Contract tests failing with error "cannot import name 'verify_interface' from 'cryptography.utils' (/var/task/cryptography/utils.py)^MTraceback (most recent call last):"

[kurdekar]

Contract tests are failing with below error:

[ERROR] Runtime.ImportModuleError: Unable to import module 'cfnregistryresource.handlers': cannot import name 'verify_interface' from 'cryptography.utils' (/var/task/cryptography/utils.py)^MTraceback (most recent call last):

This was working fine until Thursday 23rd March. There are other CloudFormation custom resources that were created prior to this date are also working fine.

I do not see a 'verify_interface' function in the file ./build/cryptography/utils.py for this resource. However, other resources created before yesterday have this function available in utils.py

All new builds since Friday are failing. I have setup a new build environment and also tried the workaround here: SecurityInnovation/PGPy#402.

[kddejong]

Are you working on a python based extension?

aws-cloudformation/cloudformation-cli-python-plugin#253

[kddejong]

You can force a version of cryptography<40.0.0 in your requirements.txt file

[kurdekar]

yes, I am using python based extension. Forcing a lower version in requirements.txt helped. The contract tests are working fine now. Thank you.

[kddejong]

I'm glad you are unblocked. @kurdekar when we release the newer version of the python plugin you won't have to pin anymore so this is a workaround.

[colonmelvin]

This also appears to impact CloudFormation Hooks. While I'm able to package them successfully with cfn submit --dry-run I find the same error from above when the hook is invoked. Adding cryptography<40.0.0 to requirements.txt resolved the issue.

cannot import name 'verify_interface' from 'cryptography.utils'

[mrinaudo-aws]

@kurdekar @colonmelvin on the current workaround (that @kddejong mentioned above): I saw this newly-merged PR that took a new course (unpinning the version for cryptography, and using a new version of the aws-encryption-sdk). I have mimicked the approach of that PR, and temporarily added aws-encryption-sdk==3.1.1 to one of my requirements.txt files in the interim to be able to run my tests without that error.

[mrinaudo-aws]

Hi @kurdekar @colonmelvin @kddejong - both the Python plugin and lib are now updated - you should be able to update them on your machines using pip, and have the following:

• aws-encryption-sdk-3.1.1
• cloudformation-cli-python-lib-2.1.16
• cloudformation-cli-python-plugin-2.1.8

You should be able to remove the additional line in the requirements.txt file, and try again without it - it worked for me. Let us know!

[colonmelvin]

Hi @kurdekar @colonmelvin @kddejong - both the Python plugin and lib are now updated - you should be able to update them on your machines using pip, and have the following:

• aws-encryption-sdk-3.1.1
• cloudformation-cli-python-lib-2.1.16
• cloudformation-cli-python-plugin-2.1.8

You should be able to remove the additional line in the requirements.txt file, and try again without it - it worked for me. Let us know!

Awesome, thanks @mrinaudo-aws! Will give this a go once I'm back in the office next week.

[mmaeng]

The release should have resolved the dependency issue @colonmelvin ! Will close this issue out but please reopen if you are still blocked!

[colonmelvin]

The release should have resolved the dependency issue @colonmelvin ! Will close this issue out but please reopen if you are still blocked!

Just confirming all is working well now, I've removed the pinned version cryptography and was able to build/deploy hooks as expected. Thanks!