- Make sure the binaries are copied from a version of Amazon Linux that matches
+  the Lambda Runtime version that is being used, see here:
+  <https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html>.
+- Make sure that the file structure in the ZIP file does not contain an extra
+  directory, but looks like:
+  - `gpg`
+  - `lib/libgcrypt.so.X`
+  - etc.
+- `gpg` is probably linked against the major version dependencies only, so it will
+  depend on `libgcrypt.so.8` (and not `libgcrypt.so.8.4.1`). Confirm with `ldd` and
+  rename the files if necessary.
diff --git a/lib/open-pgp-key-pair.ts b/lib/open-pgp-key-pair.ts
@@ -120,7 +120,7 @@ export class OpenPGPKeyPair extends Construct implements ICredentialPair {
       code: new lambda.AssetCode(codeLocation),
       handler: 'index.handler',
       timeout: Duration.seconds(300),
-      runtime: lambda.Runtime.NODEJS_14_X,
+      runtime: lambda.Runtime.NODEJS_LATEST,
       // add the layer that contains the GPG binary (+ shared libraries)
       layers: [new lambda.LayerVersion(this, 'GpgLayer', {
         code: lambda.Code.fromAsset(path.join(__dirname, 'custom-resource-handlers', 'layers', 'gpg-layer.zip')),

diff --git a/lib/pipeline-watcher/watcher.ts b/lib/pipeline-watcher/watcher.ts
@@ -53,7 +53,7 @@ export class PipelineWatcher extends Construct {
 
     const pipelineWatcher = new lambda.Function(this, 'Poller', {
       handler: 'watcher-handler.handler',
-      runtime: lambda.Runtime.NODEJS_14_X,
+      runtime: lambda.Runtime.NODEJS_LATEST,
       code: lambda.Code.fromAsset(path.join(__dirname, 'handler')),
       environment: {
         METRIC_NAMESPACE: props.metricNamespace,